Penetration testing.
Manual testing of web, API, cloud, and mobile applications. One to three weeks, fixed price. Written report with every finding, severity, reproduction, and fix.
Scope
Web, API, cloud, mobile.
Web applications
Authenticated and unauthenticated. Session and account separation, multi-tenant isolation, payment and admin flows.
APIs
REST, GraphQL, gRPC. OWASP API Top 10 walked end-to-end. BOLA, BOLA, BOLA — and the other nine.
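The object-level check that both the multi-tenant isolation item above and the BOLA item here come down to, as an added illustration rather than code from this page or from any client engagement. Everything in it is constructed: an in-memory invoice store with two accounts, a token-to-account session map, and hypothetical handler names. The vulnerable handler authenticates the caller but fetches the record by id alone; the fixed one scopes the lookup to the caller's account. The probe is the request a tester actually sends: account A's session, account B's object id.

```python
"""Added example, not the page's own code: a Broken Object Level
Authorization (BOLA, OWASP API Top 10 API1) check on a GET /invoices/{id}
style endpoint. All data below is constructed; no network or framework."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str   # account that owns the record
    total: int   # cents


# Constructed sample data: two accounts, one invoice each.
INVOICES = {
    1001: Invoice(1001, "alice", 4999),
    1002: Invoice(1002, "bob", 12500),
}

# Constructed bearer tokens mapped to the authenticated account.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    """No valid session (401)."""


class NotFound(Exception):
    """Object absent, or not visible to this caller (404)."""


class Forbidden(Exception):
    """Caller authenticated but not permitted (403); kept so the probe
    also recognises handlers that deny with 403 instead of 404."""


def _authenticate(token: str) -> str:
    """Resolve a bearer token to an account name."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized("bad or missing token") from None


def get_invoice_vulnerable(token: str, invoice_id: int) -> Invoice:
    """Hypothetical handler as commonly shipped: authentication is
    enforced, but the object is looked up by id only, so any logged-in
    account can read any invoice. That is BOLA."""
    _authenticate(token)
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_fixed(token: str, invoice_id: int) -> Invoice:
    """Same handler with object-level authorization: the lookup is scoped
    to the caller's account. A foreign id gets 404 rather than 403 so the
    endpoint does not confirm which ids exist."""
    user = _authenticate(token)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != user:
        raise NotFound(invoice_id)
    return inv


def bola_probe(handler, attacker_token: str, victim_invoice_id: int) -> bool:
    """The tester's request: account A's session asking for an id owned by
    account B. Returns True when the foreign object is served, which is the
    finding; False when the handler refuses."""
    try:
        handler(attacker_token, victim_invoice_id)
        return True
    except (NotFound, Forbidden):
        return False


if __name__ == "__main__":
    print("vulnerable serves bob's invoice to alice:",
          bola_probe(get_invoice_vulnerable, "tok-alice", 1002))
    print("fixed serves bob's invoice to alice:",
          bola_probe(get_invoice_fixed, "tok-alice", 1002))
```

In a real engagement the probe is a single replayed request with the second account's id substituted, recorded with its request/response pair; the point of scoping the query by owner rather than adding a post-fetch comparison is that the same rule then covers list, update and delete without a separate check per verb.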
Cloud
AWS, GCP, Azure. IAM blast radius, S3 / GCS exposure, Lambda and Cloud Run permission paths, metadata service abuse.
Mobile
iOS and Android client review with backend correlation. Local storage, IPC, deep links, certificate pinning bypass.
Method
Source review, manual exploitation, written findings.
Week one is reconnaissance and source code review where access permits — reading auth, authorisation, and trust boundaries directly. Week two is targeted exploitation: every interesting boundary gets a real attempt, with the request, response, and impact recorded as I go.
Tools are used where they help — Burp, Caido, jadx, nuclei for known CVE coverage. Findings come from understanding the code at the line level.
Deliverable
The report.
Per finding
Title, severity, request/response pair, reproduction steps, the affected file or endpoint, suggested fix at the line level.
Executive section
Plain-English risk summary your VP of Engineering can read in ten minutes. Findings tied to the file or endpoint, with patch-level fix recommendations.
Re-test
Once your fixes ship, every finding is re-tested. Sign-off goes into the same report so you have a single artefact to hand to your auditor.
Need a pentest?
Send the scope: app type, tech stack, deadline. You get a triage and a fixed quote back.