Penetration testing.
Manual testing of web, API, cloud, and mobile applications. One to three weeks, fixed price. Written report with every finding, severity, reproduction, and fix.
Scope
Web, API, cloud, mobile.
Web applications
Authenticated and unauthenticated. Session and account separation, multi-tenant isolation, payment and admin flows.
APIs
REST, GraphQL, gRPC. OWASP API Top 10 walked end-to-end. BOLA, BOLA, BOLA — and the other nine.
Cloud
AWS, GCP, Azure. IAM blast radius, S3 / GCS exposure, Lambda and Cloud Run permission paths, metadata service abuse.
Mobile
iOS and Android client review with backend correlation. Local storage, IPC, deep links, certificate pinning bypass.
Method
Source review, manual exploitation, written findings.
Week one is reconnaissance and source code review where access permits — reading auth, authorisation, and trust boundaries directly. Week two is targeted exploitation: every interesting boundary gets a real attempt, with the request, response, and impact recorded as I go.
Tools are used where they help — Burp, Caido, jadx, nuclei for known CVE coverage. Findings come from understanding the code at the line level.
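To make the "line-level" findings concrete, here is an added example (not code from this page or from any client engagement) of what a BOLA finding from the API scope above looks like beside its fix. The service, invoice records, user ids and handler names are all constructed for the demonstration; the point is that the fix is a single ownership check at the line where the object is loaded.

```python
# Added example, not the page's own code: a minimal BOLA (broken object level
# authorization) pattern and its line-level fix, in the form a report finding
# would present it. All names, records and user ids are constructed.

from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample data: two tenants (users 7 and 8), one invoice each.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount_cents=12_000),
    1002: Invoice(1002, owner_id=8, amount_cents=99_000),
}


def get_invoice_vulnerable(caller_id: int, invoice_id: int) -> Invoice:
    """Vulnerable: looks the object up by id only. Any authenticated user
    can read any invoice by changing the id in the request (BOLA)."""
    return INVOICES[invoice_id]


def get_invoice_fixed(caller_id: int, invoice_id: int) -> Invoice:
    """Fixed: the object-level check ties the record to the caller before
    it is returned. Missing and foreign objects get the same error so the
    response does not confirm whether the id exists."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != caller_id:
        raise Forbidden(f"invoice {invoice_id} not accessible to user {caller_id}")
    return invoice


def reproduce(handler, caller_id: int, invoice_id: int) -> str:
    """Drive a handler the way a reproduction step in the report would,
    returning a compact status string instead of raising."""
    try:
        inv = handler(caller_id, invoice_id)
        return f"200 owner={inv.owner_id}"
    except Forbidden:
        return "403"
    except KeyError:
        return "404"


if __name__ == "__main__":
    # Reproduction: user 7 requests user 8's invoice.
    print("vulnerable:", reproduce(get_invoice_vulnerable, 7, 1002))  # 200 owner=8
    print("fixed:     ", reproduce(get_invoice_fixed, 7, 1002))       # 403
```

The re-test described below is the same call against the patched handler: the request that returned another tenant's record before must now return 403, and the caller's own record must still return 200.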
Deliverable
The report.
Per-finding
Title, severity, request/response pair, reproduction steps, the affected file or endpoint, suggested fix at the line level.
Executive section
Plain-English risk summary your VP of Engineering can read in ten minutes. Findings tied to the file or endpoint, with patch-level fix recommendations.
Re-test
Once your fixes ship, every finding is re-tested. Sign-off goes into the same report so you have a single artefact to hand to your auditor.
Need a pentest?
Send the scope: app type, tech stack, deadline. You get a triage and a fixed quote back.