What is the difference between a vulnerability scan and an application penetration test?
A scan is mostly automated: it crawls the app and flags known issues and misconfigurations, which is useful for breadth but cannot understand what your application is meant to do. A penetration test is hands-on: a CREST-certified tester works through the app like a real attacker, chaining flaws and abusing business logic to prove genuine impact, such as account takeover or access to data belonging to other customers. Scanning gives you coverage; a pen test gives you depth, and most teams want both.
Do you test APIs, including REST and GraphQL?
Yes. We test REST and GraphQL APIs, whether they sit behind a web or mobile app or serve partners directly. We focus on the things scanners miss: authentication and token handling, object-level and function-level access control (BOLA and BFLA), input handling, and the logic of how endpoints chain together.
Do you test mobile apps for iOS and Android?
Yes. We test iOS and Android apps to the OWASP MASVS, covering how the app stores data on the device, how it protects its traffic (including certificate pinning), and the backend API it talks to. A mobile test almost always includes that API, because it is where most of the real risk sits.
Do you need our source code or test accounts?
We do not need source code, though sharing it (a grey or white-box test) usually finds more in the same number of days. What we do need is test accounts, ideally one per user role, so we can properly test access control and separation between tenants. We will tell you exactly what to set up during scoping.
Can you test in production, or do you need a staging environment?
Either works. Many application tests run safely against production under agreed rules of engagement; where there is a real risk to live data or uptime, a staging or pre-production environment that mirrors production is the safer choice. We agree this with you up front and work to your change windows.
How long does an application penetration test take?
It depends on the size of the app and the number of roles and workflows in scope. A small web app can be a few days; a large application with several user roles, an API and a mobile client runs longer. We scope it with you on a free call and give you a fixed number of testing days up front, so you know the cost before you commit.