Web, API and mobile, tested by hand.

Your web apps, APIs and mobile apps are where your business logic and your customer data live, and where attackers spend most of their time. We test them by hand, mapped to OWASP, and prove the flaws that actually matter.

Web application

Manual testing of your web apps against the OWASP Top 10 and beyond: authentication, access control, injection, and the business-logic flaws automated tools never find.

  • Authentication & sessions
  • Access control (IDOR)
  • Injection & XSS
  • Business logic

API

REST and GraphQL, and the integrations your apps and partners rely on. We test the auth, object-level access and logic that scanners cannot reach.

  • REST & GraphQL
  • Auth (OAuth / JWT / keys)
  • BOLA / BFLA
  • Rate limiting & abuse

Mobile applications

iOS and Android apps and the backends behind them, tested to the OWASP MASVS: on-device storage, transport security, and the API they talk to.

  • iOS & Android
  • Local data storage
  • Code analysis
  • Backend API

Where the real risk hides.

Scanners are good at known issues. The findings that actually hurt are the ones that need a human: broken access between users, logic you can abuse, and small issues that chain into a full compromise. That is where we spend our time.

  • Broken access control and privilege escalation between roles
  • Business-logic flaws unique to how your application works
  • Authentication, session handling and multi-tenant isolation
  • Low-severity issues chained into account takeover

How an application test runs.

We run every application test the same disciplined way, six phases from scoping to retest, so you can follow the work as it happens.

  1. 01

    Scope and test accounts

    We agree the apps, APIs and user roles in scope, get the test accounts and any source access sorted, and sign off the rules of engagement before we start.

  2. 02

    Mapping and recon

    We map every page, endpoint, parameter and role, so nothing in scope goes untested and we understand how the app is meant to work.

  3. 03

    Automated and manual testing

    We run tooling for coverage, then test by hand for the flaws tools cannot see: access control, logic and chained issues.

  4. 04

    Exploitation

    We safely exploit what we find and prove the real impact: account takeover, access to sensitive data, privilege escalation.

  5. 05

    Business logic and abuse

    We work through your app the way a motivated user would, abusing workflows, limits and trust boundaries to see what breaks.

  6. 06

    Report and retest

    You get an executive and technical report within 48 hours, then a free retest of critical and high findings once you have fixed them.*

What you get.

You get a report built to be used: a clear executive summary your board can act on, and the technical depth your developers need to close each finding.

  • A senior, CREST-certified tester on your app from first login to final report
  • Executive and technical report within 48 hours of testing finishing
  • Each finding rated by CVSS and by the real impact on your business
  • Fixes your developers can apply, prioritised by what matters most
  • A working proof of concept for every issue we report
  • A free retest of critical and high findings within 30 days*

* The free retest covers critical and high findings within 30 days, one retest per engagement, delivered remotely and excluding on-site costs. Applies to UK-based engagements only. See our terms for full details.

Application testing, answered.

Straight answers to what clients ask most about application engagements.

What is the difference between a vulnerability scan and an application penetration test?

A scan is mostly automated: it crawls the app and flags known issues and misconfigurations, which is useful for breadth but cannot understand what your application is meant to do. A penetration test is hands-on: a CREST-certified tester works through the app like a real attacker, chaining flaws and abusing business logic to prove genuine impact, such as account takeover or access to data belonging to other customers. Scanning gives you coverage; a pen test gives you depth, and most teams want both.

Do you test APIs, including REST and GraphQL?

Yes. We test REST and GraphQL APIs, whether they sit behind a web or mobile app or serve partners directly. We focus on the things scanners miss: authentication and token handling, object-level and function-level access control (BOLA and BFLA), input handling, and the logic of how endpoints chain together.

Do you test mobile apps for iOS and Android?

Yes. We test iOS and Android apps to the OWASP MASVS, covering how the app stores data on the device, how it protects its traffic (including certificate pinning), and the backend API it talks to. A mobile test almost always includes that API, because it is where most of the real risk sits.

Do you need our source code or test accounts?

We do not need source code, though sharing it (a grey or white-box test) usually finds more in the same number of days. What we do need is test accounts, ideally one per user role, so we can properly test access control and separation between tenants. We will tell you exactly what to set up during scoping.

Can you test in production, or do you need a staging environment?

Either works. Many application tests run safely against production under agreed rules of engagement; where there is a real risk to live data or uptime, a staging or pre-production environment that mirrors production is the safer choice. We agree this with you up front and work to your change windows.

How long does an application penetration test take?

It depends on the size of the app and the number of roles and workflows in scope. A small web app can be a few days; a large application with several user roles, an API and a mobile client runs longer. We scope it with you on a free call and give you a fixed number of testing days up front, so you know the cost before you commit.

Ready to scope your application test?

Tell us what your apps and APIs look like and what you are worried about. We will come back within one working day with a suggested approach and a fixed-price scope you can sign off with confidence.

Book a scoping call