Optimum Web
Multi-Framework · ISO 27001 · SOC 2 · CR-CROSS-09

Penetration Test — REST & GraphQL API

OWASP API Top 10 manual test. Up to 50 endpoints, REST or GraphQL. Auth flow review. Retest included. SOC 2 / ISO 27001 ready. €539 fixed. 7-day delivery.

Penetration Test — REST & GraphQL API by Optimum Web is a fixed-price compliance service covering OWASP API Top 10 + GDPR Art. 32 + ISO 27001 A.8.28 + SOC 2 CC7.1 + PCI DSS Req. 6/11. It costs €539, with delivery in 7 business days by senior security engineers. The deliverable is an OWASP API Top 10 coverage report with a PoC for each finding. A 14-day warranty is included.

Covers: OWASP API Top 10 + GDPR Art. 32 + ISO 27001 A.8.28 + SOC 2 CC7.1 + PCI DSS Req. 6/11


"Senior engineers who actually deliver what they promise. Rare."

Thomas K., IT Manager · Austria

€539
Fixed price, VAT excluded
7 business days · Senior engineers only
OWASP API Top 10 coverage report with PoC for each finding
Authentication and authorisation flow analysis across all user roles
Postman or Burp Suite collection of all tested requests
One free retest of critical and high findings within 30 days
14-Day Money-Back Guarantee
Issue recurs? We fix it free or refund in full. No questions asked.

Secured by PayPal · 256-bit SSL encryption

or order without payment
+373 22 843569
Service ID: CR-CROSS-09

This Service Covers

  • GDPR Article 32 — Regular testing of technical measures
  • ISO 27001 A.8.28 — Secure coding; A.8.29 — Security testing
  • SOC 2 CC7.1 — Vulnerability management

What You Get

Manual API security test covering the OWASP API Top 10, across up to 50 REST or GraphQL endpoints. Test classes include BOLA (broken object level authorization), broken authentication, broken object property level authorization, unrestricted resource consumption, broken function level authorization, SSRF, security misconfiguration, mass assignment, and business logic abuse. Authentication and authorisation flows are reviewed across all user roles. A Postman or Burp Suite collection of all tested requests is included in the deliverables.

Who Needs This

  • SaaS companies serving EU customers via API
  • Fintech, healthtech, and B2B platforms with mobile or partner integrations
  • Organisations that recently shipped a new API or major version
  • Teams whose last API security review is more than 12 months old
  • Businesses preparing for SOC 2 or ISO 27001 audit

ONGOING COMPLIANCE

Don't Want to Think About Compliance Every Quarter?

Compliance-as-a-Service: €729/month. We handle reviews, scans, documentation, security questionnaires. Your outsourced compliance officer.

Start CaaS — €729/month

Ready to Start?

€539 · 7 business days · 14-day warranty


Want ongoing compliance? Compliance-as-a-Service — €729/month

CLIENT REVIEWS

What Our Clients Say

4.8 / 5 · 172 clients · 25+ years

"Senior engineers who actually deliver what they promise. Fixed price, fixed timeline, thorough documentation. Rare combination."

Thomas K.
IT Manager · Manufacturing company · Austria

"Worked with 4 agencies before finding Optimum Web. First team that delivered exactly what the scope said, on time."

Sophie V.
Operations Manager · Logistics company · Belgium

"The 14-day warranty is real. Had a small follow-up question and it was handled same day, no extra charge."

Mikael B.
CTO · B2B SaaS · Germany

Frequently Asked Questions

Q: REST or GraphQL — both?
A: Either, or both. We adapt the methodology to each technology.

Q: How many endpoints are in scope?
A: Up to 50 in the base package. More endpoints are covered by a scoped quote.

Q: Do you test production or staging?
A: We prefer a staging environment that mirrors production. Production testing is possible with read-only credentials.

Q: What do you need from us to start?
A: API documentation (OpenAPI/Swagger or GraphQL schema), test accounts for each role, and a kickoff call.

Q: Can we get a retest after we fix findings?
A: Yes — one retest of critical and high findings is included within 30 days.

Q: Will this satisfy our SOC 2 auditor?
A: Yes. The deliverable includes a mapping to the SOC 2 Trust Service Criteria.
