Enterprise SaaS Penetration Test
Maximum-scope penetration testing for fintech, healthtech, and regulated B2B platforms. Web + API + Cloud + Integrations. Two-tester team with independent QA review.
Quick Answer
Maximum-scope penetration testing for Series-A+ SaaS, fintech, healthtech, and regulated B2B platforms. Includes all Tier 3 scope plus cloud infrastructure surface, async/background processing paths, webhook and integration security, SSO/OAuth deep-dive, and custom exploitation development. Delivered by a two-tester team (Lead and Senior) plus an independent QA Reviewer who peer-reviews all findings. 15–22 person-days, delivered in 4–5 weeks. Optional OWASP LLM Top 10 module for AI-powered platforms. From €8,000.
Why You Need This
This tier is for platforms where the consequences of a security incident are existential or industry-shaking: regulated industries (finance, healthcare, legal, defence-adjacent); multi-million-customer SaaS where breach means mass GDPR notification; B2B platforms whose enterprise customers are themselves regulated; public sector contracts requiring deep security validation; or pre-IPO / pre-Series-B security due diligence.
Who Requires This From You
- ISO/IEC 27001:2022 Annex A.8.29 + A.8.8 — Full enterprise audit evidence
- SOC 2 Trust Services Criteria — CC4.1, CC6.1, CC7.1, CC7.2, A1.2
- DORA Article 25 — Threat-Led Penetration Testing (TLPT) for in-scope financial entities
- NIS2 Directive Article 21 — Risk management measures for essential and important entities
- PCI DSS 4.0 Requirement 11.4 — For payment processing platforms
- Multinational enterprise vendor security reviews with deep technical scrutiny
What You Get
All Tier 3 scope, plus cloud infrastructure
- AWS / GCP / Azure surface assessment
- Publicly exposed services inventory
- IAM misconfigurations
- Storage permissions (S3, Blob, Cloud Storage)
- Network segmentation testing
- Secrets exposure in repositories and infrastructure
Asynchronous, webhook, and integration security
- Message queue security (RabbitMQ, SQS, Pub/Sub)
- Worker/cron job authorisation
- Webhook authentication and replay attacks
- Third-party API integration security
- Service-to-service authentication
SSO/OAuth deep-dive & custom exploitation
- OAuth 2.0 / OIDC implementation review
- SAML SSO security
- Identity provider integration
- Trust boundary verification
- Custom PoC scripts for complex business logic flaws
Enhanced deliverables (two-tester team)
- Full enterprise-grade pen test report (typically 50–100 pages)
- Multi-stakeholder findings presentation (1-hour call)
- Auditor handover session (90 minutes)
- Multi-round follow-up with end-customer security teams
- Quarterly briefing for the following 12 months (included)
- Independent peer review by QA Reviewer
Pricing & Delivery
From €8,000 for enterprise SaaS without specialist add-ons. Up to €12,000 for highly complex platforms (multiple cloud providers, extensive integrations, multiple distinct user types). Add-on modules: OWASP LLM Top 10 (+€2,000–3,000), mobile app (+€3,500–5,500), source code review (+€3,500–6,000), threat modelling workshop (+€1,500–2,500), tabletop IR exercise (+€2,500–4,000).
Frequently Asked Questions
What does "two-tester team" mean in practice?
The Lead Penetration Tester drives primary test execution. The Senior Consultant provides specialist depth on specific areas (cloud, APIs, OAuth). The QA Reviewer independently reviews all findings for severity calibration and false positive elimination before the report is finalised. This three-layer structure significantly reduces the risk of missed findings and severity miscalibration.
Does this satisfy DORA Article 25 (TLPT)?
DORA Article 25 mandates Threat-Led Penetration Testing (TLPT) for in-scope significant financial entities. Our Enterprise tier covers the technical execution component. Full TLPT compliance also requires a Threat Intelligence (TI) provider and specific documentation formats. We can coordinate with your TI provider. For smaller financial entities not in the TLPT scope, our Tier 3 Standard is typically sufficient.
Can you work under our enterprise NDA template?
Yes, in most cases. We review enterprise NDA templates under English law. EU/UK DPAs (including Standard Contractual Clauses) are available. For non-standard jurisdiction requirements, we'll flag this during the scoping call.
What cloud providers are covered?
AWS, Google Cloud Platform (GCP), and Microsoft Azure are covered in the standard Enterprise tier scope. Multi-cloud environments are covered within the standard engagement price. Dedicated cloud security review (without web/API component) is available as a separate engagement.
Is this suitable for pre-IPO security due diligence?
Yes. Pre-IPO due diligence security reviews typically require exactly what this tier delivers: broad scope, independent peer-reviewed report, formal Attestation Letter, evidence of methodology alignment with recognised standards (OWASP, PTES, NIST), and auditor handover capability. We can structure deliverables specifically for due diligence evidence files on request.
