Focused Web Application Penetration Test
Real manual penetration test of a single web application. Authenticated and unauthenticated testing, manual exploitation, ISO 27001 Annex A.8.29 ready.
Quick Answer
Real manual penetration test of a single web application. Authenticated and unauthenticated testing. Manual exploitation of all findings within Rules of Engagement. OWASP WSTG v4.2 methodology, OWASP Top 10:2025 and OWASP API Security Top 10 (2023) coverage. CVSS v3.1 scoring with CWE classification. Signed Attestation Letter accepted as evidence for ISO 27001 Annex A.8.29, SOC 2 CC4.1, and most enterprise vendor security reviews. 3–5 person-days. Delivered in 1.5–2 weeks. From €1,800.
Why You Need This
This is the minimum scope under which we will deliver work labelled "penetration test" and stand behind the deliverable in front of an enterprise security team or an ISO 27001 auditor.
Most SaaS startups and small B2B platforms don't need an Enterprise-tier engagement. They need a real, focused penetration test of their core application, producing evidence sufficient for an ISO 27001 Annex A.8.29 audit, SOC 2 CC4.1/CC7.1 evidence requests, an enterprise prospect's vendor security review, a cyber insurance underwriter's requirement, and annual security re-validation.
Who Requires This From You
- ISO/IEC 27001:2022 Annex A.8.29 — Security testing in development and acceptance
- SOC 2 Trust Services Criteria — CC4.1, CC7.1, CC7.2
- Enterprise vendor security questionnaires requiring "penetration test" (not "vulnerability assessment")
- Cyber insurance underwriters — AIG, Hiscox, Beazley, Chubb, Travelers standard questionnaires
- GDPR Article 32(1)(d) — Process for regularly testing, assessing and evaluating the effectiveness of security measures
- PCI DSS v4.0 Requirements 11.4.1–11.4.3 — Documented penetration testing methodology, with internal and external penetration testing at least annually and after significant changes
What You Get
Testing scope (one web application end-to-end)
- Authenticated testing with provided test accounts (multiple roles where applicable)
- Unauthenticated testing of public attack surface
- Manual exploitation of all findings where safely possible within Rules of Engagement
- OWASP WSTG v4.2 as the operational methodology, with full test-case coverage across the in-scope application
- OWASP Top 10:2025 and OWASP API Security Top 10 (2023) coverage
- Authentication and session management testing
- Authorisation enforcement testing
- Server-side and client-side injection testing
- Business logic flaws (where applicable to scope)
- Cryptographic implementation review
Deliverables
- Formal penetration test report (typically 15–25 pages)
- Executive summary, methodology, findings with CVSS v3.1 vectors and CWE classification
- Reproducible proof-of-concept evidence
- Remediation guidance per finding
- Signed Attestation Letter suitable for audit evidence file and vendor security file
- One round of clarification questions included
- Critical finding escalation within 4 hours of validation
Add-on options
- Remediation retest within 30 days (+€500)
- Additional clarification rounds (+€200/round)
- Auditor handover session (30 min) (+€200)
- Follow-up Q&A with end-customer's security team (+€300)
Pricing & Delivery
From €1,800 for a small, single-purpose web application. Up to €2,500 for a more complex single application with multiple user roles, integrated payment, file uploads, or moderate API surface. Exact figure confirmed in Statement of Work after scoping call.
Frequently Asked Questions
What's the difference between this and the €539 Vulnerability Assessment?
Vulnerability Assessment is automated scanning with manual validation of high-severity findings only. Focused Pentest is a real manual penetration test — every finding is exploited where safe, business logic flaws are tested, authorisation is challenged, and the Attestation Letter explicitly identifies the work as penetration test. If your auditor or prospect specifically requires "penetration test" rather than "vulnerability assessment", choose this tier.
Will this satisfy an ISO 27001 audit?
For Annex A.8.29 (Security testing) with a single in-scope application — typically yes, provided the application matches your ISMS scope. If your ISMS scope includes multiple distinct applications, separate APIs, or specific cloud infrastructure, additional testing may be needed. We recommend confirming your ISMS scope with your auditor before engagement.
Is remediation retest included?
Not by default at this tier (it's a +€500 add-on). Remediation retest is included as standard in our Standard tier (€4,500+) and above. The Focused Pentest is designed for budget-conscious engagements where retest can remain optional.
Can your report be shared with our enterprise customer?
Yes. The Attestation Letter is designed to be extractable as a standalone document for inclusion in your customer's vendor security file. Full report can be shared under standard confidentiality terms.
How quickly can you start?
Subject to current engagement load, typically 3–4 weeks after Statement of Work signature. For compliance-deadline-driven engagements, faster starts may be possible — please indicate urgency in your scoping request.
Do you sign DPAs?
Yes. UK GDPR-compliant DPAs and EU Standard Contractual Clauses are available. We act as a GDPR processor for all client engagements.
