Standard Web Application & API Penetration Test
Comprehensive pen test for multi-tenant SaaS. REST API testing, cross-tenant isolation, IDOR/BOLA testing. Remediation retest included as standard.
Quick Answer
Comprehensive penetration test for multi-tenant SaaS platforms. Includes authenticated and unauthenticated web app testing, REST API security testing aligned with OWASP API Security Top 10 (2023), cross-tenant isolation testing, authorisation matrix construction across multiple roles and tenants, IDOR and BOLA testing across the API surface, business logic flaws, and session security deep-dive. Remediation retest included as standard within 60 days. 8–12 person-days, delivered in approximately 3 weeks. From €4,500.
Why You Need This
This is our most-requested tier — the sweet spot for growing B2B SaaS platforms that have moved beyond a simple single-page application. If your platform has any of these characteristics, this is the right tier: multi-tenant architecture (subdomain-per-tenant, path-based, or header-based); REST APIs serving mobile apps, partner integrations, or webhooks; role-based access control with multiple permission levels; customer-uploaded files or documents; integration with third-party SaaS (Stripe, SendGrid, OAuth providers); or you are subject to ISO 27001, SOC 2, or enterprise vendor security review.
Who Requires This From You
- ISO/IEC 27001:2022 Annex A.8.29 + A.8.8 — Full audit evidence
- SOC 2 Trust Services Criteria — CC4.1, CC6.1, CC7.1, CC7.2, A1.2
- Enterprise vendor security reviews for B2B SaaS in regulated industries
- GDPR Article 32 — For B2B platforms processing personal data of EU citizens
- Cyber insurance underwriters at SMB+ tier — full coverage application
- PCI DSS 4.0 Requirement 11.4 — For payment processing platforms
What You Get
REST API security testing (OWASP API Security Top 10:2023)
- API1: Broken Object Level Authorization (BOLA / IDOR)
- API2: Broken Authentication
- API3: Broken Object Property Level Authorization
- API5: Broken Function Level Authorization
- API7: Server Side Request Forgery
- Mass assignment vulnerabilities
- Rate limiting and resource consumption
- JWT, OAuth, API key authentication mechanisms
Multi-tenant isolation testing
- Authorisation matrix construction (roles × endpoints × tenants)
- Cross-tenant data access attempts (IDOR / BOLA across tenant boundaries)
- Subdomain-based, path-based, and header-based tenancy testing
- File storage and retrieval tenant isolation
- Search and indexing tenant scoping
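As an added illustration (not part of the original page or the vendor's own tooling) of what the authorisation-matrix and search-scoping items above mean in practice, the harness below exercises every endpoint × tenant × role cell against two constructed in-process toy endpoints, one that forgets to scope the search index by tenant and its hardened form, and flags any cell that returns another tenant's data or serves data to an unauthenticated caller. The tenant names, documents and endpoint functions are constructed sample data, not from any real platform.

```python
from itertools import product

# Constructed sample: two tenants, each owning one searchable document.
DOCS = {
    "acme":   [{"id": 1, "title": "acme roadmap"}],
    "globex": [{"id": 2, "title": "globex payroll"}],
}
AUTHENTICATED_ROLES = {"member", "admin"}   # "anon" is unauthenticated

def search_unscoped(tenant, role, query):
    """Toy search endpoint with a constructed bug: it queries the whole index."""
    if role not in AUTHENTICATED_ROLES:
        return 401, []
    return 200, [d for docs in DOCS.values() for d in docs if query in d["title"]]

def search_scoped(tenant, role, query):
    """Hardened form of the same endpoint: results are filtered by the caller's tenant."""
    if role not in AUTHENTICATED_ROLES:
        return 401, []
    return 200, [d for d in DOCS.get(tenant, []) if query in d["title"]]

def owners_of(results):
    """Map returned objects back to the tenant that owns them."""
    return {t for t, docs in DOCS.items() for d in docs if d in results}

def build_matrix(endpoints, tenants, roles, query=""):
    """Exercise every endpoint x tenant x role cell; record status and owning tenants."""
    matrix = {}
    for (name, fn), tenant, role in product(endpoints.items(), tenants, roles):
        status, results = fn(tenant, role, query)
        matrix[(name, tenant, role)] = (status, owners_of(results))
    return matrix

def findings(matrix):
    """Flag cells that break isolation: foreign-tenant data, or data served to anon."""
    out = []
    for (name, tenant, role), (status, owners) in sorted(matrix.items()):
        leaked = sorted(owners - {tenant})
        if leaked:
            out.append((name, tenant, role, "cross-tenant", leaked))
        if role not in AUTHENTICATED_ROLES and status == 200:
            out.append((name, tenant, role, "unauthenticated", []))
    return out

if __name__ == "__main__":
    endpoints = {"search_unscoped": search_unscoped, "search_scoped": search_scoped}
    m = build_matrix(endpoints, ["acme", "globex"], ["anon", "member", "admin"])
    for f in findings(m):
        print(f)
```

Against a real platform the toy endpoint functions would be replaced by HTTP calls carrying each tenant's credentials, with the tenant supplied via subdomain, path or header as the application expects; the matrix and findings logic stay the same.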
Deliverables (everything in Tier 2, plus the following)
- Full penetration test report (typically 30–60 pages) with dedicated API and multi-tenant sections
- Compliance mapping section (ISO 27001 / SOC 2 / GDPR Art. 32)
- Prioritised remediation roadmap with effort estimates
- Signed Attestation Letter (extractable for vendor security file)
- Remediation retest included as standard (scheduled 30–60 days after report)
- Delta retest report documenting remediation status of each finding
- Auditor handover session (60 minutes, by Zoom)
- Follow-up Q&A with end-customer's security team
What Happens If You Don't
Our Process
Pricing & Delivery
From €4,500 for moderate-complexity multi-tenant SaaS with REST APIs. Up to €6,500 for higher-complexity platforms with multiple distinct user types, extensive API surface, or complex business logic. Add-on modules: OWASP LLM Top 10 (+€2,000–3,000), source code review (+€2,500–4,000), mobile app (+€3,500–5,500), cloud infrastructure check (+€1,500–3,000).
Frequently Asked Questions
How is "multi-tenant" defined for this tier?
Multi-tenant means your platform serves multiple distinct customers (tenants) with logical or physical isolation between their data. Tenancy can be implemented via separate subdomains (customer1.yourapp.com), URL paths (/customer1/), or HTTP headers. All three approaches are covered.
Will this satisfy SOC 2 Type II audit?
Yes — our deliverables align with the evidence requirements under CC4.1, CC6.1, CC7.1, CC7.2, and A1.2. The Attestation Letter is structured for direct inclusion in SOC 2 evidence files. We recommend a brief alignment call with your SOC 2 auditor before engagement to confirm specific control coverage.
Do you include OWASP LLM Top 10 testing?
Not as standard at this tier. LLM Top 10 testing requires specialist competency and dedicated effort — it's available as an add-on module (+€2,000–3,000). If your platform has significant AI/LLM features, we strongly recommend including this module.
What about cloud infrastructure (AWS / GCP / Azure)?
Cloud infrastructure surface is not included in the standard scope. It's available as an add-on (+€1,500–3,000) or fully covered in our Enterprise Tier 4 (€8,000+).
How does remediation retest work?
After delivering the initial report, you have up to 60 days to remediate findings. When ready, you notify us; we re-test only the remediated findings and produce a delta report documenting the status of each (Fixed / Partially Fixed / Not Fixed). This delta report is suitable for audit evidence. Additional retest rounds are +€500 each.
