Web Application Vulnerability Assessment
Independent assessment combining automated discovery with manual validation of high-severity findings. OWASP Top 10:2025. Signed Attestation Letter included.
Quick Answer
Independent vulnerability assessment of one web application. Combines automated discovery (Burp Suite Professional, Nuclei, OWASP ZAP) with manual validation of high-severity findings. Delivers structured VA report mapped to OWASP Top 10:2025 with CVSS v3.1 vectors and CWE classification. Includes signed Attestation Letter identifying the engagement as Vulnerability Assessment. Suitable evidence for ISO 27001 Annex A.8.8, GDPR Article 32 risk assessment, and many vendor security questionnaires.
Why You Need This
Most compliance scenarios require evidence of regular security testing, but not all of them specifically demand a full penetration test. Vulnerability Assessment is the legitimate, audit-recognised baseline, and it is the right fit when:
- your auditor accepts "regular vulnerability testing" rather than "penetration testing specifically"
- your enterprise prospect's vendor security questionnaire asks generally about "security testing"
- you need baseline security validation before investing in a full penetration test
- your budget doesn't yet support a full pentest engagement (€1,800+)
What VA is not: it is not a substitute for a penetration test where regulation specifically demands one. ISO 27001 Annex A.8.29 requires "security testing" which most auditors interpret as penetration testing. Where the requirement specifically names "penetration test", choose our Focused Pentest (€1,800+) instead.
Who Requires This From You
- ISO/IEC 27001:2022 Annex A.8.8 — Management of technical vulnerabilities
- GDPR Article 32 — Regular testing of effectiveness of security measures
- Some vendor security questionnaires — those asking about "regular security testing" without specifying penetration test
- Internal security baselines — for SaaS in pre-Series-A stage
What You Get
Automated discovery and scanning
- Burp Suite Professional (current licensed version)
- Nuclei with curated, regularly-updated templates
- OWASP ZAP automated baseline scan
- Subfinder + httpx for asset inventory
Manual validation of all high-severity findings
- Critical and High findings manually validated to eliminate false positives
- CVSS v3.1 vectors for each finding
- CWE classification per finding
- OWASP Top 10:2025 mapping
Deliverables
- Structured Vulnerability Assessment Report (executive summary, methodology, findings)
- Remediation guidance per finding
- Signed Attestation Letter explicitly identifying the engagement as Vulnerability Assessment
- One round of clarification questions within 14 days of delivery
Pricing & Delivery
€539 fixed price — one web application, public attack surface.
Add-ons:
- Authenticated testing → upgrade to Focused Pentest (€1,800+)
- REST API depth → upgrade to Standard Pentest (€4,500+)
- Remediation retest → +€200
Frequently Asked Questions
Is this a penetration test?
No. This is a Vulnerability Assessment (VA). The Attestation Letter explicitly identifies it as VA. We use this honest labelling because the difference matters in audit and procurement contexts. If your requirement specifically names "penetration test", choose our Focused Pentest (€1,800+) instead.
Will my auditor accept this?
It depends on your specific control requirement. For ISO 27001 Annex A.8.8 (Management of Technical Vulnerabilities) — typically yes. For Annex A.8.29 (Security testing in development and acceptance) — auditor-dependent; most accept it but some specifically require pen testing. We recommend confirming with your auditor before purchase.
How is this different from a free online scanner?
Three things: (1) we use Burp Suite Professional, Nuclei, and OWASP ZAP — professional commercial-grade tools, not free SaaS scanners; (2) every high-severity finding is manually validated by a certified engineer to eliminate false positives; (3) we deliver a structured report and signed Attestation Letter recognised in audit contexts. Free scanners deliver raw output with no validation and no formal report.
What if you find Critical vulnerabilities?
Critical-severity findings are communicated to your nominated contact within 4 hours of validation via secure channel, with clear reproduction steps and immediate remediation guidance. We don't wait for the report delivery date.
Can I order this anonymously?
You need to be the legitimate owner or authorised representative of the target application — we will verify this during NDA signature. Beyond that, your engagement is held under strict confidentiality.
