Web Application & API Pentest
OWASP, business logic, auth bypass - from login to back-end
We test your web applications and APIs for known vulnerability classes and for the application-specific flaws no signature database covers, from the OWASP Top 10 to complex business logic. Our approach combines automated scanning with in-depth manual testing by experienced pentesters.
What is a web application pentest?
A web application pentest is a security assessment where we attack your web application like a real hacker would. SQL injection, cross-site scripting, broken authorisation, business-logic flaws - we test it all. Not to tick boxes, but to demonstrate what can actually go wrong: can an attacker steal data, take over accounts or manipulate payments?
The difference with an automated OWASP scan? Tools like Burp Suite, Nuclei and ZAP find known patterns. But the vulnerabilities we most frequently report - IDORs in API endpoints, race conditions in payment flows, JWT abuse, OAuth misconfigurations - are rarely found by scanners, because they depend on what the application is supposed to do rather than on a recognisable signature. You only find those through manual work by someone who understands how web applications are built. From React frontends and GraphQL APIs to microservice architectures: our pentesters know the stack.
OWASP Top 10 and beyond
The OWASP Top 10 is our starting point, not our finish line. We test for injection, broken access control, security misconfiguration, SSRF and all other categories. But the most impactful vulnerabilities often fall outside this list. It is the flaws in your specific business logic that make the difference - and no framework finds those automatically.
Why should you get a web application pentest?
Your web application is directly exposed to the internet. It is the first thing an attacker sees:
- Prevent data breaches: broken authorisation leads to access to customer data, financial records or medical files.
- Protect reputation: a hacked web application directly damages client trust.
- Compliance: ISO 27001, NIS2, PCI-DSS and GDPR expect regular security testing and evidence that it took place; a pentest report is that evidence.
- Early discovery is cheaper: fixing a vulnerability in production costs 10-100x more than during development.
Our approach
Our web application pentests combine methodical manual work with targeted automation:
- Scoping - you speak directly with the pentester who will perform the test. Together we determine which components, roles and functionalities are in scope.
- Mapping & discovery - mapping all endpoints, parameters, API calls and authentication flows, with Burp Suite Professional alongside extensive manual exploration.
- Authentication & authorisation - login mechanisms (brute force, credential stuffing, MFA bypass), session management and RBAC. Can a regular user perform admin actions? Can customer A view customer B's data?
- Input handling - SQL, NoSQL, LDAP, OS command injection, XSS (reflected, stored, DOM-based), SSRF, XXE, template injection.
- Business logic - manual testing of workflows: can a user skip steps, manipulate prices, repeat actions that should be one-time?
- Reporting - management summary, technical write-ups with reproduction steps, CVSS scores and priority recommendations. We call you about critical findings - they do not sit in a report for three weeks first.
- Retest - after your fixes we can verify whether vulnerabilities have been resolved.
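The authorisation step above asks "can customer A view customer B's data?". The following is an added example, not the firm's own tooling or any client's code: a minimal in-memory invoice API with a horizontal authorisation flaw (IDOR) next to its fixed version, plus the black-box probe a pentester runs to find it: request every object ID with every available session and flag any ID that two different users can both read. Users, tokens, invoice data and the endpoint shape are constructed for illustration.

```python
"""Horizontal authorisation (IDOR) check against a minimal in-memory API.

Added example, not the firm's tooling or a client's code. Users, sessions
and invoices are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed data: two customers, each owning one invoice.
INVOICES = {
    1: {"owner": "alice", "amount": 120.0},
    2: {"owner": "bob", "amount": 980.0},
}
# Constructed bearer tokens mapped to the authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def current_user(headers: dict) -> Optional[str]:
    """Resolve the bearer token to a user, or None if unauthenticated."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):].strip())


def get_invoice_vulnerable(invoice_id: int, headers: dict) -> Response:
    """GET /invoices/<id>: authenticates the caller but never checks who
    owns the invoice, so any logged-in user can read any invoice (IDOR)."""
    if current_user(headers) is None:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return Response(404)
    return Response(200, inv)


def get_invoice_fixed(invoice_id: int, headers: dict) -> Response:
    """Same endpoint with an object-level ownership check."""
    user = current_user(headers)
    if user is None:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        # Same status for "missing" and "not yours", so the ID space
        # cannot be enumerated through the error code.
        return Response(404)
    return Response(200, inv)


def idor_probe(handler: Callable[[int, dict], Response],
               sessions: dict, ids: Iterable[int]) -> list:
    """Black-box check: request each object ID with every session.

    An ID that two different users can both read with 200 is a candidate
    leak; no knowledge of the server-side owner field is needed. Objects
    that are legitimately shared between users would show up here too,
    so the result is a list to verify by hand, not a verdict.
    """
    leaks = []
    for i in ids:
        readers = [user for token, user in sessions.items()
                   if handler(i, {"Authorization": f"Bearer {token}"}).status == 200]
        if len(readers) > 1:
            leaks.append((i, readers))
    return leaks


if __name__ == "__main__":
    print("vulnerable:", idor_probe(get_invoice_vulnerable, SESSIONS, range(1, 3)))
    print("fixed:     ", idor_probe(get_invoice_fixed, SESSIONS, range(1, 3)))
```

Against a real target the probe is the same loop over two or more real sessions, with the handler replaced by an HTTP request; the interesting cases are the IDs where the responses agree across sessions. Note that the fixed handler deliberately returns 404 rather than 403 for another user's invoice, so the probe cannot tell "exists but not mine" from "does not exist".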
What does a web application pentest cost?
Our hourly rate is €175 per hour. The total investment depends on your application:
- Small application (5-10 endpoints, 1-2 roles): approximately €3,500 - €7,000 (roughly 20-40 hours)
- Medium application (20-50 endpoints, multiple roles, API): approximately €7,000 - €15,000 (roughly 40-85 hours)
- Large/complex application (100+ endpoints, microservices, complex business logic): €15,000+ (85+ hours)
Methodology
Scoping
Inventory of application size, authentication and critical functionality.
Recon & Mapping
Mapping all endpoints, parameters and API calls.
Vulnerability Assessment
Systematic testing for the OWASP Top 10 and application-specific vulnerabilities.
Exploitation
Demonstrating impact through controlled exploitation.
Reporting & Retest
Prioritised report with proof of concept, and a retest after fixes.
Frequently asked questions
What is the difference between a web application pentest and a vulnerability scan?
A vulnerability scan runs automated checks for known patterns. We manually search for things scanners miss: business logic flaws, authorisation issues, chained exploits. The difference is a security camera versus a burglar actually testing your house.
Do you also test Single Page Applications and API-only backends?
Yes. React, Vue, Angular frontends, REST and GraphQL APIs, microservices, serverless - we know these architectures and their specific risks. CORS misconfigurations, JWT vulnerabilities, GraphQL introspection abuse - we know where to look.
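One of the JWT vulnerability classes mentioned above, as an added example that is not part of the original page and not taken from any client's application: a verifier that trusts the token's own `alg` header accepts an unsigned `alg: none` token and lets the bearer rewrite their claims; the corrected verifier pins the algorithm server-side and only then checks the HMAC. Tokens are hand-rolled with the standard library so the check runs offline; the secret, claims and helper names are constructed for illustration.

```python
"""JWT 'alg: none' confusion: vulnerable verifier next to a pinned one.

Added example, not the firm's tooling or a client's code. The secret and
claims are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed; never hard-code in real code


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(claims: dict) -> str:
    """Issue a legitimate HS256 token for the given claims."""
    header = b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = b64url(_json(claims))
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_vulnerable(token: str) -> Optional[dict]:
    """Lets the token choose its own algorithm: 'none' skips the signature."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256":
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_fixed(token: str) -> Optional[dict]:
    """Pins HS256 server-side; the header's alg is only allowed to agree."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p))


def forge_alg_none(new_claims: dict) -> str:
    """Attacker side: unsigned token with 'alg: none' and chosen claims."""
    header = b64url(_json({"alg": "none", "typ": "JWT"}))
    payload = b64url(_json(new_claims))
    return f"{header}.{payload}."


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user"})
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("vulnerable accepts forged:", verify_vulnerable(forged))
    print("fixed accepts forged:     ", verify_fixed(forged))
    print("fixed accepts legit:      ", verify_fixed(legit))
```

The same pinning rule covers the related confusion where an RS256 public key is reused as an HS256 secret: the server decides the algorithm and key, never the token. In a test, the quick check is to strip the signature, set `alg` to `none` (try the capitalisations `None` and `NONE` too) and see whether a protected endpoint still answers.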
Do you need access to the source code?
Not for a black-box test. For a white-box test, yes, and with the source code at hand we find more in less time. Our advice: white-box, unless you specifically want to test the black-box scenario. We discuss this during the scoping call - with the pentester, not a sales rep.
Can the pentest be performed on my staging environment?
Yes, we actually recommend it. Staging prevents risk to production data. The staging environment does need to be representative: the same code version and the same configuration as production (authentication, WAF, rate limiting), otherwise findings may not transfer. We help you assess whether that is the case.
Ready to test your security?
Get in touch with our team for a no-obligation conversation about your security challenges.