Penetration testing

A real, human-led pen test. Not an automated scan with a different label.

A senior engineer manually probes your application for the things scanners can't find — IDOR, broken access control, business logic abuse, chained exploits, authenticated session attacks. Methodology-based, fixed-fee, with an audit-ready report.

$4,999 flat · $1,999 retest · 5–10 business day turnaround · Stakeholder-ready report

Pick the right tool for the actual question.

Different problems need different answers. Both are useful. They aren't the same thing — and we're never going to pretend they are.

Automated Security Assessment

Our scanner toolchain runs against your application. Catches a real, defined subset of issues. Great as an annual artifact for vendor questionnaires and a baseline for any team.

  • Missing security headers (CSP, HSTS, etc.)
  • TLS / cipher misconfigurations
  • Known CVEs in your stack
  • Exposed admin panels, .git folders, .env files
  • Verbose error / stack trace disclosure
$1,999 / year · all-in flat rate · see the automated service →

Penetration Testing · SENIOR TESTER, HUMAN-LED

A senior engineer spends real time in your application. Manual exploitation, business logic probing, authenticated session attacks, chained exploits. The class of finding scanners genuinely cannot produce.

  • IDOR / broken access control (OWASP A01)
  • Authentication & session attacks (MFA bypass, fixation)
  • Business logic flaws (coupon abuse, race conditions, workflow bypass)
  • Injection: SQL / NoSQL / command / template (OWASP A03)
  • Server-side request forgery (SSRF) / SSTI
  • API authorization (BOLA / BFLA)
  • Privilege escalation & chained-exploit paths
$4,999 / engagement · $1,999 retest · book a pen test →

What we hunt for that scanners genuinely can't.

Selected categories from the OWASP Web Security Testing Guide that need a person, not a template, to evaluate.

A01 / Authorization

Broken access control & IDOR

User A reading or modifying User B's data. Forced browsing to admin endpoints. Indirect object references that aren't authorized.

OWASP A01:2021

A07 / Identification & auth

Authentication bypass

MFA bypass, session fixation, token reuse, race conditions in login flow, password-reset weaknesses, JWT mishandling.

OWASP A07:2021

Business logic

Workflow & logic abuse

Coupon stacking, race conditions on rate-limited actions, multi-step bypass, abuse of refund / cancel / role-change flows.

OWASP WSTG-BUSL

A03 / Injection

SQL / NoSQL / command injection

Beyond the templated checks — context-aware payload crafting, second-order injection, blind & time-based exfiltration, NoSQL operator injection.

OWASP A03:2021

A10 / SSRF

Server-side request forgery

Coercing your backend to reach internal services, cloud metadata endpoints (IMDSv1/v2), or arbitrary URLs. Often chains into RCE.

OWASP A10:2021

API security

BOLA & BFLA (API authz)

Broken object-level authorization and broken function-level authorization across your REST/GraphQL/gRPC endpoints, including admin-only paths reachable as a regular user.

OWASP API1, API5

We follow standards your auditor already knows.

Every engagement maps to documented, public methodologies — so the report is defensible end-to-end.

PTES — Penetration Testing Execution Standard

The seven-phase industry framework: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, reporting. Our engagements explicitly track each phase.

pre-engage · recon · threat-model · exploit · post-exploit · report

OWASP Web Security Testing Guide v4.2

The canonical checklist of test cases for web applications — 100+ documented procedures across configuration, identity, authentication, authorization, session, input validation, error handling, cryptography, and business logic.

WSTG-CONF · WSTG-IDNT · WSTG-AUTHN · WSTG-AUTHZ · WSTG-SESS · WSTG-INPV · WSTG-CRYP · WSTG-BUSL

OWASP ASVS v4.0.3

The Application Security Verification Standard. Findings are mapped to specific ASVS controls (Level 1 / 2 / 3) so the report can drop directly into your compliance evidence package.

V1–V14 · Level 1 · Level 2 · Level 3

MITRE ATT&CK Mapping

Exploitation paths are mapped to the MITRE ATT&CK matrix (Initial Access, Execution, Persistence, Privilege Escalation, Lateral Movement) so your detection & response team can simulate the chain.

Initial Access · Execution · Persistence · Priv Esc · Lateral

The specific probes a senior engineer runs and the engine automates.

A pen test stops being magic when you can read what the engine does. Here's the actual coverage list — these are the phases that fire on every engagement, plus the human review on top.

→ IDOR — the high-leverage class

Sequential-ID fuzz on numeric-arg GraphQL/REST operations

For every authenticated operation that takes a numeric id / userId / paymentId / orderId, we fuzz the ID range under your customer-tier token and diff response bodies. If 2xx responses contain other users' data (email, amount, token, createdAt patterns), it's flagged High with a Burp-Intruder-style results grid in the report. This is the class an automated scanner doesn't catch but an enterprise pen tester does.

→ Account-flow probing

Mutation-diff user enumeration

For each auth/account mutation (resetPassword, forgotPassword, sendInvite, requestMagicLink, passwordlessLogin), we send one request with a known-valid email and one with a random invalid email. If the responses differ (status, body length, errors[].code), the mutation is enumerable — an attacker can iterate any email list against it to discover registered accounts.
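For comparison, an added example (not the service's own tooling) of what the mutation-diff looks for and how a reset handler avoids giving it anything: a leaky and a hardened `resetPassword` side by side, with the valid-vs-invalid diff run as a self-check. `REGISTERED`, the handler names and the addresses are constructed for this example.

```python
"""Added example (not the service's own tooling): a password-reset mutation
written two ways, next to the valid-vs-invalid response diff described above,
run as a self-check. REGISTERED, the handlers and the addresses are all
constructed for the example."""
import json
from dataclasses import dataclass

# Constructed user store: only these addresses have accounts.
REGISTERED = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def reset_password_leaky(email: str) -> Response:
    """Enumerable: status, body length and errors[].code all depend on
    whether the account exists."""
    if email not in REGISTERED:
        return Response(404, {"errors": [{"code": "USER_NOT_FOUND"}]})
    return Response(200, {"data": {"resetPassword": {"sent": True}}})


def reset_password_hardened(email: str) -> Response:
    """Same status, same body, same field values for every input. Whether
    a mail is actually sent is decided out-of-band and never reaches the
    response, so the diff below has nothing to key on."""
    if email in REGISTERED:
        _queue_reset_email(email)  # side effect only
    return Response(200, {"data": {"resetPassword": {"accepted": True}}})


def _queue_reset_email(email: str) -> None:
    # Stand-in for an async mail job. A real one should also rate-limit per
    # address so that timing and mail volume cannot become the oracle.
    pass


def diff_signals(handler, valid_email: str, invalid_email: str) -> dict:
    """Send one known-valid and one invalid address through the handler and
    report every signal that differs: status, serialized body length and the
    list of errors[].code. An empty dict means no enumeration signal."""
    a, b = handler(valid_email), handler(invalid_email)

    def codes(r: Response) -> list:
        return [e.get("code") for e in r.body.get("errors", [])]

    signals = {}
    if a.status != b.status:
        signals["status"] = (a.status, b.status)
    len_a, len_b = len(json.dumps(a.body)), len(json.dumps(b.body))
    if len_a != len_b:
        signals["body_length"] = (len_a, len_b)
    if codes(a) != codes(b):
        signals["error_codes"] = (codes(a), codes(b))
    return signals
```

Response timing is a fourth signal the diff above does not measure; the hardened handler keeps the mail dispatch asynchronous for that reason.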

→ Schema-driven mutation enumeration

Per-mutation cross-tenant authorization

When introspection is enabled or you provide schema.graphql, we parse every mutation, identify args matching id / email / targetUserId patterns, and replay each under one tenant's token with another tenant's IDs. Flags any 2xx response with data belonging to the other tenant. Catches business-logic IDOR no generic scanner finds.

→ Shadow endpoint discovery

Forgotten GraphQL gateway probe

Even if your documented /graphql correctly blocks introspection, a forgotten Apollo Federation gateway can be sitting at /graphiql / /graphiql.php / /playground / /altair leaking the full schema. We probe all common paths with a real introspection query and grade the finding Medium when types are exposed.

→ OWASP API Security Top 10

OpenAPI ingestion + per-endpoint authorization probe

When you provide openapi.json or swagger.json, we enumerate every endpoint and probe each with customer + admin tokens + no-auth. Flags admin-only endpoints accepting customer tokens (BFLA), supposedly-authed endpoints returning 2xx without auth, and broken function-level authorization across REST and GraphQL.
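The three authorization probes above (sequential-ID fuzz under a customer token, cross-tenant replay, and the customer/admin/no-auth sweep over every endpoint) reduce to one matrix a team can run against its own handlers. Added example, not the service's engine: `TOKENS`, `ORDERS`, `ENDPOINTS` and the two app variants are constructed stand-ins for real principals, a real data store and an OpenAPI-derived endpoint list.

```python
"""Added example (not the service's own tooling): the per-endpoint
authorization sweep and sequential-ID diff as a self-check. Tokens, users,
orders and the endpoint table are constructed for the example."""
from typing import Optional

# Constructed principals: token -> (user id, tenant, role). None = no auth.
TOKENS = {"t-cust-1": (1, "acme", "customer"),
          "t-cust-2": (2, "globex", "customer"),
          "t-admin": (9, "acme", "admin")}
# Constructed order store keyed by sequential id (the IDOR-prone pattern).
ORDERS = {100: {"owner": 1, "tenant": "acme", "amount": 42.0},
          101: {"owner": 2, "tenant": "globex", "amount": 17.5}}
# Endpoint table as a schema ingester would produce it: route, minimum role.
ENDPOINTS = [("GET /orders/{id}", "customer"), ("GET /admin/users", "admin")]

def handle(app: str, route: str, token: Optional[str], obj_id: int = 0):
    """Dispatch one request; app is 'vulnerable' or 'hardened'.
    Returns (status, body)."""
    principal = TOKENS.get(token)
    if route == "GET /admin/users":
        # Vulnerable variant only checks that *some* token was sent (BFLA).
        ok = principal is not None if app == "vulnerable" else (
            principal is not None and principal[2] == "admin")
        return (200, {"users": list(TOKENS.values())}) if ok else (403, {})
    if route == "GET /orders/{id}":
        if principal is None:
            return 401, {}
        order = ORDERS.get(obj_id)
        if order is None:
            return 404, {}
        # Hardened variant scopes the lookup to the caller's tenant and to
        # ownership (admins see their tenant); vulnerable one trusts the id.
        if app == "hardened":
            uid, tenant, role = principal
            owned = order["owner"] == uid or role == "admin"
            if order["tenant"] != tenant or not owned:
                return 404, {}  # same status as "missing": no oracle
        return 200, order
    return 404, {}

def probe(app: str) -> list:
    """Replay every endpoint with no auth, a customer token and an admin
    token, then fuzz the id range under one customer token and flag any 2xx
    whose body belongs to another user or tenant."""
    findings = []
    for route, min_role in ENDPOINTS:
        st_none, _ = handle(app, route, None, 100)
        st_cust, _ = handle(app, route, "t-cust-1", 100)
        if 200 <= st_none < 300:
            findings.append(f"no-auth 2xx on {route}")
        if min_role == "admin" and 200 <= st_cust < 300:
            findings.append(f"BFLA: customer token accepted on {route}")
    uid, tenant, _ = TOKENS["t-cust-1"]
    for oid in range(95, 106):
        st, body = handle(app, "GET /orders/{id}", "t-cust-1", oid)
        if 200 <= st < 300 and (body["owner"] != uid or body["tenant"] != tenant):
            findings.append(f"IDOR: id {oid} readable cross-user/tenant")
    return findings
```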

→ Anti-fabrication controls

Pre-publication verification gate

Before any finding ships, four gates fire: (1) every critical/high finding's captured PoC is re-fired against the target; if the response has diverged from the original capture, the finding is downgraded; (2) any GraphQL operation name referenced in the report is verified against the live schema; (3) infrastructure mentions (AWS / GCP / Azure) are cross-checked against the target's actual cloud; (4) every HTTP capture is stamped with a timestamp and replay token for the audit trail. If a finding doesn't reproduce within minutes of ship, you don't see it in the report.


The Remediation Report — included free

After you remediate, request a retest from your dashboard. A senior engineer re-runs the original scan, marks every finding Fixed / Still Vulnerable / Not Tested with verification notes, and ships a separate signed Remediation Report — its own dated artifact with its own letter grade (green A if everything's fixed). This is the document procurement teams at enterprise customers ask for when they want proof of remediation. Most boutique consultancies charge for this separately; here it's included.

Scope to retest, start to finish.

01 / SCOPE

Pre-engagement

Define targets, rules of engagement, authorized timeframe. You sign the scope-of-work; we sign the NDA.

~2–3 days

02 / RECON

Recon & threat model

Surface mapping, subdomain enumeration, attack surface scoping, threat model based on your application's trust boundaries.

~2 days

03 / TEST

Active testing

Manual exploitation, business-logic probing, authenticated flows, chaining. PoC capture as we go.

~5–10 days

04 / REPORT

Findings report

Executive summary, technical details, reproducible PoCs, CVSS, remediation. Mapped to your compliance framework.

~3 days

05 / RETEST

Retest & sign-off

After remediation, we retest each finding and issue a remediation report you can hand to the auditor.

included

Reports mapped to the frameworks your auditor already knows.

Findings include the specific control reference for each major framework — drop straight into your evidence collection.

  • SOC 2: CC6.1, CC6.6, CC7.2
  • ISO 27001: A.12.6.1 · A.18.2.3
  • PCI DSS 4.0: Requirement 11.4
  • HIPAA: § 164.308(a)(8)

What we deliver to your auditor: a defensible, methodology-based pen test report mapped to the specific controls above, with CVSS-scored findings and reproducible proof-of-concept evidence per issue. Acceptance is between you and your auditor; in our experience, reports built this way are accepted on first review.

One named engineer. One report. One retest.

Single engineer ownership

A single engineer is named in the Statement of Work and owns your engagement end-to-end: scope conversation, testing, reporting, and the retest. No mid-engagement handoffs, no junior contractors layered underneath.

When you reply in the engagement thread, you're talking to the person actually running the test — not a project manager translating to a tester.

No offshoring, no juniors-in-the-shadow

A significant problem in the pen-test industry: the firm you signed with isn't who's actually testing your app. Junior contractors, offshore subs, or "associates" do the work; the named senior signs the report.

We don't operate that way. The engineer named on your SoW is the engineer testing your application. We'd rather take fewer engagements than scale that out.

Documented methodology, not vibes

Every engagement follows a published methodology — PTES, OWASP WSTG v4.2, OWASP ASVS v4.0.3, MITRE ATT&CK, CVSS v3.1 — and the report's methodology coverage matrix shows exactly which test cases were evaluated.

You can audit our methodology against the deliverable. Nothing relies on "trust me, we know what we're doing."

Same-day critical disclosure

Any critical-severity finding is disclosed the same day it's identified — with a proof-of-concept and remediation guidance — rather than waiting for the final report.

Whether you pause the engagement to remediate first or continue with the rest of the scope is your call. We never sit on a finding to "build the narrative."

Who, specifically, will lead my engagement? The named lead engineer is identified in the Statement of Work before kickoff. When you request a quote, we send a bio of the engineer who would lead your specific engagement along with the SoW — so you know exactly who's testing your app before you sign.

Flat fee. No hourly surprise.

$4,999 for the initial engagement. $1,999 for the retest after you remediate. You know the bill before kickoff — no padded hours, no scope creep, no "out of cycle" charges.

Most engagements are scoped against the OWASP WSTG checklist for the target you choose; we add or trim based on your real risk surface.

Book a pen test — $4,999

→ Flat fees
$4,999 · initial engagement, single web application or API
+ $1,999 · retest (verify your fixes, within 12 months)
  • Senior engineer (no junior offshoring)
  • Manual exploitation + chained-exploit hunting
  • Sequential-ID IDOR fuzzing on authenticated GraphQL/REST operations
  • User-enumeration mutation diff (resetPassword, sendInvite, magicLink)
  • Pre-publication verification gate — every finding's PoC re-fired before ship
  • Burp-style request/response evidence + screenshots per finding
  • Letter-graded report with attack-path narrative
  • Separate signed Remediation Report after retest — its own dated artifact
  • Compliance-mapped (SOC 2, ISO 27001, PCI DSS, NIST, HIPAA, MITRE ATT&CK)
  • NDA + Statement of Work executed at kickoff
  • 5–10 business day turnaround

// Multi-app, internal network, cloud, or continuous PTaaS: quoted separately.

Not sure if $4,999 is the right number for your scope?

Use our interactive calculator. Six questions about your app type, scope, auth, multi-tenancy, and compliance. You get a real industry-range estimate from $2K boutique to $50K Big-4 — and where our flat fee fits.

Open the calculator

Things buyers ask before scoping.

How is this different from your $1,999 automated scan?

The automated scan runs nuclei, httpx, and testssl.sh against your application — fast, useful for header / TLS / known-CVE / configuration issues, but it can't find IDOR, business logic flaws, or authenticated session attacks. A pen test is a senior engineer manually probing for that class of issue. We sell both — clearly labeled — and never call one the other.

Who is actually doing the testing?

A senior engineer. Engagements aren't outsourced to junior contractors. The named lead on your engagement is the person doing the work.

How long does a typical engagement take?

5–10 business days from kickoff to delivered report. Reporting itself is 2–3 days; testing fills the rest. Retest (after you remediate) is a separate 2–4 day cycle.

How does the $1,999 retest work?

After you remediate the findings in the initial report, schedule a retest within 12 months. We re-run every finding, mark each as fixed / partial / not fixed, issue a remediation addendum to the original PDF, and update the public attestation. Same engineer who ran the initial test — no re-onboarding cost.

Can the report be used for SOC 2 / ISO 27001 / PCI DSS / HIPAA?

The findings are mapped to the relevant controls (CC6.1, A.12.6.1, PCI 11.4, etc.) so they drop directly into your evidence collection. See the full compliance mapping. Final acceptance is between you and your auditor — no testing firm can guarantee a specific audit outcome.

What happens if you find a critical vulnerability mid-engagement?

We notify you immediately — the same day, with the proof-of-concept and remediation guidance — rather than wait for the final report. You decide whether to pause the engagement and remediate first or continue with the rest of the scope.

Will testing impact production?

Default profile is non-destructive. We coordinate test windows and rate limits with you in the rules-of-engagement document signed at kickoff. If you want destructive / DoS-style testing, that's an explicit add-on and only against a staging environment unless you specifically authorize otherwise in writing.

Do you provide NDA / MSA / DPA / Statement of Work paperwork?

Yes — all four are downloadable from the trust package. We'll execute your procurement team's paper too if they require it.

What about continuous testing (PTaaS)?

Available — quarterly engagements + on-demand retests + continuous-access platform for findings. Quoted per program. Email hello@thecybergrid.com to discuss.

How much of the engagement is manual versus automated tooling?

The majority of the engagement is hands-on manual work by a senior engineer. Automated tooling is used for reconnaissance and known-CVE coverage — the parts where automation is genuinely faster and as accurate. The engineer's time then concentrates on the things tools can't find: chained exploits, business-logic abuse, authorization boundary failures, authenticated session attacks. The deliverable you receive — CVSS-scored, CWE-tagged, with reproducible proof-of-concept per finding — is the product of that manual time, not a scanner export.

Is every OWASP API Top 10 (or OWASP Top 10) category actively tested?

Yes. Every category in the relevant framework — OWASP API Security Top 10 for API engagements, OWASP Web Top 10 for web app engagements — is actively probed. The methodology coverage matrix at the back of the report shows each category and either the specific findings or a clearly-documented "tested, no issues observed" note. You'll see exactly what was looked for, not a generic statement of intent.

Does testing cover multi-role and multi-tenant authorization boundaries?

Yes — this is one of the highest-value parts of the engagement and where manual effort concentrates. Standard authorization testing includes horizontal authz (same role, different IDs / objects), vertical authz (privilege escalation across roles), and — if your application is multi-tenant — cross-tenant isolation across every read and write surface. Chained exploits are explicitly in scope: the combinations of small issues that compound into a critical, which scanners cannot find by design.

To exercise this fully, you'll need to provision at least two test accounts at distinct privilege levels, and ideally two test tenants if multi-tenant.

Is the mobile app included? What's the add-on cost?

The web / API pen test treats the mobile client as a trusted API consumer — the binary itself is out of scope. For mobile binary testing, the separate Mobile Application Penetration Test SKU covers static analysis, dynamic analysis with runtime instrumentation, local data storage review, deep-link / URL-handler abuse, and the mobile-facing authentication flow. Methodology: OWASP MASVS + MSTG. Pricing: $2,999 for one platform (iOS or Android), $4,999 for both. Same flat fee, same $1,999 retest. If scheduled in parallel with a web/API engagement, the combined timeline is typically 2–3 days shorter than running them separately. See pricing.

Does the $1,999 retest re-attempt exploitation or just check configuration?

Each prior finding's original proof-of-concept is re-attempted against the remediated system — not a configuration spot-check. Every finding is marked one of: fixed (PoC no longer works), partial (original vector blocked but the underlying class of issue is still reachable via a different path — we describe the new path), not fixed (PoC still works), or configuration-verified (a small handful of findings such as "DEBUG=True in prod" are validated by inspecting deployment config because the PoC is just "look at the response" — clearly tagged in the addendum). The retest is delivered as an addendum to the original PDF and updates your publicly-verifiable attestation.

What do you need from us to start, and how soon does testing begin?

From you, before kickoff: signed NDA + SoW (templates at /trust-package); two test accounts at distinct privilege levels (regular + staff/admin); two test tenants if your app is multi-tenant; a staging environment URL (strong preference) or written authorization for production testing with an off-hours window; any API schema / OpenAPI spec / GraphQL introspection dump you have; an IP allowlist entry for the tester's source IP (we provide the IP at kickoff); a single technical point of contact.

From us: SoW + NDA templates within 1 business day of your reply; kickoff call within 2–3 business days of SoW signature; engagement typically starts ~5 business days after SoW signature; progress notes posted to your CyberGrid engagement thread throughout; draft report at day 7–8 for a clarification round; final PDF + publicly-verifiable attestation by day 10.

→ Often bundled

Auditor asking for a pen test and SOC 2?

Most SOC 2 auditors require evidence of current pen testing for CC4.1 / CC7.1 / CC7.2 controls. Bundle our SOC 2 readiness program (from $5,999) with this pen test — we time the test to land inside the readiness window so the report is fresh at audit time and drops straight into the evidence package.

See SOC 2 program

→ Ready to scope

Let's see what an attacker could actually do.

Tell us about your application and what's driving the test. We'll come back within one business day with a personalized scope, methodology mapping, and a transparent quote.

Request a quote · See a sample report