SaaS & B2B software

Your SaaS deal is stalling because procurement wants a current pentest report — and a SOC 2 audit deadline is closing in.

We scope and run the engagement so your team gets a SOC 2 / ISO 27001-aligned report that answers customer questionnaires and auditors — without rework.

What is at stake

Four situations where SaaS teams are blocked right now.

Customer questionnaires

Procurement wants a current pentest report. The deal stalls without one.

SOC 2 / ISO 27001

Pentest is on the control list and audit field-work is approaching.

Tenant isolation

Customers are asking how you guarantee tenant boundaries inside the application.

New product launch

You are shipping a new product line or major feature with new permissions.

How we help

We test the six surfaces customer questionnaires and SOC 2 auditors ask about most.

Every finding is mapped to SOC 2 Common Criteria and ISO 27001 Annex A — a section auditors can use directly, alongside a remediation engineers can act on.

Multi-tenant isolation

Cross-tenant IDORs, exported reports, shared links, webhooks, integrations.

SSO and SCIM

SAML/OIDC assertion handling, downgrade paths, SCIM provisioning misuse, role-claim manipulation.

Role-based access control

Vertical and horizontal escalation across documented roles. Role-aware features called by lower roles.

Public APIs and webhooks

Auth, IDORs, replay, rate limiting, signature verification, partner-token scope.
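Two of the items above, replay and signature verification, are easy to get subtly wrong on the receiving side of a webhook. The block below is an added example and not code from this page's service: it shows a sender signing a delivery, a weak receiver that checks only the HMAC (so a captured delivery is accepted indefinitely), and a hardened receiver that binds the timestamp into the signed message, enforces a freshness window, compares in constant time and rejects replays. The header names, secret and payload are constructed stand-ins.

```python
"""Webhook signing and verification; constructed example, not production tooling."""
import hashlib
import hmac
import time

# Assumed header names for the example; real providers use their own.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over "<timestamp>.<body>" so the timestamp
    is covered by the signature and cannot be swapped independently."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_weak(secret: bytes, headers: dict, body: bytes) -> bool:
    """Weak receiver: valid HMAC is all it checks. No freshness window, no
    replay tracking, and a plain == comparison instead of a constant-time one."""
    ts_raw = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if ts_raw is None or sig is None:
        return False
    return sign_webhook(secret, int(ts_raw), body) == sig


def verify_webhook(secret: bytes, headers: dict, body: bytes, seen: set,
                   now: int = None, tolerance: int = 300) -> tuple:
    """Hardened receiver. Returns (ok, reason).

    `seen` is the receiver's store of signatures already accepted inside the
    tolerance window (a set here; a TTL cache in a real service)."""
    ts_raw = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if ts_raw is None or sig is None:
        return False, "missing header"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "bad timestamp"
    now = int(time.time()) if now is None else now
    # Freshness window: a delivery captured hours ago is refused outright.
    if abs(now - ts) > tolerance:
        return False, "stale timestamp"
    expected = sign_webhook(secret, ts, body)
    # Constant-time compare so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    # Same signed delivery seen twice inside the window is a replay.
    if sig in seen:
        return False, "replay"
    seen.add(sig)
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = b'{"event":"invoice.paid","tenant":"acme"}'   # constructed payload
    ts = 1_700_000_000
    headers = {TS_HEADER: str(ts), SIG_HEADER: sign_webhook(secret, ts, body)}
    seen = set()
    print("first delivery :", verify_webhook(secret, headers, body, seen, now=ts + 10))
    print("replayed       :", verify_webhook(secret, headers, body, seen, now=ts + 20))
    print("weak receiver  :", verify_weak(secret, headers, body))
```

The design point is that the timestamp must be inside the signed message; a receiver that checks a timestamp header the sender did not sign gains nothing, because the header can be rewritten without invalidating the HMAC.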

Billing and entitlements

Paid-feature logic, plan downgrades, trial abuse, seat-count enforcement.

Admin and operator surfaces

Internal admin tooling exposed inadvertently. Operator endpoints reachable by tenants.

How an engagement works

Four steps from scoping call to a report your auditors will accept.

  1. Scoping call

     A quick call. We learn what you ship, which tenants are in scope, and what is driving the deadline. You leave with a fixed scope, price, and date.

  2. Hands-on testing

     A senior tester runs the engagement end-to-end across tenant boundaries, SSO flows, and your customer-facing API. Critical findings are surfaced immediately on a live channel.

  3. Report you will read

     Every finding has a working proof, a clear severity, and a remediation an engineer can paste into a ticket. Mapped to SOC 2 Common Criteria and ISO 27001 Annex A. One-page board summary included.

  4. Retest included

     We retest fixed items and update the report at no extra cost. The version you share with customers or auditors reflects your actual fixed state.

Deal deadline or audit window approaching?

A quick scoping call gives you a fixed scope, price, and start date — so you know exactly when the report lands.

Why teams trust the result

Senior testers, real certifications, and a report that survives audit scrutiny.

  • Certifications

    OSCP · OSWE · GPEN · GXPN · CRTO · CCSP · CISSP · CREST CRT

  • Control mapping

    SOC 2 Common Criteria and ISO 27001 Annex A mapped in the same report

  • Senior-led

    Every engagement led end-to-end by a senior tester — no subcontractors, no junior handoffs

  • Retest included

    Retest of reported findings is included in scope at no extra cost

FAQ

SaaS & software — common questions

How quickly can you deliver a report a customer will accept?

A typical SaaS web app and API engagement is two to three weeks of testing plus reporting and a retest. Many customers schedule kickoff within the same week as the scoping call when a deadline is tight.

Will the report satisfy our SOC 2 or ISO auditor?

Yes. Findings are mapped to SOC 2 Common Criteria and ISO 27001 Annex A in the same document, so the report can be used as audit evidence without rework.

How do you test multi-tenant isolation?

We test with at least two tenant accounts and walk every protected resource boundary — direct API access, shared links, exports, webhooks, and integrations that touch multiple tenants.
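The two-tenant approach described in this answer can be run by an engineering team against its own application as a regression check. The block below is an added example, not this service's tooling: it models a constructed multi-tenant backend with two resource boundaries (direct lookup by ID and bulk export), each in a vulnerable and a hardened form, and an `isolation_check` that creates resources as tenant A, walks every boundary as tenant B, and returns whatever leaked. The app, tenant names and report contents are all constructed stand-ins.

```python
"""Two-tenant isolation check over a constructed stand-in application."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller reaches for a resource outside its own tenant."""


@dataclass
class Report:
    report_id: int
    tenant_id: str
    body: str


@dataclass
class App:
    """Constructed stand-in for a multi-tenant backend (not a real framework)."""
    reports: dict = field(default_factory=dict)
    next_id: int = 1

    def create_report(self, tenant_id: str, body: str) -> int:
        report = Report(self.next_id, tenant_id, body)
        self.reports[report.report_id] = report
        self.next_id += 1
        return report.report_id

    # Vulnerable: primary-key lookup with no tenant scoping (cross-tenant IDOR).
    def get_report_insecure(self, caller_tenant: str, report_id: int) -> Report:
        return self.reports[report_id]

    # Hardened: the tenant is part of the lookup itself, so a foreign ID and a
    # missing ID look identical to the caller.
    def get_report(self, caller_tenant: str, report_id: int) -> Report:
        report = self.reports.get(report_id)
        if report is None or report.tenant_id != caller_tenant:
            raise Forbidden(f"report {report_id} not visible to {caller_tenant}")
        return report

    # Vulnerable: export dumps the whole table regardless of caller.
    def export_insecure(self, caller_tenant: str) -> list:
        return list(self.reports.values())

    # Hardened: export is filtered by the caller's tenant at the query layer.
    def export(self, caller_tenant: str) -> list:
        return [r for r in self.reports.values() if r.tenant_id == caller_tenant]


def isolation_check(app: App, tenant_a: str, tenant_b: str,
                    insecure: bool = False, n: int = 3) -> dict:
    """Create n reports as tenant_a, then walk each boundary as tenant_b.

    Returns the IDs of tenant_a's reports that tenant_b could read, keyed by
    boundary. An empty list for every boundary is the expected result."""
    fetch = app.get_report_insecure if insecure else app.get_report
    export = app.export_insecure if insecure else app.export
    owned = [app.create_report(tenant_a, f"{tenant_a} confidential {i}") for i in range(n)]
    leaks = {"direct": [], "export": []}

    # Boundary 1: direct access by ID, as tenant_b, to every ID tenant_a owns.
    for report_id in owned:
        try:
            report = fetch(tenant_b, report_id)
        except (Forbidden, KeyError):
            continue
        if report.tenant_id != tenant_b:
            leaks["direct"].append(report_id)

    # Boundary 2: bulk export as tenant_b must contain only tenant_b's rows.
    for report in export(tenant_b):
        if report.tenant_id != tenant_b:
            leaks["export"].append(report.report_id)

    return leaks


if __name__ == "__main__":
    print("insecure:", isolation_check(App(), "acme", "globex", insecure=True))
    print("hardened:", isolation_check(App(), "acme", "globex"))
```

In a real codebase the same check extends naturally to the other boundaries the answer lists (shared links, webhooks, integrations): each gets a "create as A, reach for it as B" pass, and the tenant filter belongs in the data-access layer rather than in a check added after the row has already been fetched.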

Do you test our SSO and SCIM integrations?

Yes. Assertion handling, replay, downgrade paths to local login, role-claim manipulation, and SCIM provisioning misuse are standard scope when those integrations exist.

Can you fit a pentest into a sales-driven deadline?

Often, yes — tell us the date on the scoping call. We routinely sequence engagements so the report and retest land in time for procurement review.

Want a credible answer when a customer, auditor, or your board asks how secure you are?

A quick scoping call with the senior tester who would run your engagement. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fixed scope, price, and date.