Methodology

A web application penetration test your engineers and auditors can rely on.

Six phases aligned to OWASP WSTG and ASVS, led by a senior tester from scoping through retest — no scanner substitutes.

Why methodology matters

A web app test is only as good as what it actually tested.

Most material web application findings — broken access control, tenant isolation failures, business logic abuse, chained exploits — require a real person reasoning about authorization, data flows, and what the application was designed to do versus what it allows.

Your engineers will reject findings without reproducible evidence. Your auditor will ask what standard was applied. The methodology below gives you defensible answers to both.

The methodology

Six phases, every engagement.

  1. Scoping and threat modeling

     Map the surface — endpoints, roles, integrations, multi-tenant boundaries — and build a role × resource matrix the engagement tests against.

  2. Reconnaissance and surface mapping

     Passive recon plus active proxy-based mapping: endpoint enumeration, JS file analysis, directory and parameter fuzzing. The real surface is consistently larger than the architecture diagram.

  3. Unauthenticated testing

     Perimeter posture, exposed admin paths, default credentials, missing security headers, TLS quality, account enumeration on registration/reset flows, and any OWASP Top 10 category reachable without a session.

  4. Authenticated testing — role by role

     Every role through every protected resource. Cross-tenant boundary testing (IDOR/BOLA), privilege escalation, function-level access control (BFLA), and business-logic abuse. This is where most material findings live.

  5. Targeted abuse cases

     Scenarios drawn from scoping — payment flows, support-agent overrides, partner integrations, webhook handling, JWT algorithm confusion, refresh-token replay, SSO downgrade.

  6. Reporting and retest

     Per-finding writeup with PoC, severity, CVSS, paste-ready remediation, and compliance control mapping. Same-day disclosure of criticals. Retest and reissued report after fixes.

What we look for

Coverage aligned to OWASP.

  • OWASP Top 10 (2021) — every category, with priority on A01 Broken Access Control, A03 Injection, A04 Insecure Design, A07 Identification & Authentication, and A10 SSRF.
  • OWASP WSTG test cases — identity, authentication, authorization, session management, input handling, error handling, cryptography, business logic, and client-side.
  • OWASP ASVS requirements at the level appropriate to your application's tier.
  • Multi-tenant isolation — cross-tenant IDOR/BOLA on every protected ID, exported reports, shared links, webhooks, and support-agent overrides.
  • Auth and identity edge cases — JWT algorithm confusion, refresh-token replay, SSO downgrade, OAuth scope creep.

Ready to scope your web app test?

A quick call gives you a fixed scope, price, and date — no slides, no pitch.

Tools we use

Industry-standard, supplemented by custom tooling.

Tools accelerate coverage; the work is led by manual reasoning.

Burp Suite Professional

Primary proxy and active-scanning platform for manual testing.

ffuf and gobuster

Directory, parameter, and virtual-host fuzzing.

sqlmap

SQL injection validation and exploitation.

ProjectDiscovery suite

Nuclei templates, Subfinder, httpx — templated checks and asset discovery.

Postman / Insomnia

API surface exploration and request replay.

Custom Python and Go tooling

Tenant-aware scripts for role-matrix walks and cross-tenant validation.
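As an added illustration of the role × resource matrix walk described in phases 1 and 4 (example code written for this page, not the firm's own tooling): a constructed expected-access matrix is driven against a stand-in application, and every cell where the observed status disagrees with the expectation is recorded with the evidence needed to reproduce it. The tenants, roles, paths and the fake application are all constructed for the example.

```python
# Constructed example of a role x resource matrix walk. Nothing here contacts a
# real system: fake_app stands in for the application under test so it runs offline.

MATRIX = {
    # (role, tenant, method, path): should this cell be reachable?
    ("admin", "A", "GET",    "/tenants/A/invoices/1"): True,
    ("user",  "A", "GET",    "/tenants/A/invoices/1"): True,
    ("user",  "B", "GET",    "/tenants/A/invoices/1"): False,  # cross-tenant read
    ("user",  "A", "DELETE", "/tenants/A/invoices/1"): False,  # admin-only function
    ("admin", "A", "DELETE", "/tenants/A/invoices/1"): True,
}

def fake_app(role, tenant, method, path):
    """Stand-in for the target (constructed). It enforces the admin-only rule on
    DELETE but never checks that the caller's tenant matches the path, which is
    the IDOR/BOLA class the walk is meant to surface."""
    if method == "DELETE" and role != "admin":
        return 403
    return 200

def classify(role, tenant, path, allowed, status):
    """Return a finding class for one cell, or None when observed == expected."""
    granted = 200 <= status < 300
    if granted == allowed:
        return None
    if not granted:
        return "unexpected-deny"  # fixture or coverage gap: fix, then retest the cell
    if f"/tenants/{tenant}/" not in path:
        return "cross-tenant-access (IDOR/BOLA)"
    return "function-level (BFLA)"

def walk_matrix(matrix, send=fake_app):
    """Exercise every cell and collect discrepancies as reproducible evidence
    (role, request, observed status) rather than a bare 'access control issue'."""
    findings = []
    for (role, tenant, method, path), allowed in matrix.items():
        status = send(role, tenant, method, path)
        kind = classify(role, tenant, path, allowed, status)
        if kind:
            findings.append({"role": f"{role}@{tenant}", "request": f"{method} {path}",
                             "status": status, "kind": kind})
    return findings

if __name__ == "__main__":
    for finding in walk_matrix(MATRIX):
        print(finding)
```

Swapping `send` for a function that issues real requests with each role's session turns the same matrix into the retest fixture for phase 6.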

Quality controls

How we keep the report honest.

  • Peer review — every finding reviewed by a second senior tester before the report.
  • Evidence standard — no reproducible PoC, no finding.
  • Severity calibration — CVSS plus real-world exploitability in your environment, not raw CVSS alone.
  • Senior throughout — same person from scoping call to retest. No subcontractors.
  • Same-day disclosure — criticals go to your security and engineering leads the moment they're confirmed.

Deliverables

One report, three audiences.

  • Board summary; executive section with SOC 2, ISO, PCI, HIPAA, and GLBA control mapping where applicable; developer section with paste-ready remediation per finding.
  • Retest of all reported findings and reissued report after your team ships fixes — included, not a separate line item.
  • Direct line to the lead tester through the engagement and for a defined window after delivery.

FAQ

Web app methodology — common questions

Do you rely on automated scanning?

Scanners handle breadth on well-defined issue classes, but the findings that matter — authorization flaws, multi-tenant isolation, business logic, chained exploits — require a senior tester reasoning about your application. Sample reports available after the scoping call.

How do you test safely against production?

We default to staging when one exists. Where production testing is necessary, we agree throttling, exclusions, and communication windows before testing starts. Critical findings go to your security and engineering leads the same day.

Are your testers certified?

Yes. Certifications across the team include OSCP, OSWE, GPEN, GXPN, CRTO, CCSP, CISSP, and CREST CRT. Senior testers run every engagement end to end — no junior handoff, no subcontractors.

Want a credible answer when a customer, auditor, or your board asks how secure you are?

A quick scoping call with the senior tester who would run your engagement. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fixed scope, price, and date.