Upon request we share a sample report so you know exactly what you receive after a pentest.
More than a scanner
Automated vulnerability scanners find low-hanging fruit — but systematically miss the vulnerabilities that really matter. Our pentesters think like attackers: they understand application logic, link findings together and look for chains of vulnerabilities that collectively form a critical risk. Our web application penetration tests are based on the OWASP Testing Guide and the PTES (Penetration Testing Execution Standard), combined with years of practical experience in the Dutch market.
OWASP Top 10 — fully covered
The OWASP Top 10 is the industry standard for the most critical web vulnerabilities. We test systematically against all ten categories:
- Broken Access Control: Authorisation flaws that give users access to data or roles not intended for them
- Cryptographic Failures: Insecure storage or transmission of sensitive data, weak encryption, exposed credentials
- Injection (SQL, NoSQL, LDAP, OS): Unsanitised input that can lead to data extraction, manipulation or destruction
- Insecure Design: Architectural flaws that lack security by design
- Security Misconfiguration: Incorrect configurations in servers, frameworks, cloud environments and applications
- Cross-Site Scripting (XSS): Reflected, stored and DOM-based XSS enabling session hijacking and phishing
- Vulnerable Components: Vulnerable libraries, frameworks and dependencies
- Authentication Failures: Weak password policies, missing MFA, session fixation
- Software & Data Integrity Failures: Insecure CI/CD pipelines, deserialisation flaws
- Logging & Monitoring Failures: Insufficient detection capability for attacks and data breaches
Business Logic Assessment
Business logic vulnerabilities are the most underestimated category: flaws in the workflow or business logic of your application that automated tools never find. Think of price manipulation in a checkout, circumventing approval processes, or misusing discount codes. Our pentesters understand your application and actively look for these logical flaws.
API Security
Modern web applications run on APIs — and APIs are a primary attack vector. We test REST, GraphQL and SOAP APIs against the OWASP API Security Top 10, including broken object level authorization (BOLA), mass assignment, rate limiting and JWT vulnerabilities.
Actionable Remediation
Every finding in our report includes: a clear description of the vulnerability, a proof-of-concept demonstration, the potential impact, a CVSS score and — most importantly — concrete steps to fix the problem. No abstract recommendations, but workable fixes for your development team.
Our Pentesting Approach
- Scoping: Inventory of the application, authentication levels, API endpoints and test environment
- Reconnaissance: Passive and active exploration of the attack surface
- Manual testing: Systematic, in-depth tests on all OWASP categories plus application-specific logic
- Reporting: Executive summary and technical report with priority scoring and remediation advice
- Retesting: Verification that reported vulnerabilities have been correctly remediated
