Surface-01Web application (OWASP Top 10)
Injection, broken access control, auth flaws, and misconfiguration against your live web app. Every finding carries a reproduction, a severity, and the exact fix.
Surface-02API + authorisation testing
IDOR, broken object-level authorisation, rate limits, and token handling. We test whether one tenant can read another tenant’s data, the question your buyer cares about most.
Surface-03Cloud + infrastructure config
Public buckets, over-broad IAM roles, exposed metadata, weak segmentation. AWS by default, comfortable on GCP, Azure and Cloudflare. The misconfig that turns one bug into a breach.
Surface-04External + network surface
An external pen test of what the internet can reach: exposed services, forgotten subdomains, stale endpoints, leaked credentials. The surface you stopped looking at two pivots ago.
Surface-05Mobile (iOS + Android)
Insecure storage, certificate pinning, hard-coded secrets, and the API traffic behind the app. Tested against the OWASP Mobile Top 10 when your scope includes a mobile client.
Surface-06Report + retest included
Every engagement ends with an evidence-grade report, a remediation roadmap ranked by severity, and a retest after you ship the fixes. The held report procurement accepts.
Surface-01Web application (OWASP Top 10)
Injection, broken access control, auth flaws, and misconfiguration against your live web app. Every finding carries a reproduction, a severity, and the exact fix.
Surface-02API + authorisation testing
IDOR, broken object-level authorisation, rate limits, and token handling. We test whether one tenant can read another tenant’s data, the question your buyer cares about most.
Surface-03Cloud + infrastructure config
Public buckets, over-broad IAM roles, exposed metadata, weak segmentation. AWS by default, comfortable on GCP, Azure and Cloudflare. The misconfig that turns one bug into a breach.
Surface-04External + network surface
An external pen test of what the internet can reach: exposed services, forgotten subdomains, stale endpoints, leaked credentials. The surface you stopped looking at two pivots ago.
Surface-05Mobile (iOS + Android)
Insecure storage, certificate pinning, hard-coded secrets, and the API traffic behind the app. Tested against the OWASP Mobile Top 10 when your scope includes a mobile client.
Surface-06Report + retest included
Every engagement ends with an evidence-grade report, a remediation roadmap ranked by severity, and a retest after you ship the fixes. The held report procurement accepts.