A scoped, time-boxed assessment against a defined surface. The most common engagement shape we run.
What’s in scope
- Web applications — production-grade SPAs, APIs, admin consoles
- Mobile — native iOS and Android binaries plus their backends (OWASP MASTG)
- REST & GraphQL APIs — including auth-token replay, IDOR (broken object-level authorization), and rate-limit bypass
- Cloud configuration — AWS, GCP, Azure (read-only review)
We do not test customer-leased on-premises hardware, third-party SaaS we don’t host, or anything you don’t have written authorization to test.
How it runs
Grey-box by default — you give us credentials and a staging environment, we spend the first day in your repo orienting. Black-box engagements are available on request but add roughly 30% to the timeline for the same coverage.
Two-week minimum, four weeks typical. We file findings live in your tracker as we discover them, so your team can start fixing on day three instead of waiting for a final PDF.
What you walk away with
- A final report — executive summary, technical detail, remediation steps
- An attestation letter you can share with customers and auditors
- A re-test included, scheduled within 90 days
- The ability to reference us in your SOC 2 / ISO 27001 evidence
- Direct Slack access to the lead tester for two weeks post-engagement