Računalničar, Sebastijan Bandur s.p.

Security testing · Pentest · OWASP

Pentest you can show your auditor

Black/gray/white box pentest for web applications and APIs. Written authorization before every click, OWASP/PTES methodology, report with reproducible steps. Kali Linux + Burp Suite Pro + WebTesterAI MCP, orchestrated by agents — under human oversight.

01

When you need a pentest

A pentest is a structured, controlled, and authorized attempt to breach your systems — it finds holes before real attackers do. Typical triggers for ordering one:

  • Just before releasing a new application or a major update
  • Regulatory requirements (PCI DSS, ISO 27001, NIS 2, GDPR art. 32)
  • After a security incident (post-breach assessment, root-cause analysis)
  • Due diligence — investment, acquisition, M&A
  • Periodically (yearly or half-yearly) for high-value applications
  • Before major contractual obligations where the buyer requires proof
02

Types — Black / Gray / White box

The type defines how much internal information the testers have up front. Each has its purpose, and we often combine them.

  • Black box — no prior knowledge; simulates an external attacker. Takes longest and is closest to reality, but coverage is limited to what can be discovered from outside.
  • Gray box — basic information provided (user accounts, public docs). The best coverage-to-time ratio.
  • White box — full access to code, architecture, and threat model. The deepest review; best for critical applications.
  • Gray + White combination — maximum value within a fixed budget.
  • External (from the internet), internal (from within the network), or both — depending on scope.
03

Methodology — OWASP, PTES, ASVS

We work to established standards so the work is verifiable, comparable, and the report is understandable to auditors.

  • OWASP Top 10 and OWASP ASVS (Application Security Verification Standard) for web/API
  • PTES — Penetration Testing Execution Standard for the overall execution framework
  • MITRE ATT&CK for mapping attacker techniques and tactics
  • OWASP MASVS — when mobile apps are in scope
  • Every finding: CVSS 4.0 score + business impact description + remediation proposal
  • Reproduction via scripts, screenshots, raw requests — if you can’t reproduce it, it doesn’t count
04

Tools — Kali stack + AI-orchestrated

A classic pentest stack on Kali Linux, combined with an AI agent layer for faster pattern discovery, parallel scans, and regression after fixes. All under human oversight — agents propose, the human confirms.

  • Network: nmap, masscan, naabu, dnsx, subfinder, amass
  • Web/API: Burp Suite Pro, OWASP ZAP, sqlmap, ffuf, nuclei, wpscan
  • WebTesterAI MCP — our agent for fast pattern discovery (XSS/SQLi/SSRF/IDOR)
  • AIIOtalk — orchestrator for regression of security scenarios after fixes
  • Custom scripts for specific vectors (business logic, race conditions, broken access control)
  • For MCP/agentic apps: special focus on prompt injection, tool abuse, data exfiltration

Kali Linux · Burp Suite Pro · WebTesterAI MCP · nmap · sqlmap · Python · TypeScript

05

Legal safeguards — no authorization, no test

Pentesting without written authorization is unauthorized access to an information system under Slovenian Criminal Code (KZ-1 art. 221) — a criminal offence. That is why we work exclusively with explicit, written, signed authorization.

  • Written authorization signed by an accountable representative before any scan
  • Authorization explicitly lists IN-scope and OUT-of-scope systems
  • Time window with a start and end; testing stops after it
  • Allowed and prohibited methods — DoS, brute force, social engineering etc. are OFF by default
  • NDA (non-disclosure agreement) — signed up front if you require it
  • Notification to the hosting provider (by agreement) to avoid abuse-desk escalation
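The scope and time-window rules above are normally enforced by the engagement process, but they can also be wired into the tooling so that neither an agent nor a tired tester scans an unlisted host by accident. The script below is an added illustration written for this page, not the firm's own tooling: the authorization values, hostnames and addresses are constructed (RFC 5737 documentation ranges and the reserved `.test` TLD), and the in-scope/out-of-scope entry format (CIDR, exact hostname, or a leading `.` for a whole subdomain tree) is an assumption.

```python
"""Pre-scan scope gate: refuse any target that is not covered by the signed
authorization (in-scope entries minus out-of-scope entries) or that is
requested outside the agreed time window.

Illustration added for this page; not the provider's own tooling.
All authorization data below is constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass(frozen=True)
class Authorization:
    in_scope: tuple[str, ...]      # CIDRs, exact hostnames, or ".domain" = whole subtree
    out_of_scope: tuple[str, ...]  # same formats; always wins over in_scope
    start: datetime                # timezone-aware
    end: datetime


def _matches(target: str, entry: str) -> bool:
    """True if one authorization entry covers the target (IP or hostname)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    try:
        net = ipaddress.ip_network(entry, strict=False)  # a bare IP becomes a /32 or /128
    except ValueError:
        net = None
    if net is not None:
        return ip is not None and ip in net        # CIDR entry covers only IP targets
    if ip is not None:
        return False                               # hostname entry never covers a bare IP
    host, pattern = target.lower().rstrip("."), entry.lower().rstrip(".")
    if pattern.startswith("."):                    # ".app.example.test" = apex + all subdomains
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def check_target(auth: Authorization, target: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Exclusions are checked before inclusions so that an
    out-of-scope host sitting inside an in-scope range is still refused."""
    if now.tzinfo is None:
        raise ValueError("pass an aware datetime so the window is unambiguous")
    if not (auth.start <= now < auth.end):
        return False, f"outside authorized window {auth.start.isoformat()} .. {auth.end.isoformat()}"
    if any(_matches(target, e) for e in auth.out_of_scope):
        return False, f"{target} is explicitly OUT of scope"
    if not any(_matches(target, e) for e in auth.in_scope):
        return False, f"{target} is not listed IN scope"
    return True, "authorized"


def plan_scan(auth: Authorization, targets: list[str], now: datetime) -> list[tuple[str, bool, str]]:
    """Split a target list into allowed/refused, keeping the reason for each decision
    so the gate's output can be filed next to the report as an audit record."""
    return [(t, *check_target(auth, t, now)) for t in targets]


# Constructed authorization for the example (documentation addresses, reserved TLD).
AUTH = Authorization(
    in_scope=("203.0.113.0/24", ".app.example.test", "api.example.test"),
    out_of_scope=("203.0.113.10", "billing.app.example.test"),
    start=datetime(2025, 3, 3, 8, 0, tzinfo=timezone.utc),
    end=datetime(2025, 3, 7, 18, 0, tzinfo=timezone.utc),
)
NOW = datetime(2025, 3, 4, 10, 0, tzinfo=timezone.utc)          # inside the window
AFTER_WINDOW = datetime(2025, 3, 8, 9, 0, tzinfo=timezone.utc)  # one day after it closed

if __name__ == "__main__":
    targets = ["203.0.113.42", "203.0.113.10", "staging.app.example.test",
               "billing.app.example.test", "example.test", "198.51.100.5"]
    for target, ok, why in plan_scan(AUTH, targets, NOW):
        print(f"{'SCAN ' if ok else 'SKIP '} {target:28} {why}")
```

Putting the gate in front of every scanner invocation (the wrapper that builds the nmap or nuclei command line only for targets that come back allowed) turns the paper authorization into a control that is checked on each run; the refusal reasons make it obvious afterwards why a host in the customer's list was never touched.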
06

Price & timeline

Price depends on scope — number of applications, type of test, depth, report deadline. Indicative timelines:

  • Small web app, gray box: 3–5 working days + 2 days for the report
  • Standard web app + API, gray box: 1–2 weeks + 3 days for the report
  • Enterprise system or complex platform, white box: 2–4 weeks + 1 week for the report
  • Re-test after fixes: half price, valid 30 days after report delivery
  • Annual retainer (4× quarterly): discount on the whole + scheduling priority
  • Report: SL or EN, executive summary + technical detail, also printed on request

Written authorization · OWASP · MITRE ATT&CK · CVSS 4.0 · SL/EN report

FAQ

Frequently asked questions

Will you take down my traffic or cause damage?

Our approach is careful and controlled. DoS, brute force, and destructive methods are OFF by default; you can enable them explicitly with a risk acknowledgement. We run scans at rates the system can handle; if we detect instability we stop immediately. We have a 24/7 emergency contact for incidents.

How do you protect the data you find during the pentest?

All findings are stored on an encrypted workstation (LUKS full-disk encryption) and transferred only over encrypted channels. All engagement data is destroyed within 30 days of report delivery (or immediately on request). An NDA is signed before we start if you require it.

What does the final report contain?

Executive summary (for leadership) + technical detail (for engineering). Each finding: description, CVSS 4.0 score, business impact, reproduction steps with screenshots, remediation proposal, references. Report in SL or EN, formatted for auditors (PDF and HTML). Printed on request.

Can our internal team do the pentest?

They can, but escaping internal bias is hard — you know your own system too well. So a combination: internal monitoring + an external pentest once a year gives the most realistic picture. An external report is also what auditors and customers trust.

How often should I order a pentest?

Yearly for stable apps; after every major update for fast-moving ones. After an incident, always. For regulated environments (PCI DSS, NIS 2) half-yearly. A re-test after fixes is available within 30 days of report delivery (see Price & timeline).

How long from inquiry to first scan?

Typically 1–2 weeks: 1 business day for the authorization template, 3–5 days for signature and legal, 3–5 days for detailed scoping and preparation. After signed authorization and a scope kickoff we begin. Urgent cases (post-incident) can move faster.

Contact

Get in touch

Pick a topic, describe the project. We reply the same day.
