Offensive Security — Flagship Service

Web Application Penetration Testing

Manual, OSCP and CPTS-led testing of your web applications and APIs — covering OWASP Top 10, authentication and authorisation flaws, injection, business-logic abuse, and API-specific attack classes. Not a scanner report. Every finding manually validated.

AED 15,000 – 40,000 · CPTS · CEH · OSCP · 2 – 3 weeks typical
Book a 30-min Scoping Call →

What it is

A manual, authenticated penetration test of your web application and its backing APIs — performed by a credentialed offensive security practitioner, not an automated scanner.

We log in as each user role, walk through the application the way a real user would, and then try everything a real attacker would. We test authentication and session handling, authorisation boundaries (including IDOR and BOLA, checked across every role), the injection classes (SQL, NoSQL, OS command, LDAP, and XML external entity), file upload and deserialisation handling, client-side issues (XSS, CSRF, clickjacking, CORS), and the business-logic flaws that scanners never find because they are specific to what your application actually does.
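The cross-role authorisation check described above is the part of this work that automation most often gets wrong, so here is what a minimal differential IDOR/BOLA check looks like. This is an added illustration, not the engagement's own tooling: the in-memory `fake_api` is a constructed stand-in for a target with a switch that reproduces (or fixes) a missing ownership check, and the account names, tokens and invoice IDs are made up. In a real test `call` would wrap an HTTP client against the scoped application and the provisioned test accounts.

```python
"""Differential IDOR/BOLA check across user roles (added example, not the firm's tooling).

The `fake_api` below is a constructed stand-in for GET /invoices/{id}.  With
enforce_ownership=False it reproduces the flaw (any authenticated customer can read
any invoice by guessing its id); with True it models the corrected behaviour.
"""
from dataclasses import dataclass

# Constructed fixture: two customers' invoices and three provisioned test accounts.
RECORDS = {
    "inv-1001": {"owner": "alice", "amount": 120.0},
    "inv-1002": {"owner": "bob", "amount": 80.0},
}
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "customer"},
    "tok-bob": {"user": "bob", "role": "customer"},
    "tok-admin": {"user": "admin", "role": "admin"},
}


def fake_api(method, path, token, enforce_ownership):
    """Stand-in for the target. Returns (status, body)."""
    sess = SESSIONS.get(token)
    if sess is None:
        return 401, None
    parts = path.strip("/").split("/")
    if method != "GET" or len(parts) != 2 or parts[0] != "invoices":
        return 404, None
    rec = RECORDS.get(parts[1])
    if rec is None:
        return 404, None
    # The object-level authorisation check that a BOLA-vulnerable app omits.
    if sess["role"] != "admin" and enforce_ownership and rec["owner"] != sess["user"]:
        return 403, None
    return 200, rec


@dataclass
class Finding:
    actor: str    # test account that made the request
    path: str     # object it should not have been able to read
    owner: str    # account that actually owns the object
    status: int


def bola_check(call, actors, objects):
    """Request every object with every non-admin actor that does not own it.

    call(method, path, token) -> (status, body)
    actors: list of (token, user, role); objects: list of (object_id, owner)
    Returns one Finding per 2xx response that returned another owner's object.
    Raises if an actor cannot read its own object: a blanket 403 would otherwise
    look like a pass when the test account is simply broken.
    """
    findings = []
    for token, user, role in actors:
        if role == "admin":
            continue  # admin reading all records is by design; the ROE decides whether to test it
        for obj_id, owner in objects:
            status, body = call("GET", f"/invoices/{obj_id}", token)
            if owner == user:
                if status != 200:
                    raise RuntimeError(f"baseline failed: {user} cannot read own {obj_id} ({status})")
                continue
            if 200 <= status < 300 and body is not None:
                findings.append(Finding(user, f"/invoices/{obj_id}", owner, status))
    return findings


def run(enforce_ownership):
    """Run the check against the flawed (False) or corrected (True) stand-in."""
    def call(method, path, token):
        return fake_api(method, path, token, enforce_ownership)

    actors = [("tok-alice", "alice", "customer"),
              ("tok-bob", "bob", "customer"),
              ("tok-admin", "admin", "admin")]
    objects = [(obj_id, rec["owner"]) for obj_id, rec in RECORDS.items()]
    return bola_check(call, actors, objects)


if __name__ == "__main__":
    for f in run(enforce_ownership=False):
        print(f"BOLA: {f.actor} read {f.path} owned by {f.owner} (HTTP {f.status})")
    print("corrected build findings:", run(enforce_ownership=True))
```

Against the flawed build the check reports two findings (each customer reads the other's invoice); against the corrected build it reports none. The baseline assertion matters in practice: a test account that cannot even read its own records produces a clean-looking 403 everywhere and would otherwise hide the fact that nothing was actually tested.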

Every engagement ends with a prioritised findings report, a live remediation walkthrough, and one free re-test of the critical and high findings within 30 days of your remediation.

What this is not

Not a vulnerability-scanner PDF. Scanners assist; humans do the testing.
Not a source-code review. This is black-box or grey-box dynamic testing. Code review is a separate engagement.
Not a DDoS stress test. We never intentionally impact availability.
Not a mobile-app engagement. Backing APIs are tested; full mobile-binary analysis is separate.

Who this is for

1. You're launching a new web product and need a security gate before go-live.
2. An enterprise client or bank has asked for a pen-test report before contract.
3. You're preparing for ISO 27001, SOC 2, PCI DSS, or NESA audit and need application-layer evidence.
4. You shipped significant changes (new auth, payment flow, role model, data model) and need validation.
5. You had an incident or close call (credential-stuffing attempt, suspicious activity, responsible-disclosure report) and need external assurance.

What you get

  • Rules of engagement — scope, timeline, testing windows, user roles, out-of-scope exclusions.
  • Findings report (typically 25 – 50 pages) — every finding with CVSS, reproduction, screenshots, business impact, specific remediation guidance.
  • Executive summary — 1 – 2 pages, board-consumable.
  • Live remediation walkthrough — 90 minutes with your dev team on every critical and high finding.
  • Free first re-test of critical and high findings within 30 days of remediation.
  • Clean-up evidence — every artefact we created during testing removed and documented.

How we deliver

01 · Scoping · 2 – 3 days
60-minute call, application walkthrough, user-role mapping, credential provisioning, ROE signed.

02 · Reconnaissance & mapping · 2 – 3 days
Endpoint enumeration, technology fingerprinting, attack-surface mapping, API documentation review.

03 · Manual testing · 5 – 10 days
OWASP Top 10 coverage, authorisation testing across roles, injection, business-logic testing, API-specific attacks, client-side issues.

04 · Reporting · 3 – 5 days
Findings compilation, CVSS scoring, reproduction steps, executive summary, internal review pass.

05 · Walkthrough · 90 minutes
Live screen-share with your dev team covering every critical and high finding, each one reproducible.

06 · Re-test · within 30 days post-remediation
Validate fixes on all criticals and highs; issue re-test report.

Pricing

Published range

AED 15k – 40k

Per engagement. Written quote within 48 hours.

What drives the price:

  • Number of authenticated endpoints / pages
  • Number of user roles and role-based features
  • API surface size and complexity
  • Payment or financial transactions in scope
  • Testing mode (grey-box / black-box / white-box)
  • Timeline (standard 2 – 3 weeks vs. expedited 1.5-week)

Commercial terms

  • Deposit: 50% at signing; balance on final report
  • Net terms: Net-30
  • Quote validity: 30 days
  • Re-test: 1 × critical/high re-test included
  • Scope changes: written change request required

Your cert-backed team

Lead Tester

Nelson Durairaj

OSCP · eJPT · CEH · BlackHat Linux · HTB Omniscient

Focus: Authentication and authorisation testing, injection, business-logic abuse, API security.

Supervising Practitioner

Manoj Prabhakaran

CPTS · CDSA · Security+ · ISO 27001 Lead Auditor

Focus: Engagement oversight, report quality, audit-evidence alignment, complex business-logic cases.

Frequently asked questions

What do you actually test?

OWASP Top 10 (2021) as a baseline — broken access control, injection, authentication flaws, cryptographic failures, security misconfiguration, vulnerable components, SSRF, and more. Plus: API authentication and authorisation flaws, business-logic flaws unique to your application, file upload handling, session management, and client-side security. Coverage is manual; we use automation to assist, not to substitute for testing judgement.

Is this a black-box, grey-box, or white-box test?

Grey-box by default — we test with valid user credentials for each role to maximise coverage. Black-box (no credentials, external perspective only) is available for realism exercises. White-box (source code + credentials) is available for highest-depth engagements. Most clients choose grey-box as the best cost-to-coverage ratio.

How do you handle production testing?

We define safe testing windows and explicitly exclude destructive actions (mass data modification, account lockouts, DoS-style traffic). For logged-in tests we provision our own test accounts rather than using real user accounts. We never retrieve real users' uploaded files, never retain real user data, and every artefact we create during testing is cleaned up and documented.

How long does a typical engagement take?

For a single application with 50 – 200 authenticated endpoints, 2 – 3 weeks end-to-end (scoping + testing + reporting + walkthrough). Larger applications or API-heavy platforms extend to 3 – 4 weeks. Expedited 1.5-week delivery available with a 20% expedite fee.

Do you test REST, GraphQL, and SOAP APIs?

Yes — all three, plus WebSocket and gRPC. Our methodology covers authentication bypass, authorisation flaws, mass-assignment, rate-limit bypass, injection, BOLA/IDOR, and data-exposure classes specific to API surfaces.

What about mobile apps?

Mobile apps are tested through their backing APIs in this engagement. If you need full mobile-client binary analysis (static + dynamic on the device), scope it as a separate engagement — the tooling and methodology are distinct.

Will this satisfy compliance requirements?

Yes — our reports include scope, methodology, dates, named tester credentials, CVSS-scored findings, remediation guidance, and re-test validation. Usable as audit evidence for ISO 27001, SOC 2, PCI DSS, HIPAA, NESA, ADHICS, and similar frameworks.

Is the re-test included?

Yes. One re-test of critical and high findings within 30 days of final report is included in the base fee. We issue a separate re-test report confirming remediation. Additional re-tests beyond the first are charged separately.

Launching a product, preparing an audit, or under client pressure for a pen-test report?

Book a 30-minute scoping call. Written quote within 48 hours. We can start testing inside 1 – 2 weeks.

Book a Scoping Call →