Security Testing

Web Application & API

OWASP-aligned testing of your web applications and APIs — authentication, authorisation, input validation, business logic and session management — by CREST-accredited experts.

Your web applications and APIs are your most exposed assets: public by design, updated constantly, and directly connected to your most valuable data. Our web application penetration testing puts them under exactly the same pressure a skilled attacker would apply — before someone hostile does it for real.

Using OWASP methodologies, our CREST-accredited consultants test the areas where applications actually fail: authentication and authorisation, input validation, business logic, and session management. APIs get the same rigour — REST, SOAP and GraphQL — covering endpoints, data handling and the authorisation gaps that automated tools routinely miss. Single-page applications, multi-tenant platforms and microservice back-ends are all familiar territory.

Web application penetration testing beyond the scanner

Scanners find known vulnerability signatures. They do not notice that your password reset flow leaks account information, that a discount code can be applied twice, or that one customer can read another's records by changing an ID in a request. Finding flaws like these takes a human who understands how the application is supposed to work — which is why our testing is manual and expert-led, with exploitation to demonstrate real impact where safe and agreed.

Everything is delivered through Sentry: tailored scoping questionnaire, findings uploaded in real time as they are discovered, immediate alerts for critical and high-severity issues, and direct messaging with your tester throughout. You receive a board-ready executive summary, detailed technical findings with evidence, CVSS scores and remediation guidance, and a debrief session.

Because web applications are internet-facing, critical and high-severity findings qualify for free retesting — we verify your fixes at no extra cost. If you release frequently, we can scope regular testing cycles aligned to your development roadmap. And between tests, our continuous vulnerability management service keeps watch over the same assets, so a new weakness does not wait a year to be found.

What you get

OWASP-aligned manual testing

Authentication, authorisation, input validation, business logic and session management tested by CREST-accredited experts.

Full API coverage

REST, SOAP and GraphQL APIs tested for endpoint, authorisation and data-handling weaknesses.

Business logic depth

Human testers find the flaws in how your application works that no scanner can detect.

Real-time findings in Sentry

Issues appear as they are discovered, with immediate alerts for critical and high-severity findings.

Free retesting included

Critical and high findings on your internet-facing applications are retested free once fixed.

Developer-ready remediation

Findings include evidence, CVSS scores and clear guidance your engineers can act on directly.

How it works

  1. 01

    Scoping and agreement

    Complete a short questionnaire tailored to the test type, then join a scoping call with a consultant. You receive a clear proposal and Statement of Work, and your project is created in Sentry. Typically one to two weeks.

  2. 02

    Pre-engagement preparation

    Your consultant is assigned and logistics are arranged: IP whitelisting, credentials, access and rules of engagement. The testing window is scheduled around your business. Typically one week.

  3. 03

    Testing execution

    Expert-led manual testing begins. Findings appear in Sentry in real time as they are discovered, you are alerted immediately to critical and high-severity issues, and you can message your consultant throughout. From two days for a small web application to fifteen or more for enterprise estates.

  4. 04

    Reporting and delivery

    After quality assurance you receive a board-ready executive summary and detailed technical findings with evidence, CVSS scores and remediation guidance, followed by a debrief session. Findings remain in Sentry for remediation tracking and comparison with future tests.

Frequently asked questions

Straight answers to what prospective clients ask us most.

We have a web application firewall — do we still need testing?

Yes. A WAF is a valuable layer, but it can fail or be bypassed, and it cannot fix flaws in the application itself. Penetration testing assesses the underlying application, identifying vulnerabilities a WAF may not protect against.

Do you test APIs as part of a web application test?

Yes. Web applications and their APIs can be scoped together or separately — we test REST, SOAP and GraphQL APIs, covering authentication, authorisation, input handling and the business logic behind each endpoint.

What access do we need to provide?

For most engagements we recommend testing with credentials for each user role, which lets us properly test authorisation between roles and tenants. The scoping questionnaire captures this, and unauthenticated testing can be included alongside.

How long does a web application test take?

A small application typically takes around two days of testing; larger applications with multiple roles and APIs take proportionally longer. We confirm the effort during scoping so there are no surprises.

Which findings qualify for a free retest?

Critical and high-severity findings on internet-facing applications from your original scope. Request the retest through Sentry within two calendar months of your report being released and we will confirm your remediation at no additional cost.

Ready to talk about web application & api?

Get a fixed-scope quote, usually the same working day.