External network pentest
Internet-perimeter assessment per PTES + NIST SP 800-115: enumeration, vulnerability analysis, manual exploitation of exposed services, credential attack chains, and the breach scenario your CISO needs to see written down.
Services
Manual penetration testing by OSCP/OSCE/CREST-credentialled testers against the standards your auditors and customers actually expect: PTES methodology, OWASP ASVS L1–L3 for web, OWASP MASVS for mobile, OWASP API Security Top 10 2023, CIS Benchmarks for cloud. Every finding scored on CVSS v4.0 with business-risk context, a board-readable executive summary, JIRA-importable remediation tracker, and a free retest within 90 days. Reports designed for SOC 2 CC4/CC7 evidence, PCI DSS Req 11.4, HIPAA §164.308(a)(8), EU AI Act Article 15 and DORA TLPT. Tests from 5,500 EUR.
Automated scanners catch the noise; humans catch the bugs that ship. Our engagements are manual, hypothesis-driven, and follow PTES (Penetration Testing Execution Standard) end-to-end — pre-engagement, intelligence, threat modelling, vulnerability analysis, exploitation, post-exploitation and reporting. Every finding ships with a working PoC, a CVSS v4.0 vector that includes Threat and Environmental metrics, and a remediation block your developers can ticket on Monday morning. Reports survive enterprise procurement, audit fieldwork and cyber-insurance underwriting because the methodology is documented and the testers are named.
OWASP ASVS L1/L2/L3 coverage: authentication, session management, access control (including BOLA/IDOR), input validation, business logic abuse, file handling, API surface, and all ten OWASP Top 10 2021 categories with active exploitation.
OWASP MASVS coverage with MASTG test cases: platform interaction, data storage, cryptography, network, authentication, code quality, resilience (root/jailbreak detection, anti-debug), and the IPA/APK static + dynamic analysis your store reviewers also do.
OWASP API Security Top 10 2023: BOLA (API1), Broken Authentication (API2), BOPLA (API3), Unrestricted Resource Consumption (API4), BFLA (API5), SSRF (API7), Security Misconfiguration (API8), Improper Inventory Management (API9). REST, GraphQL and gRPC.
AWS/GCP/Azure against CIS Benchmarks plus the provider Well-Architected Framework security pillar: IAM, encryption, logging, network exposure, secret management, container/serverless config, and the cross-account/cross-tenant boundary review.
Executive summary, methodology with PTES phases and ASVS/MASVS/API Top 10 chapters cited, findings with CVSS v4.0 vectors and PoC, attack narrative, JIRA-importable remediation tracker, and one free retest within 90 days with reissued clean letter.
Week 0: scoping call, signed Rules of Engagement (target list, allowed techniques, time windows, emergency contacts), test accounts provisioned, source-code access for grey/white-box where in scope.
Days 1–N: PTES-driven manual testing with named lead and shadow tester, daily status updates, immediate notification of any Critical finding with a working PoC, screenshot evidence captured throughout.
Within 5 business days of test end: draft report, technical debrief call with engineering, executive debrief with leadership, final report shipped as PDF + JIRA-importable CSV remediation tracker.
Within 90 days: free retest of every High and Critical finding, clean retest letter reissued for hand-off to procurement/auditor. Annual bundles add quarterly cadence and continuous retest per quarter.
Five business days testing + report. Internet-perimeter scope, up to ~50 hosts, PTES methodology, CVSS v4.0 scoring, executive + technical report, free retest within 90 days. 5,500 EUR.
Eight business days. Single web application, OWASP ASVS L2 default (L3 +30%), authenticated multi-role testing, full OWASP Top 10 + business logic, report and retest included. 8,500 EUR.
Seven business days, single platform (iOS or Android). MASVS L1+R, static + dynamic analysis, runtime instrumentation (Frida/Objection), report and retest. Both platforms together: 13,500 EUR. Single: 7,500 EUR.
Six business days. Single API surface (REST/GraphQL/gRPC), OWASP API Security Top 10 2023, authenticated multi-role testing, report and retest included. 6,500 EUR.
Six business days. Single AWS, GCP or Azure account, CIS Benchmark + Well-Architected security pillar, IAM/encryption/logging/network review, hardening backlog. 7,000 EUR.
Any combination of four tests across the year with priority scheduling, continuous retest within each quarter, year-end executive summary across all engagements, named relationship lead. 22,000 EUR/year.
Threat-Led Penetration Testing (DORA TLPT, CBEST, TIBER-EU) and red team engagements quoted separately on a custom-scope basis. NDA and signed Rules of Engagement before any testing begins.

Annual pentest evidence packaged for CC4.1 monitoring and CC7.1 vulnerability identification — report accepted by every major audit firm.
Annual external/internal pentest per Req 11.4.3 and segmentation testing per Req 11.4.5 — scoped and reported the way your QSA expects.
§164.308(a)(8) technical evaluation evidence, with findings traceable to Security Rule safeguards and OCR-defensible remediation tracking.
GDPR-aligned · ISO 27001 ready · SOC 2 Type II in progress · HIPAA-capable · OSCP/CREST-led
Every engagement is led by a named OSCP/OSCE/CREST-credentialled tester. Automated scanners run in support to maximise coverage, but the findings that matter come from manual hypothesis testing and chained exploitation.
PTES-cited methodology, OWASP standard chapters, CVSS v4.0 vectors, named testers and credentials, retest letter format that maps to SOC 2 / PCI / HIPAA evidence requirements. No back-and-forth with the audit firm.
Findings are written for the developer who has to fix them: minimal repro, root-cause analysis, code-level guidance, JIRA-importable. Engineering teams close findings instead of arguing with the report.
For continuous assurance, the annual bundle pairs you with a relationship lead who learns your stack across the year — each quarter's test builds on prior findings rather than restarting from scratch.
It depends on your attack surface. External network pentest (PTES methodology, NIST SP 800-115) covers internet-exposed infrastructure — DNS, mail, perimeter services, exposed admin interfaces. Web app pentest covers your application logic and is scoped against OWASP ASVS (Application Security Verification Standard): L1 for opportunistic threats, L2 for most SaaS applications handling sensitive data, L3 for high-assurance sectors (healthcare, fintech, defence). Mobile pentest follows OWASP MASVS (Mobile ASVS), covering platform (iOS/Android) controls, network, cryptography, authentication and code quality. API pentest follows the OWASP API Security Top 10 2023 (BOLA, broken authentication, BOPLA, unrestricted resource consumption, etc.) and tests authentication and authorisation at the request level. Cloud config audit reviews AWS/GCP/Azure against CIS Benchmarks plus the provider-specific Well-Architected Framework security pillar. Most SaaS companies need web app + API + cloud config annually, plus mobile if you ship a mobile app.
Our lead testers hold a combination of OSCP (Offensive Security Certified Professional — practical 24-hour exam), OSCE/OSEP (more advanced exploitation), CREST CRT/CCT (UK industry-recognised, accepted by HMG and Bank of England CBEST), and where relevant CISSP for the senior advisor role. Why it matters: an OSCP-holder has demonstrably exploited multi-host environments under time pressure; an automated scanner has not. Enterprise procurement, Bank of England CBEST, EU TIBER-EU, and most cyber-insurance underwriters now ask for named credentialed testers on the engagement, not just a firm's marketing claim of 'certified professionals'.
Every finding is scored on CVSS v4.0 (the current FIRST-published version, whose vector includes Threat and Environmental metrics plus the Safety/Automatable/Recovery supplemental metrics). We also assign a contextual business risk rating, because CVSS alone misses tenant isolation and data-classification context. The report contains: an executive summary readable by the board; a methodology section citing the PTES phases and the ASVS/MASVS/API Top 10 chapters tested; a findings section with reproduction steps, CVSS vector, business impact and prioritised remediation; an attack narrative reconstructing the path an attacker would take; and an appendix of testing evidence. We also deliver the remediation tracker as a JIRA-importable CSV.
Yes — every engagement includes one free retest within 90 days of the report. We re-execute the proof-of-concept for every High and Critical finding, verify the fix, and reissue a clean retest letter you can hand to enterprise procurement or an auditor. Out-of-scope retests (more than 90 days, or expanded scope) are quoted at 30% of the original engagement. For continuous assurance, the annual 4-test bundle includes quarterly cadence and continuous retest within each quarter.
SOC 2 expects a regular pentest as evidence for CC4.1 monitoring and CC7.1 vulnerability identification; our reports are accepted by every major audit firm. PCI DSS v4.0.1 Req 11.4.3 requires external/internal penetration testing annually and after any significant change; Req 11.4.5 requires segmentation testing (annually for merchants, every 6 months for service providers). HIPAA does not name 'penetration test' explicitly, but §164.308(a)(8) requires periodic technical evaluation — pentests are the de-facto evidence. EU AI Act Article 15 requires accuracy, robustness and cybersecurity testing; DORA (Regulation (EU) 2022/2554) imposes Threat-Led Penetration Testing (TLPT) on significant financial entities from January 2025. We map every finding to the relevant control so the report does double duty in audits.
Per-engagement pricing. External Network Pentest is 5,500 EUR (5 business days testing + report) — internet-perimeter scope, up to ~50 hosts. Web Application Pentest is 8,500 EUR (8 days) — single application or tightly scoped multi-app, ASVS L2 by default. Mobile Application Pentest is 7,500 EUR (7 days) — iOS or Android, MASVS L1+R; both platforms quoted together at 13,500 EUR. API Pentest is 6,500 EUR (6 days) — single API surface, OWASP API Top 10 2023. Cloud Configuration Audit is 7,000 EUR (6 days) — single AWS/GCP/Azure account, CIS Benchmark + provider Well-Architected security pillar. Annual 4-test Bundle is 22,000 EUR — any combination of four tests through the year with priority scheduling, continuous retest, and a year-end executive summary across all engagements. Free retest within 90 days included on every engagement.