A manual, methodology-led assessment of your web applications designed to identify exploitable vulnerabilities, validate business impact, and deliver evidence-based recommendations aligned with global standards and Hong Kong regulatory expectations.
Modern web applications are the principal gateway between your business and its customers. They are also the most frequent target of opportunistic and targeted attacks.
A web application penetration test simulates realistic attack scenarios against your in-scope applications, combining automated discovery with extensive manual testing techniques. The objective is to uncover technical vulnerabilities, business logic flaws, and configuration weaknesses that scanners alone will not detect.
Our consultants assess applications from multiple perspectives: unauthenticated external users, authenticated users across different privilege levels, and where appropriate, users with partial knowledge of the environment. This multi-perspective approach provides an accurate picture of risk against both anonymous attackers and malicious or compromised internal users.
Each engagement concludes with a detailed report containing prioritised findings, proof-of-concept evidence, business impact analysis, and clear remediation guidance suitable for both technical and executive stakeholders.
We combine elite offensive cybersecurity expertise with institutional backing to deliver penetration testing that actually drives business resilience.
Our consultants bring deep offensive cybersecurity experience from top-tier global consulting firms, backed by the industry's most rigorous certifications including OSWE, OSCP, eWPTX, HTB CWEE, HTB CWES, and BSCP. We bring world-class execution to every web application penetration testing engagement.
No junior bait-and-switch and no offshore hand-offs. The senior consultants who scope your engagement are the ones executing the test, walking you through findings, and validating your remediation. You get the same expert from kickoff through closure.
Penetration testing requires absolute trust: you are granting access to your most sensitive systems. We are proudly supported by the HKSTP Incubation Programme and the CityU HK Tech 300 Seed Fund, making us a vetted Hong Kong cybersecurity partner with institutional accountability.
We don't deliver 200-page scanner reports. Every penetration testing engagement produces prioritised findings, attack-path narratives, proof-of-concept evidence, and remediation guidance, translated for both your engineers and your board.
Clients engage us when assurance has to be independent, findings have to be actionable, and the outcome has to hold up to auditors, regulators, customers, and the board.
Teams preparing to release new customer-facing or transactional applications and requiring assurance before public exposure.
Organisations preparing for PCI DSS, ISO/IEC 27001, SOC 2, HKMA C-RAF, or SFC cybersecurity examinations that require independent testing evidence.
Organisations re-validating security posture following a reported incident, control failure, or significant architectural change.
Mature security programmes with annual or bi-annual testing obligations to internal risk committees, customers, or regulators.
Engineering and security teams seeking third-party verification following internal testing, bug bounty programmes, or remediation cycles.
Acquirers and investors evaluating the security posture of target organisations' customer-facing applications prior to transaction close.
Every engagement is scoped collaboratively to ensure testing objectives align with business priorities, risk appetite, and regulatory context.
Coverage is structured around the OWASP Web Security Testing Guide, OWASP Top 10, and CWE Top 25. The domains below highlight our core focus areas, but our complete coverage extends far beyond them.
Mapping application surface, fingerprinting frameworks and platforms, enumerating visible and hidden functionality, and reviewing metadata exposure and error-handling behaviour.
Review of TLS configuration, HTTP methods and headers, platform and framework hardening, file and directory exposure, and deployment-level misconfigurations.
Testing of registration, credential policies, username enumeration, account lockout, multi-factor flows, recovery and reset workflows, and credential transmission security.
Horizontal and vertical access control validation, role and privilege boundary testing, insecure direct object references, and privilege escalation paths across user journeys.
Analysis of session token generation, cookie attributes, transmission security, timeout and invalidation behaviour, and resistance to fixation, hijacking, and CSRF.
Injection testing covering SQL, NoSQL, OS command, LDAP, XPath, SSTI, XXE, and SSRF, alongside cross-site scripting, deserialisation, and unsafe file upload handling.
Multi-stage workflow abuse, race conditions, feature-level logic flaws, and client-side weaknesses including DOM-based issues, insecure storage, and client-side trust assumptions.
Our consultants investigate how multiple lower-severity issues can be combined to achieve a higher-impact compromise that would be missed when each is assessed in isolation.
A structured, repeatable methodology that delivers consistent quality, with clear entry and exit criteria at each phase and defined responsibilities on both sides.
Define application boundaries, testing windows, communication protocols, and rules of engagement. Gather technical documentation, confirm authority to test, and agree on the delivery model.
Combined automated scanning and extensive manual testing across the full application attack surface. Critical issues are escalated in real time. All findings are manually verified to eliminate false positives.
A detailed technical report with executive summary, risk-rated findings, business impact analysis, proof-of-concept evidence, and prioritised remediation recommendations.
A structured walk-through of the findings with your technical team, covering issue context, exploitation impact, and remediation guidance. Support for clarification during fix implementation.
Retesting of remediated findings to confirm fixes are effective, followed by an updated risk posture and formal engagement closure. Deliverables are packaged for internal follow-up, audit, and regulatory evidence.
Every engagement produces a comprehensive report designed to serve both technical remediation and executive decision-making.
A non-technical overview of the assessment, key findings, business impact, and recommended priorities, written for leadership, risk, and board-level stakeholders.
Each finding documented with technical description, affected components, exploitation steps, observed impact, and references to relevant standards.
Findings are rated using the Common Vulnerability Scoring System (CVSS) and the OWASP Risk Rating Methodology, combined with business-context adjustments to reflect realistic risk to your organisation.
Screenshots, request/response captures, and step-by-step reproduction details that demonstrate each critical and high-severity issue without ambiguity.
Clear, prioritised recommendations mapped to each finding, including short-term containment and longer-term architectural improvements where applicable.
Every finding is mapped to OWASP, CWE, and where relevant, to regulatory frameworks. This supports audit, compliance evidence, and internal knowledge transfer.
Our methodology is built on internationally recognised testing standards and mapped to the compliance frameworks most relevant to Hong Kong-regulated organisations.
A vulnerability scan is automated and identifies known weaknesses through signatures and pattern matching. A penetration test adds extensive manual investigation. Consultants validate each finding, chain issues together, exploit business logic flaws, and demonstrate real-world business impact. Scanners tell you what might be wrong; a pentest confirms what is exploitable, why it matters, and how far an attacker could go.
We recommend the mode based on your objectives, available documentation, and coverage expectations. Black-box mirrors an external attacker with no prior knowledge, which is realistic but time-constrained. Grey-box provides limited credentials, balancing realism with efficiency; it is the most common choice for authenticated applications. White-box offers full access to maximise depth and coverage, and is ideal for pre-launch assessments and high-assurance environments. For most web applications, grey-box at minimum ensures role-based access controls are fully validated.
All engagements are led by senior offensive security consultants. We do not assign junior operators or outsource execution to third parties. Our consultants hold recognised industry certifications across offensive security and red teaming, including credentials such as OSCE³, OSEP, OSWE, OSCP, HTB CPTS, HTB CWEE, CRTO, CRTE, and CRTP. Every assessment is reviewed by a senior lead before delivery, ensuring consistent technical depth and reporting quality regardless of which consultant is assigned.
Duration depends on application complexity, the number of authenticated roles, and the engagement mode. As a general guide, a focused small-to-medium web application in grey-box mode (2 to 3 roles) typically runs 5 to 10 business days of active testing, plus 3 to 5 days for reporting and review. Larger platforms, multi-tenant applications, or full white-box assessments can extend to several weeks. An accurate estimate is provided during the scoping call based on your specific application and objectives.
Most engagements kick off within 1 to 2 weeks of scoping sign-off, subject to consultant availability and the agreed testing window. Where a regulatory deadline or pre-launch milestone requires a faster start, we will do our best to accommodate and confirm feasibility during the scoping call.
Testing is designed to be non-disruptive. Before execution, we agree on the testing window, excluded actions (e.g., denial-of-service, destructive payloads), and real-time escalation protocols. Higher-risk techniques are coordinated in advance, and critical findings are communicated immediately rather than waiting for the final report. Where production is particularly sensitive, we can test against a representative staging environment or conduct out-of-hours testing on production with an open communication channel throughout. Where you operate a SOC, SIEM, or active monitoring tooling, we share testing source IPs, timing, and signatures in advance so your security team can suppress or contextualise the resulting alerts rather than triaging them as live incidents.
Any sensitive data encountered is handled under strict confidentiality. We do not extract, retain, or reproduce sensitive data beyond what is strictly necessary to evidence a finding, and where possible, data is anonymised in the final report. Credentials provided by you for authenticated testing are held in access-controlled secrets management throughout the engagement, used only for the agreed scope and duration, and confirmed destroyed in writing after engagement closure. All engagement artefacts are stored in access-controlled environments, transmitted over encrypted channels, and securely destroyed after the agreed retention period.
At minimum we require written authorisation to test, confirmed target scope, and a technical point of contact for escalation. For grey-box and white-box engagements, we will also request credentials across relevant user roles, architectural or design documentation where available, and access to non-production environments where applicable. A kick-off call is held before execution to align on approach, and we maintain a dedicated communication channel throughout the engagement for queries and real-time escalation.
Unless explicitly agreed during scoping, the following are generally excluded: denial-of-service and volumetric load testing, destructive payloads against production data, social engineering and physical intrusion, and testing of third-party hosted services or SaaS platforms outside your direct control. Testing is strictly confined to the agreed target scope, and exploratory testing of adjacent systems is never performed without prior written authorisation.
Yes. A complimentary retest is included with every engagement. After you have applied remediation, we re-examine each confirmed finding to verify that fixes are effective and that no regressions have been introduced, and issue an updated report reflecting closure status for each item. The retesting window is agreed with you during scoping to align with your remediation plan.
Yes. On request, we issue a formal Letter of Attestation summarising the engagement scope, testing period, methodology followed, and high-level outcome. The attestation is suitable for audit, regulatory submission, and third-party assurance purposes, including PCI DSS, SOC 2, ISO/IEC 27001, and HKMA-related obligations.
Schedule a scoping call with our specialists to define the right engagement model for your applications, regulatory context, and timeline. We will walk you through methodology, deliverables, and next steps.