Web Application Penetration Testing

Web application penetration testing typically costs between £3,750 and £8,750 depending on application complexity, number of user roles, and scope. A standard single web application test for a small-to-medium application averages £3,750-£6,250 for 3-5 days of testing covering OWASP Top 10, business logic flaws, and API security. Complex applications with multiple user roles, extensive functionality, or custom frameworks typically cost £6,250-£8,750. Multi-application testing (customer portal, admin portal, mobile app backend) ranges £8,750-£13,750+. We provide fixed-price quotes after a scoping call to understand your application architecture and testing requirements.

A vulnerability scan is an automated process that identifies known software vulnerabilities by matching versions and configurations against a database of CVEs. A web application penetration test involves a human tester who understands your application's business logic and actively attempts to exploit vulnerabilities, including flaws that have no CVE entry because they arise from the way your specific application is designed. Scans produce high volumes of findings (many false positives). Penetration tests produce a smaller number of confirmed, exploitable vulnerabilities with proof-of-concept evidence and specific remediation steps. For compliance purposes, most frameworks (PCI DSS, ISO 27001) distinguish between vulnerability scanning and penetration testing. Only a manual penetration test satisfies the requirement for independent security testing.

A standard web application penetration test takes 3-5 business days of testing time, with the full engagement (scoping to report delivery) typically completed within 10-15 business days. Timeline depends on application complexity: a simple web application with two user roles typically takes 3 days; a complex SaaS platform with multiple user tiers, extensive API surface, and custom authentication flows may require 5-7 days. We provide a detailed timeline at scoping. Urgent pre-launch testing can often be accommodated within 5-7 business days.

Yes. PCI DSS v4.0 Requirement 6.2.4 mandates security testing of bespoke and custom software, and Requirement 11.4.2 specifically requires penetration testing of web-facing applications. A web application penetration test conducted by a qualified, independent third party satisfies both requirements. We provide a CREST-certified test certificate and executive summary formatted for direct submission to your Qualified Security Assessor (QSA). If you require penetration testing as part of a broader PCI DSS scoping exercise, see our dedicated PCI DSS compliance testing service.

Automated scanners excel at finding common syntax-based vulnerabilities (XSS, SQL injection patterns) but miss business logic flaws that require human reasoning. Scanners might flag 100+ potential issues (many false positives), but manual testers identify the 5-10 critical issues that actually matter: 'Can User A access User B's orders by changing an ID?', 'Can I purchase items for £0.00 by manipulating the checkout flow?', or 'Can I escalate from basic user to admin by modifying JWT claims?'. These logic vulnerabilities represent 60-70% of critical security issues in modern web applications but are completely invisible to automated tools that only understand syntax, not business context.

If we discover critical vulnerabilities during testing, we keep going. We exploit them to verify the full extent of the risk — that is how you understand the real-world impact. Critical findings are surfaced immediately via the live portal so your team can see them as we work. All findings remain confidential and are delivered via our penetration testing portal with role-based access controls.

Professional penetration testing is designed to be non-destructive and safe: (1) All testing is conducted under signed legal agreement defining scope, rules of engagement, and liability, (2) We use read-only exploitation techniques wherever possible (testing for vulnerabilities without triggering them destructively), (3) Test accounts and dummy data are used instead of real customer information, (4) We maintain detailed testing logs for full audit trail and accountability, (5) CREST certification requires demonstrated competency in safe testing practices, and (6) We carry professional indemnity insurance covering any unintended damage. In 10+ years of testing, we have never caused application downtime or data loss when following agreed testing procedures.

We recommend testing in a staging or UAT environment that mirrors production to avoid any risk to live users. If production testing is required (no staging environment exists, or testing must validate production-specific configurations), we use test accounts, non-destructive payloads, and coordinate timing with your team to minimise impact. We never exfiltrate customer data, store sensitive information, or access data beyond what is necessary to demonstrate vulnerability impact. All testing activities are logged, and findings are delivered via an encrypted portal with role-based access controls. For sensitive production testing, we can conduct testing during maintenance windows or low-traffic periods.

For most organisations commissioning their first web application test, the choice of testing approach depends on what you want to simulate. For web applications, we generally recommend Grey Box (authenticated) testing. Providing credentials allows us to test the deeper logic of the application as a logged-in user, which is where 90% of critical vulnerabilities (IDOR, privilege escalation, business logic flaws) are found. Black box testing simulates an external attacker with zero knowledge, useful for testing login security and public-facing surfaces. White box testing includes source code review, identifying vulnerabilities in code logic before deployment.

Yes, if the web application communicates with an API, we test the API endpoints exercised by the application during normal web browsing. However, this only covers APIs actively used by the web interface. For a dedicated, comprehensive API assessment (covering unlinked endpoints, authentication flows, rate limiting, and OWASP API Top 10), we recommend our dedicated API penetration testing service.

Yes. Our CREST-certified web application penetration testing report is specifically structured to satisfy third-party auditors across ISO 27001:2022 (Annex A.8.8), PCI DSS v4.0 (Requirements 6.2.4 and 11.4.2), SOC 2 Type II (CC7.1), GDPR Article 32, and Cyber Essentials Plus. The report includes an executive summary written for non-technical reviewers, CVSS-scored technical findings, and a compliance mapping section that explicitly cross-references which findings are relevant to each framework. We can also provide a Letter of Attestation if your auditor requires an independent confirmation of testing scope and CREST accreditation status.