Also known as WEB PT, or applicative PT, it focuses on testing applicative systems such as websites, API infrastructures, external and internal business systems and web interfaces.


The testing process simulates an attacker attempting to compromise the systems (with no prior knowledge, or with partial prior knowledge) with the malicious intent of data theft, system shutdown, information disruption or fraud. The test is performed according to the current OWASP methodology and logic, which is the international standard in the field, covering the following categories:

  1. Broken access control.
  2. Cryptographic failures.
  3. Injection.
  4. Insecure design.
  5. Security misconfiguration.
  6. Vulnerable and outdated components.
  7. Identification and authentication failures.
  8. Software and data integrity failures.
  9. Security logging and monitoring failures.
  10. Server-side request forgery (SSRF).

Who would be possible candidates for this test?

  • Companies that want a professional assessment of whether attackers can break into their application systems
  • Companies whose customers require a PT test certification
  • Development teams that need continuous testing and assistance in managing findings

What are the benefits?

  • Examination of the system by an application security testing specialist, with a detailed report of the findings and guidance on remediating the weaknesses discovered.
  • Compliance with customer requirements and with regulations such as privacy protection laws, GDPR, HIPAA and cyber insurance requirements.

Unfortunately, software development and information security do not necessarily go hand in hand, so security weaknesses can arise in the delivered product. It is both worthwhile and vital to ensure that your systems comply with recognized international cyber security standards.

What are the highlights of the test?

As part of the testing, all required categories are checked, including:

  • Checking user access and permissions.
  • Verifying the quality of hardening, both inbound and outbound.
  • Examining communication security.
  • Attempts to take over the system.
  • Reviewing the system's resistance to hostile code injection.
  • Attempts to circumvent application logic.
  • Attempts to take control of the database.
  • Attempts to access source code and confidential data.

An application penetration test requires a tester with internationally recognized certifications and more than 2 years of experience. Professional experience has a decisive impact on the number of findings and on the ability to assess their severity - professionalism should never be gambled with! Always verify that the pentester is an employee of the company, holds the necessary certifications and is covered by professional liability insurance.