Security audits of web applications and websites

Find vulnerabilities before someone else does. OWASP-based audits, penetration tests and plain-language reports with concrete remediation steps.

Book an audit →

Security isn't solved by a single audit, but you have to start somewhere. We test web applications and corporate websites — from a simple one-pager to complex e-commerce platforms. We hunt for vulnerabilities that lead to data leaks, downtime or reputational damage, and we deliver a clear report you can act on.

When a security audit makes sense

Typical situations where booking an audit beats hoping things will hold up.

Pre-launch audit of a new site

Before launching a new project, we walk through every layer. You get recommendations before anything hits production — fixes at this stage cost a fraction of what they'd cost post-launch.

OWASP Top 10 scan of an existing app

Systematic walkthrough of the most common vulnerability categories (injection, broken auth, XSS, insecure deserialization). Reports include concrete examples from your application, not generic warnings.

Code audit before acquisition

Due-diligence look at the codebase you're buying. We identify technical debt and security risks that affect valuation — no nasty surprises after the deal closes.

Compliance (NIS2, GDPR security)

Preparation for an audit or certification process. We check whether your security controls meet regulatory requirements and recommend specific gap closures for the relevant framework.

API penetration test

Thorough testing of REST/GraphQL APIs covering auth, authorisation, rate limits and injection vectors. Critical for mobile apps, integrations and B2B endpoints.

Authentication-flow audit

Focused walkthrough of the auth flow: password, MFA, password reset, session management, OAuth/SSO. Statistically the most common source of critical bugs.

How the audit runs

Standard flow from kick-off call to final verification report.

  1. Scoping

    We agree what's in scope and what isn't, and clarify what you expect from the report. From this comes pricing and schedule.

  2. Testing

    Manual and automated. We combine tools (Burp, OWASP ZAP, custom scripts) with human reasoning over your specific business flows.

  3. Reporting

    Plain-language document: each finding has impact, reproduction steps, fix proposal and a CVSS score. No generic "fix XSS" — concrete instructions for your developers.

  4. Re-test after fixes

    After your fixes are deployed, we re-run the findings and issue a verification report. You can use that as proof for clients or regulators.

What we work with

Standard pen-tester toolset combined with custom scripts for typical business flows.

Web pen-testing

  • Burp Suite Pro
  • OWASP ZAP
  • Nuclei
  • Metasploit

Standards

  • OWASP Top 10
  • OWASP ASVS
  • CWE
  • CVSS scoring

Code review

  • Semgrep
  • CodeQL
  • manual audit

API testing

  • Postman / Newman
  • custom fuzz tests
  • GraphQL Voyager

Network layer

  • nmap
  • masscan
  • SSL Labs
  • security headers audit

Reporting

  • Markdown + PDF
  • executive summary
  • technical appendix
  • re-test verification

Frequently asked questions

What clients usually ask before booking an audit.

How much does a security audit cost?

Depends on scope. Small marketing site 1–2 days, e-shop 5–10 days, complex SaaS 2–4 weeks. Pricing is always fixed against agreed scope.

Can you test on production, or do you need staging?

Staging is preferred (zero risk of breaking anything). If production testing is necessary, we operate under explicit ground rules: no DDoS, no mass deletes, work hours only.

What if you find a critical bug during the audit?

We call you immediately, before delivering the report. Critical findings are treated as incidents, not as a deferred document.

Do you issue a certificate after the audit?

We issue an attestation letter confirming the audit took place and critical findings have been remediated.

It's not a formal certification (like ISO 27001), but it's usable for your clients' security requirements.

Do you also test mobile applications?

Yes. Mobile testing covers static analysis of APK/IPA, network traffic, local storage, deep linking and certificate pinning. The backend is treated as a separate API audit.

Do you do recurring audits?

Yes, and they are often more useful than a one-off. Quarterly mini-audits of new code are more cost-effective than a single big audit once a year.

Let's see where your site is weak

A free initial call. From it comes the audit scope and a fixed price — no commitment to proceed.

Let's work together

Describe your situation or request and we typically reply within one business day.