Use this when: a customer asks for a pentest and the useful scope is not clear.
We first review what may need testing and why, what access is available, what limits apply, and what result is needed. Then we test the agreed scope.
Examples: web app, API, exposed system, admin panel, or customer-facing product flow.
If it is only a questionnaire, use customer security response. If the issue is product operations, use product security setup.
Plan
- Target.
- Access.
- Test goals.
- Limits.
Test
- Login and roles.
- API and app behaviour.
- Business logic.
- Common weaknesses.
Output
- Scope.
- Risk map.
- Findings.
- Fix notes.
- Customer summary.
Not included
- Broad red-team work.
- Certification or legal opinions.
- Full product design review.
- Fixing all issues.
Typical timeline: 1-2 weeks.
Budget: €4k-€9k.