Skip to content

Fit first

Use active testing only when the application and authorization justify it.

Best fit

  • One customer-controlled custom application, portal, SaaS product, or e-commerce application has meaningful functionality.
  • An owner, customer, insurer, or governance process needs active testing within a verified written scope.
  • The organization can identify the application owner, environment, technical contact, and approved user roles.
  • A development team or provider can receive findings and coordinate remediation.

Not the right fit

  • A brochure website or ordinary managed WordPress site with no meaningful custom functionality.
  • A request to test a vendor, customer, competitor, or other third party without verified written permission.
  • An active compromise, forensic investigation, emergency incident, or 24/7 monitoring need.
  • A request for certification, a guaranteed pass, or proof that an application is secure.

Choose the right review

Public signals, diagnosis, and active testing are different services.

Free Website, Domain & Email Risk Check

Free

Limited public-signal triage with no exploit attempts or private access.

Run free public check

Cyber Risk Snapshot

$199

Fixed-scope public diagnosis with a prioritized plain-English report.

Snapshot details

Authorized Web Application Penetration Test

From $4,500

Active, authorized testing of one agreed custom application and its primary APIs.

Request scoping review

Starting scope

A bounded starting point, confirmed before payment.

From $4,500 is a starting price, not a fixed price for every application. The signed scope and Rules of Engagement control the actual work.

  • One customer-controlled application in one agreed environment
  • Staging or a production-like environment preferred
  • Production testing only when explicitly approved in the signed scope and Rules of Engagement
  • Unauthenticated testing and authenticated testing for up to two approved user roles
  • Primary APIs used by the application
  • Automated discovery supporting meaningful manual testing and validation
  • Exact assets, techniques, schedule, price, and stop procedures confirmed before payment or testing

What CyberBit tests

Meaningful manual validation within the agreed application boundary.

Automated discovery supports manual review and validation. Exact techniques depend on authorized scope, application behavior, environment, and stop conditions.

Authentication and sessions

Review approved sign-in, session, sign-out, and recovery behavior within the agreed workflows.

Authorization and roles

Validate whether approved roles can reach functions or records outside their intended permissions.

Input and file handling

Assess scoped inputs, uploads, and server-side handling without destructive changes or bulk extraction.

Business workflows

Manually review meaningful application flows for security-relevant logic gaps automated discovery may miss.

Primary APIs

Test named application APIs, including approved authentication and authorization boundaries.

Transport and configuration

Review relevant TLS, browser-security, error-handling, and exposed configuration behavior.

Deliverables

An actionable report, not a pass badge.

The report records tested boundaries, findings, evidence, limitations, and priorities. It does not certify the application or prove every vulnerability was found.

  • Confirmed scope and testing boundaries
  • Testing methodology and limitations
  • Executive summary
  • Technical findings with severity and prioritization
  • Plain-English business-impact explanation
  • Appropriately masked evidence
  • Client-suitable reproduction or validation guidance
  • Recommended remediation
  • Tested and excluded assets
  • Findings-review meeting
  • One focused retest requested within 30 calendar days of final report delivery
  • Updated status for retested findings

Scope and customer responsibilities

  • Identify authorized business and technical contacts.
  • Verify ownership or obtain permission from every asset owner before scope is signed.
  • Provide an accurate asset and dependency list, including third-party boundaries.
  • Provide approved test accounts through an agreed secure transfer method after contracting, if needed.
  • Coordinate staging readiness, backups, monitoring contacts, and maintenance constraints.
  • Notify cloud, platform, payment, or hosting providers when their policies require it.
  • Keep the agreed stop contact and stop procedure available during testing.

Testing stops when a boundary is uncertain.

  • Ownership, authorization, or scope becomes uncertain.
  • Testing reaches an excluded or third-party-controlled system.
  • Unexpected sensitive data is exposed.
  • Instability, service degradation, or business impact occurs.
  • The customer revokes authorization or invokes the agreed stop procedure.

Standard exclusions

Not included unless separately contracted and explicitly authorized.

  • Denial-of-service, DDoS, load, stress, or request-flood testing
  • Phishing, social engineering, physical security, or wireless testing
  • Internal-network, Active Directory, mobile-application, or cloud-control-plane testing
  • Source-code review
  • Malware deployment, persistence, credential harvesting, or destructive changes
  • Bulk data access or extraction
  • Testing third-party systems without verified permission
  • Incident response or digital forensics
  • Compliance certification or guarantees of security or future outcomes

Pricing drivers

Why the service starts at $4,500.

Complexity changes manual validation, evidence handling, reporting, and retest work. Exact scope and price are confirmed before payment.

  • Application size and number of workflows
  • Authentication methods and user roles
  • API size and complexity
  • Tenant and authorization boundaries
  • File upload, payment, or administrative functionality
  • SSO and third-party integrations
  • Data sensitivity
  • Staging versus production constraints
  • Reporting or deadline requirements
  • Retest scope

Report structure

See how the deliverable is organized.

This is a report-contents preview, not fabricated client results. Evidence is masked appropriately and detailed only for the authorized client.

Section 1

Executive summary

Scope, themes, business significance, and highest-priority decisions in plain English.

Section 2

Scope and methodology

Tested and excluded assets, approved roles, environment, methodology, and limitations.

Section 3

Technical findings

Severity, affected scope, impact, masked evidence, client-suitable validation guidance, and remediation.

Section 4

Prioritized action plan

Recommended fix order, responsible owners, and findings that merit focused retesting.

Section 5

Retest update

Resolved, Partially resolved, Not resolved, or Not retested for each requested original finding.

Remediation remains the client's choice.

  • Use the client's internal development or security team.
  • Use the existing developer, agency, hosting provider, or IT provider.
  • Hire another qualified security provider.
  • Request separately scoped CyberBit remediation.

Focused retest policy

One focused retest of original findings is included when requested within 30 calendar days. Statuses are Resolved, Partially resolved, Not resolved, or Not retested.

It is not a new assessment and excludes new functionality, new assets, expanded roles or APIs, and certification that the application is secure or compliant.

Methodology and authorization references

Methodology is informed by NIST SP 800-115 and the OWASP Web Security Testing Guide. These references do not endorse CyberBit or replace the executed agreement, written authorization, or Rules of Engagement.

Service FAQ

Questions to resolve before requesting scope.

How is this different from the $199 Snapshot?

The Snapshot reviews fixed public website, email, domain, DNS, and account-risk signals. The penetration test performs active, authorized testing of one agreed custom application and its primary APIs under signed scope and Rules of Engagement.

Is every website a good penetration-test candidate?

No. A brochure site or ordinary managed WordPress site usually belongs on the Snapshot and Cleanup path. This service is for custom applications, portals, SaaS products, e-commerce applications, and meaningful authenticated workflows.

Do you test production systems?

Staging or a production-like environment is preferred. Production testing is considered only when explicitly approved in signed scope and Rules of Engagement, with agreed constraints and stop procedures.

What authorization is required?

Before testing, CyberBit requires an executed agreement, verified scope, written authorization from an entity able to grant it, and agreed Rules of Engagement. Third-party assets require separately verified permission.

Do you need passwords?

Not in the public form or ordinary email. If approved test accounts are needed after contracting, CyberBit arranges an agreed secure transfer method.

What happens if a critical issue is identified?

CyberBit follows the agreed communication and stop procedures, limits exposure, and notifies the authorized contact according to the Rules of Engagement.

Does the report prove the application is secure?

No. It is a point-in-time assessment of the agreed scope. It cannot prove every vulnerability was found or represent the company's complete security posture.

Can CyberBit fix the findings?

Remediation is optional and separately scoped. The report and findings review do not require the client to purchase implementation work from CyberBit.

Can another provider perform remediation?

Yes. The client may use its internal team, existing developer or IT provider, or another qualified security provider.

What does the retest include?

One focused retest may verify original findings requested within 30 days. It excludes a new assessment, new functionality, new assets, expanded roles or APIs, and certification.

Why does pricing start at $4,500?

Application size, workflows, authentication, roles, APIs, tenant boundaries, integrations, sensitivity, environment constraints, reporting, and retest scope affect the work. Exact scope and price are confirmed before payment.

Does this provide a compliance certification?

No. It provides authorized technical testing and an actionable report. It is not legal advice, independent certification, a compliance guarantee, or approval from an insurer, customer, or regulator.

Ready to qualify the scope?

Start with a non-authorizing scoping request.

Share high-level context without credentials or sensitive records. CyberBit reviews fit and boundaries before offering an agreement or payment step.