Async Pentest
Async Pentest helps busy developers improve application security in a streamlined and cost-effective way.

Know you need to check the security of your pre-production web applications and APIs, but not sure where to start?

"There is only one way to eat an elephant: a bite at a time."

We do bite-sized penetration tests of your higher-risk software features, seamlessly within your development workflow. No boring security reports, just succinct, practical video feedback to enhance your code and application security skills.
Avoid cyber indigestion
Security Testing That Fits Your Development Process
Async Pentest is the practical alternative to full-scope penetration tests for developers who want to improve application security in a manageable way. Our service enables you to secure your pre-production web applications and APIs incrementally, feature by feature. This focused approach is budget-friendly and provides the rapid security feedback loop essential for continuous integration and deployment. With Async Pentest, you gain the benefit of expert penetration tests when and where you need them, keeping your delivery pipeline flowing smoothly without the all-or-nothing overhead of traditional security audits.
Resource and Time Limitations: Smaller teams often face challenges with limited resources and time, making comprehensive security testing difficult without impacting development.
Cost and Scope Complexity: Full-scope testing can be expensive and complex, especially for companies without specialised security staff.
Integration and Rapid Development: Integrating extensive test feedback into fast-paced development cycles can be challenging, potentially slowing down progress.
Risk Management and Compliance: Narrowing down critical vulnerabilities in a broad test scope and meeting compliance standards can be overwhelming for smaller teams.
External Reliance: Heavy reliance on external consultants for comprehensive testing can lead to gaps in in-house security expertise and continuity.
Bite-Sized Security Testing
Our service delivery model and payment structure are low-commitment and straightforward.
Only pay for penetration testing of the features you want tested.
Async Pentest transforms how you approach independent security testing, enabling early defect detection through a systematic, incremental process that tests specific pre-production features.

Control Your Security Timeline: With pre-production penetration testing, you decide when to tackle potential vulnerabilities, eliminating rushed fixes in production. This proactive strategy keeps development on track and improves workflow efficiency.

Predictable Pricing: Our simple pricing model, based on the scope of the software feature, gives clear cost predictability. We make a back-of-the-napkin estimate of the feature's attack surface, considering its size and complexity, derived from your description of the feature, the business rules it should enforce and our testing experience. This translates to quick and transparent pricing, aligned to feature scope.

Developer-Centric Feedback: Beyond testing, the service includes post-test feedback videos tailored to developers. These videos deepen security awareness by dissecting each vulnerability in terms of how it was discovered, its implications and its remediation strategies, fostering a culture of proactive security within your team.

Safeguard Your Reputation: Proactively identifying and resolving vulnerabilities before they affect your users significantly mitigates risk to your customers and protects your brand's integrity.

Stakeholder Confidence: Independent testing of high-risk features reassures investors and partners of your commitment to cybersecurity, strengthening stakeholder trust.
PAYG Feature Security Testing
What's Included
Experience expert security testing streamlined through asynchronous collaboration, eliminating the need for time-consuming meetings. Through our intuitive client portal, you stay fully informed and confidently in control of the penetration testing process. Expect clear, regular updates that fit your schedule, so you're always up to date and engaged at a pace that works best for you.
Expert Penetration Testing of one or more agreed features of your web application or API
A Flexible Start Date with no upfront scheduling required. Use our client portal to inform us when your feature is ready for testing, and we'll place it in our work queue for the upcoming week
Results are typically delivered within five business days after tests commence
Receive a customised video walkthrough highlighting any vulnerabilities in your feature, suggested strategies for effective mitigation and how to catch this bug earlier in development
On request, a PDF download stating the scope and tally of results - suitable for you to share with 3rd parties
Securely manage and track work, review and communicate privately in our client portal
Subsequent feature penetration tests include a complimentary re-test of the fixes implemented from your previous feature test, ensuring thorough validation.
How Does It Work?
We have a well-defined, repeatable engagement workflow that puts you in control. Each Feature Penetration Test is represented visually as a Card moving across your Tasks board, accessible in your client portal. Read how it works below.
Scope an Async Pentest by adding a card to the scoping column of the Tasks Kanban board within the client portal. On the card, describe the feature and any business security rules so we can size it (feel free to upload a short video/link to Loom). We'll review and reply on the card to agree on the scope and price.
Approve the test by moving the card to the billing column and then we'll send over a payment link.
Pay for the test and on receipt of funds, we move the card to waiting.
Stage the feature for us to test and let us know by moving the card to the queued column. Your feature test is now in our queue.
We'll pick it up from the queue within a business day or two and signal that testing has started by moving the card to testing. Once testing starts, turnaround is typically five business days for small to medium features and up to ten business days for large ones. During active testing, the portal's integrated instant messaging (IM) lets us communicate in real time, so we can troubleshoot access issues together or discuss high-severity findings as they arise.
After testing completes we'll move the appropriate Card to the done column, and you'll be notified that your feedback video is ready and waiting.
This process ensures that you have full control over what gets tested and when. No testing commences without your explicit approval.

Here's a screenshot of our client portal. This is where we centralise all communications, activity and files. You'll have your own dedicated area, private to your organisation.
Got a question? Check our Frequently Asked Questions
Expertise you can Trust
Async Pentest is operated by Craig Balding, former Red Team lead for General Electric and Security CTO for Barclays Group PLC. Numerous startups, SaaS providers, banks and government entities have trusted Craig to security test their applications, systems and private networks.
"Penetration tests drive the most positive outcomes when they are clearly scoped, have a tight feedback loop between penetration tester and developer and are supported by management. In turn, this drives efficient execution, rapid risk remediation and developer awareness. This service was inspired by valuable feedback from developers during numerous feature-level penetration tests, which were conducted as components of wider engagements."

The cost of full-scope penetration tests by independent experts can be prohibitive for smaller firms. Async Pentest provides security expertise to developers in an accessible, bite-sized way, on demand.

Our testing methodology combines human-driven automation and manual testing. We rely heavily on Chrome DevTools, Burp Suite Pro, custom scripts and extensions to ensure comprehensive coverage. Our approach is backed by over two decades of penetration testing experience, and we draw on a wide range of techniques from reputable sources such as the OWASP Web Security Testing Guide (WSTG).
walk the talk
Practice Makes Perfect
Over the past five years, we have had the privilege of conducting over 100 penetration tests across a diverse array of industries and sectors. This extensive list showcases not just the volume of our penetration testing work, but more importantly the trust others have placed in our hands-on cybersecurity skills and experience. From government authorities to innovative tech startups, each test has been a unique challenge, contributing to a rich tapestry of field experience. Below is an anonymised snapshot of these engagements, highlighting the variety and complexity of the environments and systems we have worked with.
Travel Site
HR Platform
Legal Tech Firm
Children's Charity
Nonprofit's Website
Data Center Security
IT Solutions Provider
National Arts Council
Nonprofit's Gift Shop
Real Estate Platform
Hotel Booking Engine
Online Travel Agency
Government Authority
Fuel Retailer Platform
Charitable Organisation
Service Automation Tool
Team Collaboration Tool
Compliance Management
Tax Compliance Software
National Exhibition Centre
Local Government Council
Global Trade Bank's Portal
Mental Health Chatbot App
Maritime Safety Application
Property Management Firm
Financial Services Provider
Financial Analytics Platform
Inventory Management App
Financial Solutions Provider
Financial Counseling Service
Employee Wellbeing Platform
Accounting Software Provider
Customer Service Bot API/Web
Mental Health Support Platform
Private Healthcare Provider App
Local Government Housing App
Multinational Shipping Company
Educational Resources Provider
Employee Engagement Platform
Global Goal-setting Organization
Financial Analytics Platform API
Private Healthcare Provider App
Data Storage Solutions Provider
Global Goal-setting Organization
Email Marketing Service Security
Financial Regulatory Compliance
Virtual Reality Education Platform
Financial Data Solutions Provider
University Single Sign-On System
Maritime Safety Solutions Provider
Real Estate Management Software
HR Management Software Provider
Global Trade Bank's Access Control
Financial Analytics Insights Platform
Healthcare Patient Management App
University Data Management System
Customer Service Automation Platform
Educational Council's Candidate Portal
National Newspaper's Payment System
Telecommunications Pre-billing System
Local Government Management System
University Financial Management System
Global Trade Bank's Customer Onboarding
National Packaging Recycling Organization
University's Financial Management Internal
Service Automation Command Line Interface
Global Trade Bank's Customer Experience Platform
Digital Media Platform - Web & File Transfer Security
Pay by the Feature
The price of a feature penetration test depends primarily on the size and complexity of the feature from a security testing perspective. In short, the more inputs the feature accepts and the more business security rules it is designed to enforce, the bigger the testing scope. To keep pricing simple, Async Pentest uses "T-shirt size pricing", linked to the size and complexity of penetration testing your software feature. Each price stated below is per single feature tested.
Small
€300 / $300 / £250
Good for a simple feature with limited user interactions, or a minor update with explicit boundaries; for example, adding a new login method or a password reset feature. Typically includes up to 3 user input fields, no more than 2 roles impacted, and up to 3 backend endpoints.
Medium
€600 / $600 / £500
Suitable for features with some complexity, such as a user profile update system involving multiple fields, or a basic reporting dashboard. Involves 4 to 8 user input fields, more than 2 roles or permission levels, and up to 6 backend endpoints.
Large
€900 / $900 / £750
Fits features with considerable functionality, such as an e-commerce checkout process, or a multi-step registration flow with various checks and data-processing steps. Includes 9 to 15 user input fields, affects multiple user roles and permissions, and involves up to 10 backend endpoints. Allow up to 10 business days for results.
Extra Large
€1200 / $1200 / £1000
Single feature bigger than large.Allow up to 10 business days for results.
CUSTOM
From our years of expertise, we'll help you through step-by-step. Then we can discuss where you may want to go next.
Scope Your First Feature Penetration Test
Fill out our quick scoping form below. Even better, record a short video walkthrough of the feature, wireframe or user story and share the link below. I'll reply with the estimate and an invite to join the client portal.
Not sure which of your web application or API features to test first? Here's a way to prioritise:
In-House Developed Security Features: Prioritise security functions and features your team has developed internally, as these may pose the highest risk.
Core Security Functions: Focus on critical functions such as handling sensitive data, user authentication, and custom application communications.
Important Business Flows: Rank these features by importance to business operations and start with the most critical.
Integrations: Consider any third-party components integrated into your system, especially if they play a role in security or data handling.
FAQ
What is Async Pentest offering?
Pay-as-you-go feature-level penetration testing of your web apps and APIs, before you deploy to production. Post-test, we provide a developer-oriented video covering the findings, fix suggestions and how to prevent similar issues in future code.

Are you testing features already in production?
We will, but only in a test or staging environment. Outside of Async Pentest, I conduct full-scope penetration tests of production services. Contact me for an estimate (5K+). I currently do not offer feature penetration tests of production services.

How is feature scoping determined?
The scope of each feature is determined from your description and the business rules you specify it should enforce. We categorise the feature as Small, Medium or Large on its Kanban card, giving our rationale for the classification. We welcome any additional information that refines our understanding. We may respectfully decline the assignment should our perspectives not align.

What preparation should we do in advance of the feature penetration test?
1. Ensure our test IPs can reach the pre-production environment where the feature will be accessible.
2. Create test credentials if authenticated testing is required. In application security, 'east-west' testing covers interactions between users within the same tenant, checking that one user cannot access or interfere with another user's data. 'North-south' testing covers privilege escalation within a single tenant, checking whether a user can gain unauthorised access to higher-level privileges or data.
To prepare for these tests, provide test accounts that reflect the different user roles and permissions in your application, so that both user-to-user (east-west) and privilege escalation (north-south) controls can be assessed. If your application is multi-tenant, we strongly recommend setting up two separate test tenants, each with test users in the roles and permissions relevant to the feature being tested. This lets us assess the controls within each tenant (east-west and north-south) as well as between tenants, to confirm strict data segregation and access control. If this sounds too complicated, start simple and provide a test account for each user role relevant to the feature. In many cases this is just one test account.
3. Populate the environment with representative but synthetic test data. Do not include real data containing Personally Identifiable Information (PII); we do not accept liability for the resulting privacy risks.
4. Disable, or exempt our test IP from, any rate limiting, intrusion prevention or other controls that would limit the efficiency of our testing.

What do I get if you don't find any vulnerabilities?
When we test a feature, we form security observations. Even if we find no exploitable vulnerabilities, your post-test feedback video will cover those observations, and we'll call out the positive practices that make your feature a challenging target, i.e. practices you should repeat. If we find good security but poor UX, we'll suggest alternative ways to implement the same control objective in a more user-friendly way.

How long is the feedback video?
No set length, as each feature test is different. I'm aiming for 10-20 minutes, but it could be longer if there are many findings.

What if we have questions after we receive your feedback video?
Ask questions underneath the video attachment in your client area and I'll respond there. Please keep questions succinct.

What does the retest process involve?
To encourage repeat business, we offer a complimentary retest of the fixes you've implemented from your previous feature penetration test. The retest verifies the security improvements made in response to your prior feature test; list them on the Kanban card you create for your new feature test. The retest is conducted concurrently with the penetration test of your next feature, not as a separate event. Our focus is to verify the effectiveness of your fixes and to check for fix bypasses. The results, including confirmation of successful fixes or any new findings, are detailed in the feedback video for the current test.

Do you test 3rd party services?
No, we do not conduct penetration tests directly against third-party services. Testing any service requires legal consent, which for third parties can be complex and challenging to obtain. To ensure compliance with legal and ethical standards, our focus is solely on the features and components developed and owned by your organisation.

Can you test our service if it's hosted with a third-party provider?
Yes, we can perform penetration testing on services hosted on third-party platforms, subject to your terms and agreements with your hosting provider. Typically, providers allow penetration tests on client-specific workloads, provided they do not threaten the provider's infrastructure or other customers. Our testing focuses on your application or API feature, not the underlying infrastructure, which usually makes such testing permissible. However, your provider might have differing rules or specific requirements, such as advance notification or certain precautions, that you must comply with. Review your provider's policies on penetration testing and communicate any necessary information to us beforehand, to ensure compliance and avoid disruption.

Do you guarantee to find all potential vulnerabilities?
No, it is not possible to guarantee the identification of all vulnerabilities. Software is complex and its state space is large, so some vulnerabilities may not be detectable within the scope of our testing. Be wary of any service that promises otherwise.

Do you run Denial of Service or stress tests?
Not as part of Async Pentest. We can estimate for this separately; please contact us for an estimate.

Can you guarantee on-time delivery of results for my urgent deadline?
We can meet your deadline, provided certain conditions are met:
- Confirmation of payment received on our end.
- Consistent and reliable access to test the feature in your pre-production environment.
- Testing initiated at least five business days prior to your deadline, or ten business days in the case of large features.
Barring any unforeseen circumstances beyond our control, we are committed to delivering your results on time.

How unique is each penetration test?
As you'd expect, our methodology remains consistent, but the specific attack points and tactics adapt to the feature and the business rules it should enforce. This is not a "vulnerability scan" service: an experienced penetration tester manually engages with the target feature, attempting a wide range of tests and adapting to the responses received.

Why should we trust the security of your client portal?
The client portal is powered by Basecamp from 37signals, selected for their long and strong security track record and transparency around key controls. We recommend you enable 2FA when you sign up for your account. Access to our portal is free of charge via our invite; you do not need a paid Basecamp subscription. If you suspect your account credential is compromised, please inform us immediately.

What forms of payment do you accept?
Bank transfers. We have local EUR, GBP and USD accounts, so you should incur no international transfer costs. We do not accept PayPal or credit card payments at this time. If that's a deal breaker, get in touch.

Can I receive a refund if I cancel my test?
Yes, you can receive a refund if you cancel before testing begins. However, a 10% fee will be deducted from your refund to cover pre-testing expenses. Once testing has commenced, refunds are not available.

Do you offer discounts?
As a service business operating on a PAYG basis, it's tough to see how we can discount our service. If you have a high volume of features, get in touch and describe your scenario.
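The east-west, north-south and cross-tenant checks described under preparation in the FAQ above can be expressed as an authorization test matrix. The Python below is an added example, not Async Pentest's own tooling and not code from this page: the two tenants (acme, globex), the users, the record IDs and the two request handlers are all constructed for illustration. It runs a deliberately weak handler and a hardened one against every actor/record pair, with and without a tampered role parameter, and groups each mismatch between observed and expected access by the boundary the request crosses.

```python
"""Authorization test matrix for a multi-tenant feature.

Added example, not Async Pentest's tooling: the tenants, users, records
and the two request handlers are constructed to illustrate east-west,
north-south and cross-tenant checks against a set of test accounts.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    role: str  # "admin" or "member"


@dataclass(frozen=True)
class Record:
    id: int
    tenant: str
    owner: str


# Constructed fixture: two test tenants, each with an admin and member(s),
# and one private record per user (record IDs 1..5 in user order).
USERS = {
    u.name: u
    for u in (
        User("alice", "acme", "admin"),
        User("bob", "acme", "member"),
        User("carol", "acme", "member"),
        User("dave", "globex", "admin"),
        User("erin", "globex", "member"),
    )
}
RECORDS = {i: Record(i, u.tenant, u.name) for i, u in enumerate(USERS.values(), start=1)}


def expected(actor: User, rec: Record) -> bool:
    """Business rule the feature should enforce: admins may read anything in
    their own tenant, members only their own records, nothing crosses tenants."""
    if actor.tenant != rec.tenant:
        return False
    return actor.role == "admin" or actor.name == rec.owner


def get_record_vulnerable(actor: User, rec_id: int, claimed_role: Optional[str] = None) -> Record:
    """Hypothetical weak handler with two common mistakes."""
    rec = RECORDS[rec_id]
    role = claimed_role or actor.role  # bug 1: trusts a client-supplied role
    if role == "admin":
        return rec  # bug 2: the admin path never checks the tenant
    if rec.owner == actor.name:
        return rec
    raise PermissionError("forbidden")


def get_record_fixed(actor: User, rec_id: int, claimed_role: Optional[str] = None) -> Record:
    """Hardened handler: the role comes from the server-side session only
    (claimed_role is ignored) and the tenant check runs before any role logic."""
    rec = RECORDS[rec_id]
    if rec.tenant != actor.tenant:
        # A real API would return 404 here so IDs in other tenants do not leak existence.
        raise PermissionError("forbidden")
    if actor.role == "admin" or rec.owner == actor.name:
        return rec
    raise PermissionError("forbidden")


def dimension(actor: User, rec: Record) -> str:
    """Which authorization boundary a request from actor for rec crosses."""
    if actor.tenant != rec.tenant:
        return "cross-tenant"
    owner = USERS[rec.owner]
    if owner.name == actor.name:
        return "own"
    return "east-west" if owner.role == actor.role else "north-south"


def run_matrix(handler) -> Dict[str, List[Tuple[str, int, bool]]]:
    """Exercise every (actor, record) pair, with and without role tampering,
    and group mismatches between observed and expected access by dimension.
    Each failure is (actor name, record id, tampered)."""
    failures = defaultdict(list)
    for actor in USERS.values():
        for rec in RECORDS.values():
            for tampered in (False, True):
                try:
                    handler(actor, rec.id, "admin" if tampered else None)
                    allowed = True
                except PermissionError:
                    allowed = False
                if allowed != expected(actor, rec):
                    failures[dimension(actor, rec)].append((actor.name, rec.id, tampered))
    return {dim: sorted(rows) for dim, rows in failures.items()}


if __name__ == "__main__":
    for label, handler in (("vulnerable", get_record_vulnerable), ("fixed", get_record_fixed)):
        print(label, run_matrix(handler) or "no authorization failures")
```

Running it prints the vulnerable handler's failures grouped by dimension and none for the fixed one. The grouping is what makes the matrix useful to a developer: cross-tenant failures that occur without tampering point at the missing tenant check on the admin path, while east-west and north-south failures that appear only when the role is tampered point at trusting a client-supplied role. The hardened handler fixes both by taking the role from the server-side session and checking the tenant before any role logic.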
Threatspotting Kft. Company #01-09-384530.
Registered office: 1112 Budapest, Brassó út 19, Hungary
© Threatspotting Kft. 2023-2024