Expert testing

Web app & API specialists

Thorough testing of web applications and APIs requires deep knowledge of how applications are written, configured, and integrated, and modern testing standards require access to source code. This is where we specialise.

Precision pen testing services that fit

Specialist expertise and experience

We have a particular focus and specialisation in web apps and APIs, including e-commerce web stores. We cover everything from modern apps that leverage frameworks, IaaS, and aPaaS, to very large legacy systems, in any deployment configuration.


Source code supported testing

Modern app testing standards require that testers have access to application and IaC source code, and for good reason. We have extensive experience working across all leading languages and frameworks, and produce superior testing ROI as a result.


Web app & mobile standards

Whether testing to a formal standard, or searching for common vulnerabilities to a fixed budget, we have extensive experience with leading testing standards, which facilitate clear assurance levels and a deep knowledge of testing coverage requirements.


Privacy is our business

Almost all our web app & API testing engagements involve access to customer source code, and we have strong policies and practices across the business that give our customers total confidence in the privacy of their closed-source repos.

Web & Mobile Testing Standards

OWASP ASVS and MASVS offer the most comprehensive and widely-recognised standards for testing web & mobile apps & APIs, and we are experts in testing to these standards.

ASVS

Application Security Verification Standard

Originally launched in 2008 through a global community collaboration, the ASVS defines a comprehensive set of security requirements for designing, developing, and testing modern web applications and services.

Following the release of ASVS 4.0 in 2019 and its minor update (v4.0.3) in 2021, the recently released v5.0 represents a significant milestone, modernised to reflect the latest advances in software security.

  1. Pen testing available from Level 1 “Hybrid” to Level 3
  2. ASVS Level 2 and 3 certifications also available

MASVS

Mobile Application Security Verification Standard

The OWASP Mobile Application Security Verification Standard (MASVS) is the industry standard for mobile application security.

Providing a comprehensive set of security controls used to assess the security of mobile apps across various platforms (Android, iOS), it is currently in v2.1.

  1. Pen testing available from Level 1 to Level 2

Service packages

Flexible engagements to suit your testing and budget requirements

INCLUDES

  1. Expert pen testing for websites, apps, APIs, and eCommerce
  2. Security assurance when it matters most
  3. Thorough testing based on globally recognised standards like OWASP ASVS, MASVS, and OSSTMM
  4. Tailored testing to match your specific requirements
  5. Certified testers with top industry credentials
  6. The highest levels of threat detection and assurance
  7. Ideal for business-critical web applications and systems
  8. Essential for e-commerce web stores, financial services, and healthcare

INCLUDES

  1. Testing by the same experienced, certified testers
  2. Referencing OWASP Top 10 and SANS/CWE Top 25 latest lists
  3. Suitable for marketing/CMS websites, or when cost is key
  4. This is what most other pen testing service providers offer
  5. So, compare us on this service only

INCLUDES

  1. Testing to a nominated PTaaS budget and testing frequency per year
  2. We pen test requested features or functionality on agreed schedules
  3. Useful for rapidly evolving web sites, web apps, and APIs
  4. Can operate as outsourced red teaming in collaboration with your in-house DevSecOps
  5. Can optionally replace Essentials testing where more frequent mini-tests are considered optimal for the target

INCLUDES

  1. Plan and specify the parameters of your Bug Bounty programme
  2. Publish a responsible disclosure policy and framework
  3. Incentivise a wide range of diverse testers and researchers
  4. phew’s pen testers triage reports and intermediate with participants
  5. Providing insulation from false positive reports and beg bounty speculators
  6. Creating a sufficient structure and service to learn about vulnerabilities rapidly

Types of vulnerabilities

Web app & API common weaknesses

Most vulnerabilities are created in the application's source code and IaC, and we're particularly good at finding those and recommending remediations. Common categories include:

Broken Access Control (BAC)

Insecure Direct Object Reference (IDOR)

SQL Injection (SQLi)

Cross-site Scripting (XSS)

Sensitive Information Disclosure

Frequency of Testing

At least annually

All frameworks and standards that require pen testing expect that testing will be performed at least annually. However, the most appropriate testing frequency depends on various considerations, including:

How business-critical is the target?

How rapidly is the target changing?

What assurance/confidence level is required?

What is the stakeholder risk appetite?

What is the pen testing budget, and does it include PTaaS or a Bug Bounty?

Outputs

We take pride not just in our testing but also in the quality and usefulness of our reporting outputs and engagement.

Details

Full depth reporting

Our primary output is an in-depth report covering all aspects of the in-scope targets, testing standards, discovered vulnerabilities, recommended remediations, and other system hardening advice.

Actionable

Enumerated findings

Each type and instance of vulnerability is enumerated to assist with understanding, planning, and tracking remediations, both within a testing cycle and between periodic tests over time.

Summarised

Stakeholder reporting

We understand that pen test reporting is typically too technical and too sensitive to share with non-technical or external stakeholders, so our engagements include reporting written specifically for this purpose.

More

Advisory support

We are also available to support remediation as well as secure architecture planning, drawing on our extensive experience across many examples of secure design, implementation, and SSDLC.

“...consistently excellent across every round of testing... always helpful and highly collaborative”
VP Engineering
Commercial Property Management SaaS

Better Penetration Testing

Get clear insights on your current risks, what to fix, and what matters most to keep your business secure, stable, and scalable.
