Quality and expertise
Raising standards in pen testing
Our team of certified experts delivers quality penetration testing engagements that meet the most demanding standards of testing, reporting, service, and assurance.
Trusted by our global customers since 2017, we work with teams who want more than a box-ticking exercise: teams who care about quality engagements and stronger security standards.
Why phew?
phew was deliberately built as a specialist practice, and our reputation rests on our professional approach, transparency, and an ability to stand behind work that really matters.
Our focus is on higher standards in testing and delivery, because rigorous, standards-based testing delivers real assurance rather than a box-ticking exercise.
We believe this leads to safer, better products and stronger trust in the tech ecosystem.
Right-sized pen testing that fits
Target types
Our experienced testers are web app and API specialists holding the highest industry credentials, skilled at testing all types of targets and systems to the most stringent global testing standards.
Our specialisation
Source code supported web app & API testing
Our trusted team has wide experience across all major web application languages, frameworks and deployment environments, supporting the most in-depth testing and the most efficient use of testing time and budget.
Highest assurance
Testing to global standards
We are experts in methodical, audit-style pen testing against internationally recognised standards, including OWASP ASVS and MASVS, to provide the highest assurance level. This is ideal for business-critical targets and is trusted by high-demand industries such as financial services and healthcare.
Web app experts
Web sites and apps of all types
Our testers have extensive experience across the full range of web sites and web application platforms, from sites built on all the leading CMS solutions to framework-based and fully customised applications and APIs.
API experts
Web API testing
However your API services are delivered and authenticated, our team has direct and extensive experience with your approach, from complex OAuth 2.0, OIDC and SAML 2.0 based custom implementations to SSO and IDaaS integrations with claim- and scope-based authorisation models.
Secure online shopping
E-commerce stores
Our extensive experience with the full range of e-commerce solutions, PaaS and aPaaS platforms, and diverse payment gateway integrations will help strengthen the security and robustness of your webstore, including:
- Adobe Commerce Cloud (Magento) specialist testing
- Payment gateways integration assurance
- PCI DSS compliance testing
Native application testing
Mobile applications
We provide standards-based testing of mobile front-end applications and back-end API services of all types, with particular expertise in:
- iOS/iPadOS
- Android
- Flutter
- React Native
We're also really good at
- Complex Active Directory corporate and enterprise networks
- Microsoft Entra ID (formerly Azure Active Directory) hybrid networks
- Citrix VDI SOE solutions
- Azure Virtual Desktop (AVD) infrastructures
Methodology types
We offer flexibility in testing methodology according to your security goals and budget, from traditional standards-based testing through to PTaaS and Bug Bounty related services, and everything in between.
- Standards-based OWASP ASVS, MASVS
- Essentials OWASP Top 10 & CWE/SANS Top 25
- PTaaS to your timings and budget
- Bug Bounty services managed by phew
Results focussed
Our professional, detailed reports not only enable your technical teams to understand and remediate issues quickly, but also clearly define the type and scope of testing performed, providing evidence of your testing programme and security posture for regulatory, compliance, sales, and customer relationship purposes.
Industry & government
Regulatory compliance
Testing outputs that satisfy diverse regulatory compliance needs, such as industry-specific or government regulations that increasingly require independent verification of application and network security.
Service providers
SOC 2 pen testing
We provide pen testing engagements that are ideal for satisfying the requirements of SOC 2 Type I and Type II compliance and audits, whether the goal is to meet the minimum requirements for assessment or to achieve a higher assurance level.
Framework compliance
ISO 27001:2022 pen testing
Pen testing of public and private networks, as well as all web-facing services, is key evidence of a strong ISMS for ISO 27001 purposes, and we deliver testing engagements to suit the specific needs of both initial certification and surveillance audits.
Payment card network
PCI DSS audit pen testing
phew has strong experience in fitting pen testing engagements to the specific PCI DSS requirements, from detailed Cardholder Data Environment (CDE) pen testing to payment gateway integration testing.
Sales & customer success
Customer & sales assurance
Our professional reporting includes high-quality outputs specifically intended for sharing with prospects and customers, demonstrating a strong pen testing programme and security posture without disclosing more than necessary.
MSPs, SaaS providers
Vendor/service provider testing
Leading IT and software MSPs and SaaS providers can build stability and demonstrate their robust approach to security and privacy through a programme of proactive, periodic pen testing of their services and infrastructure.
Data breach risks
Privacy breach risk testing
Breaches of data and privacy regulation increasingly bring reputational damage as well as direct financial and other sanctions, and regular pen testing is a key layer of defence against costly headlines and penalties.
Governance reporting
Director & board assurance
Our accessible engagements and understandable reporting give directors and governance teams assurance and confidence that your organisation is taking all reasonable steps to avoid and mitigate risks.
Frequently Asked Questions
Penetration testing can be confusing and feel inaccessible.
Here’s a clear breakdown of what matters, so you can choose the right approach and keep moving on your security journey.
When should we choose Standards-based vs Essentials testing?
It depends on the assurance level you require and the risk profile of the targets being tested.
Standards-based testing is crucial for critical systems, sensitive data, compliance requirements, or simply high assurance scenarios.
Essentials testing is for focussed, budget-conscious risk reduction. It concentrates on the OWASP Top 10 and CWE/SANS Top 25, covering the most common and highest-impact vulnerabilities at a lower cost.
Both use the same experienced team; the difference is in depth and scope, not quality.
Why is source code supported testing better than black box testing?
Source code supported testing gives testers direct visibility into how an application is constructed, allowing them to design more targeted test cases that cover internal logic, edge cases, and code paths that black box testing might never reach.
This leads to faster defect identification, higher code coverage, and greater confidence that the software has been thoroughly validated, not just at the surface level, but deep within its core logic.
Source code supported testing generally means the available testing time is used far more efficiently, so you get deeper coverage for the same budget. It is also expected by the standards themselves: OWASP ASVS verification at Level 2 and Level 3 assumes access to documentation and source code, precisely because of the coverage this adds.
Our source code is extremely sensitive - How do I know it is safe during a pen test?
phew operates under the strictest practices.
Source code access is granted to a single named tester, who places the code within a single sandboxed environment for visual inspection and analysis by the other assigned testers. That environment has, for example, no inbound or outbound internet access, no clipboard transfer, and watermarked screens.
Code is never accessed from or copied to any other location (no PCs, cloud storage, or public AI tools), and is always permanently and irretrievably deleted after each round of testing.
We’re also happy to discuss specific security arrangements, including NDA terms, before you engage.
What do we actually get at the end of a test?
You get a comprehensive report setting out all identified vulnerabilities, in summary and in full, along with clear, actionable remediation advice and wider hardening recommendations.
For each finding we show you what the issue is, why it matters, how to reproduce it, and how to fix it, and we communicate proactively throughout. All findings are accompanied by severity ratings and evidence.
How is pen testing different from automated scanning tools?
Automated tools are good at finding known patterns, but like any tool they are only part of the story. They also produce many false positives and a lot of overall noise, which can be hard for teams to sift through.
Pen testing remains a skilled, manual process that simulates real attackers: finding logic flaws and authentication weaknesses, chaining issues together, and using human judgement to identify how your system could actually be compromised. That is where the real risks live.
Will testing impact our systems or customers?
No. We work exclusively in staging or equivalent non-production environments, which is a core part of what makes our testing more thorough: free of the risks and constraints of production systems, we can test offensively and comprehensively.
We define scope, timing, and testing methods with you up front to minimise disruption, and communicate clearly throughout, so there are no surprises.
Expert pen testing
Get clear insights into your current risks, what to fix, and how to prevent the same issues recurring
Help keep your organisation secure, stable, and focused on what matters most
