Methodology

How we test, mapped check by check.

Every grey-box engagement we deliver follows the Penetration Testing Execution Standard (PTES), the OWASP Web Security Testing Guide v4.2, and the OWASP Application Security Verification Standard Level 2. The table below is the canonical reference our lead testers work from — you'll see the same coverage in your final report.

The seven PTES phases

Every engagement walks through the same sequence. We never skip a phase; we may, with your written agreement, shorten one (e.g. when a production-equivalent staging environment is available, intelligence gathering becomes lighter than it would be for a black-box test).

1. Pre-engagement Interactions
2. Intelligence Gathering
3. Threat Modelling
4. Vulnerability Analysis
5. Exploitation
6. Post-Exploitation
7. Reporting

Coverage by OWASP WSTG family

Each row below shows a single check we run, the PTES phase it lives in, the WSTG section it implements, and the ASVS L2 control it verifies. Your engagement brief drives which categories are included; we never quietly drop coverage you ticked.

Authentication

WSTG-ATHN

Validates every credential-entry path — password, magic link, WebAuthn, MFA, SSO — for bypasses, replay, fixation, and credential-stuffing resistance.

| Check | PTES phases | OWASP WSTG | OWASP ASVS L2 |
|---|---|---|---|
| Password & credential-stuffing resistance: rate-limit verification, breach-list checks, account-lockout / unlock semantics, generic error messaging. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-ATHN-01, WSTG-ATHN-02, WSTG-ATHN-03 | V2.1.1, V2.1.2, V2.2.1 |
| Magic-link / passwordless flows: token entropy, single-use enforcement, expiry, scoping, replay via cached link. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-ATHN-04 | V2.2.2, V2.2.4 |
| WebAuthn / passkey flows: registration ceremony, attestation handling, RP-ID binding, authenticator selection, downgrade attacks. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-ATHN-04 | V2.2.5 |
| TOTP MFA enrol + verify: secret generation, QR-leak risks, rate-limited verification, recovery-code reuse. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-ATHN-09 | V2.8.1, V2.8.2 |
| Session JWT issuance / rotation / fixation: token signing, kid pinning, rotation on privilege change, sign-out-everywhere semantics. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-SESS-01, WSTG-SESS-07 | V3.2.1, V3.3.1, V3.5.3 |

Authorization & Multi-tenancy

WSTG-ATHZ

Validates that workspace, role, and per-field boundaries hold under every realistic vector — direct object reference, cross-tenant API call, scope upgrade, role swap.

| Check | PTES phases | OWASP WSTG | OWASP ASVS L2 |
|---|---|---|---|
| Role-based access enforcement: direct-object-reference probes across every role pair, including silent privilege gain via stale tokens. | P3 · Threat Modelling, P4 · Vuln. Analysis, P5 · Exploitation | WSTG-ATHZ-01, WSTG-ATHZ-02, WSTG-ATHZ-04 | V4.1.1, V4.1.3 |
| Workspace / tenant boundary: cross-tenant read & write probes against every list, fetch, mutation, and webhook endpoint. | P3 · Threat Modelling, P4 · Vuln. Analysis, P5 · Exploitation | WSTG-ATHZ-04 | V4.2.1, V4.2.2 |
| API key scope enforcement: read / read_draft / write / management scope boundary tests; management-key shortcut paths. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-ATHZ-04 | V4.1.5 |

Input Validation

WSTG-INPV

Classic injection family — exercised on every named user-influenced parameter, JSON body, query string, header, and uploaded file.

| Check | PTES phases | OWASP WSTG | OWASP ASVS L2 |
|---|---|---|---|
| XSS (reflected, stored, DOM): entry-title XSS, schema-field-name XSS, visual-edit overlay attribute interpolation. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-INPV-01, WSTG-INPV-02 | V5.3.3, V5.3.4 |
| SQLi / NoSQLi: parameterised query coverage, ORM bypass via raw fragments, search-builder boundaries. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-INPV-05, WSTG-INPV-06 | V5.3.4, V5.3.5 |
| XXE / SSTI / command injection: template engines (Mustache, Handlebars, Liquid), shell-out paths, XML parsers. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-INPV-07, WSTG-INPV-12 | V5.3.6, V5.5.1 |
| Path traversal: file-serving routes, archive-extraction surfaces, blob URL builders. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-INPV-11 | V5.1.4, V12.3.1 |

Cryptography

WSTG-CRYP

Validates TLS, password hashing, JWT signing keys, and stored-secret crypto against current OWASP / NIST guidance.

| Check | PTES phases | OWASP WSTG | OWASP ASVS L2 |
|---|---|---|---|
| TLS configuration: cipher suites, downgrade resistance, HSTS, OCSP stapling, certificate chain. | P2 · Int. Gathering, P4 · Vuln. Analysis | WSTG-CRYP-01 | V9.1.1, V9.1.2, V9.2.1 |
| Password hashing / KDF: algorithm choice, parameterisation, pepper handling, upgrade path on hashing-algorithm change. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-CRYP-03 | V2.4.1, V2.4.3 |
| Key management / rotation: KMS scoping, secret rotation cadence, in-application caching, expired-key handling. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-CRYP-04 | V6.4.1, V6.4.2 |

Business Logic

WSTG-BUSL

Non-injection bypasses — workflow skipping, race conditions, IDOR through legitimate business operations, free-trial abuse, coupon stacking.

| Check | PTES phases | OWASP WSTG | OWASP ASVS L2 |
|---|---|---|---|
| Workflow bypass: skipping required steps via direct API calls; revisiting completed workflows. | P3 · Threat Modelling, P4 · Vuln. Analysis, P5 · Exploitation | WSTG-BUSL-03 | V11.1.1, V11.1.2 |
| Race conditions / TOCTOU: double-spend, double-invite, balance-deduct race, instalment-paid race. | P3 · Threat Modelling, P4 · Vuln. Analysis, P5 · Exploitation | WSTG-BUSL-04 | V11.1.7 |
| IDOR via business operations: object ownership bypass via accept-invite, share-link, export, or webhook payload. | P3 · Threat Modelling, P4 · Vuln. Analysis, P5 · Exploitation | WSTG-BUSL-08 | V4.1.1 |

File Handling & SSRF

WSTG-INPV

Validates the image-proxy, file-upload endpoints, archive extraction, and any fetcher that touches a remote URL.

| Check | PTES phases | OWASP WSTG | OWASP ASVS L2 |
|---|---|---|---|
| File upload validation: content-type sniffing, polyglot files, ZIP slip, oversize, name-collision. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-BUSL-09 | V12.1.1, V12.2.1 |
| SSRF via image proxy / fetcher: cloud metadata, internal address space, DNS rebinding, redirect chains, URL signing bypass. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-INPV-19 | V12.6.1 |

API Surface

WSTG-APIT

REST and GraphQL surfaces under /v1, including webhook delivery and signature verification.

| Check | PTES phases | OWASP WSTG | OWASP ASVS L2 |
|---|---|---|---|
| REST endpoints: OWASP API Top-10 sweep on every documented endpoint (BOLA, BFLA, broken auth, mass assignment). | P2 · Int. Gathering, P4 · Vuln. Analysis, P5 · Exploitation | WSTG-APIT-01 | V13.1.1, V13.2.1 |
| GraphQL endpoints: introspection exposure, query depth/complexity, batched-query attacks, alias-based bypass. | P2 · Int. Gathering, P4 · Vuln. Analysis, P5 · Exploitation | WSTG-APIT-01 | V13.3.1 |
| WebSocket / SSE: origin checks, authentication on upgrade, per-message authorization. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-CLNT-10 | V13.4.1 |

Infrastructure

WSTG-CONF

External-only review of the deployed surface: DNS, TLS, security headers, CSP, CORS, subdomain takeover risks.

| Check | PTES phases | OWASP WSTG | OWASP ASVS L2 |
|---|---|---|---|
| Security headers & CSP: HSTS, X-Content-Type-Options, frame-ancestors, CSP including report-only mode strictness. | P2 · Int. Gathering, P4 · Vuln. Analysis | WSTG-CONF-07 | V14.4.1, V14.4.2 |
| DNS / subdomain takeover: dangling CNAMEs to deprovisioned vendors, dangling A records, MX consistency. | P2 · Int. Gathering, P4 · Vuln. Analysis | WSTG-CONF-10 | V14.1.1 |
| Cloud IAM (read-only review): over-broad role bindings, public buckets, exposed metadata endpoints, secret-in-env detection. | P2 · Int. Gathering, P4 · Vuln. Analysis | WSTG-CONF-11 | V14.2.1 |

Webhook Security

WSTG-APIT

Bidirectional signature integrity — inbound provider webhooks (Stripe, etc.) and outbound delivery to customer endpoints.

| Check | PTES phases | OWASP WSTG | OWASP ASVS L2 |
|---|---|---|---|
| Outbound signature integrity: replay-window enforcement, key rotation, signature algorithm strength. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-APIT-01 | V13.2.5 |
| Inbound signature verification: Stripe-style HMAC validation, timing-safe comparison, raw-body capture timing. | P4 · Vuln. Analysis, P5 · Exploitation | WSTG-APIT-01 | V13.2.5 |

Billing & Entitlements

WSTG-BUSL

Coupon stacking, free-trial loops, subscription-bypass via race, invoice or receipt tampering.

| Check | PTES phases | OWASP WSTG | OWASP ASVS L2 |
|---|---|---|---|
| Checkout / coupon abuse: stacking, expiry bypass, first-time-only enforcement, currency-swap arbitrage. | P3 · Threat Modelling, P4 · Vuln. Analysis, P5 · Exploitation | WSTG-BUSL-06 | V11.1.4 |
| Subscription / entitlement bypass: downgrade-on-renew, gift code redemption races, lifetime tier promotion. | P3 · Threat Modelling, P4 · Vuln. Analysis, P5 · Exploitation | WSTG-BUSL-04 | V11.1.5 |
| Invoice / receipt tampering: PDF signature integrity, server-side total recomputation, immutable line items. | P3 · Threat Modelling, P4 · Vuln. Analysis, P5 · Exploitation | WSTG-BUSL-09 | V11.1.6 |

Audit Trail Integrity

WSTG-ERRH

Log integrity, audit-chain tamper-evidence (e.g. hash-chained event streams), retention enforcement.

| Check | PTES phases | OWASP WSTG | OWASP ASVS L2 |
|---|---|---|---|
| Log / event-stream integrity: privileged-write paths, no-log holes, structured event coverage. | P4 · Vuln. Analysis, P6 · Post-Exp. | WSTG-ERRH-02 | V7.1.1, V7.1.3 |
| Audit-chain tampering: hash-chained rows, replay/insert/delete detection, signed snapshots. | P4 · Vuln. Analysis, P5 · Exploitation, P6 · Post-Exp. | WSTG-ERRH-02 | V7.3.1 |

Reporting standard

Every engagement produces an executive summary (board-ready), a technical findings document with replayable proof-of-concept per finding, and a remediation roadmap with effort estimates. On request we also produce a framework-mapping deliverable (SOC 2 / ISO 27001 / PCI DSS / DORA / NIS2) and a letter of attestation. One re-test of remediated findings within 90 days is included by default.

Ready to scope an engagement?

The intake form takes about 10 minutes and produces an indicative tester-day and price range you can take to procurement.