Pospíšil Petr | CyberPOPE Independent Consultant | Cybersecurity Architect & vCISO
Web & API Security Testing

Web & API Penetration Testing

Find vulnerabilities in your application before attackers do.
Manual testing of web apps and APIs. Fixed price after scoping. Retest always included.

Supportive service · part of the retainer

Engagement Model

Engagement options

Every formal web and API pentest I conduct strictly follows the OWASP Testing Methodology. You receive a rigorous, compliance-ready report to confidently share with your customers and stakeholders.

Option A

Official Penetration Test

Best for compliance, vendor audits, and major deployments.

  • Priced in advance from the approximate size of the application
  • Higher cost, with a dedicated testing window booked ahead
  • Needs planning so testing time can be allocated
  • Rigorous, methodology-backed report you can share

Option B

Fast-Track Consultation

Best for active development and quick reviews.

  • Fast and ad-hoc, with quick response
  • Billed by the hour, very flexible scope
  • Backed by immediate NDA signing
  • Simple, read-only system access

Inside a retainer: with a Retained Security Partner retainer you do not have to pick. I choose the right option and schedule it for you at the best time and budget, so the heavier official pentest lands when it genuinely adds value and the fast-track review covers everything in between.

Scope

What's in scope

Browser-facing web applications and the APIs behind them. We confirm which of these apply during scoping.

Web Applications

Authentication bypass, broken access control, XSS, SQL injection, and business logic flaws in browser-facing apps.

REST APIs

Auth bypass, BOLA, BFLA, injection, mass assignment attacks.

GraphQL

Introspection abuse, batching attacks, authorization bypasses, complexity limits.

WebSocket APIs

Message injection, CSRF, authentication persistence, per-message authorization checks.

Microservices

Service-to-service trust, gateway bypass, JWT flaws. On request.

Findings mapped to: OWASP Web Top 10, OWASP API Top 10

Requirements

Access and accounts I need

Required inputs

Application URL and access

For web applications: the URL and one test account per role. A non-production environment is preferred.

OpenAPI / Swagger specification

For APIs: an OpenAPI / Swagger specification or equivalent REST documentation. If none exists, I treat it as an undocumented API and scope accordingly.

Application logic overview

What does each endpoint do? What business process does it support? What data does it handle?

Role & permission matrix

List every user role and what each can access, modify, create, and delete. Example:

# role_matrix.txt
Role     Read      Write     Admin
Guest    public    none      none
Reader   own data  none      none
Editor   own data  own data  none
Admin    all       all       full

Multi-tenancy boundaries (if applicable)

Which data is isolated per organisation or user? What must never cross tenant boundaries?

Preferred (reduces testing time)
  • Non-production environment access
  • One test account per role (pre-created)
  • Sample test data that can be safely manipulated

Why role definitions matter

Authorization flaws (BOLA, BFLA) are the most common critical findings in API testing. I find them by knowing what each role should access - then proving it can access things it shouldn't.

Without a role matrix, I spend time guessing your access model instead of testing vulnerabilities. That time increases the price.
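An added example (not the consultant's own tooling) of how the role matrix format above can drive authorization checks: it parses the matrix, then flags constructed sample responses that grant more than the matrix allows, labelling function-level overreach BFLA and object-level overreach BOLA. The scope ranking and the observed-results tuple shape are assumptions for the example.

```python
import re

# Copy of the matrix format shown on this page (cells separated by 2+ spaces).
ROLE_MATRIX = """\
Role     Read      Write     Admin
Guest    public    none      none
Reader   own data  none      none
Editor   own data  own data  none
Admin    all       all       full
"""

# Assumed data-scope hierarchy: a role granted "all" may also touch own/public data.
SCOPE_RANK = {"none": 0, "public": 1, "own data": 2, "all": 3, "full": 3}


def parse_role_matrix(text):
    """Parse the aligned matrix into {role: {action: granted_scope}}.
    Splitting on runs of two or more spaces keeps 'own data' as one cell."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())[1:]
    matrix = {}
    for line in lines[1:]:
        cells = re.split(r"\s{2,}", line.strip())
        matrix[cells[0]] = dict(zip(header, cells[1:]))
    return matrix


def is_allowed(matrix, role, action, scope):
    """True if the matrix grants `role` the `action` at the requested data scope."""
    granted = matrix.get(role, {}).get(action, "none")
    return SCOPE_RANK[granted] >= SCOPE_RANK[scope]


def find_violations(matrix, observations):
    """observations: (role, action, scope, http_status) tuples.
    A 2xx response the matrix does not allow is a finding: BFLA when the role
    has no grant for that action at all, BOLA when it reached data beyond its scope."""
    findings = []
    for role, action, scope, status in observations:
        if 200 <= status < 300 and not is_allowed(matrix, role, action, scope):
            kind = "BFLA" if matrix[role][action] == "none" else "BOLA"
            findings.append((kind, role, action, scope))
    return findings


# Constructed sample results standing in for responses recorded during a test.
OBSERVED = [
    ("Reader", "Read", "own data", 200),   # expected behaviour
    ("Reader", "Read", "all", 200),        # another user's record readable -> BOLA
    ("Reader", "Write", "own data", 201),  # reader allowed to write -> BFLA
    ("Editor", "Admin", "full", 403),      # correctly denied, no finding
    ("Guest", "Read", "public", 200),      # expected behaviour
]
```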

Documentation quality affects price

A well-structured OpenAPI spec + role matrix = I test vulnerabilities, not map your API. Undocumented or non-standard API = additional discovery work → reflected in the final quote.

Pricing

Indicative pricing

There is one offering - a full web and API pentest. The price depends on the scope we define together. Final quote issued after a free scoping call.

Starting from €1,900 (exact quote after scoping)

Always included:
  • Full OWASP Web & API Top 10 coverage
  • Business logic & auth flow testing
  • BOLA / BFLA / mass assignment checks
  • Executive summary for management
  • Technical findings with reproduction steps
  • Full retest after remediation - no extra charge
  • Debrief call with your dev team
  • Optional: remediation consulting (retainer)

What affects the final price

Application & API Surface

Number of pages, endpoints, roles, and protocols (web, REST, GraphQL, WebSocket). More surface = more time = higher price.

Documentation

Swagger / OpenAPI spec significantly reduces scoping time. Undocumented APIs require more reconnaissance and are priced higher.


Lead Time

Booking a slot at least 3 weeks in advance allows better planning and is reflected in the quote. Urgent engagements carry a premium.


Fixed-price quote issued after the call. No surprises.

Process

How We Collaborate

01 Scoping call + documentation review

We review your API docs, role matrix, and architecture. I issue a fixed-price quote. No surprises.

02 Environment setup

You provide non-production access and one test account per role. I confirm scope and rules of engagement.

03 Manual testing

I test your API against the OWASP API Top 10 and custom scenarios derived from your role matrix and business logic.

04 Report delivery

Executive summary for management. Technical findings with reproduction steps and remediation guidance for your dev team.

05 Debrief call + full retest

We walk through findings together. After you remediate, I retest every finding at no extra charge.

A one-off assessment answers a single question. A Retained Security Partner retainer schedules these assessments for you at the best time and budget, so testing keeps pace with how your business changes.

Scope a test

Start with a free 30-minute scoping call. I'll tell you what I need, what I'll test, and what it will cost - before you commit to anything.


Prefer a steady monthly rhythm over one-off invoices? See the Retained Security Partner retainer.