Planned scope
When our first engagement commences, the scope will cover:
External application pentest
Black-box testing of the production web application and public API endpoints, focused on the OWASP Top 10.
Authentication testing
Login, 2FA, passkeys, OAuth, magic links, session handling, account enumeration, timing attacks.
Authorization testing
IDOR, broken object-level authorization, privilege escalation, tenancy isolation.
Infrastructure review
Terraform review, network segmentation, IAM bindings, Workload Identity Federation configuration, CMEK and Secret Manager access.
Cadence (planned)
| Activity | Cadence |
|---|---|
| External pentest | Annually |
| Remediation validation retest | 30 days after each pentest |
| Internal red-team exercise | Annually (after the first pentest) |
| Ad-hoc pentest after major changes | Within 30 days of architecture changes |
What we’ll publish
- Executive summary (on this page) — scope, methodology, high-level findings count by severity.
- Remediation status — every high/critical tracked here until closed.
- Detailed report (under NDA) available to customers on request.
Our defensive testing today (without a pentest)
We don’t consider automated tooling a substitute for adversarial testing, but it’s what we run in the interim:
- Brakeman SAST — every commit, blocking merge on medium+ severity.
- bundler-audit + npm audit — every CI run.
- Trivy config scan — every Terraform change.
- ESLint security plugins and `no-unsafe-*` rules — every PR.
- gitleaks — every commit.
- License compliance scanning — every PR.
- Test coverage requirements — 90% backend, 80% frontend.
- Global Pundit authorization enforcement — 48 policy files.
- Cloud Armor WAF (OWASP CRS v3.3) — at the edge in production.