Hard2bit
OWASP · ASVS · PTES · MITRE ATT&CK · NIS2 · ENS

Penetration testing in Barcelona: technical audit with regulatory rigor

Hard2bit delivers penetration testing services to companies operating in Barcelona and the rest of Catalonia: web applications, APIs, cloud, external and internal infrastructure, Microsoft 365, WiFi and mobile review when applicable. The service is designed to validate real impact, prioritize exploitable risk and deliver a remediation plan useful for both engineering teams and leadership, mapped to NIS2, ENS, ISO 27001 and DORA.

Spanish cybersecurity company founded in 2013. The security audit service is part of Hard2bit's own certified scope under ENS High category (Royal Decree 311/2022) and ISO/IEC 27001:2022, audited by an ENAC-accredited body. We apply real frameworks — OWASP Top 10, OWASP ASVS, OWASP API Security Top 10, OWASP MASVS, PTES, NIST SP 800-115 and MITRE ATT&CK — and map findings to the regulatory framework that applies to each client.

  • Web applications and APIs
  • Cloud (AWS, Azure, GCP)
  • External and internal infrastructure
  • Microsoft 365 and Entra ID
  • Corporate WiFi
  • Mobile (iOS/Android) on demand
  • NIS2 · ENS · ISO 27001 · DORA
13 years in cybersecurity
Own ENS High + ISO/IEC 27001 certification
OWASP · PTES · MITRE ATT&CK frameworks applied
Retest of critical and high findings included

Types of pentesting

Modalities we cover

Not every company needs the same scope. The choice depends on architecture, accepted risk and applicable regulation. This is the catalog of common modalities and when they apply. For deeper methodology see also the pentesting pillar page.

Web application pentesting

Review of web applications and corporate portals against OWASP Top 10 and OWASP ASVS, with focus on business logic, access control, session management and sensitive data exposure.

API pentesting

Audit of REST, GraphQL and gRPC APIs following the OWASP API Security Top 10. Authentication, object-level authorization, rate limiting, error handling and excessive data exposure.

Cloud pentesting (AWS, Azure, GCP)

Review of cloud configuration, IAM, network segmentation, secrets management, bucket/object exposure and overall posture (CSPM). Aligned with CIS benchmarks and vendor guidance.

External infrastructure

Identification of internet-facing attack surface: services, vulnerabilities, certificates, exposed management panels, shadow-IT services and third-party dependencies.

Internal infrastructure

Pentesting from an internal foothold (assumed breach): effective segmentation, Active Directory exposure, privilege escalation, lateral movement and paths to critical assets.

Microsoft 365 and Entra ID

Review of identity configuration, MFA and conditional access, Exchange Online, SharePoint, Teams, Defender and Purview. Detection of insecure default configurations.

Corporate WiFi

Audit of WPA2/WPA3 Enterprise, guest network segmentation, captive portals, EAP and credential exposure. Validation of isolation between corporate and guest networks.

Mobile (iOS/Android) on demand

Static and dynamic analysis of in-house mobile apps following OWASP MASVS and MSTG: communications, local storage, cryptography, authentication and obfuscation.

Why Barcelona

Why companies in Barcelona need pentesting

Barcelona concentrates technology companies, SaaS, e-commerce, manufacturing, healthcare, education and professional services with growing digital exposure. In this context a pentest cannot just be running automated tools: it has to validate real impact, prioritize exploitable risks and deliver a remediation plan useful to both engineering teams and business owners. The 22@ district, Pier01, Tech Barcelona and the network of corporate hubs have put the city on the European software map, raising the threat level along with it.

The difference between a pentest that pays off and one that sits in a drawer comes down to methodological rigor, human validation of every finding and the quality of the remediation plan. That is what we are audited against every year under our own ENS High and ISO/IEC 27001 scope, and what we apply to every project.

Why Hard2bit

What makes us competent for pentesting

Spanish company with ENS High + ISO 27001 in scope

The security audit service is part of Hard2bit's own certified scope under ENS High category (Royal Decree 311/2022) and ISO/IEC 27001:2022, audited by an ENAC-accredited body. The methodology we apply to clients is the one we are audited against every year.

Same team for pentesting, audit and response

Pentesting, vulnerability management, incident response and digital forensics are delivered by the same team. That removes inter-vendor handovers and means a critical finding gets contained in hours, not weeks.

Real frameworks, no marketing

OWASP Top 10, OWASP ASVS, OWASP API Security Top 10, OWASP MASVS, PTES, MITRE ATT&CK and NIST SP 800-115. Connected with NIS2, ENS, ISO 27001 and DORA where applicable. We document which controls we validate and how.

Service to companies across Catalonia

We deliver pentesting to companies operating in Barcelona and the rest of the Catalan territory, with the same methodology and deliverables we apply to regulated clients nationwide.

Methodology

How we run a project

01. Scope and rules of engagement

Inventory of in-scope assets, testing windows, technical and escalation contacts, sensitive data that must not be touched, success criteria and depth level (black, grey or white box).

02. Reconnaissance and passive analysis

OSINT, attack-surface discovery, technology identification, dependencies and prior exposure before active testing. Reduces noise and focuses effort on what has real impact.

03. Exploitation and impact validation

Technical testing with OWASP, ASVS, MASVS and MITRE ATT&CK. Every finding is validated in depth to distinguish theoretical vulnerability from real exploitable risk, avoiding the typical false positives from automated scanning.

04. Technical report, executive report and remediation plan

Technical report with evidence, executive report for leadership and a remediation plan prioritized by impact, effort and technical dependencies. Closing session, online or on-site, to align actions with the client team.

05. Retest after remediation

Free retest of critical and high findings after remediation within the agreed window. Formal closure when residual risk falls inside the leadership-defined appetite.

Pentesting vs. scanning: scanning is an automated tool that produces long lists with high false-positive rates. Pentesting is a professional service with human validation, prioritization by real impact and an actionable plan. One is the starting point; the other is the serious evaluation.

Frameworks and references

Applied standards

The service draws on international frameworks with real weight before an auditor or regulator. That methodological base is what makes the report defensible and the plan resilient to the next NIS2 inspection, ISO audit or DORA supervision.

OWASP Top 10 and OWASP ASVS

International references for web application auditing. Top 10 lists the critical vectors; ASVS defines L1/L2/L3 verification levels with auditable requirements.

OWASP API Security Top 10 (2023)

Specific framework for auditing REST, GraphQL and gRPC APIs. Covers typical risks around object-level authorization, mass assignment, rate limiting and excessive data exposure.

OWASP MASVS and MSTG

Mobile Application Security Verification Standard and Testing Guide. Reference standard for iOS/Android app audits, covering communications, local storage and cryptography.

PTES and NIST SP 800-115

Penetration Testing Execution Standard and the NIST guide to technical security assessment. They define the process phases (reconnaissance, modeling, exploitation, post-exploitation, reporting).

MITRE ATT&CK

Matrix of adversarial tactics and techniques. Used to model realistic threats, justify test depth and map findings to known attacker behaviors.

NIS2 · ENS · ISO 27001 · DORA

Regulatory frameworks requiring periodic technical testing for essential entities, classified public systems, certified organizations and European financial entities.

Sectors

Sectors with a Barcelona footprint where we deliver pentesting

These are the verticals with the strongest concentration in Catalonia and where demand for technical testing is most explicit through regulation, customer pressure or operational exposure.

SaaS and technology

SaaS product companies, B2B platforms, fintech and startups with corporate customers that need to demonstrate maturity through pentests with auditable contractual scope.

E-commerce and retail

E-commerce platforms, marketplaces and omnichannel retail with massive customer-data exposure, payment gateways and operational dependency on 24/7 availability.

Industry and manufacturing

Industrial plants with IT/OT convergence, control systems connected to corporate networks and NIS2 obligations for manufacturing sectors classified as essential or important.

Healthcare and private health

Hospitals, private healthcare groups, diagnostic centers and clinical research with special-category personal data and growing exposure to sector-specific ransomware.

Higher education and research

Universities and research centers with complex exposure surface, federated identity management and sensitive data from research or academic records.

Financial services and fintech

Entities subject to DORA, fintechs with European passport, neobanks and payment platforms with specific obligations for technical testing (TLPT when applicable) and operational resilience.

When it makes sense

Typical scenarios

  • Before pushing an application or API to production
  • After major architectural changes
  • As an annual assurance exercise
  • After an incident, to confirm containment
  • When a customer, auditor or regulator asks for evidence
  • To meet NIS2, ENS, ISO 27001 or DORA requirements

FAQ

Frequently asked questions about pentesting in Barcelona

What is a pentest and when does it make sense to commission one?

A pentest is a controlled technical exercise in which professionals reproduce the actions of a real attacker to identify exploitable vulnerabilities, validate their impact and deliver a remediation plan. It makes sense before putting an application into production, after major architectural changes, as an annual assurance exercise, after an incident, or when a customer, auditor or regulator requires evidence of technical testing.

Is pentesting the same as a vulnerability scan?

No. A vulnerability scan is an automated tool that produces long lists of findings without validating impact, with a high false-positive rate. A pentest is a professional service in which a human team validates each vulnerability, chains weaknesses together, prioritizes by real exploitable risk and delivers an actionable plan. The scan is a starting point; the pentest is the serious evaluation.

Does Hard2bit serve companies in Barcelona and the rest of Catalonia?

Yes. We deliver pentesting and other cybersecurity services to companies operating in Barcelona and across Catalonia, with the same methodology, documentary scope and deliverables we apply to regulated clients nationwide. The service combines remote work with online or on-site closing sessions depending on project needs.

How long does a pentesting project take?

It depends on scope. A focused web application usually takes 2 to 4 weeks, including fieldwork, validation, reporting and a closing session. A broad pentest combining external, internal, web, APIs and M365 can run 6 to 10 weeks. Scope is agreed with the client before sign-off so that the calendar is realistic rather than commercially driven.

Does the report work as evidence for NIS2, ENS, ISO 27001 or DORA?

Yes. The report documents scope, methodology (OWASP, ASVS, PTES, NIST SP 800-115, MITRE ATT&CK), technical evidence collected, prioritized findings and remediation plan. It is designed to integrate with an existing management system (ISO 27001, ENS) and serve as evidence of technical testing required by NIS2 (Art. 21), ENS (MP.SW.1 onwards), DORA (Art. 24-27, including TLPT when applicable).

Is there a risk of impacting service availability during the test?

Minimal when properly planned. The most invasive tests (denial of service, aggressive brute force) run in agreed windows or pre-production environments. A direct contact channel is available during the testing window to stop immediately if unexpected behavior appears. The default policy is "don't break, validate".

What's the difference between black, grey and white box?

Black box: the team gets no prior information, simulating an external attacker without credentials. Grey box: receives user credentials and partial documentation, simulating an attacker with limited access or a curious employee. White box: receives privileged credentials, source code and architecture, maximizing technical depth. The choice depends on the goal: external coverage, post-access validation or in-depth audit.

How does a pentest differ from a Red Team engagement?

A pentest focuses on finding and validating technical vulnerabilities within a defined scope, with broad coverage and exhaustive reporting. A Red Team simulates a targeted attack with specific objectives (exfiltrate concrete data, compromise a domain) over weeks or months, measuring the defensive team's (Blue Team) detection and response capability. Hard2bit delivers both and combines them when the client needs both perspectives.

Is retesting included after remediation?

Yes. We include free retest of critical and high findings after remediation within the contracted window. The goal is to formally close the highest-impact vulnerabilities before archiving the project, leaving signed evidence that mitigated risks are effectively mitigated.

Next step

Talk to Hard2bit about your pentesting project

If you need to audit an application, an API, a cloud environment or a full perimeter in Barcelona or the rest of Catalonia, we can review your context and propose a scope proportionate to risk and to the applicable regulatory framework.