Hard2bit
Offensive Security · Pentesting · Web · API · Infrastructure · AD · Cloud · ENS HIGH · ISO 27001

Pentesting: think like an attacker.
Close real gaps.

Automated scanning is not a pentest. We deliver penetration testing with manual validation, controlled exploitation, and actionable reporting including a remediation plan and re-test.

Reference practices: OWASP Web Security Testing Guide (WSTG) and PTES to structure scoping, execution, reporting and closure.

The most requested penetration tests

Real coverage across web, APIs, infrastructure, Active Directory and cloud—focused on impact and closure.

Web App Pentest

OWASP Top 10, access control, auth, sessions, SSRF, insecure deserialization, etc.

API Security Testing

Authorization (BOLA/IDOR), rate-limits, JWT/OAuth, enumeration and abuse-cases.

External Infrastructure

Perimeter exposure, services, configuration and compromise paths.

Internal Infrastructure

Lateral movement, segmentation, credentials and privilege escalation.

Active Directory

Misconfigurations, delegation, Kerberos, paths to DA, controls and hardening.

Cloud

IAM, storage, secret sprawl, networking, workloads, containers and serverless.

Web & APIs

Web Application & API Penetration Testing

OWASP-driven testing, business logic, authentication (SSO/JWT/OAuth), authorization, SSRF, IDOR/BOLA, etc. We prioritize real impact and exploitability.

OWASP WSTG · API Security · Business Logic

Infrastructure & AD

Network / Infrastructure & Active Directory Assessments

External/internal exposure, privilege escalation, AD misconfigurations, compromise paths, segmentation checks and actionable evidence for hardening.

External/Internal · Privilege Esc. · AD Assessment

Cloud

Cloud Pentesting & Security Posture Review (AWS/Azure/GCP)

IAM review, exposed storage, credentials/secrets, escalation paths, containers and serverless. Focus on business risk.

IAM · Misconfig · Containers

Fix Verification

Remediation Plan + Re-test

Executive + technical reporting, prioritized backlog, practical recommendations, and re-validation to confirm closures.

Backlog · Evidence · Re-test

Methodology

Full cycle: scoping, execution, evidence, remediation plan and re-test.

OWASP WSTG and PTES help keep testing and reporting consistent across engagements.

Scope & Rules of Engagement (RoE)

Define objectives, assets, exclusions, windows and safety thresholds. Agree reporting cadence and escalation channels for critical findings.

Reconnaissance & threat modeling

Map the real attack surface (external/internal), authentication flows, roles, integrations and dependencies to identify compromise paths.

Execution: manual validation & controlled exploitation

Validate findings with expert judgment to minimize false positives. Chain vulnerabilities when relevant to demonstrate real impact with evidence.

Actionable report + readout session

Executive and technical reporting: severity, impact, PoC, evidence, quick wins and a remediation plan by team/owner.

Re-test & closure evidence

Re-validate prioritized findings to confirm fixes and update evidence—ideal for audits and compliance programs.

Deliverables that drive closure

The value of pentesting is not “the report”—it’s faster decisions and remediation. We deliver clear evidence, an actionable backlog, and re-testing to verify fixes.

Technical report (PoC + evidence)

Reproducible details, impact, traces, endpoints, parameters, screenshots and concrete recommendations.

Executive report (risk & decisions)

Domain-level summary, top risks, exposure, quick wins and remediation roadmap.

Prioritized backlog (actionable)

List by criticality/exposure, suggested owner, dependencies and verification steps (re-test).

Readout session

Workshop with your engineers and stakeholders to align on fixes and prevent regressions.

What we look for “as an attacker”

Common real-world paths: broken access control, injection, crypto misuse, SSRF, insecure design, validated manually to reduce noise and false positives.

  • Broken Access Control / IDOR (CRITICAL)
  • Injection (SQL/NoSQL/OS) (CRITICAL)
  • SSRF / Internal pivot (HIGH)
  • Auth/JWT/OAuth misuse (HIGH)
  • Misconfig + secrets exposure (MEDIUM)

We combine automation with expert manual validation and remediation-oriented reporting to help teams close findings.

Plans & pricing

Pentesting with transparent "from" pricing

Unlike automated scans or web-only pentests, we assess real exposure from the Internet and from a controlled internal position, identifying attack paths, weak configurations, exploitable vulnerabilities and remediation priorities. All packs include a retest and an explanation workshop.

Professional manual + automated pentesting, not a SaaS platform scan. Every engagement is executed by a senior engineer using OWASP, OSSTMM and CVSS methodologies. Key difference vs automated SaaS platforms (from €149/scan): human analyst, context, real exploitability validation and an audit-grade report — not a script-generated PDF.

Applications

Web / API Pentest

Simple public app, authenticated app, REST/GraphQL APIs, complex business logic.

from €1,490

One-off · VAT not included


Perimeter

External Pentest

Internet-exposed surface: public IPs, services, VPN, firewalls, panels, insecure configurations.

from €3,500

Up to 25 IPs / 50 services


Internal network

Internal Pentest

Realistic scenario: attacker with internal access (standard user or VPN). Active Directory, lateral movement.

from €4,500

Essential to Advanced (AD)


Combined

External + Internal

Most requested pack: external perimeter + coordinated internal scenario, single report, joint workshop.

from €7,500

One-off · VAT not included


Provider's operating framework

We execute pentesting inside our own ISMS audited at ENS HIGH category and ISO/IEC 27001:2022, plus four additional ISOs (22301, 20000-1, 9001, 14001). Documented rules of engagement, evidence custody and traceability usable by clients subject to NIS2, DORA or ENS in their own audit. The ENS HIGH certification belongs to Hard2bit as a provider; it does not replace the client's own certification.

Plan details

8 modalities, indicative "from" pricing

Prices excluding VAT. Retest and explanation workshop included in all packs. Multi-site, operational-impact scenarios or complex cloud (multi-account AWS/Azure/GCP) are sized in the proposal.

Professional pentesting packs
| Pack | Scope | Mode | Includes | Price |
|---|---|---|---|---|
| Pentest Web Essential | 1 simple app / bounded URL | Black / grey box | Manual + automated testing, technical report, executive summary, retest and explanation workshop included. | from €1,490 |
| Pentest Web/API Advanced | Authenticated app · API · complex logic | Grey / white box | Deep manual validation, roles, business logic, REST/GraphQL APIs. Retest and workshop included. | from €4,950 |
| External Perimeter Pentest | Up to 25 public IPs / 50 services | Black box | Internet-exposed surface: public IPs, VPN, firewalls, portals, vulnerable versions. Retest and workshop included. | from €3,500 |
| Internal Pentest Essential | Up to 50 assets / 1-2 VLANs | Grey box (standard user / VPN) | Discovery, internal services, segmentation, shared resources, credential exposure and basic escalation paths. Retest and workshop included. | from €4,500 |
| Internal Pentest Advanced | AD, multiple VLANs, deeper testing | Grey box (realistic scenario) | Active Directory, lateral movement, privilege escalation in depth. Up to 100-150 assets / 3-5 VLANs. Retest and workshop included. | from €6,900 |
| External + Internal Pentest Top | Bounded combined scope | Coordinated external + internal | External perimeter + realistic internal scenario, single report, joint workshop. Most popular pack. Retest and workshop included. | from €7,500 |
| Audit-Ready Pentest (ENS/ISO) | For ENS / ISO 27001 certification | Adapted to regulatory scope | Technical + executive report + remediation plan + auditable evidence aligned with ENS / ISO 27001. Retest and workshop included. | from €5,500 |
| Red Team / Adversary Simulation | Realistic adversary emulation | Custom | Advanced threat actor simulation with contractual objectives (impact-based), MITRE ATT&CK TTPs. No fixed public price. | Custom |

All prices are shown excluding VAT. The applicable VAT will be added on the invoice according to current regulations. Indicative "from" amounts; final terms — scope, sizing, timelines, rules of engagement and contractual conditions — will be set out in the signed commercial proposal.

Product vs service

Hard2bit Scanner vs Professional Pentest

If you need a passive external snapshot of your domain, our SaaS scanner gives it in 60 seconds. If you need to validate whether weaknesses are exploitable and get audit-grade evidence, the professional pentest is the right fit. They are not substitutes: the Scanner is usually the preceding step.

| Feature | Hard2bit Scanner | Professional Pentest |
|---|---|---|
| Model | Self-service SaaS | Professional service executed by senior engineer |
| Analysis | Passive, public domain | Active, manual + automated, with controlled exploitation |
| Exploitability validation | No (signals) | Yes (real proof with evidence) |
| Methodologies | Own checks | OWASP, OSSTMM, OWISAM, OpenSAMM, CVSS |
| Active Directory | Not applicable | Yes, in Internal Advanced packs |
| Executive + technical report | PDF report | Technical + executive report + workshop |
| Post-remediation retest | No | Included in all packs |
| Audit evidence (ENS/ISO) | PDF report | Full evidence + remediation plan |
| Indicative price | Free · from €19/mo | from €1,490 |

Scope and exclusions

What the service does not include (by default)

The following exclusions can be contracted separately or combined with other Hard2bit services (red team, vulnerability management, digital forensics). Making them explicit avoids misunderstandings and sizes the engagement correctly.

  • Technical remediation, systems administration or configuration changes (quoted separately).
  • Denial-of-service tests, social engineering, phishing, vishing, smishing and physical testing (separate service under contract).
  • Extensive hardening, deep code review (SAST/DAST/SCA) and mobile pentest (per app) not included by default — complementary services.
  • Pentest on domains or systems without formal owner authorization. All activity requires signed rules of engagement.
  • Scenarios with operational impact or complex cloud (multi-account AWS/Azure/GCP) may require additional sizing.

Frequently asked questions

How long does a pentest take?

It depends on scope. A web/API pentest typically takes 5–15 days; infrastructure/AD can take 2–4 weeks. We adjust by criticality, number of assets and complexity.

Do you provide audit-ready evidence?

Yes. We include evidence and traceability, plus an executive summary that supports audits and frameworks like NIS2/DORA/ENS/ISO 27001.

What makes you different from “commodity” vendors?

Less noise, more impact: manual validation, business logic analysis, vulnerability chaining when relevant, and an actionable backlog with re-test.

Can you coordinate with our SOC/MDR?

Yes. We can work jointly to validate detections (use cases, alerts) and improve rules and response workflows.

Do you offer pentesting in Madrid?

Yes. We regularly work with organizations in Madrid and across Spain. When it makes sense, we coordinate on-site sessions for kick-off, findings review or final handover with the client's team. See the dedicated pentesting in Madrid page for the local angle.

And in Barcelona and the rest of Catalonia?

Yes. We deliver pentesting to companies operating in Barcelona and across Catalonia, with the same methodology and deliverables we apply to regulated clients nationwide. See the dedicated pentesting in Barcelona page for the local angle and Catalan-language blocks.


Need a pentest that leads to fixes?

We scope properly, test with evidence, and deliver an actionable backlog with re-testing to verify closure.
