Your enterprise prospect asks for a pentest report. Your SOC 2 auditor needs evidence of security testing. Your investor’s technical advisor wants to know if your application has been tested by someone other than your own team.
You need a penetration test. Here is what that actually means, what happens during one, and how to decide what you need.
What Is a Penetration Test?
A penetration test is a structured security assessment where a certified tester (OSCP, CREST, CompTIA PenTest+) simulates real attacker behavior against your application. The tester studies how your product works, identifies where security controls are weak or missing, and attempts to exploit those weaknesses the same way an attacker would.
The difference between a pentest and running a scanner: a scanner checks for known vulnerabilities using pattern matching. A pentester understands your business logic and tests whether your access controls, payment flows, role permissions, and API boundaries actually enforce what they should.
Scanners find outdated libraries. Pentesters find that your API returns any user’s billing data if you change the user ID in the URL.
What Gets Tested
The scope depends on what you need. Most SaaS startups start with one or two of these:
Web Application Pentest: Your main product. The tester maps every endpoint, tests authentication flows, checks authorization on every API call, and looks for injection vulnerabilities, XSS, CSRF, and business logic flaws specific to your application.
API Pentest: REST, GraphQL, or gRPC. Focuses on authentication, authorization between endpoints, rate limiting, input validation, and data exposure. If your product is API-first, this is where most vulnerabilities live.
Mobile Application Pentest: Android or iOS. Covers local data storage, certificate pinning, reverse engineering, runtime manipulation, and how the app communicates with your backend.
Cloud Security Assessment: AWS, GCP, or Azure. Reviews IAM policies, storage bucket permissions, network segmentation, logging configuration, and whether your infrastructure follows least-privilege principles.
What Happens During a Pentest
Here is the actual process, start to finish:
1. Scoping (before the engagement starts). We agree on what gets tested: which application, which environments (staging or production), which user roles, and what is out of scope. You provide test accounts and access credentials.
2. Reconnaissance and mapping. The tester studies your application architecture, maps all endpoints, identifies user roles, and understands how data flows through your system. This is where a manual tester adds value over a scanner. Understanding your product means testing it like someone who wants to break it, not someone running a checklist.
3. Testing (the core engagement). The tester works through your application systematically, following OWASP WSTG v5.0 methodology:
- Authentication: can login be bypassed? Are password reset flows secure?
- Authorization: can a regular user access admin functions? Can user A see user B’s data?
- Input validation: SQL injection, XSS, command injection, file upload abuse
- Business logic: can pricing rules be bypassed? Can workflows be executed out of order?
- Session management: are tokens secure? Do sessions expire properly?
- API security: are all endpoints authenticated? Is rate limiting enforced?
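The authorization item above and the billing-data example earlier on this page describe the same bug: an endpoint that trusts the user ID in the URL. This added example (not the page's or the provider's code; the endpoint, the in-memory data and the user IDs are constructed) shows the vulnerable handler beside a hardened one with an object-level ownership check, plus the cross-user read test a tester runs to answer "can user A see user B's data?".

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data (not from the page): two tenants and one admin.
BILLING = {
    "u1": {"card_last4": "4242", "plan": "growth"},
    "u2": {"card_last4": "1111", "plan": "startup"},
}
ROLES = {"u1": "user", "u2": "user", "admin1": "admin"}


@dataclass
class Session:
    user_id: str  # the authenticated caller


def get_billing_vulnerable(session: Session | None, user_id: str):
    """GET /billing/<user_id> as shipped: requires a login, then trusts the path parameter."""
    if session is None:
        return 401, None
    record = BILLING.get(user_id)
    return (200, record) if record else (404, None)


def get_billing_hardened(session: Session | None, user_id: str):
    """Same endpoint with object-level authorization: only the owner or an admin may read."""
    if session is None:
        return 401, None
    if session.user_id != user_id and ROLES.get(session.user_id) != "admin":
        return 403, None  # deny before the lookup so the response does not reveal whether the ID exists
    record = BILLING.get(user_id)
    return (200, record) if record else (404, None)


def cross_user_check(handler) -> list[str]:
    """Every non-admin session requests every other user's record; one finding per successful read."""
    findings = []
    for attacker, role in ROLES.items():
        if role == "admin":
            continue
        for victim in BILLING:
            if victim == attacker:
                continue
            status, body = handler(Session(attacker), victim)
            if status == 200 and body is not None:
                findings.append(f"{attacker} read billing of {victim}")
    return findings


if __name__ == "__main__":
    print("vulnerable:", cross_user_check(get_billing_vulnerable))
    print("hardened:", cross_user_check(get_billing_hardened))
```

The same `cross_user_check` loop works as a regression test in CI once a finding like this is fixed, so the access control bug does not quietly return with the next release.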
4. Reporting. You get a detailed report with every finding documented: what was found, how it was reproduced (exact HTTP requests), what the business impact is, and how to fix it. Findings are rated by severity (Critical, High, Medium, Low, Informational) and mapped to SOC 2 and ISO 27001 controls.
5. Remediation support and retest. Your developers fix the findings using the reproduction steps in the report. We retest to confirm the fixes work. Both our pentest plans include a free retest.
When Your Startup Needs a Pentest
Not every startup needs a pentest on day one. Here is when it becomes necessary:
- An enterprise prospect asks for one. This is the most common trigger. No pentest report means no deal.
- SOC 2 or ISO 27001 audit. Your auditor needs evidence of independent security testing. An automated scan report usually does not satisfy this. See what SOC 2 auditors specifically expect.
- Investor due diligence. Technical advisors check for pentest reports, especially Series A and beyond. Security gaps that surface during due diligence can delay or kill rounds.
- Major release or new product launch. You shipped a new payment flow, a new API, or a new user role system. These are where access control bugs hide.
- You have never had one. If your application handles user data and has never been tested by someone outside your team, you have an untested attack surface.
What a Pentest Report Looks Like
Every report we deliver includes:
- Executive summary that a CTO or founder can read in 5 minutes
- Detailed findings with exact reproduction steps, HTTP request/response evidence, and screenshots
- Business impact statements explaining what each vulnerability means in plain language, not just CVSS scores
- Remediation guidance specific to your codebase and stack
- SOC 2 and ISO 27001 control mapping so you can hand the report directly to your auditor (Growth plan)
- Brand Protection Snapshot checking for typosquatting domains, fake apps, and leaked credentials (both plans)
See a sample pentest report to understand exactly what you receive.
Penetration Test vs Vulnerability Assessment
These are different things, and the difference matters when an auditor or investor asks for one:
| | Vulnerability Assessment | Penetration Test |
|---|---|---|
| Method | Automated scanning tools | Human-led, manual testing |
| Finds | Known CVEs, misconfigurations, missing headers | Business logic flaws, access control bypasses, chained exploits |
| Misses | Application-specific logic, authorization issues | Nothing a scanner would catch (scanners run as part of the process) |
| Output | Tool-generated report with generic fix suggestions | Custom report with reproduction steps and code-level fixes |
| Accepted by auditors | Usually not for SOC 2/ISO 27001 | Yes, standard audit evidence |
| Time | Hours | 7-10 calendar days |
Most engagements include automated scanning as part of the process. The pentest adds the manual, human-led analysis that scanners cannot do. For a deeper comparison, read manual penetration testing vs automated scanning.
How Much Does a Pentest Cost in India?
| Plan | Scope | Duration | Price |
|---|---|---|---|
| Startup Pentest | 1 scope (web app, API, or mobile) | 7 days | INR 74,999 |
| Growth Pentest | 2 scopes | 10 days | INR 1,79,999 |
| Additional scope | +1 scope added to either plan | +3 days | INR 44,999 |
Both plans include a detailed report, executive summary, free retest, and Brand Protection Snapshot. The Growth plan adds SOC 2 + ISO 27001 audit prep evidence and real-world attack simulation beyond OWASP Top 10.
For a deeper breakdown of what drives pentest pricing, read penetration testing cost in India.
Our Penetration Testing Services
We test across every application type SaaS startups ship:
- Web Application Penetration Testing: OWASP Top 10, business logic, authentication flaws
- API Penetration Testing: REST, GraphQL, gRPC security assessment
- Android Application Penetration Testing: APK analysis, runtime manipulation
- iOS Application Penetration Testing: Keychain, jailbreak bypass, binary analysis
- Cloud Penetration Testing: AWS, Azure, GCP misconfigurations
- AI Application Penetration Testing: Prompt injection, model security
Every engagement is founder-led. Rathnakara (OSCP, CompTIA PenTest+, M.Sc Cyber Security) personally leads every pentest. No juniors, no handoffs, 6 clients per month maximum.