Could your web application be breached? Find out before an attacker does.

Three tiers of web application penetration testing — from a non-intrusive configuration review through to full ASVS compliance testing. A report your board and insurer will accept.

  • Three clear tiers
  • Board-ready evidence
  • MSP-ready remediation
  • Retest included (Silver & Gold)

The right level of testing for your situation

Your enterprise client, insurer, or board drove this conversation. Pick the tier that matches what they need to see — and what your application actually requires.

🥉 Bronze

Configuration & Exposure Review

Your first pen test, a pre-launch sanity check, or an insurer asking for evidence of a basic security review.

What it covers

  • Security headers and SSL/TLS configuration
  • Exposed admin interfaces and login panels
  • Known software vulnerabilities on public-facing services
  • Subdomain exposure and DNS security
  • Public data disclosure (error messages, directory listings)

Non-intrusive — review and analysis only. No exploitation.

🥇 Gold

ASVS Level 1 Compliance

ISO 27001 certification, enterprise client requirements, or regulated industries (finance, health, legal) that need compliance-grade evidence.

What it covers

  • Full OWASP ASVS Level 1 verification
  • Authentication, session, and access control requirements
  • Input validation and cryptography controls
  • Requirement-level compliance mapping
  • Auditor-ready evidence pack

What you get from every engagement

Every tier delivers a structured report with findings your board can understand and your MSP can action. No translation required — just a clear list of what was found, how serious it is, and what to do about it.

Silver and Gold engagements include a retest window after remediation, so you can go back to your client, insurer, or auditor with confirmation that the issues have been closed.

  • Executive summary — board and insurer ready
  • Technical findings with severity ratings (critical / high / medium / low)
  • Proof-of-concept evidence for each finding
  • MSP-ready remediation guide with prioritised actions
  • Retest report confirming remediation (Silver and Gold)
  • Compliance evidence pack for ISO 27001, E8, or insurer requirements (Gold)

Bronze

Configuration review report — rated findings, no exploitation. Suitable for a first security review or pre-launch validation.

Silver

OWASP-referenced findings report with proof-of-concept evidence, severity ratings, and an MSP-ready remediation guide. Retest included.

Gold

ASVS compliance report with requirement-level findings, an auditor-ready evidence pack, and a phased remediation roadmap. Retest included.

Not sure which tier is right?

Tell us about your application and what's triggered this conversation — we'll give you an honest recommendation on where to start.

Kaurna Acknowledgement

We acknowledge and pay our respects to the Kaurna people, the traditional custodians of the ancestral lands on which we work. We acknowledge the deep feelings of attachment and relationship of the Kaurna people to country and we respect and value their past, present and ongoing connection to the land and cultural beliefs.