Vulnerability Assessment & Penetration Testing

Find Vulnerabilities Before Attackers Do

VAPT engagements aligned to CREST CHECK, NIST SP 800-115 and PTES. Web, API, mobile, network and cloud — every finding manually validated, mapped to OWASP ASVS and shipped with a working proof of concept and a free 30-day retest.

5 asset classes covered
100% of findings human-validated
CVSS v3.1 + v4.0 severity scoring
30-day free retest window

Service overview

An AxVeil VAPT engagement is two disciplines layered together. The vulnerability assessment uses authenticated scanning, configuration review and template-driven discovery: we run the upstream Nuclei binary against your perimeter, run Burp Suite Pro's active scanner against authenticated user journeys, and pull a software bill of materials so we can correlate dependency CVEs against published exploit code. The penetration test then takes those candidate weaknesses and proves which ones an attacker can actually chain into impact: account takeover, tenant boundary breach, data exfiltration, lateral movement into the corporate network.

Every finding is human-validated before it enters the report. Scanner output is an input, not a deliverable. A CISO presenting the PDF to the audit committee should be able to defend each line item — we do not pad reports with informational chaff to inflate finding counts. The 2024 Verizon Data Breach Investigations Report attributes 14% of breaches to vulnerability exploitation, nearly tripling year over year, with stolen credentials and phishing the dominant other vectors. Our scope reflects that reality: technical vulnerabilities, identity controls, and the trust boundaries between them.

Engagements are scoped to the standard you need to satisfy. Series-A SaaS targeting SOC 2 Type 2 typically asks for ASVS L2 across the production app and a perimeter network test. Payment processors handling card data ask for PCI DSS v4.0 Requirement 11.4.x coverage with quarterly external and annual internal segmentation testing. RBI-regulated entities in India ask for the cyber security framework's annual penetration test plus a CERT-In-aligned report format. We deliver against the framework you specify, not a generic template.

Scope by asset class

Web applications

Authenticated and unauthenticated testing across all user roles. OWASP Top 10 (2021) plus the full ASVS v4.0.3 control set at L1, L2 or L3. Business-logic flaws — race conditions, IDOR, workflow bypass, multi-tenant boundary breaks. SSRF with cloud metadata exploitation. SAML / OAuth2 / OIDC misconfiguration. Burp Suite Pro is the primary harness; manual exploit development for anything custom.
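The IDOR and multi-tenant boundary class named above is the one the service's sample finding later describes. The following is an added illustration, not AxVeil code: a vulnerable invoice lookup beside its tenant-scoped fix, plus the kind of check a retest would run against both. The invoice store, the claim layout (tenant id carried in the token's `sub` claim) and all function names are constructed for the example.

```python
"""Added example (not AxVeil's code): an IDOR on an invoice lookup shown as a
vulnerable handler beside a tenant-scoped fix. Invoice store, JWT claim
layout and handler names are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    tenant_id: str
    total: float


# Constructed sample data: two tenants, one invoice each.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "tenant-a", 120.0),
    1002: Invoice(1002, "tenant-b", 980.0),
}


class NotFound(Exception):
    """Raised for both 'no such invoice' and 'not your invoice', so the
    response does not reveal which ids exist inside other tenants."""


def get_invoice_vulnerable(claims: dict, invoice_id: int) -> Invoice:
    # Authenticated but not authorised: the caller's tenant is never consulted,
    # so any valid token can read any invoice id it can guess or increment.
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def find_invoice_for_tenant(tenant_id: str, invoice_id: int) -> Optional[Invoice]:
    # Data-layer lookup keyed on BOTH tenant and id (the equivalent of
    # WHERE tenant_id = ? AND invoice_id = ?). A handler that can only reach
    # invoices through this function cannot forget the tenant check.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.tenant_id != tenant_id:
        return None
    return invoice


def get_invoice_hardened(claims: dict, invoice_id: int) -> Invoice:
    # Tenant identity comes from the already-verified token, never from the
    # request body or query string. Assumption: the "sub" claim carries the
    # tenant id; adapt to your own claim layout.
    invoice = find_invoice_for_tenant(claims["sub"], invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def cross_tenant_read_succeeds(handler, claims: dict, invoice_id: int) -> bool:
    """Retest-style check: True if the handler hands back an invoice owned by
    a tenant other than the caller's."""
    try:
        return handler(claims, invoice_id).tenant_id != claims["sub"]
    except NotFound:
        return False


if __name__ == "__main__":
    caller = {"sub": "tenant-a"}  # constructed, already-verified JWT claims
    print("vulnerable:", cross_tenant_read_succeeds(get_invoice_vulnerable, caller, 1002))
    print("hardened:  ", cross_tenant_read_succeeds(get_invoice_hardened, caller, 1002))
```

The design point is where the check lives: putting the tenant filter in the data-layer function rather than in each handler means a new endpoint that forgets authorisation still cannot cross a tenant boundary, and returning the same not-found result for missing and foreign ids removes the enumeration oracle that makes IDOR cheap to exploit.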

APIs (REST, GraphQL, gRPC)

Mapped to the OWASP API Security Top 10 (2023). BOLA / BFLA enumeration, mass assignment, broken authentication, excessive data exposure, GraphQL introspection abuse, query depth and alias-based denial of service, gRPC reflection where exposed. Schema-driven fuzzing where OpenAPI / Swagger / Protobuf definitions are available; black-box discovery where they are not.

Mobile (iOS + Android)

OWASP MASVS v2 plus the OWASP Mobile Security Testing Guide. Static analysis of the IPA / APK, runtime instrumentation with Frida, certificate pinning bypass, biometric auth bypass, IPC / deep-link abuse, insecure local storage (Keychain / Keystore misuse), and backend API testing under the mobile threat model.

Network infrastructure

External and internal penetration testing per NIST SP 800-115. Service enumeration, version-based vulnerability identification, exploit validation, and Active Directory attack-path mapping (Kerberoasting, AS-REP roasting, ADCS misconfiguration, NTLM relay). Wireless and VLAN segmentation testing on request.

Cloud (AWS / Azure / GCP)

Control-plane review against CIS Benchmarks. IAM privilege-escalation pathing, role assumption chains, public S3 / Blob / GCS exposure, Lambda / Function trigger abuse, Kubernetes RBAC and admission-controller bypass. MITRE ATT&CK Cloud matrix used to structure the report.

Out of scope by default

Denial-of-service against production, social-engineering of staff (covered separately under the red team service), physical intrusion, third-party SaaS where written authorisation cannot be obtained, and any test that risks customer data integrity without an agreed rollback plan. All exclusions are documented in the Rules of Engagement before kickoff.

Methodology

Six phases derived from PTES and NIST SP 800-115, calibrated to a typical four-to-six-week web + API engagement. Network and cloud engagements use the same phase boundaries with discipline-specific tooling.

01 Pre-engagement & scoping
Asset inventory, Rules of Engagement, allowlisted source IPs, test accounts at every role, written authorisation for invasive checks, escalation contacts. ASVS level (L1/L2/L3) confirmed in writing.

02 Reconnaissance & surface mapping
Passive OSINT, DNS and certificate-transparency enumeration, subdomain discovery, technology fingerprinting, JavaScript route-mining for SPA endpoints, OpenAPI / GraphQL schema extraction.

03 Automated discovery
Nuclei templates against the perimeter, Burp Suite Pro active scanner against authenticated journeys, dependency CVE correlation against the SBOM. Output is a candidate list; none of it ships to the report unvalidated.

04 Manual testing & exploitation
The bulk of the engagement. The tester walks every authenticated workflow, exercises business logic, validates each scanner candidate, develops PoC exploits, and chains findings into impact paths (auth → IDOR → tenant breach, SSRF → IMDS → role escalation, etc.).

05 Post-exploitation & impact analysis
Where in-scope, demonstrate downstream impact: pivot from web compromise into the supporting cloud account, enumerate accessible data, map the blast radius. Findings rated against CVSS v3.1 and v4.0 with environmental modifiers applied.

06 Reporting & retest
Draft report walkthrough call, written report with executive summary and full technical detail, remediation guidance per finding, and one free retest within 30 days of remediation. Letter of Attestation issued on PASS.

Deliverables

A single PDF report (typically 60–120 pages) plus machine-readable artefacts. Every finding is reproducible from the report alone — no follow-up call required to understand impact or remediation.

Executive summary
Two-to-three pages. Risk posture in business language, top five findings ranked by exploitability and blast radius, remediation themes, comparison to industry baseline. Designed for board / audit-committee consumption.
Technical findings
Each finding contains: title, CVSS v3.1 + v4.0 vector strings, CWE classification, ASVS / API-Top-10 mapping, affected endpoints, step-by-step reproduction, raw request / response captures, screenshots, business impact narrative, remediation steps with code samples.
Remediation guidance
Per-finding fix recommendations written for engineers, not just security teams. Includes safer code patterns, configuration snippets, library upgrade paths, and reference links to vendor advisories or NIST guidance.
Compliance mapping appendix
Each test case mapped to SOC 2 (CC7.1, CC8.1), ISO 27001:2022 (A.8.8, A.8.29), PCI DSS v4.0 (Req 11.4.x, 6.2.x), and any other framework requested in scope. Auditor-ready evidence pack included.
Free retest within 30 days
One full retest of every Critical, High and Medium finding marked remediated. Retest report appended to the original PDF; Letter of Attestation issued on full PASS.
Machine-readable export
JSON export of all findings (schema documented) for import into your vulnerability management platform — DefectDojo, Jira, ServiceNow, GitHub Security.
Sample finding (JSON export)
{
  "id": "AXV-2026-0014",
  "title": "IDOR on /api/v1/invoices/{id} permits cross-tenant invoice read",
  "severity": "High",
  "cvss_v3_1": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
  "cvss_score": 8.5,
  "cwe": ["CWE-639"],
  "owasp_asvs_v4": ["V4.1.3", "V4.2.1"],
  "owasp_api_top_10_2023": ["API1:2023"],
  "endpoints": ["GET /api/v1/invoices/{id}"],
  "validated_by": "manual",
  "remediation": "Enforce tenant-scoped authorisation in the data layer; reject any invoice_id whose owning tenant_id does not match the JWT sub claim.",
  "retest_status": "pending"
}
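Before an export like the one above is pushed into a vulnerability management platform, the importing side usually wants a schema check. The following is an added example, not AxVeil's importer or the documented schema: it verifies the required keys, parses the CVSS v3.1 vector string into its eight base metrics, and confirms the stated severity falls in the CVSS v3.1 qualitative band for the stated score. `SAMPLE` reproduces the page's sample finding; `REQUIRED_KEYS` and the `validated_by` check are assumptions about what the schema requires.

```python
"""Added example (not AxVeil's code): pre-import validation for findings in
the JSON export shape above. REQUIRED_KEYS is an assumed schema; SAMPLE is
the page's sample finding reproduced as a dict."""
from typing import Dict, List

# CVSS v3.1 qualitative severity bands (v3.1 specification, section 5).
SEVERITY_BANDS = {
    "None": (0.0, 0.0),
    "Low": (0.1, 3.9),
    "Medium": (4.0, 6.9),
    "High": (7.0, 8.9),
    "Critical": (9.0, 10.0),
}

# CVSS v3.1 base metrics and the values each may take in a vector string.
CVSS31_BASE = {
    "AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
    "S": "UC", "C": "HLN", "I": "HLN", "A": "HLN",
}

# Assumed required keys for an importable finding.
REQUIRED_KEYS = (
    "id", "title", "severity", "cvss_v3_1", "cvss_score", "cwe",
    "endpoints", "validated_by", "remediation", "retest_status",
)

# The page's sample finding, embedded so the example runs offline.
SAMPLE = {
    "id": "AXV-2026-0014",
    "title": "IDOR on /api/v1/invoices/{id} permits cross-tenant invoice read",
    "severity": "High",
    "cvss_v3_1": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
    "cvss_score": 8.5,
    "cwe": ["CWE-639"],
    "owasp_asvs_v4": ["V4.1.3", "V4.2.1"],
    "owasp_api_top_10_2023": ["API1:2023"],
    "endpoints": ["GET /api/v1/invoices/{id}"],
    "validated_by": "manual",
    "remediation": "Enforce tenant-scoped authorisation in the data layer; "
                   "reject any invoice_id whose owning tenant_id does not match the JWT sub claim.",
    "retest_status": "pending",
}


def parse_cvss31_vector(vector: str) -> Dict[str, str]:
    """Return the metrics of a v3.1 vector, with or without the 'CVSS:3.1/'
    prefix. Raises ValueError if a base metric is missing, duplicated or
    carries a value the specification does not define."""
    parts = vector.split("/")
    if parts and parts[0] == "CVSS:3.1":
        parts = parts[1:]
    metrics: Dict[str, str] = {}
    for part in parts:
        name, sep, value = part.partition(":")
        if not sep or name in metrics:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        if name in CVSS31_BASE and value not in CVSS31_BASE[name]:
            raise ValueError(f"invalid value for {name}: {value!r}")
        metrics[name] = value
    missing = [m for m in CVSS31_BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def validate_finding(finding: dict) -> List[str]:
    """Return a list of problems; an empty list means the finding can be imported."""
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if key not in finding:
            problems.append(f"missing key: {key}")
    if problems:
        return problems
    try:
        parse_cvss31_vector(finding["cvss_v3_1"])
    except ValueError as exc:
        problems.append(f"cvss_v3_1: {exc}")
    score = finding["cvss_score"]
    band = SEVERITY_BANDS.get(finding["severity"])
    if band is None:
        problems.append(f"unknown severity: {finding['severity']!r}")
    elif not band[0] <= score <= band[1]:
        problems.append(f"severity {finding['severity']} does not match score {score}")
    for cwe in finding["cwe"]:
        if not (cwe.startswith("CWE-") and cwe[4:].isdigit()):
            problems.append(f"bad CWE id: {cwe!r}")
    if finding["validated_by"] != "manual":
        problems.append("finding not marked as human-validated")
    return problems


if __name__ == "__main__":
    print(validate_finding(SAMPLE))  # expect an empty list for the sample
```

The severity check only tests that the stated rating and score agree with the v3.1 bands; recomputing the score from the vector is a separate step that needs the full v3.1 formula and any environmental modifiers the report applied.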

Frameworks & standards

Methodology and reporting align to the standards your auditor will check.

OWASP ASVS v4.0.3 (L1 / L2 / L3)
OWASP API Security Top 10 (2023)
OWASP MASVS v2
OWASP Top 10 (2021)
NIST SP 800-115
PTES
CREST CHECK
CVSS v3.1 + v4.0
CWE taxonomy
MITRE ATT&CK Enterprise + Cloud
CIS Benchmarks (AWS / Azure / GCP)

Engagement timeline

Calendar weeks for a typical web + API engagement. Network, cloud and mobile slot into the same shape; complex multi-asset engagements run phases in parallel.

Week 0: Scoping call, Rules of Engagement, test-account provisioning
Week 1: Reconnaissance, automated discovery, candidate-finding triage
Week 2-3: Manual testing, exploit development, business-logic abuse
Week 4: Post-exploitation, draft-report walkthrough, written report delivered
Week 4-8: Remediation window owned by your engineering team
Week 8 (target): Free retest, Letter of Attestation, report sign-off

Frequently asked questions

What is the difference between a vulnerability assessment and a penetration test?

A vulnerability assessment enumerates known weaknesses using authenticated scanning, configuration review and template-driven discovery (we use the upstream Nuclei binary plus Burp Suite Pro). A penetration test goes further: a tester chains those weaknesses into a working exploit path, validates real-world impact, and proves data, identity or service compromise. AxVeil VAPT engagements always include both — the scan is the floor, manual testing is the ceiling.

Which standards do you map findings to?

Every finding is mapped to OWASP ASVS v4.0.3 (L1, L2 or L3 as agreed in scope), the OWASP API Security Top 10 (2023), CWE for taxonomy, CVSS v3.1 and v4.0 for severity, and NIST SP 800-115 for methodology. Mobile work additionally references OWASP MASVS v2 and the MSTG. Cloud findings map to the CIS Benchmarks for AWS, Azure or GCP and to MITRE ATT&CK Cloud (Enterprise matrix).

What does a PASS look like?

A PASS for an ASVS L2 web app means: zero unresolved Critical or High findings, no exploitable authentication, session, access control or injection issues, all Mediums either remediated or risk-accepted in writing by an asset owner, and a free retest verifying remediation within the 30-day window. We issue a signed Letter of Attestation referencing the engagement scope, the ASVS level achieved, and the report hash so auditors can verify integrity.

Will testing impact production?

Default posture is non-disruptive: read-only payloads, throttled request rates, no destructive Burp Intruder runs against production, no automated exploits that write to user data without written authorisation. Where load or denial-of-service testing is in scope, we run it in a staging environment or in a pre-agreed maintenance window with rollback procedures documented.

How do you handle false positives from automated scanners?

Every Nuclei or Burp Suite Pro finding above Informational is manually validated by a human tester before it enters the report. Findings that fail validation are either removed or downgraded to Informational with reasoning recorded. The final PDF only contains validated, reproducible findings — each with a step-by-step PoC, request/response capture and CVSS vector string.

Can you align the engagement to SOC 2, ISO 27001 or PCI DSS evidence requirements?

Yes. We tag each test case to the source control it evidences: SOC 2 CC7.1 / CC8.1, ISO 27001:2022 Annex A.8.8 / A.8.29, PCI DSS v4.0 Requirement 11.4.x. The deliverable pack includes a control-mapping appendix that drops directly into your auditor's evidence request list, plus a Letter of Attestation referencing scope, dates and the lead tester's CREST registration number where applicable.

Scope your VAPT engagement

Send the asset inventory, target ASVS level and audit deadline. We respond with a fixed-fee proposal, lead-tester biography and a sample report from a comparable engagement.
