ImmuniWeb® AI PlatformContinuous

ImmuniWeb® Continuous
Continuous Penetration Testing Made Simple

ImmuniWeb® Continuous monitors your web applications and APIs for new code or modifications. Every change is
rapidly tested, verified and dispatched to your team with a zero false-positives SLA. Unlimited 24/7 access to
our security analysts for customizable and threat-aware pentesting is included into every project.

Quality. Simplicity. Speed.

In-Depth Testing

Business logic testing, SANS Top 25,
PCI DSS & OWASP coverage

Zero False-Positives SLA

Money-Back Guarantee for
a single false positive

Actionable Reporting

Tailored remediation guidelines
and 24/7 access to analysts

24/7 Just-in-time Testing

Once your code is changed, our
experts will promptly test it

DevSecOps Tailored

One-click WAF virtual patching,
SDLC & CI/CD integration

How it works

Customize testing and
scope monitoring
Get instant alerts on
new vulnerabilities
Re-test patched findings
in one click

Free Demo

Actionable Reporting. Simple Remediation.

DevSecOps Native

WAF Integrations

Continuous Penetration Testing for Any Need

Internal & External Web Apps

Virtual Appliance technology for
internal applications testing

Cloud Security Testing

Check if attackers can pivot to
other systems in your cloud

APIs & Web Services

API (REST/SOAP/GraphQL)
security & privacy testing

Black & White Box

Authenticated (including MFA/SSO)
or Black Box testing

Open Source Security

Software Composition Analysis (SCA)
tests for 20,000+ known CVE-IDs

Red Teaming

Breach and attack simulation per
MITRE ATT&CK® Enterprise

OWASP Web Security Testing Guide (WSTG)
NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
PCI DSS Information Supplement: Penetration Testing Guidance
MITRE ATT&CK® Matrix for Enterprise
FedRAMP Penetration Test Guidance
ISACA’s How to Audit GDPR

OWASP Application Security Verification Standard (ASVS v4.0.2) Mapping
Common Vulnerabilities and Exposures (CVE) Compatible
Common Weakness Enumeration (CWE) Compatible
Common Vulnerability Scoring System (CVSS v3.1)

A1: Broken Access Control
A3: Injection
A5: Security Misconfiguration
A7: Identification and Authentication Failures
A9: Security Logging and Monitoring Failures

A2: Cryptographic Failures
A4: Insecure Design
A6: Vulnerable and Outdated Components
A8: Software and Data Integrity Failures
A10: Server-Side Request Forgery

Injection Flaws
Many Other "High" Risk Vulnerabilities
Buffer Overflows
Cross-Site Scripting (XSS)
Insecure Cryptographic Storage

Improper Access Control
Insecure Communications
Cross-Site Request Forgery (CSRF)
Improper Error Handling
Broken Authentication and Session Management

CWE-787: Out-of-Bounds Write
CWE-79: Improper Neutralization of Input During Web Page Generation
CWE-125: Out-of-Bounds Read
CWE-20: Improper Input Validation
CWE-78: Improper Neutralization of Special Elements used in an OS Command

CWE-89: Improper Neutralization of Special Elements used in an SQL Command
CWE-416: Use After Free
CWE-22: Improper Limitation of a Pathname to a Restricted Directory
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-434: Unrestricted Upload of File with Dangerous Type

CWE-306: Missing Authentication for Critical Function
CWE-190: Integer Overflow or Wraparound
CWE-502: Deserialization of Untrusted Data
CWE-287: Improper Authentication
CWE-476: NULL Pointer Dereference

CWE-798: Use of Hard-coded Credentials
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-862: Missing Authorization
CWE-276: Incorrect Default Permissions
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-522: Insufficiently Protected Credentials
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-611: Improper Restriction of XML External Entity Reference
CWE-918: Server-Side Request Forgery (SSRF)
CWE-77: Improper Neutralization of Special Elements used in a Command

API1: Broken Object Level Authorization
API3: Excessive Data Exposure
API5: Broken Function Level Authorization
API7: Security Misconfiguration
API9: Improper Assets Management

API2: Broken User Authentication
API4: Lack of Resources & Rate Limiting
API6: Mass Assignment
API8: Injection
API10: Insufficient Logging & Monitoring

ImmuniWeb® Continuous Setup and Packages

1 Customize testing and
scope monitoring

2 Get instant alerts on
new vulnerabilities

3 Re-test patched findings
in one click

ImmuniWeb® Continuous Packages for any need	Corporate Pro Designed for one web application of large size and complexity, located on multiple subdomains or having several user roles.	Corporate Designed for one web application of medium size and complexity, located on several subdomains or having a couple of user roles.	Express Pro Designed for one web application of small size and complexity, located on one or two subdomains and having one user role.	Express Designed for one web application of very small size and complexity, located on one domain and having one simple user role.
AI-Enabled Vulnerability Scanning Our award-winning Deep Learning AI technology accelerates and intelligently automates over 10,000 checks of your web application security, which usually require human labor and cannot be performed by traditional vulnerability scanners due to complexity.	24/7	24/7	24/7	24/7
Manual Penetration Testing Our CREST-accredited security experts conduct advanced security testing of your web application’s business logic, perform chained exploitation of sophisticated vulnerabilities, and run other security and privacy checks that require human intelligence due to high complexity.	5 days / month	3 days / month	1 day / month	½ day / month
OWASP ASVS Testing Our combination of AI technology and CREST-accredited security experts covers OWASP ASVS Levels 1-3 testing requirements.	Level 3	Level 2	Level 1	Level 1

24/7 Penetration Testing

OSINT Search of Stolen Credentials
Detection of Changes and New Code
Continuous Penetration Testing
- SANS Top 25 Full Coverage
- OWASP Top 10 Full Coverage
- PCI DSS 6.5.1-6.5.10 Full Coverage
- AI Augments Human Testing and Analysis
- Machine Learning Accelerates Testing
- Authenticated Testing (MFA / SSO)
- REST/SOAP/GraphQL API Testing
- Business Logic Testing
Full Customization of Testing
Privacy Review

24/7 Reporting

Instant SMS Alerts
Instant Email Alerts
Threat-Aware Risk Scoring
Step-by-Step Instructions to Reproduce
Web, PDF, JSON, XML and CSV Formats
PCI DSS and GDPR Compliances
CVE, CWE and CVSS Scores
OWASP ASVS Mapping
Zero False-Positives SLA Money back

Contractual money-back guarantee for one single false positive.

24/7 Remediation

Unlimited Patch Verifications
Tailored Remediation Guidelines
One-Click Virtual Patching via WAF
24/7 Access to Our Security Analysts
DevSecOps & CI/CD Tools Integration
Multirole RBAC Dashboard with 2FA
Penetration Test Certificate

Get a Quote Talk to Sales

Trusted by 1,000+ Global Customers

We believe ImmuniWeb platform would definitely address the common weaknesses seen in manual assessments. The AI-assisted platform not only automates the assessments, but also, executes them in a continuous, consistent and reliable fashion. Admittedly, the platform would definitely add quick wins and great ROI to its customers on their investment.

Abuhaneefa Fayaz
Information Security Officer

ImmuniWeb is a great innovative service that brings unbeatable ROI. It is undoubtedly the best way to quickly and easily guarantee your customers that their data is safe with you - and yours too by the way! Efficient and effective!

Jean-Michel Beylard-Ozeroff
Head of IT

ImmuniWeb provides accurate assessment on the security posture of our cloud-based applications. The report provided is concise and easy to read with sound advisories on the necessary steps to fix the issues. What impressed me most was that no false positive was listed and the vulnerabilities are real. ImmuniWeb certainly gives us the right level of assurance that our cloud-based applications are safe and "good-to-go" before we deploy them out to production

Lee Chye Seng
Director, Learning Systems and Applications

ImmuniWeb is an invaluable tool for iPresent with both automated and manual penetration testing. The fantastic manual testing has found even the most hidden and complicated bugs in our security and ImmuniWeb has delivered first class knowledge. The self-service interface also gives us great control to schedule and monitor tests when we need them

Neil Bostrom
Chief Technical Officer

ImmuniWeb is the best and simplest way to secure your business online. It's really fantastic experience to get report with zero false positive with detailed actions how to resolve problems and remove vulnerabilities. I think ImmuniWeb is definitely the best alternative to pen testers. As well as a way to save on staff and other costs. I am glad that I can get it all without any hidden costs and without complicated licensing schemes

Nika Vachridze
Senior Information Security Officer

ImmuniWeb is an efficient and very easy-to-use solution that combines automatic and human tests. The results are complete, straightforward and easy to understand. It’s an essential tool for the development of the new digital activities

Didier Ramella
CISO

Why Choosing ImmuniWeb® AI Platform

Reduce Your Costs

Up to 90% of operational
costs reduction

Accelerate Your Tasks

Up to x5 faster detection
and remediation

Simplify Your Processes

One platform for 20 synergized
use cases

Frequently Asked Questions

Q

How many URLs and domains can I include into one package?

A

There is no hard limit on the number of URLs or domains per package. All targets should, however, belong to the same business application. For example, an e-commerce platform may be located across several (sub)domains, APIs or third-party managed web services. They can normally all be included into one package. If you also wish to test your e-banking system, you will need a second package.
Q

How can I scope and customize my testing requirements?

A

At the first step of project creation, you can scope and configure special requirements for continuous penetration testing. For example, you can select authenticated (White Box) testing with 2FA/SSO for some (sub)domains, exclude testing for some specific vulnerabilities (e.g. self-XSS) or areas of the web application, or refrain from testing during weekends. Later, while your subscription is valid, you can update your testing requirements.
Q

What is the difference between the packages?

A

Packages (from right to left) include gradually more human time and other resources that will be allocated for the penetration test. Generally, the bigger your scope is, the bigger package you need to comprehensively test your web application for all know web application vulnerabilities and attack vectors. Please reach out to us for a quote tailored for your specific needs and scope.
Q

Can you test my applications in Microsoft Azure, AWS or GCP?

A

Yes, we can test your web applications, cloud-native apps, microservices or APIs hosted in AWS, Azure, GCP and any other public cloud service providers. Aside from detecting OWASP Top 10, OWASP API Top 10 and SANS Top 25 vulnerabilities, we also detect cloud-specific misconfigurations and try cloud pivoting and privilege escalation attacks by exploiting excessive access permissions, IMDS flaws or default IAM policies in your cloud environment.
Q

How are you different from other penetration testing companies?

A

ImmuniWeb® Continuous leverages our award-winning Machine Learning technology for acceleration and intelligent automation of laborious and time-consuming testing tasks and processes, eventually saving a considerable amount of human time on our side. Eventually, compared to traditional penetration testing, you may expect to get your penetration testing report much faster and to get higher vulnerability detection rate, as our security experts will spend their valuable time to meticulously reverse engineer your application and try the most sophisticated attack vectors instead of wasting time on routine or automatable security checks.