ImmuniWeb® Continuous
Continuous Penetration Testing Made Simple
ImmuniWeb® Continuous monitors your web applications and APIs for new code or modifications. Every change is rapidly tested, verified and dispatched to your team with a zero false-positives SLA. Unlimited 24/7 access to our security analysts for customizable and threat-aware pentesting is included in every project.
Quality. Simplicity. Speed.
- In-Depth Testing: Business logic testing, SANS Top 25, PCI DSS & OWASP coverage
- Zero False-Positives SLA: Money-Back Guarantee for a single false positive
- Actionable Reporting: Tailored remediation guidelines and 24/7 access to analysts
- 24/7 Just-in-time Testing: Once your code is changed, our experts will promptly test it
- DevSecOps Tailored: One-click WAF virtual patching, SDLC & CI/CD integration
How it works
- 24/7 continuous security testing
- 24/7 verified alerts on new vulnerabilities
- 24/7 patch status verification
Continuous Penetration Testing for Any Need
- Internal & External Web Apps: Virtual Appliance technology for internal applications testing
- Cloud Security Testing: Check if attackers can pivot to other systems in your cloud
- APIs & Web Services: API (REST/SOAP/GraphQL) security & privacy testing
- Black & White Box: Authenticated (including MFA/SSO) or Black Box testing
- Open Source Security: Software Composition Analysis (SCA) tests for 20,000+ known CVE-IDs
- Red Teaming: Breach and attack simulation per MITRE ATT&CK® Enterprise
Proven Methodology and Global Standards
- OWASP Web Security Testing Guide (WSTG)
- NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
- PCI DSS Information Supplement: Penetration Testing Guidance
- MITRE ATT&CK® Matrix for Enterprise
- FedRAMP Penetration Test Guidance
- ISACA’s How to Audit GDPR
- OWASP Application Security Verification Standard (ASVS v4.0.2) Mapping
- Common Vulnerabilities and Exposures (CVE) Compatible
- Common Weakness Enumeration (CWE) Compatible
- Common Vulnerability Scoring System (CVSS v3.1)
- A3: Injection
- Injection Flaws
- Many Other "High" Risk Vulnerabilities
- Buffer Overflows
- Cross-Site Scripting (XSS)
- Insecure Cryptographic Storage
- Improper Access Control
- Insecure Communications
- Cross-Site Request Forgery (CSRF)
- Improper Error Handling
- Broken Authentication and Session Management

- CWE-20: Improper Input Validation
- CWE-125: Out-of-Bounds Read
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-862: Missing Authorization
- CWE-476: NULL Pointer Dereference
- CWE-287: Improper Authentication
- CWE-190: Integer Overflow or Wraparound
- CWE-502: Deserialization of Untrusted Data

- API1: Broken Object Level Authorization
- API3: Broken Object Property Level Authorization
- API5: Broken Function Level Authorization
- API7: Server Side Request Forgery
- API9: Improper Inventory Management
- API2: Broken Authentication
- API4: Unrestricted Resource Consumption
- API6: Unrestricted Access to Sensitive Business Flows
- API8: Security Misconfiguration
- API10: Unsafe Consumption of APIs
ImmuniWeb® Continuous Setup and Packages
1. 24/7 continuous security testing
2. 24/7 verified alerts on new vulnerabilities
3. 24/7 patch status verification
| ImmuniWeb® Continuous Packages for any need | Corporate Pro | Corporate | Express Pro |
|---|---|---|---|
| Manual Penetration Testing: Our security experts conduct advanced security testing of your web application’s business logic, perform chained exploitation of sophisticated vulnerabilities, and run other security and privacy checks that require human intelligence due to their complexity. | Daily | Weekly | Bi-weekly |
| OWASP ASVS Testing Level: The higher the OWASP ASVS testing level, the more advanced security tests and checks are performed. | Level 3 | Level 2 | Level 1 |
| Access to Security Analysts: Our security experts are at your service for any questions about remediation, exploitation or analysis of the detected vulnerabilities. | 24/7 | 24/7 | 24/7 |
| AI-Enabled Vulnerability Scanning: Our award-winning Deep Learning AI technology accelerates and intelligently automates over 10,000 checks of your web application security, which usually require human labor and cannot be performed by traditional vulnerability scanners due to their complexity. | 24/7 | 24/7 | 24/7 |
| Continuous Automated Red Teaming: Our AI-enabled technology automatically detects and prioritizes testing of your web infrastructure against the most recent hacking techniques and real-life payloads. | 24/7 | 24/7 | - |
| Continuous Breach & Attack Simulation: Our security experts will carefully exploit detected vulnerabilities, trying to bypass security controls, avoid detection mechanisms and exfiltrate data, simulating a real attack. | 24/7 | - | - |
- OSINT Search of Stolen Credentials
- Detection of Changes and New Code
- Continuous Penetration Testing
- SANS Top 25 Full Coverage
- OWASP Top 10 Full Coverage
- PCI DSS 6.5.1-6.5.10 Full Coverage
- AI Augments Human Testing and Analysis
- Machine Learning Accelerates Testing
- Authenticated Testing (MFA / SSO)
- REST/SOAP/GraphQL API Testing
- Business Logic Testing
- Full Customization of Testing
- Privacy Review
- Instant SMS Alerts
- Instant Email Alerts
- Threat-Aware Risk Scoring
- Step-by-Step Instructions to Reproduce
- Web, PDF, JSON, XML and CSV Formats
- PCI DSS and GDPR Compliances
- CVE, CWE and CVSS Scores
- OWASP ASVS Mapping
- Zero False-Positives SLA (Money Back): Contractual money-back guarantee for a single false positive.
- Unlimited Patch Verifications
- Tailored Remediation Guidelines
- One-Click Virtual Patching via WAF
- 24/7 Access to Our Security Analysts
- DevSecOps & CI/CD Tools Integration
- Multirole RBAC Dashboard with 2FA
- Penetration Test Certificate
Frequently Asked Questions
- Q: How many URLs and domains can I include in one package?
  A: There is no limit on URLs and domains per package. Moreover, in each package you can set up two levels of testing: primary and secondary. Primary applications are manually tested for all checks and tests included in your package. Secondary applications are automatically tested for all automated checks and tests included in your package. This approach provides the best value for money and ensures that all your applications are continually tested to the extent needed.
- Q: How can I scope and customize my testing requirements?
  A: At the first step of project creation, you can scope and configure special requirements for continuous penetration testing. For example, you can select authenticated (White Box) testing with 2FA/SSO for some (sub)domains, exclude specific vulnerabilities (e.g. self-XSS) or areas of the web application from testing, or refrain from testing during weekends. Later, while your subscription is valid, you can update your testing requirements.
- Q: What is the difference between the packages?
  A: The key difference is the amount of human time and other resources allocated to continuous security testing of your scope. The bigger the package, the more vulnerabilities we are able to detect and report for remediation in a timely manner. Please reach out to us for a quote tailored to your specific needs and scope.
- Q: Can you test my applications in Microsoft Azure, AWS or GCP?
  A: Yes, we can test your web applications, cloud-native apps, microservices or APIs hosted in AWS, Azure, GCP and any other public cloud service provider. Aside from detecting OWASP Top 10, OWASP API Top 10 and SANS Top 25 vulnerabilities, we also detect cloud-specific misconfigurations and attempt cloud pivoting and privilege escalation by exploiting excessive access permissions, IMDS flaws or default IAM policies in your cloud environment.
- Q: How are you different from other penetration testing companies?
  A: ImmuniWeb® Continuous leverages our award-winning Machine Learning technology to accelerate and intelligently automate laborious and time-consuming testing tasks and processes, saving a considerable amount of human time on our side. As a result, compared to traditional penetration testing, you can expect to receive your penetration testing report much faster and with a higher vulnerability detection rate, as our security experts spend their time meticulously reverse engineering your application and trying the most sophisticated attack vectors instead of routine or automatable security checks.