ImmuniWeb® MobileSuite leverages our award-winning AI and Machine Learning technology to augment and accelerate mobile penetration testing. We deliver scalable, rapid and DevSecOps-enabled mobile app and backend testing with tailored remediation guidelines and a zero false-positive SLA.
Mobile Penetration Testing Made Simple
Zero False-Positive SLA
Money-Back Guarantee for a single false-positive
Rapid Delivery SLA
Guaranteed schedule of execution and report delivery
Business logic testing, SANS Top 25, PCI DSS & OWASP coverage
Tailored remediation guidelines and 24/7 support
SDLC and CI/CD tools integration, WAF for mobile backend flaws
How It Works
- Pick up a mobile
- Customize, pay and schedule the test
- Download your
Mobile Penetration Testing For Any Need
Ultimate Mobile App Testing
Static, dynamic and interactive security testing with SCA
Backend Security Testing
Manual security testing of Web Services and APIs
Intelligent Behavioral Analysis
Machine learning technology enhanced with manual security testing
Black & White Box
Authenticated (including 2FA/MFA) or Black Box testing
Threat-aware testing scenarios and attack vectors upon request
Proven Methodology and Global Standards
- OWASP Mobile Security Testing Guide
- NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
- PCI DSS Information Supplement: Penetration Testing Guidance
- FedRAMP Penetration Test Guidance
- ISACA’s How to Audit GDPR
- Common Vulnerabilities and Exposures (CVE) Compatible
- Common Weakness Enumeration (CWE) Compatible
- Common Vulnerability Scoring System (CVSSv3)
Many other "High" Risk Vulnerabilities
Cross-Site Scripting (XSS)
Insecure Cryptographic Storage
Improper Access Control
Cross-Site Request Forgery (CSRF)
Improper Error Handling
Broken Authentication and Session Management
CWE-22: Path Traversal
CWE-89: SQL Injection
CWE-78: Command Injection
CWE-89: Blind SQL Injection
CWE-79: Stored XSS
CWE-94: Code Injection
CWE-113: HTTP Response Splitting
CWE-94: AJAX Injection
CWE-200: Information Exposure
CWE-94: JSON Injection
CWE-502: Deserialization of Untrusted Data
CWE-521: Weak Password Requirements
CWE-601: Open Redirect
CWE-613: Insufficient Session Expiration
ImmuniWeb MobileSuite Packages and Pricing
SMB package is best suited for small mobile apps, such as games or news apps with up to 5 systems in the mobile backend (e.g. web services, APIs, etc).
Corporate Pro package is best suited for business critical apps handling sensitive data of your clients, such as e-banking or e-payments apps with 15 or more systems in the mobile backend (e.g. web services, APIs, etc).
Corporate package is best suited for business applications that process data of your clients or partners, such as online booking, basic e-commerce or document processing apps with up to 10 systems in the mobile backend (e.g. web services, APIs, etc).
- Rapid Delivery SLA
- Mobile App Testing (iOS / Android)
- Mobile App Backend Testing (APIs)
- Mobile Application Penetration Testing:
- SANS Top 25 Full Coverage
- OWASP Top 10 Full Coverage
- OWASP Mobile Top 10 Full Coverage
- PCI DSS 6.5.1-6.5.11 Full Coverage
- AI to Augment Human Testing and Analysis
- Machine Learning to Accelerate Testing
- Full Customization of Testing
- Zero False-Positive SLA
- Threat-Aware Risk Scoring
- Tailored Remediation Guidelines
- Web Interface, PDF and XML Formats
- PCI DSS and GDPR Compliance
- CVE, CWE and CVSSv3 Scores
- 24/7 Access to Our Security Analysts
- DevSecOps & CI/CD Tools Integration
- One-Click Virtual Patching via WAF
- Multirole Dashboard
Testimonials and Customer References
ImmuniWeb is an efficient and very easy-to-use solution that combines automatic and human tests. The results are complete, straightforward and easy to understand. It’s an essential tool for the development of the new digital activities.
ImmuniWeb is the best and simplest way to secure your business online. It's a really fantastic experience to get a report with zero false positives and detailed actions on how to resolve problems and remove vulnerabilities. I think ImmuniWeb is definitely the best alternative to pen testers, as well as a way to save on staff and other costs. I am glad that I can get it all without any hidden costs and without complicated licensing schemes.
Senior Information Security Officer
ImmuniWeb significantly enhanced our vulnerability assessment capacity. It's an indispensable tool for continuous auditing of web-based systems.
Chief Security Officer
ImmuniWeb provides accurate assessment on the security posture of our cloud-based applications. The report provided is concise and easy to read with sound advisories on the necessary steps to fix the issues. What impressed me most was that no false-positive was listed and the vulnerabilities are real. ImmuniWeb certainly gives us the right level of assurance that our cloud-based applications are safe and "good-to-go" before we deploy them out to production.
Lee Chye Seng
Director, Learning Systems and Applications
ImmuniWeb is an invaluable tool for iPresent with both automated and manual penetration testing. The fantastic manual testing has found even the most hidden and complicated bugs in our security and ImmuniWeb has delivered first-class knowledge. The self-service interface also gives us great control to schedule and monitor tests when we need them.
Chief Technical Officer
ImmuniWeb is a great innovative service that brings unbeatable ROI. It is undoubtedly the best way to quickly and easily guarantee your customers that their data is safe with you - and yours too by the way! Efficient and effective!
Head of IT
Frequently Asked Questions
The main difference is the amount of human time spent on a project to detect the most sophisticated, non-trivial and novel security vulnerabilities. All other technical and reporting capabilities and features are the same.
Given the wide spectrum of platform-specific attacks and weaknesses, each mobile app requires a separate package. However, if your mobile backend is the same, we will gladly provide a discount; please contact our Sales team.
The project scope includes the provided mobile application and its backend (API and microservices). We conduct penetration testing only on web applications, APIs and web services; the network layer is not tested.
Yes, if necessary, you can request a specific timeframe for your project. Please indicate the preferred testing period in the “Special Requirements” field during the first step of project creation. By default, all projects start at 9:00 AM CET on the scheduled day.
When creating a project, simply specify in plain English any special requirements for testing and remediation, from scope and methodology to reporting. For example, you may ask us to spend additional time on sophisticated 2FA bypass techniques, to avoid reporting low-risk XSS, or to provide in-depth remediation guidelines for PHP developers, and we will do so.
We provide actionable remediation guidelines for each detected vulnerability. Moreover, you have unlimited access to our security analysts should you have any further questions about remediation. Furthermore, we offer one-click virtual patching via WAF by F5, Imperva, Fortinet, Barracuda, Qualys and DenyAll.
It is a binding contractual clause for every project, without exception. The clause clearly stipulates that for a single false positive in your report you will get back the entire amount paid for the project.
All exploitable and confirmed vulnerabilities receive a CVSSv3 Base score. Moreover, we assess and indicate such important criteria as public availability of an exploit, ongoing exploitation campaigns in the wild, and availability of a vendor-supplied fix for the vulnerability. Issues that cannot be exploited or confirmed (e.g. a security flaw presumably affecting your Admin area, to which we do not have access) are listed separately as security warnings without a CVSSv3 score.
In addition to our DevSecOps-enabled, multi-role dashboard, you can download a report in PDF and XML formats. We also offer one-click integration with the most popular developer, CI/CD and DevSecOps tools, such as Jira or Mantis, and you can securely access your report data via our API.
All ImmuniWeb customers get unlimited access to our security analysts via the ImmuniWeb Portal. You can ask questions about exploitation, remediation or any other project-related topics.
All penetration testing data is securely stored in our ISO 27001:2013 infrastructure in Canada and Switzerland (both recognized by the European Commission as countries providing an adequate level of data protection for the purposes of GDPR). For most projects we automatically and securely delete the data 90 days after report delivery. Upon your request, all data can be securely deleted at any time.
Our award-winning Machine Learning technology, based on Artificial Neural Networks (ANN), considerably reduces testing time. Unlike the automated scanners that penetration testers use for basic testing, our proprietary technology delivers a superior quality of testing and sends fewer HTTP requests. Our AI technology, based on various Deep Learning algorithms, is used for intelligent automation of the testing process, ensuring that all possible attack vectors and exploitation techniques are properly tested. As a result, what a traditional penetration test delivers in a week, our team of penetration testers will likely deliver in a couple of days or even faster.