Web Application Penetration Testing

Simple. Reliable. Pay as You Go.

ImmuniWeb® On-Demand leverages our proprietary Multilayer Application Security Testing technology for rapid, reliable and DevSecOps-enabled web penetration testing. It combines our award-winning Machine
Learning and AI technology with scalable and cost-effective manual web security testing.

ImmuniWeb® On-Demand

Reducing complexity and costs
In-Depth Testing
In-Depth Testing

coverage & business logic testing

Accurate Reporting
Accurate Reporting

Zero false-positive SLA and actionable remediation guidelines

DevSecOps Tailored
DevSecOps Tailored

One-click WAF virtual patching,
SDLC & CI/CD integration

How It Works

  1. Pick up a web
    application or API
  2. Customize, pay and
    schedule the test
  3. Download your
    remediation report

Standards & Methodologies

We leverage in-house Application Security Testing methodologies in combination with:

  • OWASP Testing Guide
  • NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
  • PCI DSS Information Supplement: Penetration Testing Guidance
  • FedRAMP Penetration Test Guidance
  • ISACA’s How to Audit GDPR
NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
PCI DSS Information Supplement: Penetration Testing Guidance
FedRAMP Penetration Test Guidance
OWASP Testing Guide

We follow international standards to report security vulnerabilities:

  • Common Vulnerabilities and Exposures (CVE) Compatible
  • Common Weakness Enumeration (CWE) Compatible
  • Common Vulnerability Scoring System (CVSSv3)
Common Vulnerabilities and Exposures (CVE) Compatible Common Weakness Enumeration (CWE) Compatible Common Vulnerability Scoring System (CVSSv3)

Comprehensive Penetration Testing

Internal & External Web Apps

Virtual Appliance technology for
internal applications testing

APIs and Web Services

Comprehensive coverage of API &
Web Services (REST/SOAP)

Open Source Security

Software Composition Analysis (SCA)
tests for 20,000+ known CVE-IDs

Vulnerability Coverage Datasheet

  • Injection Flaws

  • Many other "High" Risk Vulnerabilities

  • Buffer Overflows

  • Cross-Site Scripting (XSS)

  • Insecure Cryptographic Storage

  • Improper Access Control

  • Insecure Communications

  • Cross-Site Request Forgery (CSRF)

  • Improper Error Handling

  • Broken Authentication and Session Management

DevSecOps Integrations

Developers Environment

Jira DevSecOps Integration HP DevSecOps Integration Bugzilla DevSecOps Integration Splunk DevSecOps Integration Mantis DevSecOps Integration Defectdojo DevSecOps Integration

Web Application Firewalls

Testimonials and Customer References

Crédit Agricole next bank (Suisse) SA
eBay Classifieds Group
Haymarket Media, Inc.
Swissquote Bank SA
University Hospitals of Geneva (HUG)
SIX Group Services AG
International Telecommunication Union (ITU)
Banca dello Stato del Cantone Ticino
SIM University
Arab Bank (Switzerland) Ltd.
Legal Vision

ImmuniWeb® On-Demand Pricing

Web Application Penetration Testing
Small dynamic website
Small e-commerce website
Corporate Pro
Multirole critical application
Midsized CRM, ERP or HRM
Three simple steps of each package:
1 Testing
  • Rapid delivery SLA
  • Multilayer Application Security Testing:
    • SANS Top 25 Full Coverage
    • OWASP Top 10 Full Coverage
    • PCI DSS 6.5.1-6.5.11 Full Coverage
    • AI to augment human testing and analysis
    • Machine Learning to accelerate testing
    • Authenticated testing (2FA / SSO)
    • REST/SOAP API testing
  • Full customization of testing
2 Reporting
  • Zero False-Positive SLA
  • Threat-Aware Risk Scoring
  • Tailored Remediation Guidelines
  • Web Interface, PDF and XML Formats
  • PCI DSS and GDPR compliances
  • CVE, CWE and CVSSv3 scores
3 Remediation
  • 24/7 Access to Our Security Analysts
  • Integration With SDLC & CI/CD Tools
  • One-Click Virtual Patching via WAF
  • Unlimited Patch Verifications
  • Multirole Dashboard
Instant start, report in 1 day
Buy Now
Instant start, report in 2 days
Buy Now
Instant start, report in 4 days
Buy Now
Instant start, report in 6 days
Buy Now

ImmuniWeb disrupts traditional application security testing by
delivering web and mobile application testing augmented with
proprietary machine-learning technology and human testing

Frequently Asked Questions

The main difference is the amount of human time spent on a project to detect the most sophisticated, untrivial and novel security vulnerabilities. All other technical and reporting capacities and features are the same.

Our award-winning Machine Learning technology, based on Artificial Neural Networks (ANN), considerably reduces the testing time. Differently from automated scanners that penetration testers use to conduct basic testing, our proprietary technology delivers a superior quality of testing and sends less HTTP requests. While our AI technology, based on various Deep Learning algorithms, is used for intelligent automation of the testing processes thereby ensuring that all possible attack vectors and exploitation techniques are properly tested. Eventually, what a traditional penetration testing delivers in a week, our team of penetration testers will likely deliver in a couple of days or even faster.

We recommend grouping different URLs in one package only if they belong to the same business application. For example, your ERP or e-banking system may be located across several (sub)domains and have APIs on different URLs - all of them are suitable to be group into one package at the first step of project creation. Contrariwise, it will be inappropriate to group your CRM and unrelated Partner Portal in one package.

Yes, we will provide you with ImmuniWeb Virtual Appliance (VA) for this purpose. Being a Virtual Machine (VM) image composed of open source software only, the VM is always under your full control (root access). The VM will securely route ImmuniWeb testing traffic to your internal web applications and APIs. It usually takes just a few minutes to deploy the VM internally. We recommend deploying the VM in an isolated VLAN with access only to the applications to be tested.

All projects are performed in accordance with OWASP Testing Guide, version 4. For every project we have at least two security analysts conducting advanced manual testing on top of intelligently automated and accelerated vulnerability scanning by our award-winning AI technology. Additionally, we may enhance the methodology with NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, PCI DSS Information Supplement: Penetration Testing Guidance, FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR guide.

The main URL provided at the first step of project creation will be the main target. All web application directories and subdirectories (e.g. /ebanking/trial) will be automatically included into the scope unless you indicate otherwise on the first step of project creation (e.g. you may exclude /admin/ directory). If you select “Allow subdomains” option at the first step of project creation, we may include all subdomains into the scope as well. We conduct penetration testing only on web applications, APIs and web services without testing network layer.

Yes, if necessary, you can request a specific timeframe for your project. Please, indicate the preferred testing period in “Special Requirements” field during the first step of project creation. By default, all projects start at 9:00 AM CET of the scheduled day.

When creating a project, just specify in plain English any special requirements for testing and remediation, from scope and methodology to reporting. For example, you may command to spend additional time on sophisticated 2FA bypass techniques, avoid reporting low-risk XSS or provide in-depth remediation guidelines for PHP developers, and we will do so.

We provide actionable remediation guidelines for each of the detected vulnerabilities. Moreover, you have unlimited access to our security analysts might you have any further questions about remediation. Furthermore, we offer one-click virtual patching via WAF by F5, Imperva, Fortinet, Barracuda, Qualsy and DenyAll.

It is a binding contractual clause for every project with no exception. The clause clearly stipulates that for one single false positive in your report you will get back the entire amount paid for the project.

All exploitable and confirmed vulnerabilities will receive a CVSSv3 Base score. Moreover, we assess and indicate such important criteria as public availability of exploit, ongoing exploitation campaigns in the wild or vendor-supplied solution for the vulnerability. Issues that cannot be exploited or confirmed (e.g. a security flaw presumably affecting your Admin area where we do not have an access), will be added separately as security warnings without a CVSSv3 score.

In addition to our DevSecOps-enabled, multi-role dashboard you can download a report in PDF and XML formats. Likewise, we offer one-click integration with the most popular developers, CI/CD and DevSecOps tools, such as Jira or Mantis. Likewise, you can securely access your report data via our API.

All ImmuniWeb customers get unlimited access to our security analysts via ImmuniWeb Portal. You can ask questions about exploitation, remediation or any other project-related topics.

You can run unlimited re-assessments at no additional cost to verify whether all previously detected vulnerabilities are properly patched. Available within 60 days after the initial report delivery.

All penetration testing data is securely stored in our ISO 27001:2013 infrastructure in Canada and Switzerland (both recognized by the European Commission as countries providing an adequate level of data protection for the purpose of GDPR). For most of the projects we automatically and securely delete the data in 90 days after report delivery. Upon your request all data can be securely deleted at any moment.

Any other questions? Contact Sales

Gartner Peer Insights Recommends

Gartner Peer Insights
Quick Start
Get a Demo