Web Application Penetration Testing
ImmuniWeb® On-Demand leverages our proprietary Multilayer Application Security Testing technology for rapid, reliable and DevSecOps-enabled web penetration testing. It combines our award-winning Machine Learning and AI technology with scalable and cost-effective manual web security testing.
SANS Top 25, PCI DSS and OWASP coverage & business logic testing
Zero false-positive SLA and actionable remediation guidelines
One-click WAF virtual patching, SDLC & CI/CD integration
How It Works
- Pick a web application or API
- Customize, pay and schedule the test
- Download your
Standards & Methodologies
We leverage in-house application security testing methodologies in combination with:
- OWASP Testing Guide
- NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
- PCI DSS Information Supplement: Penetration Testing Guidance
- FedRAMP Penetration Test Guidance
- ISACA’s How to Audit GDPR
We follow international standards to report security vulnerabilities:
- Common Vulnerabilities and Exposures (CVE) Compatible
- Common Weakness Enumeration (CWE) Compatible
- Common Vulnerability Scoring System (CVSSv3)
Comprehensive Penetration Testing
Internal & External Web Apps: internal applications testing
APIs and Web Services: Web Services (REST/SOAP)
Open Source Security: tests for 20,000+ known CVE-IDs
Vulnerability Coverage Datasheet
Cross-Site Scripting (XSS)
Insecure Cryptographic Storage
Improper Access Control
Cross-Site Request Forgery (CSRF)
Improper Error Handling
Broken Authentication and Session Management
Many other "High" Risk Vulnerabilities
CWE-22: Path Traversal
CWE-89: SQL Injection
CWE-78: Command Injection
CWE-89: Blind SQL Injection
CWE-79: Stored XSS
CWE-94: Code Injection
CWE-113: HTTP Response Splitting
CWE-94: AJAX Injection
CWE-200: Information Exposure
CWE-94: JSON Injection
CWE-502: Deserialization of Untrusted Data
CWE-521: Weak Password Requirements
CWE-601: Open Redirect
CWE-613: Insufficient Session Expiration
Testimonials and Customer References
ImmuniWeb is an efficient and very easy-to-use solution that combines automatic and human tests. The results are complete, straightforward and easy to understand. It's an essential tool for the development of the new digital activities.
ImmuniWeb is the best and simplest way to secure your business online. It's a really fantastic experience to get a report with zero false positives and detailed actions on how to resolve problems and remove vulnerabilities. I think ImmuniWeb is definitely the best alternative to pen testers, as well as a way to save on staff and other costs. I am glad that I can get it all without any hidden costs and without complicated licensing schemes.
Senior Information Security Officer
ImmuniWeb significantly enhanced our vulnerability assessment capacity. It's an indispensable tool for continuous auditing of web-based systems.
Chief Security Officer
ImmuniWeb provides accurate assessment on the security posture of our cloud-based applications. The report provided is concise and easy to read with sound advisories on the necessary steps to fix the issues. What impressed me most was that no false positive was listed and the vulnerabilities are real. ImmuniWeb certainly gives us the right level of assurance that our cloud-based applications are safe and 'good-to-go' before we deploy them out to production.
Lee Chye Seng
Director, Learning Systems and Applications
ImmuniWeb is an invaluable tool for iPresent with both automated and manual penetration testing. The fantastic manual testing has found even the most hidden and complicated bugs in our security and ImmuniWeb has delivered first-class knowledge. The self-service interface also gives us great control to schedule and monitor tests when we need them.
Chief Technical Officer
ImmuniWeb is a great innovative service that brings unbeatable ROI. It is undoubtedly the best way to quickly and easily guarantee your customers that their data is safe with you - and yours too by the way! Efficient and effective!
Head of IT
ImmuniWeb® On-Demand Pricing
- Instant Start
- Suited to testing several domains / URLs
- Multilayer Application Security Testing:
- Threat-aware testing scenarios
- AI to reduce human testing and analysis
- Machine Learning to accelerate testing
- REST/SOAP API testing
- Authenticated testing
- 2FA & SSO support
- Full customization of testing
- Rapid delivery SLA
- Zero False-Positive SLA
- Threat-Aware Risk Scoring
- Tailored Remediation Guidelines
- Web Interface, PDF and XML Formats
- PCI DSS and GDPR compliance
- CVE, CWE and CVSSv3 scores
- 24/7 Access to Our Security Analysts
- Integration With SDLC & CI/CD Tools
- One-Click Virtual Patching via WAF
- Unlimited Patch Verifications
- Multirole Dashboard
Frequently Asked Questions
The main difference is the amount of human time spent on a project to detect the most complicated, non-trivial and novel security vulnerabilities. All other options and features are the same.
For every project we have several security analysts conducting advanced manual testing. Thanks to our AI-enabled multilayer application security testing technology, our security analysts spend their time only when and where it is truly needed because of complexity (e.g. bypassing a WAF, running a chained exploitation or analyzing a business logic flaw).
You can include as many of them as practical. We recommend aggregating URLs only if they belong to the same application; for example, your ERP or e-banking system may be spread across several (sub)domains and have numerous APIs, and all of them can be included in one package. Conversely, it would be inappropriate to group your CRM and an unrelated Partner Portal in one package.
It is a contractual clause for every project. The following delivery schedule is guaranteed upon start:
- 2 business days for Express and SMB
- 4 business days for Corporate
- 6 business days for Corporate Pro
It is a contractual clause for every project. It clearly stipulates that for a single false positive in your report you will get back the full amount paid for the assessment.
When creating a project you can specify in plain English any special requirements for testing and remediation. Just ask us to focus on 2FA bypass, to avoid reporting low-risk XSS or to provide in-depth remediation guidance for PHP developers, and we will do so.
We provide actionable remediation guidelines for each of the detected vulnerabilities. Moreover, you have unlimited access to our security analysts should you have any further questions. We also offer one-click virtual patching via WAFs from F5, Imperva, Fortinet, Barracuda, DenyAll and many others. All of this at no additional cost.
In addition to the interactive, multi-role dashboard you can get your report in PDF and XML formats. The available XML schemas are export-ready for all popular developer tools such as Jira.
All ImmuniWeb customers get unlimited access to our security analysts via ImmuniWeb Portal. You can ask questions about exploitation, remediation or any other project-related topics.
You can run unlimited re-assessments at no additional cost to verify whether all previously detected vulnerabilities were properly patched. Re-assessments are available for 60 days after report delivery.
All penetration testing data is securely stored in our ISO 27001 infrastructure in Canada and Switzerland (both recognized by the European Commission as countries providing an adequate level of data protection for the purposes of GDPR). For most projects we automatically delete the data 90 days after report delivery. Upon request, all data can be deleted at any moment.
You may create as many user accounts as practical and grant them flexible, role-based access permissions.
Yes, please just specify in the special requirements for your project that your website was hacked, and we will try to investigate how it happened in addition to the security testing.
You can start right now; we accept all types of online payments: PayPal, credit cards and bank wire (which usually takes 2-3 business days). If your project is urgent, please create a support ticket and we will try to start it immediately.