Black-box Web Pentest
Black-box web penetration test, no access to the code. The exact position of an external attacker.
An OSWE-certified pentester attacks your application from the internet, with no access to the code or the architecture. Real exploitation of the flaws within the limits of your authorization, not an automated scan dumped into a PDF. We cover the OWASP Top 10 and your APIs (REST, GraphQL, SOAP), we chain vulnerabilities all the way to real impact, and we deliver a two-tier report: an executive summary for management, and the technical detail with PoC, CVSS score and prioritized remediation. Non-destructive tests, on staging or preprod by default. Retest included to check that your fixes hold. The pentest is the human depth that complements EASM (external attack surface monitoring) and SecAI (continuous AI SAST).
How an engagement runs
An engagement builds up in stages, from scoping to the re-test: reconnaissance, exploitation backed by proof of each flaw, real-world impact assessment, then a remediation-focused report. We come back to verify your fixes once they are in place.

Des tarifs lisibles, sans surprise.
- Day rate €450 net, VAT not applicable (art. 293 B CGI)
- External black-box penetration test of a web application
- OWASP Top 10, REST/GraphQL/SOAP APIs, real exploitation within authorization
- Executive and technical report (PoC, CVSS, prioritized remediation)
- 1 retest included to validate the fixes
- Report delivered within 5 to 10 business days
- Day rate €450 net, VAT not applicable (art. 293 B CGI)
- Broader scope or complex application (multi-role, multi-API)
- In-depth research into business logic and exploitation chains
- Executive and technical report (PoC, CVSS, prioritized remediation)
- 2 retests included to validate the fixes
- Report delivered within 5 to 10 business days
- Day rate €450 net, VAT not applicable (art. 293 B CGI)
- Duration tailored to your scope after scoping
- Several applications, environments or specific constraints
- Number of retests defined in the quote
- OSWE-certified pentester, OWASP/OSSTMM/PTES methodology
- Scope defined before pricing
Fonctionnalités
Tout ce qu'il faut pour sécuriser, sans le superflu.
Real exploitation, not detection
We don't just list alerts. We chain vulnerabilities to concrete impact (data access, account takeover, authentication bypass), within the limits of your written authorization.
External attacker position
No access to the source code or the architecture. We start from zero, like an attacker on the internet: reconnaissance, enumeration, then attacks on what is actually exposed.
Coverage of modern APIs
REST, GraphQL and SOAP tested specifically. That's often the real way in, the one generic scans miss: exposed objects, broken access control, API-side injection.
OWASP Top 10, OSSTMM, PTES
A structured, repeatable methodology, defensible in a compliance audit. No opaque in-house recipe: a recognized framework, traced phases, verifiable results.
Executive and technical report
Two deliverables in a single document. A risk summary for management, and the technical detail with reproducible PoC, CVSS score and prioritized remediation for your teams.
Manual triage of false positives
Tooling (scanners, proxies) is a support, never a deliverable. Every reported vulnerability is confirmed by hand. You get what is exploitable, not raw tool output.
Comment ça marche
From scoping to the re-test.
- 01
Scoping and authorization
We define the scope, the target environments (staging or preprod by default), the testing windows and any test accounts. Audit agreement and written authorization signed before any action.
- 02
Reconnaissance and enumeration
Mapping the surface exposed from the internet: subdomains, entry points, technologies, REST/GraphQL/SOAP APIs. We identify the attack paths without knowing anything about the internals.
- 03
Controlled exploitation
Manual attacks on vulnerabilities following the OWASP Top 10, OSSTMM and PTES. We exploit for real to measure impact, we chain flaws, we confirm every finding and we discard false positives.
- 04
Report and retest
Delivery within 5 to 10 business days of the executive and technical report (PoC, CVSS, prioritized remediation). After your fixes, the included retest checks that the vulnerabilities are properly closed.
Bénéfices
L'impact concret pour vos équipes.
You know what is actually exploitable
A scanner lists symptoms. The black-box pentest demonstrates the path to your data and clears out the noise. You prioritize on confirmed flaws, not on 200 lines of automated report.
The price is written down, not negotiated
Day rate €450 net stated up front, engagements priced (5 days = €2,250, 10 days = €4,500). You budget without a mandatory sales call. VAT not applicable, article 293 B of the CGI, so no +20%.
Your production stays undisturbed
Non-destructive tests, on staging or preprod by default. Scope and testing windows agreed in writing before we start. And a retest included to confirm that your fixes actually close the flaw.
Questions fréquentes
Ce que vous voulez probablement savoir.
Parlons de votre besoin.
Démo, devis ou question technique : réponse sous 48 h ouvrées.
