Skip to main content
own2pwn

Black-box Web Pentest

Black-box web penetration test, no access to the code. The exact position of an external attacker.

An OSWE-certified pentester attacks your application from the internet, with no access to the code or the architecture. Real exploitation of the flaws within the limits of your authorization, not an automated scan dumped into a PDF. We cover the OWASP Top 10 and your APIs (REST, GraphQL, SOAP), we chain vulnerabilities all the way to real impact, and we deliver a two-tier report: an executive summary for management, and the technical detail with PoC, CVSS score and prioritized remediation. Non-destructive tests, on staging or preprod by default. Retest included to check that your fixes hold. The pentest is the human depth that complements EASM (external attack surface monitoring) and SecAI (continuous AI SAST).

How an engagement runs

An engagement builds up in stages, from scoping to the re-test: reconnaissance, exploitation backed by proof of each flaw, real-world impact assessment, then a remediation-focused report. We come back to verify your fixes once they are in place.

Web blackbox pentest diagram: testing the application as a black box from the outside (recon, attack, exploitation), leading to a report.
Reconnaissance, exploitation with proof, impact assessment, then a report. We come back to verify the fixes.

Des tarifs lisibles, sans surprise.

Recommandé
5-day engagement
€2,250
  • Day rate €450 net, VAT not applicable (art. 293 B CGI)
  • External black-box penetration test of a web application
  • OWASP Top 10, REST/GraphQL/SOAP APIs, real exploitation within authorization
  • Executive and technical report (PoC, CVSS, prioritized remediation)
  • 1 retest included to validate the fixes
  • Report delivered within 5 to 10 business days
Request a quote
10-day engagement
€4,500
  • Day rate €450 net, VAT not applicable (art. 293 B CGI)
  • Broader scope or complex application (multi-role, multi-API)
  • In-depth research into business logic and exploitation chains
  • Executive and technical report (PoC, CVSS, prioritized remediation)
  • 2 retests included to validate the fixes
  • Report delivered within 5 to 10 business days
Request a quote
Custom
On request
  • Day rate €450 net, VAT not applicable (art. 293 B CGI)
  • Duration tailored to your scope after scoping
  • Several applications, environments or specific constraints
  • Number of retests defined in the quote
  • OSWE-certified pentester, OWASP/OSSTMM/PTES methodology
  • Scope defined before pricing
Contact us

Fonctionnalités

Tout ce qu'il faut pour sécuriser, sans le superflu.

Real exploitation, not detection

We don't just list alerts. We chain vulnerabilities to concrete impact (data access, account takeover, authentication bypass), within the limits of your written authorization.

External attacker position

No access to the source code or the architecture. We start from zero, like an attacker on the internet: reconnaissance, enumeration, then attacks on what is actually exposed.

Coverage of modern APIs

REST, GraphQL and SOAP tested specifically. That's often the real way in, the one generic scans miss: exposed objects, broken access control, API-side injection.

OWASP Top 10, OSSTMM, PTES

A structured, repeatable methodology, defensible in a compliance audit. No opaque in-house recipe: a recognized framework, traced phases, verifiable results.

Executive and technical report

Two deliverables in a single document. A risk summary for management, and the technical detail with reproducible PoC, CVSS score and prioritized remediation for your teams.

Manual triage of false positives

Tooling (scanners, proxies) is a support, never a deliverable. Every reported vulnerability is confirmed by hand. You get what is exploitable, not raw tool output.

Comment ça marche

From scoping to the re-test.

  1. 01

    Scoping and authorization

    We define the scope, the target environments (staging or preprod by default), the testing windows and any test accounts. Audit agreement and written authorization signed before any action.

  2. 02

    Reconnaissance and enumeration

    Mapping the surface exposed from the internet: subdomains, entry points, technologies, REST/GraphQL/SOAP APIs. We identify the attack paths without knowing anything about the internals.

  3. 03

    Controlled exploitation

    Manual attacks on vulnerabilities following the OWASP Top 10, OSSTMM and PTES. We exploit for real to measure impact, we chain flaws, we confirm every finding and we discard false positives.

  4. 04

    Report and retest

    Delivery within 5 to 10 business days of the executive and technical report (PoC, CVSS, prioritized remediation). After your fixes, the included retest checks that the vulnerabilities are properly closed.

Bénéfices

L'impact concret pour vos équipes.

01

You know what is actually exploitable

A scanner lists symptoms. The black-box pentest demonstrates the path to your data and clears out the noise. You prioritize on confirmed flaws, not on 200 lines of automated report.

02

The price is written down, not negotiated

Day rate €450 net stated up front, engagements priced (5 days = €2,250, 10 days = €4,500). You budget without a mandatory sales call. VAT not applicable, article 293 B of the CGI, so no +20%.

03

Your production stays undisturbed

Non-destructive tests, on staging or preprod by default. Scope and testing windows agreed in writing before we start. And a retest included to confirm that your fixes actually close the flaw.

Questions fréquentes

Ce que vous voulez probablement savoir.

Parlons de votre besoin.

Démo, devis ou question technique : réponse sous 48 h ouvrées.