White-box Web Pentest
The code tells the truth. We read it line by line.
A white-box web penetration test, run by an OSWE-certified pentester with access to your source code, your architecture and ideally your infrastructure. Manual source-code review, SAST tooling triaged by hand, code-guided DAST, architecture review, configuration audit of servers, databases and cloud, cryptographic analysis. We surface the business-logic flaws, race conditions and broken crypto that black-box testing never sees. Strict NDA, code analysed in an isolated environment and deleted after the engagement. Executive and technical report with PoC, CVSS and prioritised remediation, retests included. This is the human depth that complements EASM (external surface) and SecAI (continuous AI SAST).
How an engagement runs
An engagement builds up in stages, from scoping to the re-test: reconnaissance, exploitation backed by proof of each flaw, real-world impact assessment, then a remediation-focused report. We come back to verify your fixes once they are in place.

Des tarifs lisibles, sans surprise.
- Day rate €600 net, VAT not applicable (art. 293 B CGI)
- Code review + architecture + configs + crypto
- Executive and technical report, PoC, CVSS, prioritised remediation
- 1 retest included to validate the fixes
- Non-destructive, staging or pre-production by default
- Day rate €600 net, VAT not applicable (art. 293 B CGI)
- Wider scope: several modules, full architecture, infrastructure
- Executive and technical report, PoC, CVSS, prioritised remediation
- 2 retests included to validate the fixes
- Debrief session and knowledge transfer
- On request, day rate €600 net
- For a monorepo, multi-repos or a large scope
- Number of days and retests adapted to the scope
- Fix implementation as an option, separate package
- Post-remediation attestation for compliance
Fonctionnalités
Tout ce qu'il faut pour sécuriser, sans le superflu.
Manual source-code review
An OSWE pentester reads your code, not a scanner. We look for the logic flaws, exploitation chains and design mistakes that tools can't follow. The code is analysed read-only, in an isolated environment.
SAST tooling, false positives triaged by hand
We run static analysis tools to cover the volume, then triage every result manually. You get confirmed vulnerabilities with their real impact, not a raw list of 200 alerts where half is noise.
Code-guided DAST
Dynamic testing is driven by what reading the code revealed. We go straight to the sensitive endpoints and paths instead of probing blind, which makes exploitation faster and deeper than in black-box.
Architecture review
We look at how components talk to each other, where the trust boundaries sit, how authentication and authorisation are designed. Many serious flaws come from the architecture, not from a single line of code.
Configuration audit
Web servers, databases, cloud services. We check hardening, permissions, exposed secrets, headers, needless exposure. A default config left in place is often enough to open the door.
Cryptographic analysis
Review of how crypto is used in the code: algorithms, key management, randomness generation, password storage, signatures and tokens. Crypto mistakes are invisible from the outside and cost dearly in a breach.
Finding flaws invisible to black-box
Abused business logic, race conditions, inconsistent access controls, hard-coded secrets, vulnerable third-party dependencies. With the code in front of us, we find what an external test misses by design.
Comment ça marche
From scoping to the re-test.
- 01
Scoping and audit agreement
We define the scope, the repositories involved, the access needed and the engagement windows. NDA signed. Everything is bounded in writing before a single line is read. Scoping with no commitment.
- 02
Reading the code and mapping
Manual review of the source code, architecture and configurations, backed by SAST tools whose results we triage by hand. We reconstruct how the application really works and where the risk concentrates.
- 03
Code-guided exploitation
Dynamic tests targeted at the identified paths, manual exploitation within the written authorisation. Non-destructive, on staging or pre-production by default. We push through to real impact to qualify severity.
- 04
Report, debrief and retest
Executive and technical report delivered within 5 to 10 business days, with PoC, CVSS score and prioritised remediation. Debrief session, then retests included to verify the fixes hold.
Bénéfices
L'impact concret pour vos équipes.
You see the costliest flaws, not just the most visible ones
The vulnerabilities that hurt in production are rarely in a scanner's top 10. They are business-logic flaws, broken access controls, badly implemented crypto. Access to the code surfaces them before an attacker does.
Your code stays confidential and under control
NDA signed before the engagement, read-only access to the repository, analysis in an isolated environment, code deleted after the report is delivered. A CTO's number-one objection is handled in writing, not by a verbal promise.
Your developers level up
Debrief sessions and knowledge transfer are available: your teams understand where the flaws come from and how to avoid them. Implementing the fixes is offered as an option, as a separate package, if you want to go all the way.
Questions fréquentes
Ce que vous voulez probablement savoir.
Parlons de votre besoin.
Démo, devis ou question technique : réponse sous 48 h ouvrées.
