
Manual Precision Vulnerability Research.

Automated scanners find what is known. Our team finds what is unique to your architecture. With 25 years of offensive security experience behind every engagement, we go where tools cannot reach.

OSSTMM
OWASP
NIST
ISO 27001 Ready
SOC 2
Sample engagement view (an illustrative mock-up rendered on the page, reproduced here as text; severities follow the finding summary further down):

bithost-vapt-engine v3.2.1 · target: client.corp · [ PHASE 2 — VULNERABILITY RESEARCH ] · active session 4h 12m
Web Application VAPT · REST API Surface · Auth Module

[CRITICAL] IDOR — BOLA on /api/v2/users/:id/orders · CVSS 9.1
  Auth bypass via object reference manipulation
  GET /api/v2/users/4392/orders → 200 OK (should be 403)
[CRITICAL] JWT none-algorithm accepted — token forgery · CVSS 9.0
  alg:none bypasses signature verification; forged token accepted on all protected endpoints
[HIGH] SQL injection — /api/v1/search?q= parameter · CVSS 8.3
  Unsanitised input reaches the ORM; payload ' OR '1'='1'; -- confirmed blind SQLi
[MEDIUM] Missing rate limiting — /api/auth/login · CVSS 5.4
  Brute force possible: 1000 req/s accepted; no lockout, no CAPTCHA, no exponential backoff

Progress: 62% · 2 CRITICAL · 4 HIGH · 7 MED

ATTACK SURFACE MAP
  Endpoints discovered: 147 · Auth-protected: 89 · Unauthenticated: 11 · Admin endpoints exposed: 3 · 3rd-party integrations: 14

PROOF OF CONCEPT
  GET /api/v2/users/1/orders
  Authorization: Bearer [redacted]
  HTTP/1.1 200 OK
  {"orders":[...], "pii": "exposed"}

Findings this session: 13 (2 critical · 4 high · 7 medium)
Report status: findings documented · PoC validated · remediation pending
Services: Web Application VAPT · OWASP Top 10 · API Security Audit · Business Logic Testing · Mobile App Security · SSL Pinning Bypass · Cloud Configuration Audit · IAM Policy Review · Thick Client Testing · Memory Forensics · ISO 27001 Readiness · SOC 2 Evidence · DPDP Act Compliance · Attestation Certificate
"An automated scanner is like a metal detector at an airport. It will flag a knife in a bag. It will not notice the person who has memorised the emergency exit codes and knows which fire door is left unlatched every morning. That is the gap we were built to close."

Security tools cover the known. Your most serious vulnerabilities are the ones that only become visible when a human who thinks like an attacker sits down and spends time inside your application. A logic flaw in how your payment flow handles refunds is not in any CVE database. It will never appear in a scanner report. But it is there, and someone with enough patience will find it before you do.

Why manual testing matters

What scanners will never find.

These are the categories of vulnerability that exist in nearly every production application and that automated tools reliably miss because they require human reasoning to identify.

Business logic
Authorisation flaws hidden in workflow

Your access controls work correctly when tested in isolation. But when a user completes step 3 before step 1, or submits a request with a role they held last month, or calls endpoints in an order your team did not anticipate — the controls collapse. A scanner follows the happy path. It does not invent attack sequences.

API surface
BOLA and mass assignment at scale

Broken Object Level Authorisation is the most common serious API vulnerability and among the least likely to be caught by a tool. It requires testing every object reference against every role and understanding which data relationships make cross-account access meaningful. That reasoning cannot be scripted.
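The ownership check described above, and called for again in the remediation section of this page, as an added example that is not Bithost's code: a minimal handler for the /api/v2/users/:id/orders lookup in the shape the finding describes, the same handler with object-level authorisation, and the id-walking loop an attacker runs against each. The in-memory order table, the user ids 4392 and 8812 (taken from the proof of concept on this page), the Session type and the handler signatures are assumptions made for illustration.

```python
# Added example, not Bithost's code: the BOLA pattern from the passage above
# and the object-ownership check that closes it. The in-memory order table,
# user ids and handler signatures are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample data: order id -> row. 4392 is the victim, 8812 the attacker.
ORDERS: Dict[int, Dict] = {
    1001: {"user_id": 4392, "total": 89.00, "card_last4": "4242"},
    1002: {"user_id": 4392, "total": 12.50, "card_last4": "4242"},
    2001: {"user_id": 8812, "total": 40.00, "card_last4": "1881"},
}
ROLE_ADMIN = "admin"


@dataclass(frozen=True)
class Session:
    """Caller identity derived from the validated bearer token, never from the URL."""
    user_id: int
    role: str = "user"


def _orders_for(user_id: int) -> List[Dict]:
    return [o for o in ORDERS.values() if o["user_id"] == user_id]


def orders_vulnerable(session: Session, path_user_id: int) -> Tuple[int, Dict]:
    """GET /api/v2/users/:id/orders as found: the caller is authenticated,
    but the path parameter alone decides whose orders come back."""
    return 200, {"user_id": path_user_id, "orders": _orders_for(path_user_id)}


def orders_fixed(session: Session, path_user_id: int) -> Tuple[int, Dict]:
    """Object-level authorisation: the object must belong to the caller, or the
    caller must hold a role that is explicitly allowed to read other users' data."""
    if session.user_id != path_user_id and session.role != ROLE_ADMIN:
        return 403, {}          # empty body: do not reveal whether the target exists
    return 200, {"user_id": path_user_id, "orders": _orders_for(path_user_id)}


def enumerate_users(handler: Callable[[Session, int], Tuple[int, Dict]],
                    session: Session, id_range: range) -> List[int]:
    """Attacker's loop from the finding: walk the sequential id space and keep
    every id whose order history the handler hands back."""
    leaked = []
    for uid in id_range:
        status, body = handler(session, uid)
        if status == 200 and body["orders"]:
            leaked.append(uid)
    return leaked


if __name__ == "__main__":
    attacker = Session(user_id=8812)
    print("vulnerable:", enumerate_users(orders_vulnerable, attacker, range(4000, 9000)))
    print("fixed:     ", enumerate_users(orders_fixed, attacker, range(4000, 9000)))
```

The check lives in the handler, next to the data access, rather than in a route-level middleware: middleware can confirm that a token is valid, but only the code that knows which object is being fetched can confirm that the caller owns it. Returning an empty 403 for foreign ids also denies the enumeration loop its second signal, whether a given user id exists at all.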

Architecture
Trust boundary assumptions in microservices

In a microservices environment the internal network is often implicitly trusted. Services talk to each other without re-validating identity. If an attacker compromises one service they can often move laterally to others that assume internal traffic is safe. This is an architectural pattern, not a code defect, and scanners have no way to reason about it.

State and time
Race conditions and time-of-check flaws

A user submits two simultaneous withdrawal requests, each within the balance threshold. Both pass the balance check. Both succeed. The balance goes negative. This class of vulnerability requires understanding the timing and state implications of concurrent operations — something that requires a human to model correctly and reproduce deliberately.
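The two-simultaneous-requests scenario above, reproduced as an added example that is not Bithost's code, using the refund flow from the finding summary on this page: a check-then-act refund that credits twice under concurrency, and the atomic, idempotent version (lock around check and credit, replayed key returns the recorded outcome) that the remediation section calls for. The RefundService class, amounts and request keys are constructed; a threading.Barrier stands in for the real timing window so the race reproduces on every run, and the in-memory dict stands in for a unique-constrained idempotency column.

```python
# Added example, not Bithost's code: reproduces the concurrent-refund race
# deterministically and shows the atomic, idempotent version that closes it.
# The refund service, order and keys are constructed for illustration; the
# in-memory dict stands in for a unique-constrained idempotency column.
import threading
from typing import Callable, Dict, List, Optional


class RefundService:
    def __init__(self, order_total: float, parties: int = 2) -> None:
        self.order_total = order_total
        self.refunded = False             # single-use flag on the order
        self.credited = 0.0               # total credited back to the customer
        self._lock = threading.Lock()
        self._seen: Dict[str, bool] = {}  # idempotency key -> recorded outcome
        # The barrier holds every request at the same point until all have
        # arrived, so the race reproduces on every run rather than by chance.
        self._barrier = threading.Barrier(parties)

    def refund_vulnerable(self, idempotency_key: str) -> bool:
        """Check-then-act with a window between the two: every request that
        reads refunded == False before anyone sets it gets credited."""
        if self.refunded:                   # time of check
            return False
        self._barrier.wait()                # both requests are now past the check
        self.refunded = True                # time of use
        self.credited += self.order_total
        return True

    def refund_fixed(self, idempotency_key: str) -> bool:
        """Check and credit inside one critical section (a row lock or a
        conditional UPDATE ... WHERE refunded = 0 in a real database), and a
        replayed key returns the stored outcome without crediting again."""
        self._barrier.wait()                # requests still arrive together...
        with self._lock:                    # ...but only one is inside at a time
            if idempotency_key in self._seen:
                return self._seen[idempotency_key]
            ok = not self.refunded
            if ok:
                self.refunded = True
                self.credited += self.order_total
            self._seen[idempotency_key] = ok
            return ok


def run_concurrent(fn: Callable[[str], bool], keys: List[str]) -> List[Optional[bool]]:
    """Fire one request per key in parallel and collect the outcomes in order.
    The service must have been created with parties == len(keys)."""
    results: List[Optional[bool]] = [None] * len(keys)

    def worker(i: int, key: str) -> None:
        results[i] = fn(key)

    threads = [threading.Thread(target=worker, args=(i, k)) for i, k in enumerate(keys)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    racy = RefundService(order_total=50.0)
    print(run_concurrent(racy.refund_vulnerable, ["req-a", "req-b"]), racy.credited)  # [True, True] 100.0
    safe = RefundService(order_total=50.0)
    print(run_concurrent(safe.refund_fixed, ["req-a", "req-b"]), safe.credited)       # one True, one False, 50.0
```

Two distinct controls are at work in the fixed version and both are needed: the lock (a row lock or conditional update in production) makes two different requests serialise, and the idempotency key makes a retried copy of the same request harmless. An idempotency key alone does not stop two distinct requests with different keys from racing.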

Core capabilities

Six threat vectors. One team.

Each capability below is delivered by the same offensive operations team rather than outsourced to a different vendor for each discipline. Context carries across your engagement.

01

Web Application VAPT

Deep manual testing that goes well beyond the OWASP Top 10. We focus on complex business logic, multi-step authorisation flows, second-order injection, and data integrity issues that automated tools cannot reason about.

OWASP · Auth bypass · Logic flaws · SQLi · XSS
02

Mobile App Security

Full-spectrum audit of iOS and Android applications. We test local storage encryption, SSL pinning implementation, inter-process communication security, binary protection, and the server-side API surface that mobile clients expose.

iOS · Android · SSL pinning · IPC · Reverse eng.
03

API Security Audits

Comprehensive security review of REST, GraphQL, and gRPC interfaces. We identify BOLA, mass assignment, unauthenticated endpoint exposure, excessive data exposure, and rate limiting gaps across the full API surface including undocumented endpoints.

REST · GraphQL · gRPC · BOLA · Rate limits
04

Thick Client Testing

Specialised security analysis of legacy and modern desktop applications. We perform binary reverse engineering, memory forensics, DLL hijacking analysis, inter-process communication audits, and local privilege escalation testing on Windows and Linux clients.

Reverse eng. · Memory analysis · DLL hijack · Priv esc
05

Cloud Configuration Audit

Infrastructure-as-Code and runtime audit across AWS, Azure, and GCP. We review IAM policies for least-privilege compliance, network perimeter configurations, S3 bucket exposure, secrets management, and logging gaps that would allow undetected lateral movement.

AWS · Azure · GCP · IAM · IaC review
06

Compliance Readiness

Technical gap analysis mapped against ISO 27001, SOC 2, and the DPDP Act. We translate compliance requirements into concrete security controls, produce evidence-based audit trail documentation, and issue a formal Attestation of Security upon re-validation completion.

ISO 27001 · SOC 2 · DPDP Act · Attestation
Technical methodology

Four phases. No shortcuts.

Every engagement follows a strict adversarial framework built on OSSTMM, OWASP, and NIST standards. The order of phases is not arbitrary. Each builds on the intelligence gathered in the one before it.

01
Reconnaissance and surface analysis

Passive and active mapping of the entire digital footprint. We identify all domains and subdomains, enumerate exposed endpoints and APIs, map third-party integrations, and surface shadow IT that the organisation may not know exists. Nothing is in scope until we understand the boundaries.

OSINT · DNS enum · Port scan · JS analysis · Shodan review
02
Vulnerability research

The core manual phase. Our engineers use custom tooling alongside deep manual analysis to uncover vulnerabilities in business logic, authorisation flows, and implementation. We do not run a scanner and report what it finds. We follow chains of logic the way an attacker would.

Logic testing · Auth bypass · Injection · Race conditions
03
Exploitation and proof of concept

Every significant finding is validated with a working proof of concept demonstrating the real-world impact. We show what an attacker could actually do with each vulnerability — not just that it exists. This changes the conversation from theoretical risk to demonstrated business impact.

PoC development · Impact chain · Safe exploitation
04
Strategic remediation guide

Not a bug list. We provide architectural guidance and specific code-level fixes for each finding. After your team implements the remediations we conduct a re-validation phase to confirm each vulnerability has been correctly closed. The engagement ends with a formal Attestation of Security document.

Code-level fixes · Architecture guidance · Re-validation · Attestation
Phase 1 — Reconnaissance output (example report view)
Attack Surface — Initial Mapping
Critical (9.1): 3 admin endpoints publicly accessible without authentication. Expected to be internal-only based on the architecture diagram.
High (7.8): 14 subdomains discovered that are not listed in the security scope. Shadow IT: staging.internal.client.com exposed to the internet.
High (7.2): API version 1 still live and functional alongside v2. v1 lacks all security controls added in the v2 migration.
Medium (5.4): CORS misconfiguration on 6 endpoints accepts arbitrary origins. Origin header reflected without validation.

Immediate action required. Three unauthenticated admin endpoints can be reached from the internet with no authentication challenge. This was the first finding in recon and was escalated to the client before the formal vulnerability research phase began.

Vulnerability Research — Finding Summary
Critical (9.1): IDOR — BOLA on /api/v2/users/:id/orders. Any authenticated user can read any other user's order history.
Critical (9.0): JWT none-algorithm accepted — token forgery. Forged unsigned tokens accepted on all protected endpoints.
High (8.3): Blind SQL injection via the /api/v1/search?q= parameter. Time-based extraction confirmed; ORM input unsanitised.
High (7.5): Refund logic race condition — negative balance exploit. Concurrent requests bypass single-use validation on the refund flow.

13 findings total across 2 critical, 4 high, 7 medium severity. The BOLA and JWT vulnerabilities were identified through manual logic testing. Neither appears in automated scan output from the client's existing tooling. Full report delivered with working proof of concept for every finding.
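The blind SQL injection finding above, as an added example that is not Bithost's code: the string-built search query, the boolean oracle an attacker turns it into to read data the endpoint never displays, and the parameterised query the remediation section calls for. The SQLite table, rows and column names are constructed; the page's payload is used without its trailing semicolon because Python's sqlite3 executes one statement per call, and the oracle here is boolean-based rather than the time-based one used in the finding.

```python
# Added example, not Bithost's code: the string-built search query behind the
# finding above, the boolean oracle an attacker turns it into, and the
# parameterised form that closes it. The SQLite table, rows and column names
# are constructed for illustration; the page's payload is used without its
# trailing ';' because sqlite3.execute() runs one statement at a time.
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str]


def make_db() -> sqlite3.Connection:
    """Constructed catalogue: two public products and one internal row the
    search endpoint is supposed to filter out."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, internal) VALUES (?, ?)",
        [("widget", 0), ("gadget", 0), ("unreleased-prototype", 1)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> List[Row]:
    """As found: user input is spliced into the SQL text, so a quote in q
    rewrites the WHERE clause and a trailing -- comments out the filter."""
    sql = f"SELECT id, name FROM products WHERE name LIKE '%{q}%' AND internal = 0"
    return conn.execute(sql).fetchall()


def search_fixed(conn: sqlite3.Connection, q: str) -> List[Row]:
    """Parameterised: q is bound as a value and can only ever be a LIKE pattern."""
    sql = "SELECT id, name FROM products WHERE name LIKE ? AND internal = 0"
    return conn.execute(sql, (f"%{q}%",)).fetchall()


def extract_blind(conn: sqlite3.Connection, max_len: int = 64) -> str:
    """Boolean-based blind extraction: the endpoint never echoes the database,
    but 'results or no results' is enough of an oracle to read the internal
    product's name one character at a time. (The finding on the page used a
    time-based oracle; the mechanics are the same.)"""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    target = "(SELECT name FROM products WHERE internal = 1)"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = f"' AND substr({target}, {pos}, 1) = '{ch}' --"
            if search_vulnerable(conn, payload):      # non-empty => guess correct
                recovered += ch
                break
        else:
            break                                     # no character matched: end of string
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, "' OR '1'='1' --"))
    print("fixed:     ", search_fixed(db, "' OR '1'='1' --"))
    print("extracted: ", extract_blind(db))
```

The point of extract_blind is why "it only returns search results" is not a mitigation: one bit per request is enough to pull any value the database user can read. Note also that the fix is binding, not escaping; search_fixed treats the same payload as an ordinary pattern and returns nothing.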

Exploitation — Proof of Concept (IDOR Finding)
# Finding class: BOLA / IDOR on order resource (a weakness class, not a CVE; app-specific authorisation flaws have no CVE entry)
# Authenticated as user_id=8812 (low-privilege)

GET /api/v2/users/4392/orders
Authorization: Bearer eyJ...

# Response: HTTP 200 OK (should be HTTP 403)
{
  "user_id": 4392, // victim account
  "orders": [...], // 47 order records
  "pii": "name, email, address, card_last4"
}

Business impact demonstrated. Any authenticated user can read the complete order history, PII, and partial payment data of any other user by iterating the user ID parameter. The object reference is sequential and predictable. Full account enumeration is possible.

Strategic Remediation — Priority Actions
Implement server-side object ownership validation — confirm requesting user owns the resource before returning data on every endpoint Immediate
Reject JWT tokens with algorithm set to none. Enforce RS256 or ES256 with strict algorithm allowlisting in the validation middleware Immediate
Parameterise all search queries via prepared statements. Remove the v1 search endpoint or move it onto the same parameterised query path as v2; input sanitisation alone is not a substitute for binding This week
Enforce single-use refunds atomically: a unique idempotency key per refund transaction at the database level, with the used-check and the credit performed in one transaction (row lock or conditional update) so that concurrent requests serialise rather than both passing the check This week
Deprecate API v1 entirely after migrating remaining consumers. Add CORS validation to reject arbitrary origins on flagged endpoints Planned
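The alg:none forgery from the finding summary and the allowlist from the JWT remediation item above, as an added example that is not Bithost's code: a verifier that lets the token's own header choose the algorithm, beside one that applies a strict allowlist before acting on anything in the header. HS256 is used so the example runs on the standard library alone; with RS256 or ES256 the allowlist check is the same, and the configured verification key type must match the allowed algorithm. The secret, claims and helper names are constructed.

```python
# Added example, not Bithost's code: a JWT verifier that trusts the token's
# own alg header (the finding above) next to one with a strict algorithm
# allowlist (the remediation). HS256 is used so the example runs on the
# standard library alone; with RS256/ES256 the allowlist check is identical,
# and the configured key type must match the allowed algorithm. Key and
# claims are constructed for illustration.
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

SERVER_KEY = b"constructed-demo-secret"   # assumption: HMAC key held by the server
ALLOWED_ALGS = {"HS256"}                   # the only algorithm this service issues


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def encode(payload: Dict[str, Any], key: bytes, alg: str = "HS256") -> str:
    """Mint a token. alg='none' produces the unsigned form an attacker submits."""
    head = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head}.{body}".encode("ascii")
    sig = b"" if alg == "none" else _hs256(signing_input, key)
    return f"{head}.{body}.{_b64url(sig)}"


def decode_naive(token: str, key: bytes) -> Optional[Dict[str, Any]]:
    """As found: the header chooses the algorithm, so alg:none means 'skip verification'."""
    head, body, sig = token.split(".")
    header = json.loads(_unb64url(head))
    if header.get("alg") == "none":
        return json.loads(_unb64url(body))
    expected = _hs256(f"{head}.{body}".encode("ascii"), key)
    return json.loads(_unb64url(body)) if hmac.compare_digest(expected, _unb64url(sig)) else None


def decode_strict(token: str, key: bytes) -> Optional[Dict[str, Any]]:
    """Fixed: the allowlist is applied before anything in the header is acted on,
    so 'none' (in any spelling) and every non-issued algorithm are rejected."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64url(head))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = _hs256(f"{head}.{body}".encode("ascii"), key)
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    return json.loads(_unb64url(body))


def forge_none(claims: Dict[str, Any]) -> str:
    """Attacker: no key needed, just an unsigned token carrying the wanted claims."""
    return encode(claims, b"", alg="none")


if __name__ == "__main__":
    legit = encode({"sub": 8812, "role": "user"}, SERVER_KEY)
    forged = forge_none({"sub": 1, "role": "admin"})
    print("naive  accepts forged:", decode_naive(forged, SERVER_KEY))
    print("strict accepts forged:", decode_strict(forged, SERVER_KEY))
    print("strict accepts legit: ", decode_strict(legit, SERVER_KEY))
```

The allowlist belongs in server configuration, never in the token: the header is attacker-controlled input and must only ever be compared against what the service itself decided to accept. Pinning the algorithm to the key type also removes the related confusion case where a verifier configured with an RSA public key is persuaded to treat that public key as an HMAC secret.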

Re-validation scheduled at week 4. All critical and high findings must be remediated before we issue the Attestation of Security document. We will verify each fix with a targeted test rather than a full re-run so your team is not blocked for two weeks.

25yr: combined offensive security experience behind every audit
100%: of engagements include re-validation and formal attestation
2–4: week standard engagement from scoping to attestation
0: PII captured or stored during any production engagement
What we find in the field

The threat landscape
in production applications.

Distribution of findings across Bithost VAPT engagements in the past two years. Business logic and authorisation issues consistently represent the highest-severity category and the one automated tools miss most reliably.

[Chart] Finding Severity Distribution: across all engagements in the past 24 months.
[Chart] Vulnerability Categories — Manual vs Automated Detection Rate: how many findings in each category an automated scanner would have caught versus our manual approach (series: manual audit, automated scanner).
[Chart] Mean Time to Detect by Vulnerability Class: how long a business logic or architecture flaw typically goes undetected without a manual VAPT programme in place.
Engagement FAQ

Before you reach out.

Scanners are built for breadth. We are built for depth. An automated tool will check for known CVEs, common injection patterns, and missing headers. It cannot understand that your user profile API is accidentally allowing access to admin settings through a specific sequence of requests, or that your refund flow is vulnerable to a race condition that requires two simultaneous API calls to exploit. We find the vulnerabilities that are architecturally significant and specific to your application rather than generic patterns that apply to every application of the same type.
A comprehensive engagement typically spans two to four weeks. This covers the reconnaissance and surface mapping phase, the core manual vulnerability research phase, delivery of the draft report with proof-of-concept demonstrations for every finding, and the re-validation phase after your team has implemented the remediation guidance. We do not close the engagement until the re-validation is complete and the formal Attestation of Security has been issued.
Yes. Upon successful completion of the re-validation phase, Bithost issues a formal Attestation of Security. This document confirms that a manual VAPT was conducted by Bithost's offensive operations team, that identified vulnerabilities were remediated and re-validated, and that the application was assessed against OSSTMM, OWASP, and NIST standards at the time of testing. It is designed to be shared with enterprise clients, insurers, investors, or as evidence in a compliance audit.
We strongly prefer testing in staging environments that mirror production closely. If production testing is required because there is no suitable staging environment, we use masking and strictly manual methods to ensure no real customer PII is captured, stored, or included in our reports. All proof-of-concept demonstrations use synthetic test accounts where possible. Our engagement terms include an explicit data handling agreement that defines what we can access, what we can store, and how findings are transmitted and retained.
We are equally comfortable with both. Microservices environments present a specific and often underappreciated set of security challenges around inter-service trust, service mesh configuration, and the implicit assumption that internal network traffic is safe. We scope each service as a separate assessment target with its own API surface while also evaluating how the services interact with each other from an attacker's perspective. The lateral movement potential in a compromised microservices environment is frequently much larger than in a well-segmented monolith.
Yes. We explicitly scope our reports to map findings against ISO 27001 Annex A controls and SOC 2 trust service criteria where relevant. We produce evidence documentation in the format required by most auditors and certification bodies. The Attestation of Security we issue at the end of the engagement is written to satisfy the penetration testing evidence requirement in both frameworks. If you are working toward DPDP Act compliance, we can additionally map findings to the relevant data protection obligations.
Re-validation sometimes surfaces secondary vulnerabilities that were obscured by a higher-severity finding or that were introduced by the remediation itself. This is normal and expected. We do not charge for finding new issues during re-validation of original findings. If the re-validation uncovers significant new attack surface unrelated to the original scope we will discuss it with you and agree on how to handle it before proceeding. The goal is an accurate picture of your security posture at close of engagement, not a clean report achieved by stopping testing early.

If a vulnerability exists, we will find it before someone else does.

A 30-minute scoping call is enough to define the engagement surface, discuss any constraints, and give you a timeline and cost estimate. No obligation to proceed beyond the call.

Initiate scoping call
Manual VAPT only. No automated scan-only engagements. Staging or production, your choice.