Service · 04

Pentest.

I run ethical penetration tests on applications and networks authorized by the client. I find the flaw before the attacker, document the exploitation path and deliver a concrete remediation plan — not an 80-page PDF nobody reads.


Test types

Every engagement starts with clear scope, written authorization and a defined window. Always. Without that, no test.

  • Web Application Pentest — OWASP Top 10, business logic, authentication, authorization, injections, deserialization.
  • API Security Testing — REST and GraphQL, BOLA, mass assignment, rate limiting, token abuse.
  • Network Pentest — external perimeter, internal networks, segmentation, AD, privilege escalation.
  • Mobile — static and dynamic analysis of iOS/Android, certificate pinning, local storage, communication.
  • Hardening & Code Review — security-focused code review, configuration and infra recommendations.

Methodology & tools

I follow OWASP Testing Guide and PTES as the foundation, complementing with automation where it accelerates and manual exploitation where automation fails (which is where most real flaws live).

Burp Suite, OWASP ZAP, Nmap, Metasploit, SQLMap, Wireshark, BloodHound, Nuclei, custom scripts.

Deliverables

You receive an executive report (one page, for managers) and a detailed technical report with each vulnerability, reproducible proof of concept, CVSS severity and step-by-step remediation.

The engagement also includes a readout session with the technical team to clarify questions, and re-testing of the fixes within 30 days — just to confirm it's actually resolved.

Ethics & scope

I work only with explicit written authorization and within the agreed scope. No "check out this cool vulnerability I found" without telling you first. Confidentiality and accountability are in the contract — and in practice.

Need to make sure your application is secure? Let's test it.