Web Application Testing
We test web applications of all sizes, from simple websites to complex multi-tenant platforms. Our approach is based on established standards such as the OWASP Testing Guide, the OWASP Top 10, and the OWASP API Security Top 10. We focus especially on the areas where real-world incidents most frequently occur.
Our web penetration test follows a structured, practical workflow that mirrors how real attackers operate. The 16 testing phases at Hackeroo:
Passive information gathering
Analysis of underlying IT systems
Active information gathering on the target
Configuration review of web servers and applications
Authentication testing
Identity management & registration
Password handling
Secure data transmission
Session management
Authorization testing
Tenant isolation testing
Input validation (Injection, XSS, …)
File upload security
“Low and Slow” DoS techniques
Error handling
Vulnerability exploitation
We don’t rely on tool output alone. Automated scans are just the starting point. The real work is done manually, using real-world attack techniques and hands-on experience.
Qualifications
The testers at Hackeroo know what they are doing, and they can prove it. Our team consists of experienced ethical hackers with hands-on certifications such as the OSCP (Offensive Security Certified Professional) or the BACPP (Binsec Academy Certified Pentest Professional). Both stand for real attacks against real systems under realistic conditions, not for theory or multiple-choice exams.
For our customers this means manual security testing at eye level with real attackers. No bare tool scans and no checklist audits, but in-depth analysis with technical depth, experience, and clear results. We think like attackers, and that is exactly how we test.
Typical Questions
Our daily rate is €1,120 net.
Based on that, we agree on a fixed package price upfront, derived from the scope we define together. No surprise invoices, no last-minute renegotiation.
The total cost then depends on what we’re testing and how deep we go. A lean web app is very different from a complex platform with APIs, authentication flows, role models, and a cloud setup. Black box vs. grey box, one target vs. ten, a few days vs. multiple weeks — that’s what drives the effort.
We price by time, not by findings. Automated tools are the starting point, not the deliverable. The meaningful findings come from manual analysis, experience, and thinking like a real attacker.
Bottom line: A clear scope, transparent effort, a fixed price and results that are more than a compliance checkbox.