Web Application Pen Testing
Black-box and grey-box web app pen testing: authentication testing (brute force resistance, account enumeration, session fixation, token predictability, insecure "remember me", MFA bypass), authorisation testing (IDOR can user A access user B's resources by modifying IDs?), injection testing (SQL injection manual + automated with SQLMap, XSS reflected/stored/DOM-based, SSTI, command injection), business logic testing (discount code abuse, premium feature access bypass, checkout manipulation), session management (token randomness, invalidation on logout, HttpOnly cookie protection).
REST & GraphQL API Pen Testing
API-specific penetration testing: authentication bypass (JWT algorithm confusion alg:none attack, weak secret brute force, expired token acceptance), GraphQL-specific attacks (introspection enabled in production exposes full schema, unbounded query depth DoS via deeply nested queries, batch query abuse many mutations in single request), mass assignment (API accepts unexpected fields that modify sensitive properties is_admin, price, balance), rate limiting bypass (per-IP limits bypassed with IP rotation, auth rate limits bypassed with different attack patterns), API versioning (deprecated versions still accessible with relaxed security controls).
Cloud Infrastructure Pen Testing
AWS pen testing within AWS's Penetration Testing Policy (EC2, RDS, Lambda, ECS, API Gateway, CloudFront, Lightsail, Aurora pre-approved; S3 bucket access testing, IAM privilege escalation): IAM privilege escalation (can low-privilege IAM role assume higher-privilege role through chain of allowed IAM actions Pacu for AWS attack simulation), metadata service abuse (SSRF leading to EC2 instance metadata access can attacker retrieve IAM credentials from metadata endpoint?), exposed services (any services listening on 0.0.0.0 that should only be accessible within VPC?), S3 bucket access testing (any S3 buckets publicly accessible that should not be?).
Findings Report & CVSS Scoring
Professional pen test deliverables: executive summary (non-technical overview overall security posture, number of critical/high/medium/low findings, business risk narrative), technical findings (per-vulnerability: CVSS 3.1 score, description, proof-of-concept reproduction steps, affected endpoint/system, impact statement, remediation recommendation), CVSS scoring (Common Vulnerability Scoring System base score considering attack vector, complexity, privileges required, user interaction, CIA impact), remediation verification (re-test of remediated findings confirm fixes are effective included as single re-test round within 30 days).
Compliance-Oriented Pen Testing
Pen tests structured for specific compliance frameworks: PCI DSS (annual pen test requirement for card data processors internal and external pen test, segmentation test, application and network layer), SOC 2 (pen test as evidence for CC6.1, CC6.8 control criteria authenticated app pen test, cloud infrastructure pen test), ISO 27001 (A.12.6 management of technical vulnerabilities pen test as evidence of vulnerability assessment programme), enterprise security questionnaires (pen test report as evidence for security questionnaire responses dated within 12 months, signed letter of attestation).