The Project
A combined web application and external network penetration test for a US-based technology company, delivered as a 16-day CREST-accredited engagement.
The objective was to identify and assess exploitable vulnerabilities across the client’s web application and its public-facing network infrastructure, and to provide clear, prioritised recommendations for remediation. All testing was carried out by CREST-registered penetration testers using recognised industry methodologies and best practice.
The Challenge
Modern web applications carry risks that automated scanning alone cannot uncover. Weaknesses in authorisation logic, session handling, tenant separation and business logic only surface through skilled manual testing, yet these are precisely the flaws attackers exploit to reach data and functionality they should never be able to access.
The client needed assurance that both its application and its external network exposure could withstand attack, with independently verifiable results, delivered within a clearly defined scope and timeframe.
The Solution
The engagement began with a scoping exercise to agree clear boundaries and an accurate day count, captured in a BSS scoping document and Statement of Work. CREST-registered testers then assessed the application across its authorisation logic, APIs, session management, multi-tenancy controls and business logic, constructing attack scenarios that chained multiple vulnerabilities together to demonstrate real-world impact.
Alongside this, BSS conducted a time-limited external network penetration test of four public-facing IP addresses to identify and evaluate vulnerabilities exposed to external threats. Dedicated CREST project management ran throughout, providing oversight of testing operations, quality assurance of reporting and direct communication with the testing team during the assessment window.
The Outcome
BSS issued CREST-certified reports for every item in scope, each verifying that testing was performed by CREST-registered penetration testers in accordance with CREST standards. The reporting combined an executive summary of high-level findings with detailed technical results, clear risk ratings supported by rationale, and prioritised mitigating actions for each identified risk.
The deliverables also documented the attack scenarios used during testing, giving the client visibility of how individual weaknesses could be combined by a real attacker. With quality assurance and retesting built into the engagement, the client received an independently certified view of its security posture across both its application and its external network.