Vulnerability Assessments
Structured assessments designed to identify real security weaknesses in web applications, APIs, and integrations — not scanner output dressed up as a report.
Full-stack web applications including authentication flows, user account features, payment integrations, and admin panels.
REST and GraphQL APIs including endpoint authorization, schema exposure, rate limiting, and mass assignment vulnerabilities.
Secrets and credentials exposed through client-side code, misconfigured CORS policies, and insecure third-party SDK configurations.
External attack surface including subdomains, open ports, cloud storage misconfiguration, and unintended service exposure.
Automated scanning combined with manual testing across all target assets. Every finding from automated tools is manually confirmed before inclusion in the report — unconfirmed scanner output is discarded.
Structured report covering executive summary, risk overview, technical findings with evidence, and remediation guidance. Written for both business stakeholders and developers.
Each finding includes specific remediation steps with code examples where applicable — not generic "fix the vulnerability" instructions.
After you've remediated the findings, we retest the specific vulnerabilities identified and issue an updated report confirming which issues are resolved.
Direct access to ask questions about findings or remediation approaches. If something in the report isn't clear to your developer, we'll explain it.
No. All testing is conducted from an external, black-box perspective — the same position an attacker would be in. We don't need source code access, VPN credentials, or access to internal infrastructure. You provide written authorisation and a list of in-scope assets, and we handle the rest.
Testing is conducted carefully to avoid disrupting production services. No denial-of-service testing or destructive techniques are used without explicit agreement. For applications where any disruption would be unacceptable, we can scope testing to a staging environment — though note this may mean some production-specific configurations are not tested.
The terms are often used interchangeably in the industry, and for small to mid-sized web applications the distinction rarely matters in practice. A formal penetration test under frameworks like CHECK or CREST involves specific accreditation requirements, deeper engagement scoping, and is typically required for compliance purposes (PCI-DSS, etc.). A vulnerability assessment — what SurfaceDelta provides — follows the same testing methodology and delivers findings of equivalent quality, but without the compliance certification overhead. If you need a formally accredited test for regulatory reasons, we'll tell you upfront.
Primarily: a list of in-scope assets (domains, subdomains, IP ranges), written authorisation to test, and confirmation of any assets that should be excluded. Optionally: test account credentials if you want authenticated application testing to cover logged-in functionality. That's it — no codebase access, no architecture diagrams required.
That's exactly who this is designed for. The report is written in two layers: an executive summary for business owners and a technical findings section for developers. Remediation guidance is written to be acted on directly by a developer — not interpreted by a security team first. Post-report Q&A is included specifically for teams who want to talk through what a finding means before they fix it.
Transparent scope, fixed price
Pricing is based on the size and complexity of the target application — not billed hourly. You'll know the cost before testing begins.