Web Application + API Testing
What appears secure rarely is. We test both sides of that assumption.
Most application testing stops at the visible surface. DALI goes further — into the logic, the trust boundaries, the API endpoints that were never meant to be found. Manual, adversary-perspective testing of your entire application layer, authenticated and unauthenticated.
Methodology
How we test.
Reconnaissance
- Subdomain enumeration
- JS file analysis and secret hunting
- API schema discovery (OpenAPI, GraphQL introspection)
- Third-party integration mapping
Authentication & Session
- Login brute-force and lockout logic
- JWT/OAuth2/SAML token analysis
- Session fixation and cookie attribute testing
- MFA bypass enumeration
Authorization
- IDOR across all resource types
- Horizontal and vertical privilege escalation
- Mass assignment vulnerabilities
- GraphQL field-level authorization
Injection & Logic
- SQLi, NoSQLi, command injection
- SSRF and XXE
- Business logic abuse
- Race conditions and TOCTOU
Output & Configuration
- Stored/reflected/DOM XSS
- CORS misconfiguration
- CSP bypass analysis
- Sensitive data exposure in responses
API-Specific
- REST: HTTP verb tampering, parameter pollution
- GraphQL: introspection, batching abuse, nested queries
- gRPC: metadata injection, reflection abuse
- Webhook security
Tooling
What we use.
Burp Suite Professional
Primary testing platform — proxy, scanner, intruder, repeater.
Nuclei + ProjectDiscovery
Template-based scanning for recon and known vulnerability patterns.
PentestGPT
AI-assisted recon, exploit ideation, and finding documentation.
XBOW
Autonomous offensive platform for continuous and complex engagements.
Katana + httpx
Fast web crawler and HTTP toolkit for surface discovery.
Custom tooling
Engagement-specific scripts for logic testing and automation.
Sample findings
What we find.
Representative findings from past engagements. Client details redacted.
CRITICAL
Authentication Bypass via JWT Algorithm Confusion
RS256 → HS256 downgrade allowing token forgery and full account takeover.
HIGH
GraphQL Introspection Exposing Internal Mutations
Production introspection enabled, revealing admin-only mutation endpoints.
HIGH
IDOR in REST API — Cross-Tenant Data Access
Sequential integer IDs without authorization checks enabling cross-account data read.
MEDIUM
Stored XSS in User-Supplied Markdown Fields
Unsanitized markdown rendered as HTML in admin dashboard context.
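Added example, not DALI's code or part of the page: a minimal JWT verifier that pins the accepted algorithm server-side, which is the mitigation for the RS256 → HS256 algorithm-confusion finding above. Only HS256 is implemented so it runs with the standard library; the secret, claims and helper names are constructed assumptions, and the pinning check itself does not depend on which algorithm is configured.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def hs256_check(signing_input: bytes, key: bytes, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


# Signature checkers keyed by algorithm. The server picks one from its own
# configuration, never from the token header. (Only HS256 here; an RS256
# entry would wrap a public-key verify from a crypto library.)
SIGNATURE_CHECKERS = {"HS256": hs256_check}


def verify_jwt(token: str, expected_alg: str, key: bytes) -> dict:
    """Return the claims if token is valid under expected_alg, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Core mitigation: the header's alg must equal the configured one. A token
    # claiming HS256 or "none" against an RS256 deployment is rejected here,
    # before any key material (such as the RSA public key) is ever used as a secret.
    if header.get("alg") != expected_alg:
        raise ValueError(f"algorithm mismatch: expected {expected_alg}, got {header.get('alg')!r}")
    checker = SIGNATURE_CHECKERS.get(expected_alg)
    if checker is None:
        raise ValueError(f"no signature checker configured for {expected_alg}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not checker(signing_input, key, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def is_accepted(token: str, expected_alg: str, key: bytes) -> bool:
    """Convenience wrapper: True only if verify_jwt accepts the token."""
    try:
        verify_jwt(token, expected_alg, key)
        return True
    except ValueError:
        return False


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed helper to mint a legitimate HS256 token for testing the verifier."""
    header_b64 = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"
```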
Pricing
Engagement tiers.
Essentials
$5,000 – $10,000
SMB / startup / pre-compliance
- Unauthenticated surface scan
- OWASP Top 10 coverage
- AI-augmented recon
- Executive summary + findings report
- 30-day retest on Critical/High
AI-augmented with human review on all findings.
Get a Quote
Most common
Standard
$12,000 – $25,000
Mid-market / SOC 2 / PCI / HIPAA
- Full authenticated + unauthenticated testing
- API layer coverage (REST, GraphQL, gRPC)
- Business logic testing
- OWASP WSTG full methodology
- Compliance-ready report
- 30-day retest included
Manual methodology. Most common engagement tier.
Get a Quote
Continuous
Custom — contact us
Enterprise / ongoing coverage
- Quarterly manual validation
- XBOW autonomous coverage between cycles
- Remediation verification each cycle
- Dedicated point of contact
- Annual compliance report package
XBOW tooling cost passed through. Best for teams shipping frequently.
Get a Quote
FAQ
Common questions.
Do you test production environments?
Yes, with explicit authorization. We work with your team to define safe testing windows, escalation contacts, and a rollback plan for any destructive testing. We never test without a signed authorization letter.
How long does an engagement take?
Essentials engagements run 3–5 days. Standard engagements typically run 5–10 days of active testing depending on application complexity. We'll scope this precisely on your scoping call.
What do we receive at the end?
A full report including an executive summary, methodology section, and individual finding writeups with severity, evidence, exploit chain, business impact, and remediation guidance. Delivered via Cyver Core portal.
Do you retest after we remediate?
Yes — 30-day free remediation validation on Critical and High findings is included in every engagement. We verify the fix actually works, not just that the code changed.
How do you handle sensitive data discovered during testing?
Any sensitive data discovered is documented as evidence in a finding and not retained beyond the engagement. Engagement artifacts are stored per your MSA terms, typically 12–24 months, then securely deleted.
Start an engagement
Ready to see what's really there?
No commitment, no pitch deck. A direct conversation about your threat surface and what a DALI engagement looks like.
Request Scoping Call →
Response: All scoping inquiries answered within one business day.
NDA first: Mutual NDA signed before any scoping conversation begins.
Compliance: SOC 2, PCI DSS, and HIPAA report-ready engagements.
Contact: hello@dali.security