• Manual testing focused on real attack paths (not scanner noise)
• Clear report: PoCs + steps to reproduce + concrete fixes
• Risk prioritization (Critical/High/Medium/Low)
• Retest after remediation (agreed scope)
Penetration testing with actionable results
Manual web/API/infrastructure pentest + executive report + retest. Scope and pricing tailored to Germany.
When a pentest makes sense
Before an incident costs money and reputation.
A pentest simulates real attacks to find exploitable vulnerabilities before attackers do.
Particularly useful before go-live, after major changes, or when customers require proof of security.
You get a report that Dev/Ops can act on immediately: priorities, PoCs and concrete fix recommendations.
What's included
Practical testing + practical deliverables.
-
Manual pentest (not just scans)
Validation of findings, vulnerability chaining, auth/session/role checks, business logic.
-
Web / API / infrastructure (in scope)
Public services, admin panels, APIs, VPN/internal network if agreed.
-
PoCs & reproduction
PoCs + reproduction steps + concrete remediation guidance.
-
Executive summary
Clear risk presentation for management and procurement/security.
-
Retest
Verify fixes and deliver the final risk status.
-
Optional add-ons
Code review, cloud deep-dive, phishing, mobile: offered separately.
Process
Clear phases, no surprises.
-
1) Scope & rules of engagement
Targets, accounts, time window, do/don’t, escalation contact.
-
2) Testing
Manual testing across agreed targets and scenarios.
-
3) Report
Findings + risk + PoCs + prioritized remediation plan.
-
4) Retest
Validate remediation and deliver final status.
Pricing (Germany-oriented)
EUR first. BGN shown for reference (fixed rate).
-
START — Web/App Pentest (small scope)
€9000.00
Manual pentest for a small web application or limited scope. Clear report + remediation guidance + retest.
- Kickoff + scope definition (black/grey/white box)
- Manual testing + validation (not scanner-only)
- OWASP-focused coverage + auth/session checks
- Executive summary + prioritized findings (Critical/High/Medium/Low)
- Retest after fixes (agreed scope)
-
STANDARD — Web + API + Auth/Role model
€18000.00
For real business applications: web + API, roles, logic, and higher-quality deliverables for stakeholders.
- All START items
- Deep API testing + business logic scenarios
- Cloud config review (basic) if applicable
- Threat model mini-workshop (1 session)
- Developer-ready PoCs + remediation steps
-
BUSINESS — Combined (Web/API + Infra) + Compliance-ready reporting
€35000.00
For larger environments: combined testing + better documentation for procurement/security questionnaires.
- Combined testing by scenario (public + internal/VPN if in scope)
- Hardening findings (config & exposure)
- Report aligned to typical compliance needs (high-level mapping)
- Retest + final risk status summary
- Optional add-ons: code review / phishing / mobile (quoted separately)
FAQ
Black box, grey box or white box?
Your choice. Grey box is often the best balance between realism and efficiency.
Will you disrupt production?
We test in a controlled way under agreed rules. Destructive testing is excluded unless explicitly requested.
Do you provide compliance-ready output?
We provide an executive summary and structured findings. For strict frameworks we can tailor the report (scope-dependent).
Want a pentest quote with a clear scope?
Send us your domains/apps + role model + test window.