Penetration Testing that produces actionable results

Manual web/API/infrastructure pentest + executive-ready report + retest. Germany-aligned scope & pricing.

• Manual testing focused on real attack paths (not scanner noise)
• Clear report: PoCs + steps to reproduce + concrete fixes
• Risk prioritization (Critical/High/Medium/Low)
• Retest after remediation (agreed scope)

When a pentest is worth it

Before a security incident costs money and reputation.

A pentest simulates real attacks to find exploitable weaknesses before attackers do.

It’s especially useful before launch, after major changes, or when customers ask for security evidence.

You’ll get a report your dev/ops team can act on immediately: prioritized issues, PoCs, and remediation guidance.

What’s included

Practical testing + practical outcomes.

  • Manual pentest (not just scanning)

    Validation, chaining, auth/session/role testing, business logic.

  • Web / API / infra (as scoped)

    Public services, admin panels, APIs, VPN/internal segments if included.

  • Proof & reproduction

    PoCs + steps to reproduce + concrete remediation guidance.

  • Executive summary

    Clear risk story for management and procurement/security teams.

  • Retest

    Verify fixes and provide final risk status.

  • Optional add-ons

    Code review, cloud posture deep-dive, phishing, mobile – quoted separately.

Process

Clear phases, no surprises.

  1. Scope & rules of engagement

    Targets, accounts, time window, do/don’t, escalation contact.

  2. Testing

    Manual testing across agreed targets and scenarios.

  3. Report

    Findings + risk + PoCs + prioritized remediation plan.

  4. Retest

    Validate remediation and deliver final status.

Pricing (Germany-aligned)

EUR first. BGN shown for reference (fixed rate).

  • START — Web/App Pentest (small scope)

    €9000.00

    Manual pentest for a small web application or limited scope. Clear report + remediation guidance + retest.

    • Kickoff + scope definition (black/grey/white box)
    • Manual testing + validation (not scanner-only)
    • OWASP-focused coverage + auth/session checks
    • Executive summary + prioritized findings (Critical/High/Med/Low)
    • Rerun/retest after fixes (agreed scope)
  • BUSINESS — Combined (Web/API + Infra) + Compliance-ready reporting

    €35000.00

    For larger environments: combined testing + better documentation for procurement/security questionnaires.

    • Combined testing by scenario (public + internal/VPN if in scope)
    • Hardening findings (config & exposure)
    • Report aligned to typical compliance needs (high-level mapping)
    • Retest + final risk status summary
    • Optional add-ons: code review / phishing / mobile (quoted separately)

FAQ

Black box, grey box or white box?

Your choice. Grey box is often the best balance between realism and efficiency.

Will you disrupt production?

We test in a controlled way under agreed rules. Destructive testing is excluded unless explicitly requested.

Do you provide compliance-ready output?

We provide an executive summary and structured findings. For strict frameworks we can tailor the report (scope-dependent).

Want a pentest proposal with clear scope and timeline?

Send your domains/apps + role model + preferred test window.

We usually reply within 1 business day.