Ship fast.
Test what attackers can reach.
Black-box security testing for web apps and APIs. No credentials, no agents, no scanner dump.
We verify scope, test from the outside, and deliver prioritized findings with evidence, CVSS scoring, and remediation guidance.
Built for teams that need clear security evidence before the next release.
1-2 business days
to schedule after scope verification
5-10 business days
typical report window
0 credentials
needed for baseline testing
Secure-looking code can still fail under attack.
These examples show the kinds of issues an external assessment should validate with evidence: authorization gaps, token handling mistakes, unsafe input paths, and race conditions.
Auth check present — object ownership missing
The resolver checks that a user is logged in, so the endpoint looks protected during a quick review.
// Common resolver mistake: authentication without ownership checks
const resolvers = {
Query: {
user: async (_, { id }, ctx) => {
if (!ctx.user) throw new AuthError('Unauthenticated');
// ← auth check exists, but no ownership validation
return db.user.findById(id);
},
invoices: async (_, { userId }, ctx) => {
if (!ctx.user) throw new AuthError('Unauthenticated');
return db.invoices.findByUser(userId);
},
},
};
// Attacker introspects → finds all types, mutations, admin ops
// query { user(id:"admin-001") { email role apiKey passwordHash } }
// → 200 OK full admin profile returned to any logged-in userThese are real vulnerability classes — the kind that pass code review and break in production.
What the report is built to clarify
The goal is simple: reduce uncertainty, show evidence, and give engineering a concrete fix path.
Scanner noise becomes reviewable evidence
Findings are grouped by risk, validated manually, and supported with reproducible HTTP evidence instead of a raw alert export.
Evidence, reproduction steps, and severity in one place
Auth and access-control paths get tested directly
The assessment looks for authorization gaps, token handling mistakes, and business logic paths that automated scanners usually miss.
Designed for web apps, APIs, and exposed admin surfaces
Fixes can be verified after remediation
Retest work confirms whether fixes hold and documents the before-and-after state for engineering, leadership, or audit review.
Retest option available after the initial report
From verified scope to report
You define the target. We verify ownership, test within scope, and document the results.
Step 1 of 4
Define Target
Tell us what to test — your domain, your priorities, your constraints.
Full Trust and Safety Rules
Show details
Engagement rules
- Verified ownership required before testing
- No credential handover required for baseline
- Non-destructive baseline by default
- Written approval for higher-impact actions
- Audit trail for approvals and transitions
Baseline includes
- Authentication, session, and access control
- API authorization and tenant boundary checks
- Common exploit chains (IDOR, SSRF, upload abuse)
- Rate limits and abuse paths
Not included unless approved
- Destructive load testing
- Data exfiltration beyond proof
- Any action outside approved scope boundaries
What the deliverable looks like
A sanitized report preview with evidence, severity, business context, and remediation guidance for each finding.
Interactive sample
Review the evidence, impact, and retest state.
Risk posture
Critical risk14
Findings
Severity distribution
Critical
2
High
4
Medium
5
Low
3
Executive summary
2 critical findings create account takeover and cross-tenant data exposure paths. Combined with 4 high-severity issues — session fixation, GraphQL schema exposure, admin API bypass, and missing rate limits — the application should not ship until priority fixes are complete.
Analyst validation
Exploitability confirmed with evidence
Business impact mapped per finding
Duplicates collapsed into clear tickets
Scope boundaries recorded and followed
Reproduction steps documented
Retest verification included
Choose an assessment
One-time assessment or ongoing validation. Both start the same way.
Black-Box Assessment
One-timeOne complete test of your external attack surface.
External black-box testing
Prioritized findings with evidence
Remediation guidance per finding
Test + Retest Program
ProgramAssessment now, verification retest after you fix. Confirms nothing regressed.
Everything in Black-Box Assessment
Follow-up retest window
Drift comparison report
Where WeHackU fits
A focused external assessment sits between automated scanning and long-running security programs.
WeHackUAnalyst-led | Auto ScannerKnown issues | In-HouseYour team | Bug BountyCrowdsourced | |
|---|---|---|---|---|
| Business logic flaws | Yes | No | Partial | Partial |
| Exploit chain analysis | Yes | No | Partial | No |
| Predictable delivery window | Yes | Fast* | Varies | Varies |
| CVSS-scored findings | Yes | No | Partial | No |
| No credentials required | Yes | Yes | No | No |
| Business context per finding | Yes | No | Partial | No |
| Fixed scope & timeline | Yes | Yes | No | No |
* Automated scanners can return fast results, but exploitability and business impact still need validation.
Common Questions
Straight answers about scope, process, and what to expect.
No. We test entirely from the outside — no credentials, no VPN, no agent installed. Exactly the access an attacker has. You verify domain ownership by placing a token at a URL on your domain, then we start.
Ready when scope is clear
Get a report your team can act on.
Evidence first. Fix path included.
Submit a target, verify ownership, and we schedule testing against the approved scope.
No setup. No access handover. Scope confirmed before any testing begins.
Findings so far
Weekly Security Brief
Security notes for busy engineering teams.
CVEs, attack techniques, and patch guidance. Short, practical, and written for teams shipping software.
No account needed · Unsubscribe any time