External security assessment

Ship fast.
Test what attackers can reach.

Black-box security testing for web apps and APIs. No credentials, no agents, no scanner dump.

We verify scope, test from the outside, and deliver prioritized findings with evidence, CVSS scoring, and remediation guidance.

Start an assessment
Black-box assessmentOwnership verified firstCVSS-scored findingsAnalyst reviewed evidence

Built for teams that need clear security evidence before the next release.

Attack surface — live mapping12 endpoints
APIDB/authAdminCDNWSS3CacheUploadOAuthGraphQLWebhook
Monitoring surface...

1-2 business days

to schedule after scope verification

5-10 business days

typical report window

0 credentials

needed for baseline testing

Code Risk

Secure-looking code can still fail under attack.

These examples show the kinds of issues an external assessment should validate with evidence: authorization gaps, token handling mistakes, unsafe input paths, and race conditions.

Auth check present — object ownership missing

The resolver checks that a user is logged in, so the endpoint looks protected during a quick review.

Vulnerable
// Common resolver mistake: authentication without ownership checks
const resolvers = {
  Query: {
    user: async (_, { id }, ctx) => {
      if (!ctx.user) throw new AuthError('Unauthenticated');
      // ← auth check exists, but no ownership validation
      return db.user.findById(id);
    },
    invoices: async (_, { userId }, ctx) => {
      if (!ctx.user) throw new AuthError('Unauthenticated');
      return db.invoices.findByUser(userId);
    },
  },
};
// Attacker introspects → finds all types, mutations, admin ops
// query { user(id:"admin-001") { email role apiKey passwordHash } }
// → 200 OK  full admin profile returned to any logged-in user
The issue is not missing login. It is missing object-level authorization. A black-box test can confirm whether changing an ID returns another tenant's data, then document the request, response, affected objects, and fix path.

These are real vulnerability classes — the kind that pass code review and break in production.

Engagement Outcomes

What the report is built to clarify

The goal is simple: reduce uncertainty, show evidence, and give engineering a concrete fix path.

Scanner noise becomes reviewable evidence

Findings are grouped by risk, validated manually, and supported with reproducible HTTP evidence instead of a raw alert export.

Evidence, reproduction steps, and severity in one place

Auth and access-control paths get tested directly

The assessment looks for authorization gaps, token handling mistakes, and business logic paths that automated scanners usually miss.

Designed for web apps, APIs, and exposed admin surfaces

Fixes can be verified after remediation

Retest work confirms whether fixes hold and documents the before-and-after state for engineering, leadership, or audit review.

Retest option available after the initial report

How It Works

From verified scope to report

You define the target. We verify ownership, test within scope, and document the results.

Step 1 of 4

Define Target

Tell us what to test — your domain, your priorities, your constraints.

Kickoff within 1-2 business days of verification.
Report delivered within 5-10 business days.
Verified ownership required before testingNo credential handover required for baselineNon-destructive baseline by default

Full Trust and Safety Rules

Show details

Engagement rules

  • Verified ownership required before testing
  • No credential handover required for baseline
  • Non-destructive baseline by default
  • Written approval for higher-impact actions
  • Audit trail for approvals and transitions

Baseline includes

  • Authentication, session, and access control
  • API authorization and tenant boundary checks
  • Common exploit chains (IDOR, SSRF, upload abuse)
  • Rate limits and abuse paths

Not included unless approved

  • Destructive load testing
  • Data exfiltration beyond proof
  • Any action outside approved scope boundaries
Sample Report

What the deliverable looks like

A sanitized report preview with evidence, severity, business context, and remediation guidance for each finding.

Interactive sample

Review the evidence, impact, and retest state.

Active Risk

Risk posture

Critical risk

14

Findings

Severity distribution

Critical

2

High

4

Medium

5

Low

3

Executive summary

2 critical findings create account takeover and cross-tenant data exposure paths. Combined with 4 high-severity issues — session fixation, GraphQL schema exposure, admin API bypass, and missing rate limits — the application should not ship until priority fixes are complete.

Analyst validation

Exploitability confirmed with evidence

Business impact mapped per finding

Duplicates collapsed into clear tickets

Scope boundaries recorded and followed

Reproduction steps documented

Retest verification included

Analyst validation with evidence, business context, and optional retest.
View full sample report
Services

Choose an assessment

One-time assessment or ongoing validation. Both start the same way.

Black-Box Assessment

One-time

One complete test of your external attack surface.

External black-box testing

Prioritized findings with evidence

Remediation guidance per finding

Typical turnaround: 5-10 business daysReport + remediation roadmap
Comparison

Where WeHackU fits

A focused external assessment sits between automated scanning and long-running security programs.

Swipe to compare
WeHackUAnalyst-led
Auto ScannerKnown issues
In-HouseYour team
Bug BountyCrowdsourced
Business logic flawsYesNoPartialPartial
Exploit chain analysisYesNoPartialNo
Predictable delivery windowYesFast*VariesVaries
CVSS-scored findingsYesNoPartialNo
No credentials requiredYesYesNoNo
Business context per findingYesNoPartialNo
Fixed scope & timelineYesYesNoNo

* Automated scanners can return fast results, but exploitability and business impact still need validation.

FAQ

Common Questions

Straight answers about scope, process, and what to expect.

No. We test entirely from the outside — no credentials, no VPN, no agent installed. Exactly the access an attacker has. You verify domain ownership by placing a token at a URL on your domain, then we start.

Ready when scope is clear

Get a report your team can act on.
Evidence first. Fix path included.

Submit a target, verify ownership, and we schedule testing against the approved scope.

Full black-box external assessment
Prioritized findings with evidence
Every finding analyst-validated with evidence
Report in 5–10 business days
Start an assessment

No setup. No access handover. Scope confirmed before any testing begins.

Live EngagementDay 3 / 7
Target: api.yourcompany.io
Discovery✓ Done
Enumeration✓ Done
Authentication↻ In progress
AuthorizationPending

Findings so far

CRITICAL
1
HIGH
2
MED
3
ETA: ~4 business days to full report

Weekly Security Brief

Security notes for busy engineering teams.

CVEs, attack techniques, and patch guidance. Short, practical, and written for teams shipping software.

CVE RadarAttack TechniquesPatch WatchResearch

No account needed · Unsubscribe any time