We're active bug bounty hunters on HackerOne, Bugcrowd, and Intigriti — not compliance checkbox vendors. We test your web application the way a real attacker would, and we find what automated tools miss.
Scoped engagement · Evidence-backed report · Web application focus · Fixed-price
Automated scanners catch the obvious stuff. Manual testing finds the logic flaws, chained vulnerabilities, and edge cases that only a human attacker would notice.
Passive and active subdomain discovery across Certificate Transparency, DNS brute-forcing, and web archives. We manually verify takeover candidates — not just flag fingerprints.
Broken auth flows, weak session token entropy, improper logout, OAuth misconfiguration, MFA bypass opportunities, and password policy gaps. We walk through every login and session path.
Insecure Direct Object Reference — can user A access user B's resources by changing an ID? Can a low-privilege user reach admin endpoints? We test every authorization boundary.
We test CORS headers for origin reflection, trusted-domain bypasses, and null origin acceptance. A permissive CORS policy on an API with authentication is credential theft waiting to happen.
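As an added illustration of the CORS checks described above (example code, not part of this page or the service's tooling), the function below classifies one response's CORS headers from the defender's side: an origin allowlist implemented with a substring match (the "trusted-domain bypass" class) sits beside an exact-match version, and assess_cors flags null-origin acceptance, wildcard-with-credentials, and reflection of an origin outside the allowlist. TRUSTED_ORIGINS and all hostnames are constructed for the example.

```python
# Constructed allowlist for the example; a real deployment keeps this in config.
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def origin_allowed_weak(origin: str) -> bool:
    """Substring/suffix matching: the pattern behind 'trusted-domain bypass' findings.
    It accepts any origin that merely contains the trusted domain string."""
    return "example.com" in origin


def origin_allowed_strict(origin: str) -> bool:
    """Exact match of scheme + host against the allowlist.
    'null', lookalike hosts and other schemes are rejected by construction."""
    return origin in TRUSTED_ORIGINS


def assess_cors(request_origin: str, headers: dict) -> list[str]:
    """Return the policy weaknesses visible in one response's CORS headers,
    given the Origin that was sent on the request."""
    lowered = {k.lower(): v for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    creds = lowered.get("access-control-allow-credentials", "").strip().lower() == "true"
    findings: list[str] = []
    if acao is None:
        return findings  # no CORS policy at all: browsers block cross-origin reads
    suffix = " with credentials" if creds else ""
    if acao == "null":
        # 'null' is what sandboxed iframes and data: URLs send; allowing it is not a safe allowlist.
        findings.append("null origin accepted" + suffix)
    elif acao == "*":
        # Browsers refuse '*' together with credentials, but the intent is still wrong.
        if creds:
            findings.append("wildcard origin with credentials")
    elif acao == request_origin and not origin_allowed_strict(request_origin):
        # The server echoed back an origin that is not on the allowlist.
        findings.append("untrusted origin reflected" + suffix)
    return findings
```

The same check can be run over captured responses from each authenticated API endpoint; a non-empty result on an endpoint that returns user data is the condition the page calls credential theft waiting to happen.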
Open redirects are used to chain OAuth token theft, credential harvesting, and referrer-bypass attacks. We test every redirect parameter across the application.
Admin panels, staging environments, debug endpoints, and developer tools inadvertently exposed to the internet. These are consistently among the highest-impact bugs we find.
Cross-site request forgery on state-changing actions. We verify CSRF token presence, token binding to session, and that double-submit cookie patterns are properly implemented.
Login, password reset, OTP, and API endpoints tested for rate limiting gaps. Missing rate limits allow credential stuffing, OTP brute force, and account enumeration.
Need broader coverage? Contact us at hello@aluetion.com — we scope every engagement before pricing.
Every engagement is scoped before it starts. No surprises on what we test or what we charge.
We define the target surface — which domains, subdomains, and endpoints are in scope. We agree on what's out of bounds and document it before a single request is sent.
Passive recon: DNS, CT logs, WHOIS, technology fingerprinting. We understand your public footprint before touching any endpoint.
We work through the in-scope surface manually — walking authentication flows, testing access controls, probing API endpoints, and checking every input the application exposes.
Every finding documented with severity rating, HTTP request/response captures, reproduction steps, and a clear remediation recommendation. No theoretical findings — if we report it, we've demonstrated it.
After you fix the findings, we verify each one is closed and issue written confirmation. You don't just take our word for it — you see the evidence.
We actively hunt on public bug bounty programs. Real programs, real triage, real findings — not just certifications.
We scope before we price. Every engagement is defined upfront — no surprises.
Single web application, defined scope
Automated audit runs first, manual testing follows
We test your application with the same mindset we use on live bug bounty programs β because that's what actually finds real vulnerabilities.
Scope a Pentest · Web App Pentest $1,497 · Bundle with Security Audit $1,997 · Retest included