SaaS & B2B software

A pentest scoped for the team that ships multi-tenant software.

Tenant isolation, SSO and SCIM, role-based access, and the customer-facing API. We run the test, we map the findings to SOC 2 and ISO, and we sequence the retest before your audit window opens.

Where we focus

Six surfaces where SaaS engagements tend to concentrate.

Multi-tenant isolation

Cross-tenant IDORs, exported reports, shared links, webhooks, integrations.

SSO and SCIM

SAML/OIDC assertion handling, downgrade paths, SCIM provisioning misuse, role-claim manipulation.

Role-based access control

Vertical and horizontal escalation across documented roles. Role-gated features invoked by lower-privileged roles.

Public APIs and webhooks

Auth, IDORs, replay, rate limiting, signature verification, partner-token scope.

Billing and entitlements

Logic for paid features, plan downgrades, trial abuse, seat-count enforcement.

Admin and operator surfaces

Internal admin tooling exposed inadvertently. Operator endpoints reachable by tenants.

How we typically scope SaaS

A common bundle: web app + API + authenticated testing.

Most SaaS engagements combine these three because that is how customers actually use a multi-tenant product. Add a compliance pentest if your audit is the primary driver.

FAQ

SaaS & software — common questions

How quickly can you deliver a report a customer will accept?

A typical SaaS web app and API engagement is two to three weeks of testing plus a week of reporting and a retest of reported findings. Many customers schedule the kickoff within the same week as the scoping call when a deadline is tight.

Will the report satisfy our SOC 2 or ISO auditor?

Yes. Findings are mapped to SOC 2 Common Criteria and to ISO 27001 Annex A controls in the same document. Customers consistently use the report as audit evidence without rework.

How do you test multi-tenant isolation?

We test with at least two tenant accounts in scope (more for cross-tenant share scenarios) and walk every protected resource boundary — direct API access, shared links, exports, webhooks, and any integration that touches multiple tenants.

Do you test our SSO and SCIM integrations?

Yes. SSO assertion handling, replay, downgrade paths to local login, role-claim manipulation, and SCIM provisioning misuse are part of standard scope when those integrations exist.

Can you fit a pentest into a sales-driven deadline?

Often, yes — tell us the date on the scoping call. We routinely sequence engagements so the report and retest land in time for procurement review.

Want a credible answer to: are we secure?

A 30-minute review with our lead pentester. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fair scope and timeline.