At Strike, we conduct high-impact manual pentests designed to simulate real-world attack scenarios and uncover vulnerabilities that pose real business risks. Each engagement is tailored based on the access level (Black-box, Gray-box, White-box) and asset type (Web Service, On-premise / Cloud Infrastructure, Mobile).
Our assessments align with industry-recognized methodologies such as OWASP Top 10 (Web, API, Mobile), NIST 800-115, CIS Benchmarks, CSA guidelines, OWASP ASVS, and OWASP MASVS, among others.
Below is a breakdown of key activities per testing type:
Black-box (no prior access)
Simulates an external attacker with no prior knowledge, enabling realistic evaluation of exposure and the effectiveness of perimeter defenses.
Web Service
Passive reconnaissance
Attack surface mapping
Endpoint discovery and enumeration
Dynamic analysis of APIs and web services
Authentication, injection, and basic business logic testing
Discovery of exposed attack vectors
Methodologies: OWASP Top 10 Web / API, NIST 800-115
On-premise / Cloud Infrastructure
Host discovery
Port and service fingerprinting
Firewall, WAF, and perimeter security configuration analysis
Identification of exposed cloud vectors (IPs, subdomains, buckets, resources)
Environment segregation validation
Methodologies: NIST 800-115, CIS Benchmarks, CSA guidelines
Mobile
Initial reverse engineering of APK/IPA
Detection of hardcoded secrets
Basic permission review
Analysis of backend/API communication
Validation of unauthenticated exposed functions
Methodologies: OWASP Top 10 Mobile
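The "detection of hardcoded secrets" step above is, in practice, a pattern scan over the strings recovered from the unpacked APK/IPA or decompiled source. The following is an added example of that scan, not Strike's tooling or code from this page: it matches a small, illustrative set of known credential formats (AWS access key IDs, Google API keys, JWTs, PEM private-key headers) plus generic `name = "value"` assignments, and uses a Shannon-entropy threshold so that placeholders such as `changeme` are not reported. The input strings are constructed to resemble `strings` output from a decompiled app; the pattern list and the 3.5-bit threshold are assumptions to tune per engagement.

```python
"""Hardcoded-secret scan over strings pulled from a decompiled mobile app.
Added example; in practice feed it the output of `strings` on the unpacked
APK/IPA, or the decompiled sources, one line per entry."""
import math
import re
from collections import Counter

# Well-known credential formats. Assumption: an illustrative subset, not a full rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "google_api_key":    re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "jwt":               re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic `<name> = "<value>"` assignments; the value is entropy-checked before reporting.
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|passw(?:or)?d|token)\s*[:=]\s*[\"']([^\"']{8,})[\"']"
    ),
}


def shannon_entropy(s):
    """Bits of entropy per character; placeholder words score low, real keys score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings(lines, min_entropy=3.5):
    """Return a list of {line, type, value} findings for the given string lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for label, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(2) if label == "generic_assignment" else m.group(0)
                if label == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue  # low-entropy values like "changeme" are placeholders, not secrets
                findings.append({"line": lineno, "type": label, "value": value})
    return findings


# Constructed sample input (not from a real app), resembling `strings` output.
SAMPLE_STRINGS = [
    'String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
    'String MAPS = "AIzaSyA1234567890abcdefghijklmnopqrstuv";',
    'String BEARER = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.'
    'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";',
    'api_key = "Xk7pQ2mN9vR4tY8wB3zL6hJ1"',
    'static final String CLIENT_SECRET = "changeme";',   # placeholder, should be filtered
    'Log.d("net", "token refreshed");',                   # keyword without an assignment
    'retrofit2.Retrofit$Builder',
]

if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"line {f['line']}: {f['type']}: {f['value'][:12]}...")
```

Every hit still needs manual confirmation (whether the credential is live, what it grants, and whether it is reachable from the client-side trust boundary at all); the scan only narrows the search.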
Gray-box (partial access: credentials, documentation, user roles)
Simulates a limited-access attacker or insider. This approach balances realism and technical depth, enabling effective analysis of internal controls and business-critical workflows.
Web Service
Authenticated testing across different roles
Horizontal and vertical access control validation
Deep dynamic API analysis
Authorization mechanism validation
Privilege escalation testing
Business logic testing in critical flows
Methodologies: OWASP Top 10 Web / API, NIST 800-115
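Horizontal and vertical access control validation across roles comes down to building an authorization matrix: every documented endpoint is replayed with every test identity, and any response that contradicts the access model is flagged. The block below is an added example of that harness, not code from this page or from Strike. The target it runs against (`fake_target`) is a constructed in-memory stand-in with two deliberate flaws, an invoices endpoint without an ownership check and an admin endpoint without a role check; in a real engagement `send` would issue the HTTP request with that identity's session and return the status code. The endpoint list and expected-status rules are assumptions standing in for the application's access model.

```python
"""Authorization matrix check: replay each documented endpoint with every test
identity and flag 200 responses the access model says should be 403.
Added example; `fake_target` is a constructed stand-in for the system under test."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    role: str       # "user" or "admin"
    user_id: int


@dataclass(frozen=True)
class Endpoint:
    method: str
    path_template: str      # may contain {uid} for object-scoped resources
    allowed_roles: frozenset
    owner_scoped: bool      # a "user" may only reach their own {uid}


# Constructed, deliberately flawed target (hypothetical; not a real application).
def fake_target(ident, method, path):
    """Return an HTTP-like status for the request as a logged-in `ident`."""
    parts = path.strip("/").split("/")
    if parts[0] == "users" and len(parts) == 3 and parts[2] == "profile":
        return 200 if int(parts[1]) == ident.user_id or ident.role == "admin" else 403
    if parts[0] == "users" and len(parts) == 3 and parts[2] == "invoices":
        return 200  # FLAW: no ownership check -> horizontal access (IDOR)
    if path == "/admin/settings" and method == "PATCH":
        return 200  # FLAW: only authentication is checked -> vertical escalation
    if path == "/admin/users" and method == "GET":
        return 200 if ident.role == "admin" else 403
    return 404


def expected_status(ep, caller, target_uid):
    """What the access model says this caller should get."""
    if caller.role not in ep.allowed_roles:
        return 403
    if ep.owner_scoped and caller.role != "admin" and target_uid != caller.user_id:
        return 403
    return 200


def check_matrix(send, identities, endpoints):
    """Return (kind, caller, method, path) for every 200 that should have been 403."""
    findings = []
    for ep in endpoints:
        for caller in identities:
            # Object-scoped endpoints are tried against every known user's objects.
            targets = {i.user_id for i in identities} if "{uid}" in ep.path_template else {None}
            for uid in targets:
                path = ep.path_template.format(uid=uid) if uid is not None else ep.path_template
                want = expected_status(ep, caller, uid)
                got = send(caller, ep.method, path)
                if want == 403 and got == 200:
                    kind = "vertical" if caller.role not in ep.allowed_roles else "horizontal"
                    findings.append((kind, caller.name, ep.method, path))
    return findings


# Assumed test identities (one per role, plus a second user for horizontal checks).
IDENTITIES = [Identity("alice", "user", 1), Identity("bob", "user", 2), Identity("admin", "admin", 99)]

# Assumed access model for the endpoints under test.
ENDPOINTS = [
    Endpoint("GET", "/users/{uid}/profile", frozenset({"user", "admin"}), owner_scoped=True),
    Endpoint("GET", "/users/{uid}/invoices", frozenset({"user", "admin"}), owner_scoped=True),
    Endpoint("PATCH", "/admin/settings", frozenset({"admin"}), owner_scoped=False),
    Endpoint("GET", "/admin/users", frozenset({"admin"}), owner_scoped=False),
]

if __name__ == "__main__":
    for kind, who, method, path in check_matrix(fake_target, IDENTITIES, ENDPOINTS):
        print(f"{kind:10} {who:6} {method} {path}")
```

The harness only compares status codes; on real targets a 200 with an empty body, or a 403 body behind a 200 status, is common, so the `send` function should return a normalized verdict (authorized or not) derived from both status and body, and the matrix should be re-run after any fix to catch regressions.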
On-premise / Cloud Infrastructure
Internal attacker simulation with limited access
Lateral movement and privilege escalation testing
Network segmentation validation
Security policy review
Exposure and IAM configuration assessment in cloud environments
Methodologies: NIST 800-115, CIS Benchmarks, CSA guidelines
Mobile
Authenticated testing with different user profiles
Dynamic application analysis
Local storage and communication encryption validation
Access control between modules and APIs
Backend interaction and sensitive data handling verification
Methodologies: OWASP Top 10 Mobile, OWASP MASVS
White-box (full access: source code, architecture, credentials)
Enables in-depth analysis through full access to internal information, maximizing technical coverage and uncovering complex flaws and hardening opportunities.
Web Service
Source code review for vulnerabilities, bad practices, and backdoors
Combined static and dynamic analysis
Security architecture assessment
Input validation, data flow, and authentication mechanism testing
Methodologies: OWASP Top 10 Web / API, NIST 800-115, OWASP ASVS
On-premise / Cloud Infrastructure
Deep configuration and policy analysis (firewalls, IAM, ACLs)
Internal attack scenario simulation
Monitoring, alerting, and incident response validation
Environment segregation and critical resource permission analysis
Methodologies: NIST 800-115, CIS Benchmarks, CSA guidelines
Mobile
Full static source code analysis
Third-party dependency and library review
Advanced dynamic testing (communication, secure storage, sensitive data management)
Validation of protection mechanisms (certificate pinning, root/jailbreak detection, etc.)
Methodologies: OWASP Top 10 Mobile, OWASP MASVS
Our differentiator
Our manual pentests are conducted by a team of senior offensive security engineers focused on real-world exploitation. We combine dynamic and static techniques according to the access level and asset type, maximizing technical coverage and prioritizing findings by business impact across your most critical systems.