Pentests for multi-tenant SaaS, the way your auditor will read them.

Multi-tenant isolation, webhook signing, SCIM provisioning, admin APIs: the surfaces your auditor flags and your customer-procurement teams test in their security review. Our engagements stage isolation drift, signing bypass, and admin-API IDOR as reproducible PoCs. Reports accepted by SOC 2 Type II, ISO 27001, GDPR, and customer-procurement teams.

CREST-conducted · CERT-In empanelled · SOC 2-mapped

See the SaaS attack paths

Tenant boundaries, by hand

Cross-tenant IDOR across record IDs, slugs, integration tokens, search APIs, and billing meters.

Working proof-of-exploit

Captured SAML wrap, SCIM role-escalation transcripts, webhook replay traces. Not a checklist score.

Re-test included

Every finding re-tested after fixes ship. Written closure for SOC 2 + ISO 27001 evidence.

Three ways we test multi-tenant SaaS.

Tenant isolation, webhook signing, SCIM, admin APIs, customer-facing copilots. Pick the engagement that fits where your product is right now.

BugDazz Autonomous

Runs between SOC 2 cycles against tenant boundaries, OAuth scopes, SCIM flows, webhook HMAC and timestamp checks, and admin APIs. Re-tests every push.

Red team engagement

Adversary emulation against your production admin APIs and customer-tenant boundaries, with no warning to the on-call rotation. Output reads like an incident write-up.

AI and LLM pentest

Tests customer copilots and internal agents for prompt injection, cross-tenant data exfil via retrieval, function-call abuse, and system-prompt extraction.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • CERT-In empanelled auditor
  • AICPA SOC 2 Type II
  • ISO/IEC 27001

Why a SOC 2 audit isn't a pentest

A control marked effective is not a tenant boundary held.

SOC 2 Type II tells your auditor that the control runs. It does not tell anyone whether a paying tenant can read another tenant's data through an admin-API parameter that nobody on your team has touched in six months. SecureLayer7's pentesters chain the surfaces the audit grades green: a webhook signature that fails open on a missing header, a SCIM provisioning race that grants workspace-admin to a deactivated user, an audit-log endpoint that accepts an injected event with the wrong tenant ID. Then we walk the proof your auditor will accept and your team will fix.
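The webhook failure mode named above (a signature check that fails open when the header is missing, with the replay window left open) next to a fail-closed verifier, as an added illustration rather than SecureLayer7's or any client's code. The header names, the `timestamp.body` signing scheme, and the secret are assumptions for the example.

```python
import hashlib
import hmac
import time

# Constructed sample secret; a real deployment loads one per integration partner.
SECRET = b"whsec_constructed_example_only"


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Producer-side signature over timestamp + '.' + raw body (assumed scheme)."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_fail_open(headers: dict, body: bytes, secret: bytes) -> bool:
    """The weak pattern: an absent header is treated as valid, no timestamp window
    is enforced, and nothing stops a captured event from being replayed."""
    sig = headers.get("X-Signature")
    if sig is None:
        return True  # fails open: unsigned events pass
    return sig == sign(secret, headers.get("X-Timestamp", ""), body)  # also not constant-time


class WebhookVerifier:
    """Fail-closed: required headers, bounded window, constant-time compare, replay rejection."""

    def __init__(self, secret: bytes, tolerance_s: int = 300, now=time.time):
        self.secret = secret
        self.tolerance_s = tolerance_s
        self.now = now  # injectable clock so the window can be tested deterministically
        self.seen_ids: set[str] = set()  # in production: a store with TTL >= tolerance

    def verify(self, headers: dict, body: bytes) -> bool:
        sig = headers.get("X-Signature")
        ts = headers.get("X-Timestamp")
        delivery_id = headers.get("X-Delivery-Id")
        if not sig or not ts or not delivery_id:
            return False  # any missing header rejects the event
        try:
            ts_int = int(ts)
        except ValueError:
            return False
        if abs(int(self.now()) - ts_int) > self.tolerance_s:
            return False  # outside the replay window
        if not hmac.compare_digest(sig, sign(self.secret, ts, body)):
            return False  # signature covers the timestamp, so it cannot be re-stamped
        if delivery_id in self.seen_ids:
            return False  # replay of an already-accepted delivery
        self.seen_ids.add(delivery_id)
        return True
```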

Scope —

Every SaaS attack surface. Not just the OWASP top ten.

Six surfaces we exercise on every tech SaaS engagement. Multi-tenant isolation and identity sit at the top; data-export and supply-chain close the loop.

Multi-tenant isolation

Cross-tenant IDOR across record IDs, slug prediction, integration-token replay, search-API boundary leaks, billing-meter tampering.
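A tenant-scoped lookup across the three keys listed above (record ID, slug, integration token), with the unscoped IDOR version beside it, as an added example that is not SecureLayer7's or any product's code. The in-memory store, the token values, and the `api_get` handler are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    id: int
    tenant_id: str
    slug: str      # unique only within a tenant, not globally
    body: str


# Constructed in-memory store: two tenants share a slug and have adjacent record IDs.
RECORDS = {
    101: Record(101, "acme", "q3-forecast", "acme: revenue 4.2M"),
    102: Record(102, "globex", "q3-forecast", "globex: revenue 9.8M"),
}
# Constructed integration tokens: each token is bound to exactly one tenant.
INTEGRATION_TOKENS = {"itok_acme_example": "acme", "itok_globex_example": "globex"}


def get_record_vulnerable(record_id: int) -> Optional[Record]:
    """The IDOR pattern: the caller is authenticated elsewhere, but the lookup keys
    on the global record ID alone, so any tenant can read any ID it can guess."""
    return RECORDS.get(record_id)


def get_record(caller_tenant: str, record_id: int) -> Optional[Record]:
    """Tenant-scoped lookup: a foreign tenant's record is reported exactly like a
    missing one, so the response cannot be used to enumerate other tenants' IDs."""
    rec = RECORDS.get(record_id)
    return rec if rec is not None and rec.tenant_id == caller_tenant else None


def get_by_slug(caller_tenant: str, slug: str) -> Optional[Record]:
    """Slugs collide across tenants, so the key is (tenant, slug), never slug alone."""
    return next((r for r in RECORDS.values()
                 if r.tenant_id == caller_tenant and r.slug == slug), None)


def api_get(token: str, record_id: Optional[int] = None, slug: Optional[str] = None):
    """Hypothetical product-API handler: resolve the tenant from the integration token
    first, then run every lookup inside that tenant. Returns (status, body)."""
    tenant = INTEGRATION_TOKENS.get(token)
    if tenant is None:
        return 401, None
    rec = get_record(tenant, record_id) if record_id is not None else get_by_slug(tenant, slug or "")
    return (200, rec.body) if rec is not None else (404, None)
```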

OAuth, SSO, SCIM provisioning

SAML signature wrap, OAuth scope drift, SCIM admin-role escalation, JIT-provisioning race across Okta, Azure AD, Google Workspace, JumpCloud.

Admin API and internal tools

Retool-class admin exposure, super-admin scope creep, internal-API allowlist drift, support-impersonation paths to production data.

Webhook signing and replay

Webhook-secret leakage, signature wrap, replay-window abuse, integration-partner trust boundary, event-source spoofing.

Audit log and SOC 2 evidence

Log tampering, retention bypass, audit-event injection, after-the-fact rewrite, tenant-scoped log exfil.

Data export, rate-limit, supply chain

Bulk-export drift, GDPR subject-access boundary, per-tenant rate-limit bypass, free-tier escape, dependency confusion, secrets-in-history.

IN SCOPE.

Where we look across a tech SaaS stack.

TENANT
Isolation and IDOR

Record-level, workspace-level, organization-level boundaries probed across IDs, slugs, search APIs, and integration tokens.

IDENTITY
OAuth, SAML, SCIM

Scope drift, signature wrap, role escalation, JIT-provisioning race across every supported IdP.

INTEGRATIONS
Webhooks and admin APIs

Signing bypass, replay-window abuse, super-admin scope, internal-tool exposure.

EVIDENCE
Audit log and GDPR

Log integrity, retention, audit-event injection, subject-access boundary, bulk-export drift.

TECH SAAS ATTACK SURFACE.

What an attacker chains to cross tenant boundaries in a modern SaaS stack.

  1. Cross-tenant IDOR

     Record-ID, slug, or integration-token leak across workspaces, exfiltrating another tenant's customer data through the same product API.

  2. SAML signature wrap to admin takeover

     IdP response re-wrapped to swap the subject, granting workspace-admin or org-owner in a single sign-on flow.

  3. SCIM role escalation to workspace admin

     SCIM patch on a deactivated user races provisioning, landing an attacker role inside the target tenant before deprovisioning settles.

  4. Webhook signing bypass to state poisoning

     Missing signature header treated as valid and replay window left open, so injected events flip billing, role, or integration state.

  5. Audit-log tampering to SOC 2 evidence gap

     Log retention bypass or audit-event injection rewrites the trail, breaking the evidence chain your auditor needs for CC controls.

  6. Admin-API exposure to super-admin access

     Internal-tool allowlist drift or a support-impersonation endpoint reachable from outside, granting cross-tenant read or write.

  7. Dependency confusion to build-pipeline RCE

     Namespace squat or registry-priority flip lands attacker code inside CI, with secrets and signing keys reachable from the build runner.

MULTI-TENANT CHAIN CLASSES.

TECH SAAS METHODOLOGY.

Eight phases. Tenant-aware, evidence-ready.

Threat-modelled to your tenant graph, IDP topology, and integration partners. Not a template we run against every SaaS.

  1. Tenant model and boundary mapping
  2. OAuth, SCIM, SSO chain audit
  3. Admin-API surface enumeration
  4. Webhook signing and replay probe
  5. Audit-log integrity and retention review
  6. Data export and GDPR boundary
  7. Source code and dependency audit
  8. Chained finding, report, and free re-test

Meet our expert

John Dill

vCISO at SecureLayer7

  • 10+ years in offensive security
  • 300+ engagements led
  • 99.7% on-time delivery rate

John scopes tech SaaS engagements against your tenant model, IDP topology, and integration partners. He guides the pod from kick-off through final report and free re-test.

  • Scopes single-product and multi-product engagements against your real tenant model and IDP topology.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every chained finding.
  • Drives remediation review and free re-test until every tenant-crossing path is closed.

SL7 Lab. Published CVE research.

Ready to scope a SaaS pentest? Book 30 minutes with John to walk through your tenant model, IDP topology, and timeline.

Book a 30-min call

Common procurement questions

What buyers ask about SaaS penetration testing.

Six questions procurement and security-review teams send before signing a SaaS pentest SOW. Answered against our methodology and your auditor.

Have a procurement question not listed here?

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample SaaS pentest report: full tenant-crossing kill chain, working proof-of-exploit traces, SOC 2 CC and ISO 27001 Annex A mapping, and re-test scope. Sent on request after a 5-minute scoping call.