On-Demand Penetration Testing

Pentest at sprint pace, right-sized to your scope.

3-day, 7-day, or 15-day shapes, for a single web app, an app plus supporting API, or a multi-app stack. Same manual depth as a discipline-specific engagement, scoped on a 30-minute call, delivered with a working proof-of-exploit, the patch path, and a verified re-test.

[Figure: three engagement shapes on a sprint timeline. A short 3-day Sprint bar, a highlighted 7-day Standard bar, and a long 15-day Deep bar, aligned to a 0 to 15-day scale.]

Right-sized

3-day Sprint, 7-day Standard, or 15-day Deep, pick the shape that fits the target, not the calendar.

Manual depth

Scanner output filtered to the exploitable. Manual chained-exploits surfaced. Working proof-of-exploit on every finding.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • ISO/IEC 27001

Why on-demand

Engineering ships every sprint. Your pentest doesn't.

An annual pentest is one snapshot of an application that has already changed by the time the report lands. The 51 weeks in between go unreviewed. On-demand closes the gap: each release cycle gets a right-sized engagement, small enough to fit your sprint, deep enough to surface what scanners won't. The same CREST-accredited pentesters, the same manual depth, sized to the work you're shipping this quarter.

[Figure: two year-spines stacked. Top: ANNUAL, a single marker on a year line, tagged 1 SCAN. Bottom: ON-DEMAND, twelve smaller markers across the same year line, tagged 12 SPRINTS. Visualises the gap on-demand pentest closes.]

THREE ENGAGEMENT SHAPES.

Same depth. Scoped to scale.

Pick the shape that fits the target. Asset volume drives the man-days; the methodology and the accreditation stay the same at every tier.

Sprint
3D

Single web app, single API, or a focused regression. OWASP Top 10 and SANS Top 25 mapped, working proof-of-exploit, fixes in your sprint cycle.

Standard
7D

App plus supporting API plus business-logic edge cases. Auth flows, role-based access, integration surfaces. Longer-tail vulns the scanner misses.

Deep
15D

Multi-app stack: auth, RBAC, payment, third-party integrations, mobile-API surface. Exhaustive depth for an annual security-posture review.

What we test on-demand

One engagement model. Every target you ship.

Web, mobile, API, network, internal, brought under one delivery model. You don’t have to pick a discipline before you scope; we right-size the team and the depth to your target.

Web applications

Single SPA, multi-tenant, e-commerce, internal portal. Auth flows, RBAC, business logic, payment-stage integrity, manually walked, not scanner-rubber-stamped.

REST + GraphQL APIs

OWASP API Top 10 mapped. BOLA (broken object-level authorization), mass assignment, rate-limit bypass, schema introspection abuse, refresh-token rotation gaps.

Mobile apps (iOS · Android)

Native, hybrid, and cross-platform builds. Static + runtime instrumentation under Frida, deeplink hijack, Keychain / Keystore mishandling, addJavascriptInterface RCE.

Network IPs (internal + external)

Service enumeration, exposed admin panels, weak auth chains, default-credential pivots, RCE chains into the application stack, walked by hand, not just nmap output.

Internal apps + admin portals

VPN-gated, SSO-fronted, role-segmented apps. Same auth depth as external surfaces, mapped to your insider threat model and least-privilege contract.

Cloud + container surfaces

AWS, Azure, GCP, and Kubernetes: IAM mishandling, managed-identity over-scope, IMDSv1 SSRF, pod-to-host RBAC bypass, tested under your real workload identity model.

ON-DEMAND METHODOLOGY.

Six phases. Closed-loop at every shape.

Compressed for a 3-day Sprint, expanded for a 15-day Deep. The methodology, the manual coverage, and the sign-off contract stay the same.

  1. Brief

     30-minute scoping call. Your target, timeline, build pipeline, and risk model walked through with the engagement lead. No 2-week SOW process.

  2. Scope

     Right-sized to a 3-, 7-, or 15-day shape. Asset list, deliverables, success criteria, and re-test contract written in one document.

  3. Recon

     Dependency graph, attack-surface map, exposed endpoints, and authentication paths inventoried before the manual phase begins.

  4. Exploit

     Manual chained-exploits surfaced. Scanner output triaged to the exploitable. Each finding paired with a working proof-of-exploit on a real environment.

  5. Report

     Working PoC, severity scored against business impact, the patch path written for engineering. Executive summary and CVSS evidence for the audit trail.

  6. Re-test

     Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each path is closed before the engagement is signed off.

Meet your engagement lead

One named lead, on demand.

John Dill

vCISO at SecureLayer7

  • 3 · 7 · 15: engagement shapes (days)
  • Manual: methodology at every shape
  • Included: re-test on every engagement

John runs on-demand scoping from kick-off to re-test. He translates your target, timeline, build pipeline, and risk model into a 3-, 7-, or 15-day shape, then owns status checkpoints and sign-off so the pod stays heads-down on the engagement.

  • Right-sizes engagements against your sprint cycle, asset volume, and risk model, not a fixed-tier menu.
  • Owns kick-off, mid-engagement walkthroughs, and live review of every finding before it lands in the report.
  • Drives remediation review and re-test until every finding is closed and proven on your environment.

SL7 Lab. Published CVE research.

Ready to scope an on-demand engagement? Book 30 minutes with John to walk through your target, timeline, and which shape fits.

Book a 30-min call

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Startups

Single-sprint engagements that ship before your next SOC 2 audit.

Tech SaaS

Release-train-aligned re-tests on the surfaces that changed since last engagement.

FinTech

Pre-launch product pentests for new features hitting regulated environments.

Built for Saudi Arabia engagements

What changes when we deliver here.

  • Compliance scoping

    Engagements fit NCA ECC change-window SLAs

  • Regulatory framework

    SAMA quarterly D3 review-aligned cadence

  • Local engagements

    Khobar fintech ran 11 on-demand tests in one SAMA year

  • Local pricing

    SAR retainer with 90-day roll-over and VAT 15% per draw

  • Data residency

    KSA-region jump hosts spun up same-day

On-demand pentest questions from KSA teams.

  • Can a test start inside an NCA ECC change window?

    Yes. We staff inside the 5 to 10 day window most KSA enterprises run. Findings are written so the change record closes on time.

  • Does the cadence match SAMA quarterly cycles?

    Yes. Retainer draws map to SAMA quarterly D3 reviews. The bank's risk committee sees a fresh report each quarter.

  • Is data residency kept during a fast turn?

    Yes. KSA-region jump hosts are spun up the same day. No artefact leaves the Kingdom during the short engagement.

  • How is unused retainer time billed?

    Unused hours roll for 90 days. The SAR invoice shows draw-down vs balance with VAT 15% on each draw.

Delivery in Saudi Arabia

On-demand pentest for KSA release cycles.

Short engagements fit NCA ECC change-management windows and SAMA quarterly review cycles. SAR retainers with VAT 15% on each draw-down.

Direct line: +966-11-000-0000
Office: Riyadh, Saudi Arabia

Frameworks scoped: NCA ECC · SAMA CSF · PDPL · ISO/IEC 27001.

Sample on-demand pentest report, chain · evidence · patch path · re-test

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full vulnerability narrative, working proof-of-exploit, the patch path, and the re-test confirmation. Sent on request after a 5-minute scoping call.