Thick client application pentesting. Past the network. Into the binary.

Manual thick client application penetration testing across Windows, macOS, Linux native apps plus .NET, Java, and Electron desktop. Tested by hand for DLL-search-order hijacking, named-pipe and XPC ACL abuse, hardcoded keys lifted out of process memory, custom-protocol replay over cleartext, and writable installer paths that escalate to NT AUTHORITY\SYSTEM. Every finding ships with a working proof-of-exploit, code-level fix guidance, and a free re-test.

Four desktop binary tiles, Windows PE, .NET, Mach-O, ELF, each annotated with one named bug class, traces converging on a reverse-engineering proof-of-exploit card lifting a DLL-hijack chain to NT AUTHORITY\SYSTEM.

Native binaries

Windows PE · .NET · Java desktop · macOS Mach-O · Linux ELF · Electron / Tauri / CEF, every desktop runtime your team ships.

Evidence

Reverse-engineered proof-of-exploit and code-level fix guidance on every finding, with Ghidra, Frida, and x64dbg artefacts attached.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • AICPA SOC 2 Type II

Why a web pentest can't see this

Web testing stops at HTTP. The risk lives past the boundary.

Your web pentest reaches authentication, session, and the API. The same binary running on a workstation also reaches process memory, named pipes, the registry, the DLL search path, and the kernel. SecureLayer7 operators load your binary into Ghidra and Frida and report the chain that starts where the HTTP scope ends: DLL hijack to SYSTEM, hardcoded key in .data, IPC ACL bypass to a privileged service. Every finding is reproducible, code-level fixable, and re-tested before sign-off.

Two scopes from a single binary, a short cream arrow stops at HTTP labeled WEB SCOPE; a longer orange arrow extends through PROCESS, IPC, MEMORY, and KERNEL waypoints to a final BINARY SCOPE label.

IN SCOPE.

What lands in a thick-client engagement.

BINARY
Reverse + tamper

.NET, Java, native. Decompile, patch checks, anti-debug, packer bypass, runtime hooks.

STORAGE
Local data + config

Registry, AppData, plist, SQLite caches. Credentials, tokens, license keys at rest.

IPC
Between-process surface

Named pipes, COM, DCOM, gRPC. Privilege escalation through a parser the OS trusts.

NETWORK
Past the proxy

Custom protocols, cert pinning bypass, TLS downgrade, message tampering on the wire.

What we test —

Six desktop runtimes. One engagement.

Each runtime gets a manual reverse-engineering pass against its real attack surface — binary on disk, process in memory, IPC channels, and the backend it pairs with. Intensity is tuned per scope.

Windows native (PE / COFF)

DLL search-order hijacking, COM hijacking, Authenticode bypass, named-pipe and RPC ACL abuse, service / scheduled-task permission writes, registry hijacks, AppLocker / WDAC bypass, signed-installer write-paths to NT AUTHORITY\SYSTEM.
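A defender-side check for the on-disk precondition behind the DLL search-order hijack and signed-installer write-path findings above, as an added example that is not SecureLayer7's tooling. It assumes the listed principals stand for "any local user" and that it runs from an elevated PowerShell prompt so every service path and ACL is readable.

```powershell
# Added example, not SecureLayer7 tooling: list Windows services whose
# executable directory grants write rights to broad, low-privilege principals.
# A low-privilege user who can write there can plant a DLL the service loads
# first in its search order; the output is a list of directories to fix.

# Principals assumed to represent "any local user"; extend for your environment.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller drop or replace a file in the directory. ACEs that
# carry only unmapped generic rights (GenericWrite) are not matched here.
$writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'

function Get-ServiceExePath {
    param([string]$PathName)
    # Quoted path: take what sits between the quotes.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path: take up to the first ".exe" (an unquoted path with spaces
    # is itself worth recording as a finding).
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Find-WritableServiceDirs {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        $dir = Split-Path -Parent (Get-ServiceExePath -PathName $svc.PathName)
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [PSCustomObject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName   # SYSTEM here is the high-impact case
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableServiceDirs | Sort-Object Service | Format-Table -AutoSize
```

Each row names a directory whose ACL should be tightened (remove the write grant or move the binary under Program Files with inherited admin-only write), which closes the hijack path before any DLL is involved.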

.NET assemblies

dnSpy / ILSpy round-trip, hardcoded keys and connection strings in /resources, BinaryFormatter and ObjectStateFormatter deserialization gadgets, Json.NET TypeNameHandling abuse, reflection bypass, Strong-Name forgery, ClickOnce manifest tampering.

Java desktop (JAR / JavaFX)

JD-GUI / CFR decompile, signed-JAR replacement, classpath shadowing, Spring / Beanshell injection, JMX management exposure, Java RMI deserialization, native-library (JNI) hijack, hardcoded JDBC credentials in /META-INF.

macOS native (Mach-O)

DYLD_INSERT_LIBRARIES, weak-dylib hijack, codesign and hardened-runtime bypass, XPC service ACL abuse, TCC / privacy-prompt evasion, Keychain ACL misuse, sandbox escape via privileged helpers (SMJobBless, installerd).

Linux native (ELF)

LD_PRELOAD on SUID binaries, RPATH / RUNPATH abuse, .got and .plt write paths, systemd unit override, capability misuse, world-writable shared libraries, D-Bus policy bypass, namespace and cgroup escape.

Electron / Tauri / CEF

ASAR unpack, nodeIntegration leak across renderer-to-main IPC, contextIsolation bypass, custom-protocol handler abuse, autoUpdate signature bypass, Chromium-extension prototype pollution into Node, hardcoded tokens lifted from app.asar.

THICK-CLIENT METHODOLOGY.

Eight phases. Binary to backend protocol.

Threat-modelled to your runtime, your privilege boundary, and the attacker who can drop a binary on a workstation. Not a checklist we run against every desktop app.

01

Scope & threat-model

Runtime, signing model, IPC channels, privilege boundary, in-scope hosts and supporting services defined before any binary is touched.

02

Static reverse engineering

Binary disassembled in Ghidra, IDA, or Hopper. Strings, imports, embedded keys, suspicious calls, signing chain, and high-value functions enumerated.

03

Dynamic instrumentation

Frida, x64dbg, or lldb attached. Function hooking, runtime keylogging of cleartext secrets, traffic interception under TLS-pinning bypass, GUI-flow control.

04

IPC & privilege mapping

Named pipes, COM, XPC, D-Bus, RPC, sockets, registry hooks, and on-disk handoff paths exercised against the privilege boundary.

05

Local privilege escalation

DLL hijacking, ACL misuse on writable folders, service and scheduled-task abuse, weak-dylib search, LD_PRELOAD on SUID. Pushed to NT AUTHORITY\SYSTEM, root, or _securityd.

06

Network & backend pairing

Custom protocols decoded, server-side auth bypassed when client checks are forged, replay and MITM exercised against the binary's real backend.

07

Remediation guidance

Code-level fixes, Authenticode and notarization tightening, ACL diffs, secret-storage migration, IPC policy snippets. Written for the team that built the app.

08

Patch verification

Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each path is closed.

Meet our expert

One lead, binary to backend in scope.

Nivedita Singh

Security Advisor & Engagement Lead

10+

Years in offensive security

300+

Engagements led

99.7%

On-time delivery rate

Nivedita scopes thick-client engagements against your runtime, signing model, and privilege boundary. She guides the pod from kick-off through final report and re-test.

  • Scopes Windows, macOS, Linux, and cross-platform desktop engagements against your real privilege model.
  • Owns kick-off, mid-engagement check-ins, and a live walkthrough of every finding with a working PoC.
  • Drives remediation review and re-test until every binary-path finding is closed.
SL7 Lab. Published CVE research.

Ready to scope a thick-client pentest? Book 30 minutes with Nivedita to walk through your runtime, scope, and timeline.

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

FinTech

Trading workstations, treasury desktops, broker terminals.

HealthTech

EHR thick clients, imaging-viewer workstations, lab analyzer software.

Tech SaaS

Internal admin tools, on-premise SaaS clients, partner-installed applets.

Built for Singapore engagements

What changes when we deliver here.

  • Compliance scoping

    MAS Notice 644 clause references in every report

  • Regulatory framework

    Singapore-resident PII extraction reviewed against PDPA §13–§17

  • Local engagements

    Asset manager terminal — found stale TLS pinning skew across 4 regions

  • Local pricing

    SGD per-binary band, scoped by feature count

  • Compliance scoping

    TRM remediation-window tagging on every finding

Thick-client review questions from SG capital-markets firms.

  • Do you test against MAS Notice 644 capital-markets controls?

    Yes. The report cites Notice 644 sections covering system integrity, change control, and access. Auditors can match findings line-by-line.

  • Can you review trading terminals running on Windows and Citrix?

    Yes. We exercise local privilege paths, DLL hijacking, update-channel tampering, and Citrix breakout against the published terminal build.

  • How are findings prioritised for a TRM action plan?

    Each issue carries a TRM remediation-window suggestion: immediate, 30-day, or next release. MAS reviewers expect that scaffolding.

  • What about embedded SQLite or local cache data?

    We extract, decrypt, and inspect local stores for PDPA-regulated personal data and trading PII. Findings include the exact field and fix.

Delivery in Singapore

MAS Notice 644 desktop trading checks.

Thick-client review inspects local crypto, IPC, and update channels for trading and back-office desktops. Findings map to MAS Notice 644 capital-markets TRM expectations.

Direct line
+65-6000-0000
Office
Singapore

Frameworks scoped: MAS TRM · PDPA · PCI DSS · ISO/IEC 27001.

Sample thick-client pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full vulnerability narrative, working proof-of-exploit, code-level fix guidance. Sent on request after a 5-minute scoping call.