VAPT

Authorised testing with evidence your team can fix from.

Citual performs scoped vulnerability assessment and penetration testing for web apps, APIs, authentication flows, authorization controls, business logic, and cloud-connected surfaces.

Delivery map

What we clarify before execution

1. Define scope, rules of engagement, test windows, exclusions, and communication paths.

2. Test high-risk application areas using manual review, tooling, evidence capture, and business-flow analysis.

3. Report findings with severity, reproduction, business impact, remediation guidance, and retest options.

Service coverage

What the assessment covers

Testing is tailored to the application and its risk context: not every checklist item applies to every target, but every reported finding comes with evidence that is clear enough to reproduce.

Attack Surface Mapping

Entry points, authentication routes, exposed endpoints, public assets, sensitive flows, and cloud-facing interfaces.

Authentication and Authorization

Login, reset, session handling, role boundaries, privilege escalation, object access, and tenant isolation checks.
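The object-access and tenant-isolation checks above come down to one differential test: request the same object with the owner's session and with a session from another tenant or a lower role, then compare what comes back. The following is an added example written for this page, not Citual's tooling. Its endpoint paths, tokens and invoice records are hypothetical, and the in-memory `fake_send` responder stands in for the target so the harness runs offline; in an engagement `send` would wrap the HTTP client and the agreed test accounts instead.

```python
"""Differential authorization check for object access and tenant isolation.

Added example; not the page's or Citual's code. `send` is pluggable so the
same harness runs against the constructed responder below (offline) or,
in an engagement, against an in-scope host using the agreed test accounts.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]                         # (status_code, body)
Sender = Callable[[str, Dict[str, str]], Response]


@dataclass
class Session:
    name: str
    tenant: str
    headers: Dict[str, str]


def check_object_access(send: Sender, path: str, owner: Session, other: Session) -> dict:
    """Replay one object request as the owner and as a second principal.

    pass  -> the other principal is denied (401/403/404)
    fail  -> the other principal gets a 2xx; 'high' if the body is identical
             to the owner's view (full read of someone else's object)
    inconclusive -> the owner could not read it either, so nothing to compare
    """
    owner_status, owner_body = send(path, owner.headers)
    other_status, other_body = send(path, other.headers)
    if owner_status != 200:
        return {"path": path, "status": "inconclusive", "reason": f"owner got {owner_status}"}
    if other_status in (401, 403, 404):
        return {"path": path, "status": "pass"}
    return {
        "path": path,
        "status": "fail",
        "severity": "high" if other_body == owner_body else "medium",
        "other_status": other_status,
        "cross_tenant": owner.tenant != other.tenant,   # isolation vs. role boundary
    }


def run_checks(send: Sender, paths: List[str], owner: Session, other: Session) -> List[dict]:
    return [check_object_access(send, p, owner, other) for p in paths]


# ---- Constructed stand-in for the target (hypothetical data and paths) ----
# Two invoice endpoints: the first only checks that the caller is logged in,
# the second also scopes the lookup to the caller's tenant.
_USERS = {"tok-acme-alice": "acme", "tok-globex-bob": "globex"}
_INVOICES = {"1001": {"tenant": "acme", "total": "4200.00"},
             "1002": {"tenant": "globex", "total": "310.50"}}


def fake_send(path: str, headers: Dict[str, str]) -> Response:
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    if token not in _USERS:
        return 401, '{"error":"unauthenticated"}'
    caller_tenant = _USERS[token]
    parts = path.strip("/").split("/")
    scoped = parts[:2] == ["api", "v2"]            # /api/v2/... is the fixed route
    inv = _INVOICES.get(parts[-1])
    if inv is None or (scoped and inv["tenant"] != caller_tenant):
        return 404, '{"error":"not found"}'        # same answer for missing and foreign
    return 200, f'{{"id":"{parts[-1]}","total":"{inv["total"]}"}}'


ALICE = Session("alice", "acme", {"Authorization": "Bearer tok-acme-alice"})
BOB = Session("bob", "globex", {"Authorization": "Bearer tok-globex-bob"})
PATHS = ["/api/invoices/1001", "/api/v2/invoices/1001"]

if __name__ == "__main__":
    for finding in run_checks(fake_send, PATHS, ALICE, BOB):
        print(finding)
```

Two points from practice are built in: the owner request is sent every time so a 404 on the second session is only a pass when the object really exists, and `cross_tenant` records whether the failure crossed a tenant boundary or only a role boundary, since the two carry different business impact in the report.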

Input and Business Logic Testing

Injection, XSS, CSRF, file handling, rate limits, workflow abuse, payment or approval bypass, and sensitive data exposure.

Configuration Review

Security headers, storage exposure, environment leaks, debug settings, CORS, transport security, and deployment hygiene.
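Most of the configuration items listed above can be read straight off a single captured HTTPS response, which is why they are usually the first pass of a review. Below is an added example for this page, not Citual's tooling: a checker that takes a list of response headers and the Origin the tester sent, and returns checklist findings for transport security, security headers, cookie flags, CORS reflection and version or debug leaks. Both header sets are constructed for illustration; `probe_origin` is assumed to be an origin the tester controls, so a matching Access-Control-Allow-Origin means the server reflects arbitrary origins.

```python
"""Quick configuration review of one HTTPS response.

Added example; not the page's or Citual's code. Headers are a list of
(name, value) pairs so repeated Set-Cookie headers survive. The sample
responses at the bottom are constructed; in an engagement they come from
the proxy history.
"""
import re
from typing import List, Tuple

Header = Tuple[str, str]
ONE_YEAR = 31536000


def _all(headers: List[Header], name: str) -> List[str]:
    return [v for k, v in headers if k.lower() == name]


def review_response(headers: List[Header], probe_origin: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    def first(name: str) -> str:
        return (_all(headers, name) or [""])[0]

    findings: List[str] = []

    # Transport security: HSTS present, long enough, covering subdomains.
    hsts = first("strict-transport-security")
    if not hsts:
        findings.append("transport: missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("transport: HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("transport: HSTS without includeSubDomains")

    # Security headers: CSP, MIME sniffing, framing.
    csp = first("content-security-policy")
    if not csp:
        findings.append("headers: missing Content-Security-Policy")
    if first("x-content-type-options").lower() != "nosniff":
        findings.append("headers: missing X-Content-Type-Options: nosniff")
    if not first("x-frame-options") and "frame-ancestors" not in csp:
        findings.append("headers: no framing protection (X-Frame-Options or CSP frame-ancestors)")

    # CORS: reflecting the tester's origin together with credentials is the
    # exploitable combination; 'null' with credentials is the sandbox variant.
    acao = first("access-control-allow-origin")
    creds = first("access-control-allow-credentials").lower() == "true"
    if acao == probe_origin and creds:
        findings.append(f"cors: arbitrary origin {probe_origin} reflected with credentials")
    elif acao == "null" and creds:
        findings.append("cors: 'null' origin allowed with credentials")

    # Cookie flags: parse attributes after the name=value pair, not the value.
    for cookie in _all(headers, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        flags = {p.strip().lower().split("=")[0] for p in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in flags:
                findings.append(f"cookies: {name} lacks {flag}")

    # Environment and version leaks, debug tooling left enabled.
    if first("x-powered-by"):
        findings.append("leak: X-Powered-By reveals framework")
    if re.search(r"\d", first("server")):
        findings.append("leak: Server header reveals version")
    if first("x-debug-token"):
        findings.append("leak: debug profiler header present")
    return findings


# ---- Constructed sample responses (hypothetical hosts and values) ----
PROBE_ORIGIN = "https://attacker.example"

WEAK = [
    ("Server", "nginx/1.18.0"),
    ("X-Powered-By", "Express"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Access-Control-Allow-Origin", "https://attacker.example"),
    ("Access-Control-Allow-Credentials", "true"),
]

HARDENED = [
    ("Server", "nginx"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Access-Control-Allow-Origin", "https://app.example"),
    ("Vary", "Origin"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, review_response(resp, PROBE_ORIGIN) or "no findings")
```

The output is a list of strings on purpose: each line maps to one evidence-pack entry (affected endpoint, observed header, expected value), and the same function run after remediation gives the retest status without re-deriving the checklist.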

Evidence Pack

Screenshots, affected endpoints, reproduction steps, risk explanation, affected roles, and remediation hints.

Retest and Closure

Retesting of agreed critical fixes with updated status and residual-risk notes.

How we work

Testing that respects production reality

The point is not to produce a long document and disappear. We map the operating reality, show the evidence, and turn it into a sequence your team can execute.

01. Agree scope, access, test accounts, data handling, safety limits, and escalation contacts.

02. Run discovery, manual testing, targeted tooling, and business-flow abuse checks.

03. Validate findings to reduce noise and explain the business impact clearly.

04. Review the report with engineering and leadership, then retest agreed remediations.

What the buyer sees

What the VAPT deliverable includes

Each engagement should leave the business with fewer unknowns, better prioritisation, and enough documentation to act without confusion.

Executive summary.

Technical findings.

Reproduction steps.

Severity and business impact.

Fix recommendations.

Retest status where agreed.

Decision layer

The report should make fixing easier

A useful VAPT report does not stop at naming vulnerabilities. It shows where the issue exists, why it matters, how to reproduce it safely, and what the engineering team should change.

Evidence-led findings rather than generic scanner dumps.
Business logic and tenant isolation included where relevant.
Clear owner, priority, and validation state for each issue.

Research-backed thinking

OWASP WSTG

The OWASP Web Security Testing Guide (WSTG) is used as the reference for web application testing categories and for the evidence-oriented structure of each test.


Evidence over noise

Validated findings and reproducible proof help teams act faster and reduce remediation confusion.

Remediation tracking

Critical findings should move through owner, fix, validation, and closure states.

Next step

Start with a focused assessment.

We will clarify scope, evidence, effort, and priority before recommending a larger implementation.

Discuss VAPT Scope