Penetration testing (pentest)

A security assessment that actively tries to exploit your app the way a real attacker would, then reports what it found.

A penetration test goes beyond scanning for known issues: it actively attempts to exploit your application, chaining weaknesses to see what an attacker could really reach. The output is a report of confirmed findings, usually with severity ratings, evidence, and steps to reproduce, rather than a list of theoretical warnings.

For a founder, a pentest is how you find out whether your product is safe to put in front of customers, before they (or an attacker) find out for you. The catch has traditionally been cost and turnaround: a human engagement runs into the thousands and takes weeks. "How much a pentest costs" covers the real numbers, and "How to pentest your web app before launch" walks through the process.

Kalit Pentest runs an autonomous, non-destructive pentest with CVSS findings, evidence, and remediation, sized for a pre-launch budget.