Qilin Lab
Web App · API · Cloud Penetration Test

Full White-Hat Pen Test of Your Web App + APIs $97

By the engineers who audit fintechs and SaaS startups for pre-funding due diligence.

Manual review by senior engineers — not just an automated scanner. OWASP Top 10 · API authentication · session security · cloud config · leaked secrets. 15-page severity-rated report + 30-min walkthrough with a senior engineer.

100+ businesses audited
Senior engineers only
Report in 7 business days
✓ 100% refund — we've never been asked for one.
Sample Report

Here's What You'll Actually Receive

A real 15–25 page report. Every issue rated by severity and explained in plain English — with exact steps to fix each one.

Security_Audit_Report_Confidential.pdf

CONFIDENTIAL

SECURITY AUDIT REPORT

Prepared by Qilin Lab  ·  Reference: QL-2024-0142

Date: May 2026

Scope: Web App · API · Cloud Infra

Total Findings: 25 (3 Critical · 7 High · 11 Medium · 4 Low)

3. Vulnerability Findings

QL-2024-001  ·  CRITICAL  ·  CVSS 9.8

Broken Authentication — Password Reset Flow

The password reset endpoint does not verify ownership of the email address before issuing a reset token. An unauthenticated attacker can reset the password of any registered user account and gain full access.

QL-2024-002  ·  HIGH  ·  CVSS 8.2

Unauthenticated API Endpoint Exposing Customer PII

GET /api/v1/users returns a paginated list of all registered users including full name, email address, phone number, and registration date without requiring any authentication or authorization headers.

QL-2024-003  ·  HIGH  ·  CVSS 7.5

No Rate Limiting on Login — Brute Force Possible

The POST /auth/login endpoint does not implement rate limiting, account lockout, or CAPTCHA verification. An attacker can perform unlimited automated credential stuffing attacks against any account.

— 22 more findings in your full report —

Qilin Lab  ·  qilinlab.com  ·  hello@qilinlab.com

Page 5 of 22  ·  Confidential

Standards We're Committed To

We hold ourselves to the same standards we audit you against.

GDPR Ready  ·  EU data protection  ·  Compliant

DPDP 2023  ·  India data protection act  ·  Compliant

SOC 2  ·  Type II framework  ·  Aligned

ISO 27001  ·  Information security management  ·  Aligned

Deliverables + Scope

What You Get + What We Check

Your Deliverables

01  Full website scan — every page, every weak spot

02  OWASP Top 10 review — the 10 most common attack patterns

03  Server + cloud configuration check — no exposed defaults

04  Plain-English report telling you exactly what to fix and in what order

05  30-minute walkthrough call with a senior security engineer

What We Audit

🔐 Login & User Security

Auth bypass + brute-force resistance

Session hijacking + impersonation

Sensitive data encryption + masking

Password policy + MFA strength

☁️ Cloud & Server Setup

AWS / GCP / Azure misconfigurations

Leaked API keys / secrets in code

Security headers + TLS config

Email domain protection (SPF / DKIM / DMARC)

🔗 APIs & App Connections

IDOR + broken object-level auth

Rate limiting + DoS resistance

SSO (Google / Apple / SAML) hardening

Hidden endpoints + auth-bypass paths

100+ businesses audited across fintech, healthtech, edtech, and retail

From regulated lenders in India to telecom carriers in Singapore to portfolio platforms in Switzerland.

Spend The Bits
Eduley
AllIndex
Violet LMS
Canco Petroleum
ICS Mobile
Kashti FinServ
EcoProcurer
Rainbow Financial
FuturaPay
Open Door Education
Red Bridge Academy
Zap Build
FinB
Fixerra
FPT Software
Markchem
Eatverse
Why $97?

$5,000–$15,000

Traditional pen test

$97

Qilin Lab audit

Same expert engineers. Focused scope. We skip the corporate overhead and pass the savings directly to you. It's a real, manual audit — not an automated scan.

What our clients say

Real audits. Real businesses. Real results.

The audit flagged a session token vulnerability in our crypto wallet — had that gone live, any user's funds could have been stolen. We were two weeks from launch. The $97 we paid probably saved us from a seven-figure liability.

Jaskaran Kambo  ·  CEO · Spend The Bits

Critical vuln caught pre-launch

We were three weeks from our regulatory review when the audit found gaps in how we stored borrower data. We fixed them in time. The regulator found nothing. That report may have saved our lending licence.

Ayush Somani  ·  Kashti FinServ

Passed regulatory review clean

Three senior engineers had reviewed our platform. Qilin still found API endpoints leaking one client's portfolio data to another. Fixed before any institutional client noticed. That's the kind of issue that ends companies.

Christian Kronseder  ·  Head of Americas · Allindex AG

Cross-account data leak closed

Who leads your audit

Aditya Agarwal

Founder, Qilin Lab · Leads the audit team

Your audit is performed by a senior security engineer hand-picked and trained by Aditya himself. The team has spent 10+ years securing infrastructure for fintechs, lenders, and SaaS platforms across India, Canada, Singapore, and Switzerland — together auditing 100+ businesses, from early-stage startups to companies processing thousands of financial transactions a day.

Aditya is the author of AWS Profit Playbook — a cloud security guide used by engineering teams across Asia. He built and leads the team that audits your site.

10+ years in cloud & security
35+ engineers
100+ businesses audited
Author · AWS Profit Playbook

Frequently Asked Questions

It's a real, manual audit done by our security engineers — not a software scan. Traditional penetration tests cost $5,000–$15,000 because they involve weeks of consulting overhead. We've stripped that down to a focused, expert review at a price any business can afford. Our full-scale audit normally starts at $2,500.

We check whether someone could break into your website, steal your customer data, access things they shouldn't, or bring your site down. Think of it like a home inspection — but for your online business. We cover login security, your server setup, your APIs, and how your data is stored and protected.

We'll clearly explain what's wrong, how serious it is, and tell you exactly what to fix first. You also get a 30-minute call with a senior security engineer to walk through it in plain English. If you need help fixing things, we can do that too — at a separate cost.

Our team of security engineers, led by Aditya Agarwal — founder of Qilin Lab and author of the AWS Profit Playbook. The same team that has audited 100+ businesses across fintech, healthtech, edtech, and retail. They're trained to think like attackers — but they work for the good guys.

100% refund, no questions asked. We've been doing this since 2019 and have never been asked for one — but the guarantee stands.

Get Your Security Audit

Fill out 3 fields. That's it.

Less than your monthly OTT subscription. But it saves your entire business, not just your weekend.

Qilin Lab

© 2026 Qilin Lab. All Rights Reserved.