Penetration Testing for SaaS Companies (SOC 2 & ISO 27001 Ready)

SECTOR — SAAS & CLOUD

Penetration testing for UK and international SaaS companies, covering SOC 2 Type I and Type II evidence, ISO 27001 Annex A.12.6.1 vulnerability management, multi-tenant security boundaries, API authentication, and role escalation. CREST-certified.

CREST: Approved Provider

SOC 2: Type I & II Ready

ISO 27001: BSI-Audited

24h: Scope to Active Test

AUDIT CONTEXT

What SOC 2 and ISO 27001 Auditors Expect


Multi-Tenant Boundaries

SOC 2 CC6 and ISO 27001 A.9 require demonstrable tenant isolation. Pen testing validates that one tenant cannot reach another tenant’s data through application logic, API auth flaws, or shared infrastructure.


Annual Re-Test

SOC 2 Type II requires annual evidence; ISO 27001 Annex A.12.6.1 requires regular vulnerability management. Most SaaS firms commission one full pen test annually, plus targeted retests after major releases.


Auditor-Ready Reporting

SOC 2 control narratives and ISO 27001 SoA mappings sit directly inside our reports. Your auditor receives the evidence with control references already attached, no translation work required.

SCOPE

What We Test for UK SaaS Companies

PRODUCT SURFACE

Web Applications

Multi-tenant logic, role-based access control, IDOR across tenant boundaries, business-logic flaws, and OWASP Top 10 manual exploitation.


APIs

REST & GraphQL

OWASP API Top 10. JWT/OAuth flow scrutiny, broken object-level authorisation, mass assignment, rate limiting, and tenant-data scoping.


CLOUD

AWS / Azure / GCP

CIS Benchmark-aligned configuration review. IAM, S3/Storage, KMS/Key Vault, secrets management, and segregation testing for multi-tenant deployments.


CODE

Secure Code Review

Manual review against OWASP top patterns, hard-coded secrets, unsafe deserialisation, cryptographic misuse, and supply-chain dependency vulnerabilities.


CONTINUOUS

Attack Surface Monitoring

Continuous external surface discovery. New asset detection, exposed services, certificate monitoring, and credential leak detection between annual tests.


SOCIAL

Phishing Assessments

Targeted campaigns against engineering and admin users, covering credential harvesting, MFA bypass, and OAuth phishing, to simulate SaaS-platform compromise scenarios.


OUR ACCREDITATIONS

Verified Credentials That Matter to UK SaaS Companies

SaaS procurement gates and SOC 2 / ISO 27001 auditors expect penetration testing evidence to come from accredited providers. Our credentials below sit directly inside SOC 2 Type II evidence packs, ISO 27001 Stage 2 audits, and customer-tier vendor due-diligence questionnaires.

CREST Member

CREST membership is increasingly cited in customer security questionnaires (TPRM tools, vendor risk assessments). For SaaS firms targeting enterprise procurement, having a CREST-certified pen testing partner shortens the due-diligence cycle.

IASME Cyber Essentials Body

Cyber Essentials Plus is a recurring requirement in UK SaaS-procurement gates and cyber insurance applications. As an IASME-approved certification body, we deliver both the pen testing and the certification in a single engagement.

ISO 27001 (BSI)

Our ISO 27001 (BSI-audited) certification demonstrates that EJN protects engagement data to the same standard SaaS customers expect of you. ISO 27001 customers will request our certificate during vendor onboarding.

ISO 9001 (BSI)

ISO 9001 (BSI-audited) demonstrates our delivery quality management system. SaaS firms with multi-jurisdiction customer commitments value ISO 9001 evidence as part of operational-resilience documentation.

UK Cyber Security Council

Corporate Membership of the UK Cyber Security Council confirms our testers operate to the UK government-backed professional standard, supporting SaaS firms whose customers include UK public-sector or regulated buyers.

Crown Commercial Service

We are a Crown Commercial Service supplier (G-Cloud framework). For SaaS firms targeting UK central or local government customers, our CCS supplier status is a procurement-tier accelerator.

OUR PROCESS

From Scope to Attestation in 4-6 Weeks

Step 01: Scoping Call

30-minute technical scoping call. Define attack surface, methodology, rules of engagement, and timeline. Fixed-price quote within 24 hours.

Step 02: Active Testing

3-15 days of hands-on testing by CREST-certified pen testers. Daily status updates and live findings delivered to your client portal.

Step 03: Reporting

Executive summary plus full technical report with CVSS scores, reproduction steps, screenshots, and specific remediation. 60-minute walkthrough call.

Step 04: Free Retest

After remediation, we retest at no extra charge. Letter of attestation provided for audit, regulator submission, or insurance underwriting.

COMPLIANCE READY

Reports Aligned to Every Framework

Findings map to specific control references in each framework, so your audit team submits the report directly without translation work.

SOC 2 Type I & II

CC6 logical access, CC7 system operations, CC8 change management evidence.

ISO 27001

Annex A.12.6.1 vulnerability management plus A.9 access control validation.

UK GDPR / EU GDPR

Article 32 effectiveness testing, customer-data security controls.

NIST CSF

Identify-Protect-Detect-Respond mapping for SaaS deployments.

CCPA / HIPAA

For SaaS processing US customer data, controls aligned to relevant US regulations.

Cyber Essentials Plus

Direct certification through our IASME body status.

PRICING

Indicative Engagement Pricing

Fixed-price quotes confirmed during scoping. Free retest, executive summary, walkthrough call, and letter of attestation included.

Single SaaS application

£7,000 – £20,000 depending on multi-tenant complexity, role hierarchy, and authentication patterns.

Web + API combined

£12,000 – £35,000 covering frontend, backend APIs, and integration test paths.

Continuous testing programme

£3,500 – £15,000 / month covering attack surface monitoring, quarterly scoped tests, and incident retainer.


FAQ

Frequently Asked

Do you support SOC 2 Type II evidence collection?

Yes. Our reports include SOC 2 Trust Services Criteria mappings (CC6, CC7, CC8) ready for auditor review. We can also provide a control narrative document tailored to your specific Type II audit period.

Can you test our development pipeline?

Yes. CI/CD pipeline review covers secret scanning, dependency vulnerabilities, build provenance, and access controls on the deployment toolchain. SLSA framework alignment optional.

Multi-region SaaS testing?

We test the global production deployment from a UK origin, plus targeted scenarios from regional perspectives where geo-aware controls (data residency, regional API gateways) need validation.

How do you handle production data during testing?

We require a non-production environment that mirrors production data structures with synthetic or masked PII. For limited production testing, we operate only with explicit authorisation from your organisation, a restricted scope, and real-time coordination with your SOC.

Do you test customer integrations / webhooks / OAuth?

Yes. Webhook signature validation, OAuth flow scrutiny (PKCE, state parameter, redirect URI validation), and customer-tenant integration boundaries are core to SaaS engagement scope.

Time to ship a new SOC 2-ready report?

Typical SOC 2-aligned engagement: scoping (week 1), active testing (week 2-3), reporting (week 4), free retest after remediation (week 5-7). Most SaaS clients receive auditor-ready evidence within 6 weeks.

Continuous vs annual testing?

If you ship code weekly or daily, annual testing is insufficient to meet the spirit of ISO 27001's vulnerability-management control. We offer continuous attack surface monitoring plus quarterly scoped tests for high-velocity teams. See our attack surface monitoring service.

Book a SaaS Scoping Call

30 minutes with a CREST-certified pen tester. Fixed-price quote within 24 hours.