THICK CLIENT & DESKTOP APP PEN TESTING

CREST-Certified Thick Client and Desktop Application Penetration Testing for UK Businesses

Thick client penetration testing, also called desktop application or fat client testing, covers Windows, macOS, and Linux desktop apps. We test .NET, Electron, JavaFX, Qt, native C++, and modern frameworks: reverse engineering, IPC abuse, local privilege escalation, registry and file-system tampering, and binary-protection assessment.

  • Unlimited retesting
  • Unlimited pre-retesting
  • No hidden fees
Accredited & recognised
Cyber Essentials certified Cyber Essentials Plus certified IASME certifying body ISO 27001 certified ISO 9001 certified Crown Commercial Service supplier UK Cyber Security Council member
CREST
Approved provider
12
Thick client test categories
Free
Retest included
24h
Scope to active testing
CLIENT REFERENCE
“I would highly recommend EJN Labs to any organisation seeking reliable, detailed, and well-managed penetration testing services, particularly for government or enterprise-level projects.”
SquareOneImran SaghirProject Lead, SquareOne
CLIENT REFERENCE
“There wasn’t another company we could find that could deliver what we needed in the timeframe we needed. The client loved it, and we got instant ROI from the engagement.”
CelloriDan WilcocksonCo-Founder, Cellori
WHY IT MATTERS
85%

of thick clients ship without code obfuscation. Decompilation reveals hardcoded API credentials, custom auth, and embedded business logic.

Web app testing covers the browser. Mobile covers the device. Thick client covers the desktop.

Many regulated UK businesses still rely on thick-client desktop applications: banking back-office tools, claims-processing software, legal practice management, healthcare clinical systems, and manufacturing operations consoles. These applications face attack surfaces unfamiliar to web and mobile testing: local privilege escalation, IPC abuse, registry tampering, DLL hijacking, embedded credentials, and custom binary-protocol attacks.

Our thick client penetration testing covers Windows (.NET, Electron, native C++, Qt), macOS (Swift, AppKit, Electron), and Linux (Qt, Electron, GTK) desktop applications. Reverse engineering with IDA Pro, Ghidra, and dnSpy. Runtime instrumentation with Frida. Network-protocol analysis for custom binary protocols. Local privilege-escalation testing.

Reports satisfy ISO 27001 A.14.2, PCI DSS Req 6.5, and FCA SYSC requirements for desktop-deployed applications.

THICK CLIENT TEST CATEGORIES

What We Test in Thick Client Penetration Testing

Twelve categories spanning binary, runtime, IPC, network, and operating-system-layer attacks.

01

Reverse Engineering

IDA Pro, Ghidra, and dnSpy decompilation. Binary structure analysis, hardcoded credential extraction, and custom obfuscation defeat.

02

Runtime Instrumentation

Frida runtime hooking, method tracing, memory analysis, live modification of executable state, and protection-bypass validation.

03

IPC & Named Pipes

Inter-process communication abuse. Named-pipe authentication, Unix-socket permissions, COM/DCOM access, and D-Bus security.

04

Local Privilege Escalation

Service-account exploitation, DLL hijacking, registry and file-permission abuse, scheduled-task injection, privileged-service vulnerabilities.

05

Network Protocol

Custom binary protocol analysis with Wireshark dissectors, MITM, protocol fuzzing, certificate validation, and mutual-TLS bypass.

06

Local Storage

Encrypted local-database review (SQLite, LevelDB, IndexedDB), encryption-key extraction, and sensitive-data residue.

07

Auto-Update Mechanism

Update-channel security, signed-binary validation, update-server impersonation, downgrade attacks, and auto-update RCE chains.

08

Authentication

Local authentication bypass, credential-storage review (Credential Manager, Keychain), single sign-on integration, and MFA enforcement.

09

Configuration Storage

Registry, plist, and config-file security, encrypted-configuration validation, and configuration-tampering detection.

10

Dependency Audit

DLL, framework, and .NET-assembly dependency review, supply-chain risk, outdated-component CVEs, and vulnerable runtime versions.

11

Anti-Tampering

Code-signing validation, anti-debug measures, runtime-integrity checks, anti-RE protection effectiveness, and custom-packer defeat.

12

Side-Channel

Memory dumping, swap-file residue, process-memory inspection, and Windows ETW / macOS unified-logging exposure.

FOUR-PHASE METHODOLOGY

Thick Client Pen Testing: From Binary to Backend

Multi-layer thick-client testing requires reverse engineering, runtime analysis, IPC review, and backend-integration assessment.

01

Recon & Static Analysis

Binary inventory, dependency audit, file and registry installation footprint, signing-certificate review, and automated AV detection.

02

Reverse Engineering

IDA Pro, Ghidra, and dnSpy decompilation, hardcoded-credential extraction, custom-protocol analysis, and anti-debug measure assessment.

03

Runtime & IPC

Frida instrumentation, IPC enumeration, local privilege-escalation testing, network-protocol fuzzing, and MITM where TLS is used.

04

Backend & Report

Server-side validation testing, custom-protocol replay, CVSS-scored findings, executive and technical reports, free retest within 30 days.

CREDENTIALS

Verified Accreditations Auditors Accept

Every credential below is independently verifiable. UK procurement teams, FCA supervisors, ISO 27001 / SOC 2 auditors, and cyber insurance underwriters all recognise these standards.

GET YOUR QUOTE

Get a fixed Thick Client pen test quote in 24 hours

A fixed-price quote back in one business day, from a named CREST assessor. No sales pipeline, no chasing.

  • CREST and IASME accredited. Testing your auditors and clients already recognise.
  • Fast-track testing within 24 hours where required. Free retest of every fix included.
  • Live findings via your client portal, not a four-week PDF.
  • Fixed price from £3,500 for a single-role, single-app scope, agreed up front. Most engagements run £5,000 and up. No day-rate surprises.
What clients say
There wasn’t another company we could find that could deliver what we needed in the timeframe we needed. The client loved it, and we got instant ROI from the engagement.
CelloriDan WilcocksonCo-Founder, Cellori

Under NDA Further named references available on a scoping call.

What happens next
  1. We reply within one business day with a fixed-price quote from a named CREST assessor.
  2. You approve the scope and we book a start date, usually within 24 hours.
  3. Live findings land in your client portal as we test, with a free retest of every fix.
Accredited & recognised
CREST member Cyber Essentials certified Cyber Essentials Plus certified IASME certifying body ISO 27001 certified ISO 9001 certified UK Cyber Security Council Crown Commercial Service supplier

Get your fixed pen test quote in 24 hours

24h reply CREST tester Free retests

or book a 20-min scoping call first

We reply within one business day. Your data stays with us. No newsletter signup.

COMPLIANCE READY

Thick Client Reports Mapped to Every Framework

Findings tagged to OWASP ASVS verification IDs where applicable, and to your specific compliance-framework controls.

OWASP ASVS V14

Configuration-architecture and dependency requirements particularly relevant for desktop applications.

ISO 27001

Annex A.12.6.1 vulnerability management and A.14.2 secure development for desktop-deployed apps.

PCI DSS

Req 6.5 secure development including thick-client payment applications. Req 11.3 testing scope.

FCA SYSC

Operational Resilience evidence for desktop-deployed financial applications, particularly for treasury and trading systems.

NHS DSPT

Clinical desktop systems, EHR thick clients, and NHS-supplier desktop applications.

SOC 2 Type II

CC7.1 vulnerability identification and CC8.1 change management for desktop-deployed software.

PRICING

Transparent Thick Client Penetration Testing Pricing

All tiers include reverse engineering and runtime instrumentation. Price varies by application complexity and platform breadth.

✦ ALWAYS · ON EVERY TIER · NO EXCEPTIONS ✦
Free retests, no time limit
Free rescheduling
No cancellation fees
24-hour scope to active testing
Live findings to client portal
Executive + technical report
60-min walkthrough call
Letter of attestation
SMALL
£5,000–£9,000
Depends on app complexity

Single platform (Windows or macOS), basic application, up to 5 IPC interfaces, single backend integration. Typically 5-7 day engagement.

Get a fixed quote
ENTERPRISE
£18,000+
Depends on app complexity

Enterprise desktop (Windows + macOS + Linux), complex business logic, custom binary protocols, hardware integration. Typically 12-15+ day engagement.

Get a fixed quote

Full UK pen test cost guide

WHY EJN LABS

What You Actually Get

What distinguishes our service from automated scans and box-tick competitors.

What You Get From Thick Client Testing

Reverse engineering, runtime instrumentation, IPC-abuse testing, local privilege escalation, custom-protocol analysis, and free retest within 30 days.

Reverse Engineering Specialism

IDA Pro, Ghidra, dnSpy, and Frida. Custom obfuscation defeat, anti-tamper bypass, and hardcoded-credential extraction across .NET, C++, Java, and Electron stacks.

Multi-Platform Coverage

Windows (.NET, native, Electron), macOS (Swift, AppKit, Electron), and Linux (Qt, GTK, Electron). Where applicable, all three platforms in one engagement.

OWASP ASVS V14 Aligned

Findings pre-mapped to ASVS verification IDs. Audit-grade evidence for ISO 27001 A.14.2 and PCI DSS Req 6.5.

UK CREST + IASME + ISO 27001 + ISO 9001

Independently accredited. UK-based reverse-engineering specialists. Reports accepted by FCA, NHS, and regulated-financial auditors.

Specialist Reverse-Engineering Team

A small, dedicated reverse-engineering team rather than rotating generalists, with practical experience across packers, obfuscators, and custom binary protocols.

FAQ

Frequently Asked

What is thick client penetration testing?

Thick client penetration testing (also called desktop application or fat client testing) is the security assessment of desktop-installed applications across Windows, macOS, and Linux. It covers attack surfaces unique to desktop apps: local privilege escalation, IPC abuse, reverse engineering, custom binary protocols, registry and file-system tampering, and binary protection.

How is thick client testing different from web and mobile?

Web testing covers the browser, mobile covers the smartphone, and thick client covers the desktop. Different attack surface (local privilege escalation, IPC, custom protocols), different tooling (IDA Pro, Ghidra, Frida, Wireshark dissectors), and a different threat model: a local attacker has more capabilities than a remote web attacker.

What platforms do you test?

Windows (Win32, .NET / C# / VB.NET, native C++, Electron, Qt, JavaFX), macOS (Swift / Objective-C / AppKit, Electron, Qt), and Linux (Qt, GTK, Electron). Multi-platform applications can be tested on all platforms in one engagement.

What frameworks do you cover?

.NET / C# / VB.NET, Electron (Node.js plus Chromium), JavaFX, Qt (cross-platform), Win32, native C++, native macOS Swift / Objective-C, and Linux GTK. Less common frameworks (Tcl/Tk, wxWidgets, Avalonia) on request.

How long does thick client testing take?

Small (single platform, basic app): 5-7 working days. Mid-market (multi-platform, custom protocols): 8-12 days. Enterprise (complex business logic, hardware integration, multi-platform): 12-15+ days. Test duration is determined during scoping based on application complexity.

How much does thick client penetration testing cost in the UK?

Small £5,000-£9,000. Mid-market (most commonly commissioned) £9,000-£18,000. Enterprise £18,000+. UK day rates for CREST-certified reverse-engineering specialists are £1,100-£1,400 per day.

Do you test custom binary protocols?

Yes. Custom binary-protocol analysis is a core thick-client capability. We use Wireshark with custom dissectors, Frida for runtime hooking, and protocol-fuzzing tools (boofuzz, custom fuzzers) to analyse and exploit proprietary protocols common in financial trading, industrial control, and legacy enterprise systems.

Do you do reverse engineering?

Yes. Reverse engineering is core to thick-client testing. IDA Pro, Ghidra, and Binary Ninja for native code. dnSpy / dotPeek / ILSpy for .NET. JD-GUI / CFR for Java. Custom obfuscation defeat, anti-debug bypass, and hardcoded-credential extraction. We retain reverse-engineering specialists with practical experience.

Can you test against custom obfuscation and packers?

Yes. Custom obfuscation and packer defeat is part of advanced thick-client engagements. VMProtect, Themida, ConfuserEx, Eazfuscator, Dotfuscator, ProGuard, and custom packers have all been encountered in past engagements. Time investment varies and is quoted during scoping.

Do you test the backend and server side?

Yes. Where the thick client communicates with backend services (commonly via REST APIs, SOAP, or custom binary protocols), we test the server side as part of the engagement. This is necessary because thick clients often trust the server implicitly, and server-side validation flaws are a common finding.

Are your testers UK-based?

Yes. UK-based reverse-engineering specialists. SC-cleared testers available for public-sector and regulated-financial engagements. Reverse engineering is a specialist skillset; we maintain a small dedicated team rather than rotating generalists.

Do you sign NDAs?

Yes. Standard NDA before any binary access. We operate under a project-specific master agreement that includes binary IP protection, post-engagement binary destruction, and embargo periods for findings, particularly important for proprietary thick-client applications.

EXPLORE EVERY SERVICE

20+ CREST-certified testing services in one place

Web, mobile, API, cloud, AI, infrastructure, red team. Pick the test that fits your environment.

Penetration testing services
READY TO START

Get a fixed Thick Client pen test quote in 24 hours

A CREST-certified reverse-engineering specialist will contact you within one business day with a fixed price, a realistic timeline, and the named consultant. No sales pipeline.