PREMIUM · 3RD-PARTY · NDA AVAILABLE

Security audit + malware scan, done by humans.

We audit websites, web apps, mobile apps, REST APIs, and the hosting underneath them as an independent 3rd party — by hand, by senior engineers, with a written report your board can read and your engineers can act on.

  • Mutual NDA before any data shared
  • Manual review — no off-the-shelf SaaS
  • Written report + remediation plan

WHAT WE AUDIT

From the marketing site to the production stack.

We audit each surface separately and tie the findings together. You get one report, prioritised by severity, with a fix-plan that respects your release cycle.

Marketing websites

WordPress, static sites, headless CMS frontends. Theme + plugin CVE check, malware + webshell hunt, header hardening, page-level XSS / injection.

Web applications

SaaS dashboards, internal tools, multi-tenant platforms. OWASP Top 10, auth + session, CSRF, multi-tenant isolation, file uploads, role abuse paths.

Mobile apps

iOS & Android (native + React Native / Flutter). Static binary analysis, runtime traffic inspection, certificate pinning, keychain / shared-prefs review, API surface.

REST & GraphQL APIs

Auth flows, rate limiting, IDOR, mass-assignment, JWT integrity, schema introspection, error-message leakage, dependency CVEs.

WordPress installs

Specialist WP hardening pass. SECP-grade audit: core checksum verify, SQL-injected admin hunt, mu-plugin review, XML-RPC + REST surface, .htaccess + uploads denylist.

Hosting infrastructure

Shared host (cPanel / Plesk) or VPS / cloud. SSH + sudoer audit, exposed ports, firewall config, MySQL bind address, expired certs, publicly exposed .env files / .git directories.

COVERAGE

What’s actually in the report.

Each finding is scored (Critical / High / Medium / Low) with reproduction steps, affected scope, and a remediation pointing at code or config — not just a generic OWASP reference.

Application surface

  • OWASP Top 10 (injection, broken auth, sensitive data exposure, XXE, broken access, security misconfig, XSS, deserialization, vulnerable components, logging)
  • CSRF + clickjacking + SSRF
  • Multi-tenant data leakage / IDOR
  • File upload + binary handling
  • 3rd-party JS supply chain (subresource integrity)

Infrastructure surface

  • HTTP security headers (CSP, HSTS, Referrer-Policy, COOP/CORP, Permissions-Policy, X-Content-Type-Options, X-Frame-Options)
  • TLS / certificate config + cipher suite review
  • DNS config (CAA, SPF, DKIM, DMARC, MTA-STS)
  • Open port + firewall config
  • SSH + sudoer + key rotation review
  • Database exposure + bind-address audit

Compromise & forensics

  • Malware + webshell + cryptominer hunt
  • Core / vendor file checksum verification
  • DB-injected admin / user account audit
  • Suspicious cron / scheduled tasks
  • .git / .env / .svn / backup exposure
  • CVE cross-check against dependency tree

HOW IT WORKS

From scoping call to delivered report in four steps.

Scope & NDA

30-minute call to define the surface. Mutual NDA signed before any system access or sensitive data shared.

Audit

3–10 business days of manual review. Read-only access on a staging mirror where possible. Where production must be scanned, scans are throttled and run outside your business hours.

Report

PDF report: executive summary + findings table + reproduction + remediation. 60-min review call to walk through the findings with your engineering lead.

Remediation (optional)

We implement the fixes ourselves OR support your team while they do. Re-test after fixes are merged. Clean-bill follow-up letter.

TIERS

Three engagement tiers.

Free scan to qualify, paid audit to know, paid remediation to fix. Every tier above Free runs under a mutual NDA.

Free scan

Free

Quick automated check. Headers + obvious vulns + public CVE match. Lightweight public-facing report.

  • HTTP security headers grade
  • Visible dependency CVE check
  • SSL / cert config grade
  • Public scan report (no NDA)

Request a free scan →

Audit + Remediation

From $——

Everything in Standard Audit, plus we implement the fixes ourselves. Re-test before sign-off.

  • Standard Audit deliverables
  • Our engineering team implements the fixes
  • Re-test after merge
  • Clean-bill follow-up letter
  • Optional: 90-day continuous scan

Discuss fit →

Diginuance has run this exact playbook on a portfolio of 5+ live sites — including a salesiren.pk reinfection where they cleaned 80+ webshell files, hunted a SQL-injected admin, and rolled out zero-trust hardening across the whole account in 48 hours.

Salesiren.pk · post-incident recovery

2026-05-21 · sample work, available under NDA

QUESTIONS, ANSWERED

Before you book a confidential call.

Will the audit disrupt my live site?

No. We test against a staging mirror wherever possible. Where we must touch production (e.g. headers, malware scan), we throttle and run outside your business hours. We never run aggressive fuzzing against a live customer-facing system without explicit written approval.

Do you sign an NDA?

Yes — mutual NDA required for any tier above Free. Our standard template is one page, sent within an hour of your scoping call. We’re equally happy to sign yours.

How long does an audit take?

3 to 10 business days, depending on surface size. A marketing site is 3 days. A SaaS app + API + mobile client + hosting infra is closer to 10. We scope the timeline in the call.

What does the report look like?

A PDF (and Markdown source if your engineers prefer). Executive summary (1–2 pages), findings table sorted by severity, then per-finding deep-dive: scope, reproduction, evidence, remediation pointer. Plus an appendix with the raw scan data.

Will you share my findings with anyone?

No. Audit findings are confidential between Diginuance and you, governed by the mutual NDA. We may use anonymised, aggregated learnings to improve our methodology — never with your name or system details attached.

What’s your methodology?

OWASP ASVS / WSTG checklist as the spine, OWASP Top 10 + Mobile Top 10 + API Top 10 layered on. Manual review is primary; we use tooling (Burp, ZAP, nmap, custom Playwright + WP-CLI scripts) only to assist — never as the verdict. Every finding is reproduced by hand before it goes in the report.

Can you do recurring scans?

Yes. Audit + Remediation includes an optional 90-day continuous scan add-on. Recurring monthly scans are also available as a separate retainer.

START HERE

Book a confidential scoping call.

Tell us the surface and the timeline. Mutual NDA in your inbox within an hour. Quote within 48 hours.

Request a quote →