Pentrova’s testing is organised by what it covers, not by how it is wired internally. Across an engagement, coverage spans the full application attack surface.

Coverage areas

  • Recon — read-only observation of traffic, DOM, headers, and responses, with no exploit payloads sent.
  • Injection, command injection, LFI/RFI, , and related classes.
  • Access control — broken object-level and function-level authorization, cross-tenant access, privilege escalation.
  • Business logic — pricing, workflow order, rate and quota abuse, and other application-specific invariants.
  • Protocol & API — REST, GraphQL, gRPC, SOAP, JSON-RPC, and WebSocket surfaces.
  • Post-exploitation — escalation of confirmed findings into business-impact paths under sandbox guardrails.

How coverage adapts

Pentrova does not run a fixed checklist. Testing adapts to what your application reveals, concentrating effort where the attack surface is richest and skipping what does not apply. Every decision is recorded so the run is auditable after the fact.

Detailed inventory

The detailed coverage inventory is available to prospects under evaluation. The areas above describe what every engagement covers.

Last updated: May 31, 2026
