What we offer you

Automated tools simply are not good enough. Our security experts will personally help you without breaking the bank.

∞ code analysis

continuous whitebox pentest

  • Continuous software security evaluation
  • Manual check by expert pentesters
  • Meaningful direct vulnerability report to developers
  • You code, we review

◦ codeless analysis

design reviews | greybox pentesting | blackbox pentesting

  • Flexible approach
  • Manual check by expert pentesters
  • Applicable to any development stage, from design to production

CTF

a battle-tested team building event

  • Learn about software security or improve your security mindset
  • For developers and pentesters, from entry-level to seasoned security expert
  • Online or in-person

What sets Codean Labs apart from other pentesting companies?

We believe security review can be done both more thoroughly and more cost-efficiently, whereas other labs often compromise on one of the two. We achieve this through home-grown tooling and processes that we have optimized over time.

I need to do a software pentest. Can you guide me through my options?

Of course! We are happy to assist you: chat with us, plan a meeting, or read on for a short summary!


If you would like a thorough pentest that enables you to rapidly find and resolve security issues in your code, opt for our ∞ code analysis service. If, instead, you would like to see what a real external hacker (without confidential knowledge of your solution) could do, go for our ◦ codeless analysis service. The latter can also be used for a design review, if you are already thinking about security but do not have an implementation yet. If this FAQ does not cover your specific need, contact us: we strive to provide a personalized approach!

Do I have to share my source code with Codean Labs?

We understand the hesitation in sharing your most precious asset, the source code of your product. Therefore we have strong security measures in place to protect it during ∞ code analysis. Specifically, there is no need to share .zip files or download links with us. Instead, we connect our system to your own code hosting platform (e.g. GitHub, GitLab), so that we align at least with the security you already have in place. We recommend granting read-only access scoped to the repositories under review, which you can revoke once the engagement ends.


If you prefer a security assessment without code access, we also offer our ◦ codeless analysis service. There, we step into the role of a real external hacker, exploring whether vulnerabilities can be found and exploited without any inside knowledge.


What do white-, grey-, and black-box mean?

These are industry terms for approaches that can be taken when evaluating the security of software systems.


When using a whitebox approach, pentesters are given access to the source code of the software they are analyzing; this corresponds to our ∞ code analysis service. In contrast, a blackbox approach puts a pentester in the shoes of an external attacker with no confidential information such as source code or documentation. A greybox approach sits between the two: typically the code is unavailable, but some information is shared, such as documentation, an architecture overview, or authenticated test accounts. Grey- and black-box approaches are followed in our ◦ codeless analysis service.


As a rule of thumb, request a whitebox approach for a more thorough analysis with clear coverage, and a grey- or black-box approach for a realistic picture of what an external attacker could achieve within a defined timeframe.

Do your experts have any certifications? What is your experience level?

Our analysts have a strong software security background, with experience and passion across a wide range of targets, programming languages and technology stacks. Additionally, all of our analysts are OSCP-certified.

Will I receive a shareable summary report?

Yes! You may need to give your client(s) or management insight into the security of your product. We have you covered with periodic summary reports showing the overall security posture of your software (without revealing critical details) as well as how it develops over time.

What types of software do you pentest?

We have broad expertise in software security, so anything from embedded systems to cloud infrastructure, and everything in between, is within our capabilities to pentest. In practice, what we see most are web and mobile applications and their associated backend(s) and cloud infrastructure.


Even in the design phase, we can help by reviewing your planned technical design or architecture. By giving you early feedback from a security perspective, we can help you build a strong core, making sure no time is wasted refactoring it later.

When can you start?

We try our best to meet your needs, aiming to start as soon as you are ready! Together with you, we will agree upon a specific start date.

I already use development / SAST tools. Would Codean Labs add any value?

Yes. Automated tools provide insight into the security of your source code, but they are limited in their ability to reason about complex scenarios and multi-step attacks. They also produce false positives (findings that are not exploitable) and false negatives (real issues they miss), and their results are often difficult to understand and resolve.


Codean Labs provides human expert feedback instead. We manually analyze your source code and test the vulnerabilities we discover to assess their actual risk. This way, we can provide you with higher-quality, precise results that require no security expertise to understand and remediate. There is no harm in using SAST tools as a first line of defense, and definite added value in using Codean Labs on top of them.

We are here for you