SaaS · Series A–C · API-first · Cloud-native

Pass the Enterprise Security Review

SOC 2 Type 2, customer security questionnaires, OWASP ASVS L2 across the production app, OWASP API Top 10 across REST and GraphQL, CIS Benchmarks across the cloud control plane — packaged for the founder-CISO and the security-of-one team chasing the next enterprise logo.

14% of breaches now trace to vulnerability exploitation — nearly 3× YoY (Verizon DBIR 2024)
#1: broken access control — IDOR / BOLA / BFLA — the dominant SaaS bug class on the public record
200+ line security questionnaires (SIG / CAIQ) now ship alongside the enterprise MSA
30-day free retest window on every Critical, High and Medium finding marked remediated

Why sector-specific matters in SaaS

The buyer is the gatekeeper. Enterprise procurement now routinely sends a 200-line security questionnaire alongside the MSA — Standardised Information Gathering (SIG), Consensus Assessments Initiative Questionnaire (CAIQ), or the buyer's own bespoke spreadsheet — asking for evidence of independent penetration testing, SOC 2 attestation, vulnerability management cadence, secure SDLC, encryption baselines and incident response capability. A single missing answer can stall a six-figure deal for a quarter while the founder scrambles to schedule the work that should have been done six months earlier.

The Verizon 2024 Data Breach Investigations Report attributes 14% of breaches to vulnerability exploitation (nearly tripling year over year), with stolen credentials and phishing leading the other vectors. For SaaS the dominant exploit class on the public record remains broken access control — IDOR, BOLA / BFLA, multi-tenant boundary breaks — exactly the issues that scanners miss and that ASVS L2 testing is built to catch. The AxVeil SaaS engagement is built around the controls customers ask about and the bug classes that actually breach SaaS companies, not a generic OWASP Top 10 sweep.

The four drivers behind a SaaS engagement

01 · SOC 2 Type 2 attestation

AICPA Trust Services Criteria — Security mandatory, often with Availability and Confidentiality. Annual external pentest expected as evidence under CC7.1; tracked remediation under CC8.1; retest verifying closure. AxVeil reports ship with the SOC 2 control mapping appendix and a Letter of Attestation.

02 · Customer security questionnaires

SIG / SIG Lite, CAIQ, vendor-specific spreadsheets. Questions on testing cadence, OWASP coverage, authenticated testing, business-logic testing, retest evidence. We provide a one-page "questionnaire-ready summary" alongside the full report so the security-of-one team can answer in under an hour.

03 · OWASP ASVS L2 baseline across the app

ASVS v4.0.3 L2 across authentication, session management, access control, input validation, cryptography, error handling, data protection, communication security, malicious code, business logic, files / resources, API and web service, configuration. Mapped per-finding for the auditor.

04 · API + cloud as first-class targets

OWASP API Top 10 (2023) across REST, GraphQL, gRPC. CIS Benchmarks across AWS / Azure / GCP control plane. Kubernetes RBAC review for managed clusters. The two surfaces where SaaS breaches actually originate.

Attack scenarios exercised

The bug classes that actually breach multi-tenant SaaS — drawn from the public breach record, not a generic checklist.

THREAT: Tenant-boundary break via BOLA on the object API
Authenticated as a single low-privilege tenant. Sequential / UUID-guessable object identifiers tampered across the REST and GraphQL object endpoints to reach records belonging to other tenants. The single most common cause of multi-tenant SaaS breaches on the public record — and the exact class ASVS L2 access-control testing is built to surface. Maps to OWASP API #1 (BOLA) and #5 (BFLA).

THREAT: Privilege escalation through the cloud control plane
Pivot from an SSRF or leaked-credential foothold in the application into the supporting AWS / Azure / GCP account. IAM privilege-path enumeration via assumable roles, over-permissive service principals, instance-metadata exploitation and secrets-manager misuse — mapped to the MITRE ATT&CK Cloud matrix and the relevant CIS Benchmark control number per finding.

THREAT: SSO / OAuth2 / OIDC trust-relationship abuse
SAML signature-wrapping, OIDC token-audience confusion, OAuth2 redirect-URI and PKCE-downgrade testing, IdP-initiated-flow abuse and account-linking takeover. The federation layer enterprise buyers mandate is also the layer that, misconfigured, hands an attacker every tenant at once.
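The tenant-boundary break described in the first scenario, as an added example that is not part of this page or AxVeil's own code: an object lookup carrying the BOLA defect beside its tenant-scoped fix, plus the cross-tenant check a tester runs over every role against every id. The store, tenant ids, document ids and the `Principal` / `Document` types are constructed for the example.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when a caller reaches for an object outside its own tenant."""

@dataclass(frozen=True)
class Principal:
    tenant_id: str  # the tenant the authenticated session belongs to

@dataclass(frozen=True)
class Document:
    doc_id: str
    tenant_id: str
    title: str

# Constructed sample store: two tenants sharing one sequential id space,
# so a caller in tenant-a can trivially guess tenant-b's id.
DOCS = {
    "1001": Document("1001", "tenant-a", "A: Q3 board deck"),
    "1002": Document("1002", "tenant-b", "B: customer export"),
}

def get_document_vulnerable(store, caller, doc_id):
    """BOLA: the caller is authenticated, but the lookup is by id alone,
    so any tenant that guesses an id reads any other tenant's record."""
    return store[doc_id]  # KeyError for unknown ids; no tenant check at all

def get_document_scoped(store, caller, doc_id):
    """Fix: the authorisation check binds the object to the caller's tenant.
    Unknown and foreign ids fail identically, so the response does not leak
    whether an id exists in another tenant."""
    doc = store.get(doc_id)
    if doc is None or doc.tenant_id != caller.tenant_id:
        raise Forbidden(f"document {doc_id} not accessible to {caller.tenant_id}")
    return doc

def check_tenant_boundary(store, lookup, callers):
    """Authorisation test of the kind the scenario above describes: every
    caller requests every id; returns (tenant, doc_id) for each crossing."""
    crossings = []
    for caller in callers:
        for doc_id in store:
            try:
                doc = lookup(store, caller, doc_id)
            except (Forbidden, KeyError):
                continue
            if doc.tenant_id != caller.tenant_id:
                crossings.append((caller.tenant_id, doc_id))
    return crossings
```

Running `check_tenant_boundary` against the vulnerable lookup reports one crossing per foreign id; against the scoped lookup it reports none, which is the evidence a retest records for a remediated BOLA finding.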

Standards & reference material

AICPA SOC 2 Trust Services Criteria

2017 TSC with 2022 points of focus. Common Criteria (CC1–CC9) mandatory for the Security category, supplemented by Availability, Processing Integrity, Confidentiality and Privacy criteria where in scope.

OWASP Application Security Verification Standard v4.0.3

Three-level control catalogue. L2 is the SaaS baseline — sufficient for most enterprise reviews and aligned with the controls a SOC 2 auditor expects evidence against.

OWASP API Security Top 10 (2023)

BOLA, broken authentication, BOPLA, unrestricted resource consumption, BFLA, unrestricted access to sensitive business flows, SSRF, security misconfiguration, improper inventory management, unsafe consumption of APIs.

CIS Benchmarks (AWS / Azure / GCP / Kubernetes)

Industry-consensus configuration baselines for the cloud control plane and managed services. AxVeil cloud findings reference the benchmark version and control number per finding.

AxVeil SaaS engagement model

A typical Series-A SaaS engagement runs as a 4-week initial cycle (app + API + cloud) followed by an annual repeat and quarterly retests on Critical / High remediations. Series-B and Series-C add red team or adversary simulation against the threat actors targeting the customer base.

Week 0 — Scoping
Confirm asset inventory, ASVS level (L1 / L2 / L3), tenancy model, in-scope cloud accounts, test-account provisioning at every role, escalation contacts, SOC 2 audit window if relevant. Rules of Engagement signed.
Week 1 — Reconnaissance & automated discovery
Subdomain and JavaScript route mining, API schema extraction (OpenAPI / GraphQL SDL where available), Nuclei templates against the perimeter, Burp Suite Pro active scanner against authenticated journeys, dependency CVE correlation against the SBOM. All output is candidate-only.
Week 2–3 — Manual testing
Authenticated testing across every user role. ASVS v4.0.3 L2 control-by-control. OWASP API Top 10 across REST, GraphQL, gRPC. Multi-tenant boundary testing — BOLA, BFLA, mass assignment, IDOR, workflow bypass. SAML / OAuth2 / OIDC misconfiguration. SSRF with cloud-metadata exploitation paths.
Week 3–4 — Cloud & post-exploitation
AWS / Azure / GCP control-plane review against CIS Benchmarks. IAM privilege-escalation pathing. Kubernetes RBAC for managed clusters. Where in scope, demonstrate downstream impact: pivot from web compromise into the supporting cloud account, enumerate accessible data, map the blast radius.
Week 4 — Reporting & questionnaire pack
Single PDF (60–120 pages) plus the one-page questionnaire-ready summary. SOC 2 control mapping appendix, ASVS / API Top 10 / CIS appendix, JSON export for DefectDojo / Jira / GitHub Security. Letter of Attestation issued on PASS.
Week 4–8 — Remediation & retest
Remediation owned by your engineering team. One free retest of every Critical, High and Medium finding marked remediated. Retest report appended to the original PDF; updated Letter of Attestation on full PASS.

Sample artefacts handed back

Pentest PDF (60–120 pages)
Executive summary, technical findings with CVSS v3.1 + v4.0, ASVS / API Top 10 / CWE mapping, reproduction steps, remediation guidance with code samples, SOC 2 control mapping appendix, retest section.
Questionnaire-ready summary (one page)
Drop-in answers for SIG / CAIQ / vendor questionnaires. Testing cadence, scope, methodology, OWASP coverage, retest evidence, ASVS level, lead tester credentials. The page enterprise procurement asks for.
Letter of Attestation
Signed PDF referencing engagement scope, dates, ASVS level achieved, lead-tester credentials and report hash. The artefact you forward to enterprise buyers and SOC 2 auditors as evidence of the work.
JSON findings export
Schema-documented JSON for import into DefectDojo, Jira, ServiceNow, GitHub Security or your in-house vulnerability tracker. Lets engineering work the backlog without copy-paste from the PDF.
SOC 2 control mapping appendix
Per-finding mapping to AICPA TSC CC7.1, CC7.2 and CC8.1. Drops directly into the auditor's evidence request list during fieldwork.
Cloud configuration review
Per-account, per-service findings against the relevant CIS Benchmark. Includes IAM privilege-path graph and a remediation backlog ordered by exploitability and effort.

Frequently asked questions

We are pre-Series-A. Do we really need a pentest yet?

Realistically yes, the moment you start selling into mid-market or enterprise. The first dozen enterprise security questionnaires you receive will ask for a recent independent penetration test, a SOC 2 Type 1 (heading toward Type 2) and evidence of a vulnerability management programme. Founders who postpone the work until their first enterprise procurement cycle typically lose three-to-six weeks of sales motion to remediation. A right-sized ASVS L2 engagement against the production app is usually the cheapest unblock at that stage.

Why ASVS L2 and not L1 or L3?

OWASP ASVS L1 is a generic baseline ("opportunistic attacker who applies known and easily exploitable vulnerabilities") and rarely satisfies an enterprise buyer's security review. L3 is reserved for systems where compromise has serious consequences (financial transactions, healthcare, military) and adds controls that are expensive to retrofit. L2 is the sweet spot for SaaS — it covers the controls a competent attacker with knowledge of the application and reasonable resources would attempt, including business-logic abuse, multi-tenant boundary testing, and authentication / authorisation depth that customer questionnaires keep asking about.

What does a SOC 2 Type 2 actually require from the application?

The relevant Trust Services Criteria are mostly under the Security category — CC6 logical and physical access, CC7 system operations, CC8 change management, CC9 risk mitigation. From a pentest perspective the auditor cares about CC7.1 (vulnerability identification), CC7.2 (anomaly monitoring), CC8.1 (change management before production deployment) and the supporting evidence: a documented testing programme, a tested cadence (typically annual external pentest plus continuous internal scanning), tracked remediation, and a retest verifying the closure. AxVeil reports include the SOC 2 control mapping appendix and a Letter of Attestation that drops cleanly into the auditor's evidence request.

How do you handle the API surface — REST plus GraphQL?

Mapped to the OWASP API Security Top 10 (2023). BOLA / BFLA tenant-boundary enumeration is the dominant risk class for B2B SaaS — most multi-tenant breaches in the public record trace back to broken object-level or function-level authorisation rather than injection or exposure. GraphQL adds introspection abuse, query depth and alias-based denial of service, batched mutation abuse and complex authorisation modelling. We exercise the schema (where OpenAPI / Swagger / Protobuf / GraphQL SDL is available) and discover endpoints black-box where it is not.

Can you cover the cloud control plane in the same engagement?

Yes. AWS, Azure and GCP control-plane review against the CIS Benchmarks. IAM privilege-escalation pathing, role assumption chains, public S3 / Blob / GCS exposure, Lambda / Function trigger abuse, secrets-manager misuse, Kubernetes RBAC and admission-controller bypass. MITRE ATT&CK Cloud matrix is used to structure the cloud findings. For SaaS running on managed Kubernetes (EKS / AKS / GKE) we also test cluster-level RBAC and pod-security boundaries.

How long is a typical Series-A SaaS engagement?

Four-to-six weeks of testing for a single production web application plus its API plus the supporting cloud account. Two-to-three weeks for the app + API alone if the cloud is out of scope. Add one week for mobile (iOS or Android) per platform. Add two weeks for a credential-phishing / business-email-compromise tabletop where required by the buyer. Reporting and remediation runs in parallel; free retest within 30 days of the original report is included.

Scope a SaaS engagement

Send the production app URL, the API surface (REST / GraphQL / gRPC), the cloud (AWS / Azure / GCP), and your SOC 2 audit window. We respond with a fixed-fee proposal, sample questionnaire-summary page and a redacted report from a comparable engagement under NDA.