Our method
Every test mapped.
Every finding proven.
Heist pentests your live application against a public standard. You see what was tested, not just what was found. Every finding comes with proof.
Step 01 / Map
Map every route and role
Heist logs into your application and walks it like a user. Every route, endpoint and form is recorded. Roles and tenants are mapped separately so access control can be tested between them.
- /auth/loginpublic
- /dashboarduser
- /settings/teamadmin
- /api/v2/usersapi
- /api/v2/users/{id}/profileapi
- /api/v2/billingapi
- /webhooksapi
38
endpoints
4
roles
3
auth flows
Step 02 / Test
Run the full standard
Testing follows OWASP ASVS 5.0. That is around 350 requirements across 17 categories. Every endpoint gets every applicable check. The standard is public so you can read exactly what a pass means.
- V1Encoding and Sanitization
- V2Validation and Business Logic
- V3Web Frontend Security
- V4API and Web Service
- V5File Handling
- V6Authentication
- V7Session Management
- V8Authorization
- V9Self-contained Tokens
- V10OAuth and OIDC
- V11Cryptography
- V12Secure Communication
- V13Configuration
- V14Data Protection
- V15Secure Coding and Architecture
- V16Security Logging and Error Handling
- V17WebRTC
Step 03 / Validate
No finding without proof
Heist proves findings by exploiting them without destructive actions. Every finding includes the exact request, the response and steps to reproduce. What cannot be proven is not reported.
- Finding
- IDOR on user profile endpoint
- ASVS
- V8 Authorization
- Target
- /api/v2/users/{id}/profile
GET /api/v2/users/4812/profile Authorization: Bearer tok_user_3291 HTTP/1.1 200 OK # authenticated as 3291. returned profile 4812
Step 04 / Fix
Findings land where you work
Each finding arrives in Linear or Slack with severity, repro steps and the violated ASVS requirement. Fix it yourself or hand it to Claude over MCP. Nothing gets lost in a PDF.
- LN
Linear issue created
HEI-247 · IDOR on /api/v2/users/{id}/profile
- SL
Slack alert sent
#security-alerts · critical · repro attached
- MCP
MCP handoff
heist.get_finding("HEI-247") -> fix branch opened
Severity, repro steps and the ASVS reference travel with every finding.
Step 05 / Retest
Fixed means verified
Push a fix and trigger a retest. Heist runs the original exploit again and records the outcome. The record is timestamped from first report to confirmed fix.
- Day 0 · 09:12
Finding reported
IDOR on user profile endpoint
- Day 1 · 14:38
Fix deployed
ownership check added
- Day 1 · 14:41
Retest passed
finding closed
Continuity
Remembers your application
Structure, roles and workflows carry forward between runs. Changes get tested first.
Evidence
Audit-ready by default
Every run is logged and every finding maps to an ASVS requirement. The trail holds up in SOC 2 and ISO 27001 audits.
Safety
Safe on production
Scoped credentials, guardrails and a kill switch. Proof without destructive actions.