Penetration Testing

Pentesting, the way attackers do it.

Black-box, white-box, or hybrid pentest of your application and infrastructure. We attack from the perimeter, then take the codebase and finish the job from inside.

black-box · white-box · application · infra

Request an intro call
Why this exists

Scanners find configurations. Pentesters find chains.

Automated scanners check that ports are closed, headers are set, and known CVEs aren’t on your stack. They miss the chains: low-impact bugs that combine into account takeover, the business-logic flaw that drains funds, the IDOR that exposes signed payloads. A pentest looks for what scanners can’t see.

Scope

What’s in the test.

What we test

Application + infrastructure attack surface

Auth and session, IDOR, injection, deserialization, file handling, business logic abuse, race conditions, and infra misconfigurations (S3, IAM, container, CI).

Modes

Black-box, white-box, hybrid

Black-box mimics a real attacker without source. White-box adds the codebase and credentials. Hybrid combines both inside the same engagement.

Targets

Web apps, APIs, mobile, infra

dApp frontends, REST and GraphQL APIs, mobile apps (iOS / Android), and the infrastructure underneath: networks, containers, secrets, and CI/CD.

Recent engagements

Recent pentest engagements.

Backend · NestJS

Dripster Backend Pentest

Black-box and white-box review of the backend that signs EIP-712 payloads and routes Polymarket orders.

Apr 2026 · Dripster

Black-box · TypeScript

Novaswap Blackbox Pentest

External-perimeter pentest of the Novaswap stack — no source access, just the attacker's view.

Jan 2026 · Novaswap

Core platform

Fair Casino Core Pentest

Core platform pentest covering auth, session management, and the API surface that feeds the on-chain game.

Jan 2026 · Fair Labs

How pricing works

Scoped to your surface.

Pentests are sized to attack surface (asset count, app count, infra complexity) and timeline. No fixed packages. Talk to us for a scope and quote.

Request an intro call
FAQ

Questions.

Default is hybrid: black-box first (attacker's view), then white-box for depth on what we couldn't reach from outside. Either mode standalone is available on request.

No. We're focused on application and infrastructure security for Web3 teams. Social engineering and physical security are separate disciplines best handled by specialist firms.

Both are options. Staging is safer and gets the same depth. Production testing happens with explicit consent, rate limits, and a rollback plan in case anything misbehaves.

Written report with findings, severity rationale, full reproduction steps, and remediation guidance. Plus fix verification after you patch. Published on zealynx.io by default; private engagements available.

Yes — the Security Audit Subscription includes an Off-chain Security Review add-on that runs a monthly bounded pentest review against your evolving stack.

One to four weeks depending on scope. We scope and quote against your specific surface before you commit.

From our research

Go deeper.

Threat model

The weakest link in DeFi is the web app

How frontend and backend mistakes turn audited contracts into losing customer funds.

Infrastructure

When web2 infrastructure breaks DeFi

The off-chain incidents that drained on-chain liquidity, and how to keep your infra from being the failure mode.

Supply chain

Supply-chain attacks against Web3 teams

npm compromise, dependency confusion, and CI/CD pipeline attacks — what we look hardest for in a pentest.

Other services

Need something else?

Parent

Application security

Back to the parent service — full off-chain audit scope including pentesting, TypeScript audits, and wallet security.

Bundle

Full-Stack Audit

Pair this pentest with a smart contract audit, run in parallel, boundary risks reviewed jointly.

Subscription

Security Audit Subscription

Ongoing monthly off-chain security review as an add-on to the subscription.

Ready when you are

Ready to test?

Send us your targets and a target date. We’ll come back with a scope and a quote within 24 hours.

Request an intro call