B2B SaaS lives or dies on the security questionnaire. SOC 2 Type II, ISO 27001, multi-tenant isolation, OAuth posture, sub-processor audits — we’ve scoped this exact work for hundreds of SaaS companies from seed to scale.
Enterprise buyers evaluate SaaS vendors against a security questionnaire (CAIQ-Lite, SIG, custom). The same patterns repeat: SOC 2 / ISO 27001 attestation, recent pen test report, multi-tenant isolation evidence, encryption details, incident response policies, sub-processor list, data residency. Our work is scoped to make every cell in that questionnaire defensible.
Multi-tenant isolation failures are the #1 SaaS-specific bug class. Every multi-tenant boundary is tested: row-level data isolation, tenant-scoped API access, file storage isolation, async job context, queue routing, log isolation. We attempt cross-tenant access with every available role.
SaaS authentication is almost always OAuth / OIDC against Okta, Azure AD, Auth0, Google Workspace. We test for PKCE bypass, scope escalation, refresh token replay, SCIM provisioning gaps, and the “Just-in-Time” user creation patterns that grant unintended access.
SaaS APIs are usually the largest attack surface. We test against the OWASP API Top 10 with deep focus on BOLA across tenant boundaries, BFLA on admin endpoints, and rate-limit abuse (which often correlates with billing).
Outbound webhooks introduce SSRF risk; inbound webhooks introduce authentication and replay risk. We test signature validation, idempotency, and timestamp drift.
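The three inbound-webhook checks named above (signature validation, timestamp drift, idempotency) as one receiver-side routine in Python. This is an added example, not the vendor's or any webhook provider's scheme; the header names, the `timestamp.id.body` signing layout and the 300-second tolerance are assumptions, and the sender-side `sign` helper exists only so the example can construct valid and invalid deliveries offline.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed drift window; tune to your clock skew budget


class WebhookVerifier:
    """Verifies inbound webhook deliveries: HMAC signature, freshness, dedupe."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now          # injectable clock so tests are deterministic
        self._seen: set[str] = set()  # in-memory; use a shared store in production

    def sign(self, timestamp: int, event_id: str, body: bytes) -> str:
        # Assumed layout: timestamp and event id are covered by the MAC so a
        # replayed body cannot be given a fresh timestamp or a new id.
        msg = f"{timestamp}.{event_id}.".encode() + body
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def verify(self, headers: dict, body: bytes) -> str:
        """Returns 'accepted' or a short rejection reason."""
        try:
            ts = int(headers["X-Webhook-Timestamp"])
            event_id = headers["X-Webhook-Id"]
        except (KeyError, ValueError):
            return "missing_header"
        expected = self.sign(ts, event_id, body)
        # Constant-time compare so the signature check does not leak bytes.
        if not hmac.compare_digest(headers.get("X-Webhook-Signature", ""), expected):
            return "bad_signature"
        # Drift check after the signature so unauthenticated input cannot
        # influence anything but a cheap rejection.
        if abs(self._now() - ts) > TOLERANCE_SECONDS:
            return "stale"
        # Idempotency: the id is authenticated above, so an attacker cannot
        # poison the dedupe set with ids of events that have not arrived yet.
        if event_id in self._seen:
            return "duplicate"
        self._seen.add(event_id)
        return "accepted"


def build_delivery(v: WebhookVerifier, ts: int, event_id: str, body: bytes) -> dict:
    """Constructed sender side: headers a legitimate provider would attach."""
    return {
        "X-Webhook-Timestamp": str(ts),
        "X-Webhook-Id": event_id,
        "X-Webhook-Signature": v.sign(ts, event_id, body),
    }
```

Checking the signature before the timestamp means a stale-but-authentic delivery is distinguishable from a forged one in your logs, which is the signal that tells you whether you are seeing clock skew or an actual replay attempt.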
SaaS ships fast; pen tests can’t take three months. Our standard engagement timeline:
Free 30-minute scoping call. Customer-ready letter of attestation included with every engagement.