
Grey Box Penetration Testing

Authenticated web application testing that finds what an external scan cannot. CyberCTRL logs in to your app with credentials you provide, crawls every authenticated page, and probes for OWASP Top 10 vulnerabilities, broken access control, IDOR, session weaknesses, and authenticated injection.

Standard ($1,550 ex GST) covers a single role end to end. Plus ($2,090 ex GST) adds a full multi-role Broken Access Control matrix across up to 3 user roles. Report within a day.

Aligned to OWASP and the ASD ISM. Supports Essential Eight, APRA CPS 234, ISO 27001 and SOC 2 evidence. Credentials encrypted with AES-256-GCM, mandatory MFA on every account.

What is included

Grey Box Standard - $1,550 ex GST
  • Authenticated site-wide crawl of every page, form, and API endpoint reachable by your test user
  • OWASP Top 10 (2021) coverage on all discovered URLs
  • IDOR (Insecure Direct Object Reference) probing on every numeric and UUID resource identifier
  • Broken authentication and session-management testing - cookie attributes, session fixation, logout integrity
  • Authenticated SQL injection (error-based and boolean-based) and command injection detection
  • Reflected and stored XSS, path traversal, open-redirect detection
  • Anti-CSRF token coverage check on every state-changing form
  • PII, secrets and credential leak detection across all responses
  • Authenticated security-headers and cookie-attribute audit

Grey Box Plus - $2,090 ex GST (adds to Standard)
  • Up to 3 additional user roles (e.g. user, manager, admin) with independent credentials
  • Full Broken Access Control (BAC) matrix - every URL probed under every role
  • Cross-role privilege escalation detection on every resource
  • Per-role authenticated coverage map showing what each role can see and do
  • Visual BAC heatmap in the PDF report
  • Independent decryption audit log per role

Works with how you log in

Three authentication methods are supported so the scanner can reach your app no matter how complex the login flow is - including SSO, MFA-protected, and JavaScript-rendered logins.

Form login

Username + password

CyberCTRL logs in to your standard form-based login for each scan run.

Form + TOTP

MFA-protected apps

Provide a TOTP shared secret; the scanner generates the current code at login time.

Pre-captured session

SSO, CAPTCHA, hardware tokens

Log in manually in your browser, then paste the session cookies or Authorization header into the configure form. Works with any auth flow.
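The "Form + TOTP" method above depends on the scanner being able to turn a shared secret into the code an authenticator app would show. The following is an added example, not CyberCTRL's code, of that derivation: RFC 6238 TOTP (HMAC-SHA1, 30-second step, six digits, the defaults nearly every web app uses) over the base32 secret an application displays at MFA enrolment. The secret value used in `main` is the RFC's own published test key, encoded in base32, not a real credential; Go is used because HMAC and base32 are in its standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// decodeSecret turns the base32 string an app shows at MFA enrolment into raw key bytes.
// Spaces, lower case and padding are tolerated because QR payloads and copy-paste vary.
func decodeSecret(b32 string) ([]byte, error) {
	clean := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	clean = strings.TrimRight(clean, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(clean)
}

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
// then reduction modulo 10^digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp implements RFC 6238: the HOTP counter is the number of whole steps since the Unix epoch.
func totp(secret []byte, unixTime int64, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// validCodes returns the codes for the previous, current and next step. A scanner submits the
// current one; a server that accepts this window tolerates small clock skew without widening much.
func validCodes(secret []byte, unixTime int64, step int64, digits int) []string {
	return []string{
		totp(secret, unixTime-step, step, digits),
		totp(secret, unixTime, step, digits),
		totp(secret, unixTime+step, step, digits),
	}
}

func main() {
	// Constructed secret: the base32 encoding of the RFC 6238 test key "12345678901234567890".
	secret, err := decodeSecret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println("code now:", totp(secret, time.Now().Unix(), 30, 6))
}
```

The shared secret is a long-lived credential equal in power to the second factor itself, so it needs the same encrypted storage as the password, and enrolling a dedicated test user is cleaner than handing over a real user's secret. A clock that drifts by more than one step on either side will produce codes the application rejects, which is the first thing to check when a TOTP login fails.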

How it works

  1. Buy and configure scope

    Choose Grey Box Standard or Plus, register, enrol TOTP MFA, pay via Stripe. Provide the target application URL and your test credentials (form login, TOTP secret, or pre-captured session cookies).

  2. Credentials encrypted on submit

    All credentials are encrypted with AES-256-GCM the moment you submit them. The key lives outside the database. Decryption only happens inside the scan worker at scan time, and every decrypt event is audit-logged.

  3. Authenticated crawl and test

    The worker logs in, crawls every page reachable by your test role, then runs OWASP-mapped checks against each URL and form. For Plus, the worker re-authenticates as each additional role and runs the full BAC matrix.

  4. Cross-validated report

    Two AI models analyse findings independently and merge results. The PDF report includes a finding card for each vulnerability with description, impact, recommendation, CVSS score, and a reference URL. For Plus, a visual BAC heatmap shows which roles can access what.
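Step 2 describes a specific storage pattern: AES-256-GCM at rest, a key held outside the database, decryption confined to the worker, and an audit record for every decrypt. The following is an added example of that pattern, not the platform's own code. It assumes the key arrives at process start from an environment variable named `CREDS_KEY_HEX` (a constructed name standing in for a KMS or secret manager), binds each record's id into the ciphertext as associated data so a blob cannot be moved between rows, and keeps the audit trail in an in-memory slice where a real service would write to a log sink.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"time"
)

// AuditEvent records every attempt to decrypt a credential, successful or not. It never holds plaintext.
type AuditEvent struct {
	When         time.Time
	CredentialID string
	Actor        string
	OK           bool
}

// Vault wraps AES-256-GCM with a key supplied at process start (env var, KMS, secret manager),
// never read from the database that stores the ciphertext.
type Vault struct {
	aead  cipher.AEAD
	Audit []AuditEvent
}

func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts one credential under a fresh random nonce. The record id is bound in as associated
// data, so a ciphertext copied from one row to another will not open. Layout: nonce || ciphertext || tag.
func (v *Vault) Seal(credentialID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, []byte(credentialID)), nil
}

// Open is the only path back to plaintext. Every call is audited whether or not it succeeds, so a
// tampered or misdirected attempt is recorded too; the log holds only the record id, actor and outcome.
func (v *Vault) Open(credentialID, actor string, blob []byte) ([]byte, error) {
	ev := AuditEvent{When: time.Now(), CredentialID: credentialID, Actor: actor}
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		v.Audit = append(v.Audit, ev)
		return nil, errors.New("ciphertext too short")
	}
	plain, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(credentialID))
	ev.OK = err == nil
	v.Audit = append(v.Audit, ev)
	if err != nil {
		return nil, fmt.Errorf("decrypt %s: %w", credentialID, err) // GCM reports only "authentication failed"
	}
	return plain, nil
}

func main() {
	// CREDS_KEY_HEX is a constructed name standing in for wherever the key really lives.
	key, err := hex.DecodeString(os.Getenv("CREDS_KEY_HEX"))
	if err != nil || len(key) != 32 {
		fmt.Println("set CREDS_KEY_HEX to 64 hex characters (a 32-byte key)")
		return
	}
	v, _ := NewVault(key)
	blob, _ := v.Seal("cred-42", []byte("scanuser:constructed-password"))
	fmt.Printf("stored %d bytes for cred-42; plaintext is never logged\n", len(blob))
	if _, err := v.Open("cred-42", "scan-worker-1", blob); err == nil {
		fmt.Printf("audit: %+v\n", v.Audit[0])
	}
}
```

The associated-data binding is the detail worth copying: without it, a database-level attacker who can write rows could swap the ciphertext of a low-value record into a high-value one and have the worker decrypt it under the wrong identity. GCM's 12-byte random nonce is safe for the volume a credential store sees, but the same key must never be reused at a rate that risks nonce collision.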

What you receive

A grey-box PDF report mapped to OWASP Top 10 categories. Every finding has a CVSS v3.1 severity rating, a plain-English impact description, a remediation recommendation in 2 to 3 sentences, and a reference URL to OWASP WSTG, the ASD ISM, ACSC guidance, or vendor documentation. Plus tier reports include a visual Broken Access Control heatmap.


Methodology and compliance

Methodology aligned to the OWASP Web Security Testing Guide and the Australian Signals Directorate Information Security Manual (ASD ISM). Reports are defensible evidence for the audits Australian businesses actually face.

Essential Eight
Authenticated findings support User Application Hardening and MFA mitigations evidence.
APRA CPS 234
Demonstrates regular testing of authenticated application controls.
ISO 27001 / SOC 2
Satisfies A.12.6.1 / CC7.1 application vulnerability management.
PCI DSS 11.3
Authenticated application testing for in-scope payment apps.

Pricing

Standard - $1,550 ex GST per engagement

Single-role authenticated testing, OWASP Top 10 coverage, up to 5 runs over 2 weeks.

Plus (Multi-role BAC) - $2,090 ex GST per engagement

Standard plus up to 3 user roles, full BAC matrix, visual heatmap.

Bundle with an External test and save 25 percent.

Frequently asked questions

What is grey box penetration testing?

Grey box testing is authenticated penetration testing - you provide CyberCTRL with valid user credentials, and the platform logs in to your web application and tests it from the perspective of a real user. This finds vulnerabilities that an unauthenticated external scan cannot reach: IDOR, broken authentication, session weaknesses, authenticated SQL and command injection, privilege escalation, and Broken Access Control issues. The methodology is aligned to the OWASP Web Security Testing Guide and the ASD ISM, and supports Essential Eight audit evidence.

What is the difference between Standard and Plus?

Standard ($1,550 ex GST) is single-role authenticated testing - you provide one set of credentials and we test that role end to end against the OWASP Top 10. Plus ($2,090 ex GST) adds a multi-role Broken Access Control matrix - you provide up to 3 user roles (e.g. user, manager, admin) and we re-authenticate as each, then verify that resources accessible to one role are correctly denied to the others. Plus catches privilege-escalation issues that single-role testing cannot.
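The multi-role BAC matrix described in step 3 and in this answer is, at its core, a small computation: every discovered path requested under every role's session, then observed access compared against the access the owner says each role should have. The following is an added example of that computation, not CyberCTRL's scanner. Everything in it is constructed: an in-process target with three roles, two routes that enforce the policy correctly and one (`/admin/export`) with a deliberate authorisation defect, the cookie values, and the policy table; the point is the comparison logic and the two status-code traps (401 versus 403, and an unfollowed redirect to the login page) that a naive matrix gets wrong.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// Session cookie the scanner holds for each role after logging in (constructed values).
var roleByToken = map[string]string{"tok-user": "user", "tok-manager": "manager", "tok-admin": "admin"}

// expectedAccess is the policy the application owner asserts: path -> roles that may reach it.
var expectedAccess = map[string]map[string]bool{
	"/dashboard":    {"user": true, "manager": true, "admin": true},
	"/reports/team": {"manager": true, "admin": true},
	"/admin/export": {"admin": true},
}

// demoApp is a constructed target: two routes enforce the policy, /admin/export only checks for a session.
func demoApp() http.Handler {
	roleOf := func(r *http.Request) string {
		if c, err := r.Cookie("session"); err == nil {
			return roleByToken[c.Value]
		}
		return ""
	}
	guard := func(allowed map[string]bool) http.HandlerFunc { // 401 with no session, 403 for the wrong role
		return func(w http.ResponseWriter, r *http.Request) {
			switch role := roleOf(r); {
			case role == "":
				w.WriteHeader(http.StatusUnauthorized)
			case !allowed[role]:
				w.WriteHeader(http.StatusForbidden)
			default:
				fmt.Fprintln(w, "ok")
			}
		}
	}
	mux := http.NewServeMux()
	mux.Handle("/dashboard", guard(expectedAccess["/dashboard"]))
	mux.Handle("/reports/team", guard(expectedAccess["/reports/team"]))
	mux.HandleFunc("/admin/export", func(w http.ResponseWriter, r *http.Request) {
		if roleOf(r) == "" { // defect: authentication checked, authorisation forgotten
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprintln(w, "ok")
	})
	return mux
}

// probeMatrix requests every policy path with every role's cookie and records the status code.
// Redirects are not followed, so a bounce to the login page is a 3xx, not the login form's 200.
func probeMatrix(base string) (map[string]map[string]int, error) {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	matrix := map[string]map[string]int{}
	for tok, role := range roleByToken {
		matrix[role] = map[string]int{}
		for path := range expectedAccess {
			req, _ := http.NewRequest(http.MethodGet, base+path, nil) // constant URL, cannot fail to parse
			req.AddCookie(&http.Cookie{Name: "session", Value: tok})
			resp, err := client.Do(req)
			if err != nil {
				return nil, err
			}
			resp.Body.Close()
			matrix[role][path] = resp.StatusCode
		}
	}
	return matrix, nil
}

// bacFindings compares observed access with policy: a 2xx for a role the policy excludes is a finding.
func bacFindings(matrix map[string]map[string]int) []string {
	var out []string
	for path, allowed := range expectedAccess {
		for role, statuses := range matrix {
			granted := statuses[path] >= 200 && statuses[path] < 300
			if granted && !allowed[role] {
				out = append(out, fmt.Sprintf("BAC: %s can reach %s (HTTP %d) but policy denies it", role, path, statuses[path]))
			}
		}
	}
	sort.Strings(out) // deterministic order regardless of map iteration
	return out
}

// runDemo starts the constructed app, runs the matrix and returns the sorted findings.
func runDemo() ([]string, error) {
	srv := httptest.NewServer(demoApp())
	defer srv.Close()
	matrix, err := probeMatrix(srv.URL)
	if err != nil {
		return nil, err
	}
	return bacFindings(matrix), nil
}

func main() {
	findings, err := runDemo()
	fmt.Println(findings, err)
}
```

Run as written it reports that both `user` and `manager` can reach `/admin/export`, which is the privilege-escalation class single-role testing cannot see: each role's own crawl looks fine in isolation, and only the cross-role comparison exposes the missing check. A real scanner also has to treat a 200 that carries the login page, or an error page, as a denial, which is why response content and not just the status code ends up in the comparison.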

Does it work with SSO and MFA?

Yes. Three authentication methods are supported: (1) form login with username and password; (2) form login plus a TOTP shared secret if your app uses time-based MFA; (3) pre-captured session - log in manually in your browser, copy the session cookies or Authorization header from DevTools, and paste them into the configure form. The pre-captured session method covers SSO (Okta, Azure AD, Google Workspace), CAPTCHA, hardware tokens, and JavaScript-rendered login flows.

How are my credentials kept safe?

All credentials and session material are encrypted with AES-256-GCM at rest in the database. The decryption key is held outside the database. Credentials are only decrypted inside the scan worker process for the duration of the scan, never written to logs, never displayed in the UI, and every decrypt event is audit-logged. The platform is hosted in AWS Sydney; data never leaves Australian jurisdiction. TOTP MFA is mandatory on every account.

What kinds of applications can you test?

Any web application or web API reachable from the public internet that you have authority to test. This includes CMS-based sites (WordPress, Drupal), custom SaaS, e-commerce platforms, single-page apps (React, Vue, Angular), JSON APIs, GraphQL endpoints, and internal-only apps fronted by a reverse proxy or a temporarily opened firewall rule. The crawler handles client-rendered apps and modern auth flows.

How long does it take and how often can I run it?

The active scan typically runs 1 to 3 hours depending on application size. AI cross-validation and report generation follow. Your finished PDF is delivered within a day of starting. Each engagement includes up to 5 test runs over a two-week window so you can re-test after applying remediation and demonstrate the closure to your auditor or insurer.

Test the app the way a logged-in attacker would.

Buy a Grey Box engagement now. Authenticated report within a day.