intrus.io
SaaS & Technology

Pentest for SaaS and Technology Companies

Offensive security in B2B SaaS products, multitenancy, APIs and cloud-native infrastructure.

Request SaaS pentestSee vectors
90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

B2B SaaS lives on trust. A multitenancy finding that leaks data from client A to client B is game over — you lose the customer, NPS, renewal and sometimes the company. SOC 2, ISO and enterprise compliance demand periodic pentest.

Applicable regulation

SOC 2 Type IIISO 27001LGPDGDPRHIPAA (saúde)

/attack-surface

Vectors we test in saas & technology

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01

Multitenancy

Tenant isolation, cross-tenant IDOR, namespace escape.

02

REST/GraphQL API

Auth, authz, rate limiting, mass assignment, introspection.

03

OAuth, SAML, OIDC

SSO implementation, assertion validation, replay, CSRF.

04

CI/CD and supply chain

GitHub Actions, pipeline secrets, malicious dependencies.

05

Cloud infrastructure

AWS/GCP/Azure, IAM, SSRF to metadata, public S3, IMDSv1.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

B2B SaaS clients and technology platforms.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

DL

Douglas Lopes

Founder · CEO · intrus.io

/faq

FAQ — SaaS & Technology

Do you do SOC 2 pentest?

Yes. Annual pentest with a report accepted by SOC 2 Type II audit, mapped to CC trust services criteria.

Do you serve Series A/B startups?

Yes. Lean pentest focused on multitenancy + API + infra, in the format enterprise clients ask for in due diligence.

/contact

Ready for a serious pentest in saas & technology?

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.

Talk to usSee other sectors

Other sectors we cover

/saude

Hospitals & Clinics

/planos-saude

Health Insurers

/fintech

Fintechs

/bancos

Banks & Credit Unions

/consorcios

Consortium Administrators

/seguros

Insurance & Brokers