VAPT — Vulnerability Assessment & Penetration Testing
CREST-aligned vulnerability assessment and penetration testing (VAPT) from Nairobi — web, mobile, API, network, cloud and social engineering. Manual testing, exploit proof, prioritised remediation and a free retest. Scope your VAPT: +254 725 722 965.
We attack your systems the way a real adversary would, then hand you a prioritised, developer-ready plan to close every gap we find.
A vulnerability scan tells you what a tool can see. A penetration test tells you what an attacker can actually do. Neurobyte's VAPT engagements combine both: automated coverage across your whole attack surface, then manual, human-led exploitation of the flaws that scanners never find — broken authentication, insecure direct object references, privilege escalation, and business-logic abuse that only makes sense once you understand what your application is for.
We test web and mobile applications, APIs, internal and external networks, cloud environments, and the people who use them. Every finding we report is proven, not theorised: we show the request that worked, the data it exposed, and the exact code or configuration change that closes it. Findings are ranked by real business impact rather than raw CVSS, so your team fixes what matters first instead of drowning in a 200-page scanner dump.
Engagements are scoped and priced up front, run against a rules-of-engagement document you approve, and delivered by testers based in Nairobi who work in your timezone. A free retest of every remediated finding is included, so you finish with evidence the gaps are actually closed — the artefact your board, your auditor, and your enterprise customers are asking for.
What's included
- Web application testing — Manual testing against the OWASP Top 10 and beyond — injection, broken access control, authentication and session flaws, SSRF, and the business-logic bugs unique to your application.
- Mobile application testing — Android and iOS assessment covering insecure storage, certificate pinning, hardcoded secrets, tampering and reverse engineering, plus the backend APIs the app depends on.
- API & integration testing — REST and GraphQL endpoints tested for broken object-level authorisation, mass assignment, rate-limit abuse and token handling flaws — including payment and M-Pesa integration paths.
- Network & infrastructure testing — External and internal network testing: exposed services, patch and configuration gaps, lateral movement, privilege escalation, and Active Directory attack paths.
- Cloud configuration review — AWS, Azure and Google Cloud assessed against CIS benchmarks — over-permissive IAM, public storage, unencrypted data, weak logging and exposed management planes.
- Social engineering & phishing — Simulated phishing, vishing and pretexting campaigns that measure how your staff actually respond, paired with the awareness training to improve the result.
How it works
- Scoping & rules of engagement — We agree targets, testing windows, depth, and escalation contacts in writing before anything is touched. You receive a fixed price and a fixed scope.
- Reconnaissance & mapping — We enumerate your real attack surface — subdomains, endpoints, services, technologies — which routinely surfaces assets clients had forgotten were exposed.
- Automated & manual testing — Tooling provides breadth; our testers provide depth, manually chaining findings into the exploit paths that automated scanners cannot construct.
- Exploitation & proof of impact — We safely demonstrate what each flaw permits — data accessed, accounts taken over, privileges gained — without disrupting production systems.
- Reporting & debrief — You get an executive summary for the board and a technical report for engineers, then a live walkthrough where your developers can ask questions directly.
- Remediation support & free retest — We advise on fixes as your team implements them, then retest every finding at no extra cost and issue a clean attestation letter you can share.
What you walk away with
- Executive summary written for non-technical stakeholders and the board
- Technical findings report with proof-of-concept, evidence and severity rating
- Prioritised remediation roadmap ranked by business impact, not raw CVSS
- Live debrief session with your engineering team
- Free retest of all remediated findings
- Attestation letter for customers, auditors and insurers
Frequently asked questions
What is the difference between a vulnerability assessment and a penetration test?
A vulnerability assessment is broad and mostly automated — it enumerates known weaknesses across many systems and tells you what could be a problem. A penetration test is narrow and human-led — a tester actively exploits those weaknesses to prove what an attacker could really achieve, including flaws no scanner can find, such as business-logic abuse and chained privilege escalation. VAPT means doing both: the assessment gives coverage, the penetration test gives certainty. Most compliance frameworks and enterprise customers expect the combination.
How much does a VAPT cost in Kenya?
Cost is driven by scope, not by a fixed price list. The main factors are how many applications, APIs and IP ranges are in scope, whether testing is black-box or credentialed, whether mobile apps and cloud environments are included, and how quickly you need the report. A single web application is a materially different engagement from an internal network test across several sites. We scope every engagement on a short call and quote a fixed price before any work begins, so there are no variable hourly surprises. Call +254 725 722 965 or request a scoping call to get a figure for your environment.
How long does a penetration test take?
Typical engagements run one to three weeks of active testing, depending on scope, with the report delivered within about a week of testing ending. A single web application usually sits at the shorter end; a combined web, mobile, API and internal-network engagement at the longer end. Scoping and rules of engagement are agreed before that clock starts, and the free retest is scheduled once your team has completed remediation.
Will penetration testing disrupt our production systems?
It should not, and preventing disruption is part of how we scope. Destructive tests — denial of service, aggressive fuzzing of fragile endpoints — are excluded by default and only ever run against staging with explicit written permission. We agree testing windows in advance, maintain a live escalation contact throughout, and stop immediately if anything unexpected happens. Where an application is business-critical, we recommend testing a production-identical staging environment and validating a smaller, agreed set of checks against production itself.
Do we need a penetration test for ISO 27001 or Kenya Data Protection Act compliance?
ISO 27001 does not name penetration testing as a mandatory control, but Annex A expects you to manage technical vulnerabilities and verify the effectiveness of your controls — and in practice auditors treat regular testing as the accepted evidence for that. Under the Kenya Data Protection Act, controllers and processors must implement appropriate technical measures to secure personal data, and independent testing is how you demonstrate you have done so. Enterprise customers and insurers increasingly ask for a recent report before they will sign. We frequently run VAPT as part of a wider ISO 27001 implementation.
How often should we run a VAPT?
Annually as a baseline, and additionally after any material change — a significant new feature, a migration to a new cloud provider, a merger, or a change in the sensitivity of the data you hold. Organisations shipping continuously often move to a lighter quarterly cadence against high-risk components with one deep annual test, so that testing tracks the pace of change rather than the calendar. Continuous vulnerability management between tests, which we also run, covers the gap.