THREATNEST
Application security audit

Application Penetration Test & Remediation Blueprint

ThreatNest performs fixed-scope application security audits for independent healthcare clinics, dental practices, and medical centers operating patient-facing web applications.

$2,000 Fixed

One fixed fee for the audit and remediation blueprint.

7-day delivery

Full documentation delivered within 7 days.

Complimentary retest

One retest after remediation is complete.

Healthcare focus

Built for patient-facing web applications.

In scope

Login, password reset, session handling, and account abuse checks.

Access control, user boundaries, and IDOR-style issues.

PHI tracking exposure from pixels, analytics scripts, and third-party JavaScript.

Forms, APIs, uploads, input handling, and common web vulnerabilities.

Security headers, TLS, cookies, exposed files, admin paths, and browser controls.

Out of scope

Anything destructive or availability-focused, including DDoS.

Social engineering unless it is agreed in writing.

Internal systems or third-party services you do not control.

Physical security and on-site access.

Method

How the audit runs.

We agree scope, test by hand, and write everything up with proof, severity, affected assets, business impact, and developer-ready fixes.

01

Surface review

We inspect browser behavior, public pages, patient forms, and exposed infrastructure.

02

Manual assessment

Every reachable application component is manually tested for security weaknesses.

03

Validation

Every finding is reproduced, verified, and documented with supporting evidence.

04

Developer blueprint

Every finding includes technical proof and remediation instructions your developer can implement.

Deliverables

Remediation blueprint and retest.

Manual application penetration test

PHI tracking exposure review

Security header assessment

Proof-of-risk screenshots

Developer remediation blueprint

One complimentary retest after fixes

Delivered within 7 days

Findings, screenshots, credentials, business data, and the report are treated as confidential.

01

Scope

We define the application, pages, and systems included in the assessment.

02

Manual Testing

The live application is assessed for application-layer vulnerabilities, configuration weaknesses, and data exposure risks.

03

Validation

Every finding is reproduced, verified, and documented with supporting evidence.

04

Delivery

You receive a remediation blueprint, technical evidence, and one complimentary retest after fixes.

Why after launch

Production is where compliance is proven.

A live patient-facing application shows the routes, headers, login flow, tracking scripts, and setup outsiders can actually reach.

What gets checked

Auth, sessions, and account abuse paths

Access control, input handling, and APIs

PHI tracking exposure and third-party JavaScript

Headers, cookies, TLS, and exposed files

Report and retest

Findings with proof, severity, and business impact

Developer-ready remediation guidance

One complimentary retest after fixes

Next step

Ready to send the target?

Send your website URL and a short description of your application. We will confirm scope, explain the assessment process, and provide the next steps.