# What Does Each Assessment Cover?

Each assessment type maps to an industry-recognized security framework. This page describes exactly what Cipher tests for, so you know what to expect before your assessment starts.
## API — OWASP API Security Top 10 (2023)

Cipher tests REST and GraphQL APIs against the OWASP API Security Top 10 (2023).

| ID | Category | What Cipher looks for |
|---|---|---|
| API1:2023 | Broken Object Level Authorization | Can user A access user B's resources by changing IDs? |
| API2:2023 | Broken Authentication | Token weaknesses, credential stuffing, missing rate limits |
| API3:2023 | Broken Object Property Level Authorization | Mass assignment, excessive data exposure in responses |
| API4:2023 | Unrestricted Resource Consumption | Missing rate limits, resource exhaustion, pagination abuse |
| API5:2023 | Broken Function Level Authorization | Privilege escalation, horizontal and vertical access control |
| API6:2023 | Unrestricted Access to Sensitive Business Flows | Automated abuse of business logic (e.g., ticket scalping, bonus abuse) |
| API7:2023 | Server Side Request Forgery (SSRF) | URL parameters triggering server-side requests to internal resources |
| API8:2023 | Security Misconfiguration | Verbose errors, unnecessary HTTP methods, CORS issues, missing headers |
| API9:2023 | Improper Inventory Management | Deprecated endpoints, debug endpoints, undocumented APIs |
| API10:2023 | Unsafe Consumption of APIs | Third-party API data handling, trust boundary issues |
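
The API1:2023 row above asks whether user A can read user B's resources by changing an ID. The following Python is an added example written for this page, not Cipher's code and not any project's API: it contrasts a handler that looks an order up by ID alone with one that scopes the lookup to the requester, and includes the kind of cross-user regression check a team can keep in CI. The order store, user IDs and function names are constructed for the example.

```python
"""Added example, not Cipher's code: API1:2023 (BOLA) in miniature.

Two handlers for GET /orders/{order_id}. One authenticates the caller but
never checks who owns the object, so changing the ID in the URL returns
another user's order; the other scopes the lookup to the requester.
The order store, user IDs and handler names are constructed for this
example and assume nothing about any real API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: str
    total_cents: int


class NotFound(Exception):
    """Raised where the API would answer 404."""


# Constructed sample data: two users, one order each.
ORDERS = {
    1001: Order(1001, "user-a", 4_999),
    1002: Order(1002, "user-b", 12_000),
}


def get_order_vulnerable(requester_id: str, order_id: int) -> Order:
    """Broken: the requester is known (they are authenticated) but the
    lookup is by ID alone, so any user can read any order."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id) from None


def get_order_hardened(requester_id: str, order_id: int) -> Order:
    """Fixed: ownership is part of the lookup, not an afterthought.
    'Missing' and 'not yours' both answer NotFound, so the endpoint does
    not reveal which IDs exist to users who cannot read them."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != requester_id:
        raise NotFound(order_id)
    return order


def cross_user_access(handler, requester_id: str, order_id: int) -> str:
    """Regression check suitable for CI: request an object as a given user
    and report whether the handler returned it or denied it."""
    try:
        handler(requester_id, order_id)
    except NotFound:
        return "denied"
    return "returned"


if __name__ == "__main__":
    # user-a asks for user-b's order 1002 through each handler.
    print("vulnerable handler:", cross_user_access(get_order_vulnerable, "user-a", 1002))
    print("hardened handler:  ", cross_user_access(get_order_hardened, "user-a", 1002))
```

The fix is in the shape of the query, not in an extra `if` bolted on afterwards: the hardened handler never has a foreign object in hand to leak, and it answers "not found" uniformly so ID enumeration learns nothing.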
## Web — OWASP Top 10:2025

Cipher tests web applications against the OWASP Top 10:2025.

| ID | Category | What Cipher looks for |
|---|---|---|
| A01:2025 | Broken Access Control | IDOR, privilege escalation, forced browsing, missing access controls |
| A02:2025 | Security Misconfiguration | Default configs, verbose errors, missing headers, cloud misconfiguration |
| A03:2025 | Software Supply Chain Failures | Vulnerable dependencies, compromised components |
| A04:2025 | Cryptographic Failures | Weak encryption, exposed sensitive data, cleartext transmission |
| A05:2025 | Injection | SQL, NoSQL, OS command, LDAP, XPath, template injection, XSS |
| A06:2025 | Insecure Design | Missing threat modeling, insecure business logic |
| A07:2025 | Authentication Failures | Credential stuffing, brute force, weak passwords, missing MFA |
| A08:2025 | Software or Data Integrity Failures | Unsigned code, insecure deserialization |
| A09:2025 | Security Logging and Alerting Failures | Missing audit logs, insufficient monitoring |
| A10:2025 | Mishandling of Exceptional Conditions | Improper error handling, information leakage through errors |
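
To make the A05:2025 Injection row concrete, here is an added Python example (written for this page; not Cipher's code) using an in-memory SQLite table. It places a user lookup built by string formatting beside the parameterized form, and goes one step beyond the single SQL case: a sort-column parameter, which cannot be bound as a value, is constrained with an allowlist instead. The table, rows and function names are constructed for the example.

```python
"""Added example, not Cipher's code: the A05:2025 injection class in miniature.

A lookup that splices user input into SQL text is compared with a
parameterized query, and a sort column (an identifier, which drivers
cannot bind as a parameter) is validated against a fixed allowlist.
The table and its rows are constructed sample data.
"""
import sqlite3

# Identifiers cannot be parameterized, so they are allowlisted instead.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Broken: the value is spliced into the SQL text, so a quote character
    in the input changes the structure of the query rather than its data."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    """Column names cannot be bound, so the only safe option is to reject
    anything outside a fixed allowlist before interpolating the identifier."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    sql = f"SELECT username, role FROM users ORDER BY {sort_column}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"  # the textbook structure-changing input
    print("vulnerable:", find_user_vulnerable(db, probe))  # both rows come back
    print("hardened:  ", find_user_hardened(db, probe))    # no such user: []
    print("sorted:    ", list_users_sorted(db, "role"))
```

The same two-part rule generalises to the other injection targets in that row (NoSQL, OS command, LDAP, XPath, templates): pass data through the API's typed or bound channel, and where the language has no such channel for a given position (identifiers, command names), validate against an allowlist rather than escaping.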
## Mobile — OWASP MASVS v2.1.0

Cipher tests iOS and Android apps against the OWASP Mobile Application Security Verification Standard (MASVS) v2.1.0.

| Code | Category | What Cipher looks for |
|---|---|---|
| MASVS-STORAGE | Storage | Sensitive data at rest, SharedPreferences, SQLite, Keychain misuse |
| MASVS-CRYPTO | Cryptography | Encryption implementation, key management, hardcoded keys |
| MASVS-AUTH | Authentication | Local auth (biometrics), session management, token storage |
| MASVS-NETWORK | Network | TLS configuration, certificate pinning, cleartext traffic |
| MASVS-PLATFORM | Platform Interaction | IPC, WebView security, exported components, excessive permissions |
| MASVS-CODE | Code Quality | Input validation, memory safety, dependency vulnerabilities |
| MASVS-RESILIENCE | Resilience | Root/jailbreak detection, anti-tampering, anti-debugging |
| MASVS-PRIVACY | Privacy | PII handling, tracking consent, data minimization |
## Network — PTES v1.1

Cipher tests network infrastructure following the Penetration Testing Execution Standard (PTES) methodology.

| Category | What Cipher looks for |
|---|---|
| Service Exposure | Unnecessary open ports, management interfaces (SSH, RDP, admin panels) |
| Authentication | Default credentials, weak passwords, anonymous access |
| Outdated Software | Known CVEs, unpatched services, end-of-life software |
| Encryption | Weak TLS/SSL configurations, cleartext protocols, self-signed certificates |
| Misconfigurations | Directory listing, verbose banners, SNMP community strings, debug modes |
| Information Disclosure | Service banners, error messages, DNS zone transfers, SNMP enumeration |

The assessment follows the PTES phases: intelligence gathering, threat modeling, vulnerability analysis, exploitation, and post-exploitation. Cipher operates within your defined scope — no unauthorized lateral movement or destructive actions beyond your targets.