What is the difference between vulnerability scanning and penetration testing?

A vulnerability scan is an automated process that lists potential flaws. A penetration test is a manual, in-depth assessment where an expert actively attempts to exploit those flaws — chaining attack vectors and validating real technical and business impact, not just theoretical exposure.

What methodologies do you follow?

We follow OWASP Web Security Testing Guide and OWASP API Security Top 10 for web and API audits, PTES (Penetration Testing Execution Standard) and OSSTMM for infrastructure work, and NIST SP 800-115 as the overarching framework. Findings are scored with CVSS v4.0 and mapped to MITRE ATT&CK where applicable.

Do you work with companies outside Spain?

Yes. Although our office is in Oliva (Valencia, Spain), we work remote-first with companies across Spain and the European Union. Most of our engagements are delivered fully remote, with occasional on-site work where the scope justifies it.

Primitive Labs | Penetration Testing & Security Audits

Q: What do I receive at the end of the audit?

Two reports: an Executive report (for management, with risk summary, business impact and security posture) and a Technical report (for developers and SysAdmins, with reproduction steps, evidence, CVSS v4.0 scoring and a prioritised remediation plan). A retest session is included after fixes are applied.

Q: How often should I audit my systems?

At least once a year, and whenever significant changes are made to infrastructure, major code releases, cloud migrations or new internet-exposed integrations. If your company is subject to ISO 27001, PCI-DSS or NIS2, the standard already defines the minimum cadence.

Process

Phase _ 01

Reconnaissance (OSINT)

Passive and active information gathering. We identify exposed assets, subdomains and data leaks.

Phase _ 02

Vulnerability Analysis

Automated and manual scanning to detect configuration flaws, outdated software and logic errors.

Phase _ 03

Controlled Exploitation

Validation of findings. Our experts attempt to penetrate your systems safely to measure the real impact.

Phase _ 04

Reporting & Remediation

We deliver a detailed report with findings, business risk and exact steps to fix each flaw.

We identify your blind spots before they are exploited.

In the digital landscape, basic compliance is not enough. Our pentesting services go beyond a simple automated scan; we apply the creativity and persistence of a real attacker to ensure your business withstands sophisticated threats.

Key Benefits

Protect your reputation and avoid financial losses from data breaches.

Guaranteed compliance with international regulations (GDPR, SOC2).

// Audits & Pentesting //

Find your gaps before attackers do.

1,490 €990 €

Basic

For live websites & apps

Basic

Includes:

Web application audit (OWASP Top 10) — 1 domain/app
Automated scanning + manual expert validation
CVSS v4.0 scored vulnerability report
Prioritised remediation plan (Critical / High / Medium / Low)
1 free retest of critical findings (valid 30 days)
Delivery within 5–7 working days
30-day post-delivery Q&A support included

Get plan

3,190 €2,490 €

Pro

Full infrastructure pentesting

Pro

Includes:

Web + API + internal network pentesting (up to 3 targets)
Authentication, session & business logic testing
OWASP / PTES / NIST SP 800-115 methodology applied
Executive report (management) + technical report
CVSS v4.0 scoring + exploitation chain mapping
2h technical session with your dev team
Full retest included after remediation (valid 60 days)
Delivery within 10–15 working days

Get Plan

From 6,200 €From 4,900 €

Custom

Advanced Red Teaming

Custom

Includes:

APT (Advanced Persistent Threat) simulation — unlimited scope
Red Teaming using MITRE ATT&CK evasion techniques
SAST + DAST source code audit (full codebase)
Social engineering + targeted phishing campaign
Physical security assessment (available on request)
Executive report for management + comprehensive technical report
Unlimited retests throughout the full engagement duration
Delivery timeline agreed upfront; typically 3–6 weeks

Request info

FAQ

Frequently Asked Questions
about Audits.

What is the difference between vulnerability scanning and pentesting?

A vulnerability scan is an automated process that lists potential flaws. Pentesting is a manual and intensive test where an expert attempts to exploit those flaws to verify how far a real attacker could get.

Will pentesting affect my site's availability?

We conduct tests with maximum care. Although there is a minimal inherent risk with stress tests, we coordinate with your team to perform the most aggressive tests during low-traffic hours or in staging environments.

What do I receive at the end of the audit?

We deliver two reports: an Executive one (for management, with a summary of risks and security status) and a Technical one (for developers, with step-by-step details to reproduce and fix each vulnerability).

How often should I audit my systems?

We recommend performing a pentest at least once a year, or whenever significant changes are made to the infrastructure or application code.

Web Development

Cybersecurity

Security First

Contact

Language

Process

Reconnaissance (OSINT)

Vulnerability Analysis

Controlled Exploitation

Reporting & Remediation

We identify your blind spots before they are exploited.

Key Benefits

Find your gaps before attackers do.

Basic

Includes:

Pro

Includes:

Custom

Includes:

Frequently Asked Questions
about Audits.

Address

Web Development

Cybersecurity

Security First

Contact

Language

Security Audits & Ethical Hacking.

Process

Reconnaissance (OSINT)

Vulnerability Analysis

Controlled Exploitation

Reporting & Remediation

We identify your blind spots before they are exploited.

Key Benefits

Find your gaps before attackers do.

Basic

Includes:

Pro

Includes:

Custom

Includes:

Frequently Asked Questions about Audits.

Security Audits
& Ethical Hacking.

Frequently Asked Questions
about Audits.