Penetration testing
Backbuild treats adversarial testing as a continuous activity rather than a once-a-year event. Internal review runs throughout the software delivery process, and a formal external penetration test cycle is being established as part of the compliance roadmap.
Internal adversarial review
- Continuous red-team mindset: engineers review changes with an explicit "how could an attacker abuse this" checklist as part of code review.
- Security-focused reviews: security-sensitive changes — authentication, authorization, data export, payment handling — receive an additional review focused on abuse cases.
- Automated checks: static analysis, dependency scanning, and policy checks run in CI on every pull request.
- Threat modeling: new features that introduce trust boundaries or handle sensitive data are threat-modeled during design.
External penetration testing
- Annual engagement: a yearly penetration test by an independent, qualified security firm is being planned.
- Target timeline: the first formal external engagement is targeted for Q3 2026.
- Scope: the engagement will cover the public API, web application, authentication flows, and multi-tenant authorization boundaries. Scope is defined per engagement.
- Methodology: test firms are selected based on industry reputation and their use of recognized methodologies such as OWASP ASVS and PTES.
- Retesting: findings will be retested after remediation to confirm that they have been fully addressed.
Findings and remediation
Findings from internal and external testing are logged in the internal change management system, assigned an owner, prioritized by severity, and tracked through remediation in line with the vulnerability management SLAs. Completed remediations are subject to verification before the finding is closed.
Responsible disclosure
Security researchers who are not part of a formal engagement can report vulnerabilities through the responsible disclosure policy. Reports are acknowledged promptly, triaged, and remediated in line with the same severity-based SLAs.
Access to penetration test reports
Once external penetration tests have been completed, summary reports will be made available to qualified customers under a mutual non-disclosure agreement. Full technical reports containing exploit detail are not distributed. To request a summary report, email the security team with your company name and evaluation context.
Contact
Penetration test summary requests or scoping questions: security@backbuild.ai