Find the weak points in your web apps, servers and networks — before attackers do.
OSS tooling × financial-grade engineering experience, balancing cost and precision.
Increasingly sophisticated attacks, regulatory pressure, and demands from business partners. For any public-facing web service, vulnerability assessment has shifted from "nice to have" to "too risky to skip".
Automated scanners and AI-powered attack bots probe newly launched sites within hours. Vulnerabilities are no longer a question of "if" — only "when".
Personal data protection law, PCI DSS, industry guidelines and financial regulations increasingly mandate assessments outright, across a growing range of domains.
Parent companies and business partners increasingly require vulnerability assessment reports — often as a precondition for deals and contract renewals. ASH also offers optional support for completing partner security questionnaires based on the assessment results.
Four types of assessment, offered individually or in combination, depending on your target and the depth required.
DAST (dynamic analysis) with OWASP ZAP, comprehensively detecting OWASP Top 10-class vulnerabilities: SQL injection, XSS, broken authentication and session management, and access control flaws. Supports form input, multi-step flows and authenticated areas.
Using OpenVAS / Nessus to detect known vulnerabilities (CVEs), misconfigurations, unnecessary open ports and missing patches across OS, middleware, servers and network equipment. In-depth assessments, including authenticated scans, of dedicated servers, on-premises systems and VPC resources.
We receive your source code and review it from the inside, reaching server-side logic invisible from outside — authorization checks, database operations, file I/O, hardcoded secrets and mail-sending routines. Combines SAST tooling such as Semgrep with manual code review by experienced engineers.
Combines black-box (ZAP) and white-box (SAST + manual review) approaches, compressing overlapping work while evaluating your system comprehensively from both outside and inside. Best suited to critical systems, financial services and systems handling personal data.
From corporate websites to mission-critical financial trading systems, we have performed assessments and remediation proposals across multiple production environments.
Black-box assessment of public websites with OWASP ZAP / OpenVAS. One-stop coverage from scope design — accounting for forms, authentication and shared-hosting constraints — through to remediation proposals.
Vulnerability assessment of financial-grade online trading systems (equities and derivatives). Non-disruptive assessment under high-availability, low-latency constraints, comprehensive staging-environment testing, and final pre-release checks.
For custom-built web applications and APIs, we received source code and combined SAST tooling such as Semgrep with manual code review — verifying server-side form handling, authorization control and the treatment of sensitive data from the inside.
The OWASP Foundation's official web application assessment tool (DAST). Supports Active Scan, Passive Scan and Ajax Spider for comprehensive dynamic analysis, including authenticated areas.
Open-source platform vulnerability scanner. Built on the CVE database, it detects known OS and middleware vulnerabilities, misconfigurations and open ports.
The de facto standard commercial platform vulnerability scanner. Enterprise-grade detection with support for authenticated scanning and compliance auditing (CIS, DISA STIG and more).
Static analysis tooling used in white-box assessments. Runs security rulesets for major languages including PHP, TypeScript and Python to detect dangerous implementation patterns.
While most assessment vendors offer only black-box (external) testing, ASH also performs white-box assessments — receiving your source code and reviewing it from the inside. Because we build production systems ourselves, we can deliver high-confidence findings that go straight to the code.
From the initial interview to report delivery and re-assessment, we work through five steps.
We clarify your objectives (regulatory compliance, partner requirements, pre-release verification) and the target scope (URLs, IPs, source code). Pinning down scope up front sharpens the estimate and avoids wasted effort.
Staging environment preparation, temporary WAF / IDS adjustments, scanning authorization requests to hosting providers (shared hosting, AWS and others), and NDA execution. We work alongside you on all pre-checks needed to avoid production impact.
We run automated scans with the selected tools (OWASP ZAP / OpenVAS / Nessus / SAST), and experienced engineers triage every finding — adding manual verification and manual code review where warranted. If a critical-level vulnerability is found, we alert you the same day with interim mitigation guidance, without waiting for the final report.
We deliver a report with risk ratings (CVSS-based) and concrete remediation guidance, including example fixes. An online debrief with your implementation team is also available for direct discussion.
After remediation, we verify that the fixes are effective — one post-fix re-assessment is included in the standard fee, so the deliverable is a fixed system, not just a report. We also offer recurring assessments built into your release cycle.
Not "detect and done" — one report covering both an executive-ready summary and remediation guidance developers can act on immediately. An anonymized sample report is available on request, so you can evaluate the report quality before ordering.
| Chapter | Content | Primary readers |
|---|---|---|
| 1. Executive summary | Overall risk rating, critical findings and prioritized recommendations, condensed into 1–2 pages | Executives & management |
| 2. Assessment overview | Scope, methodology and tools used, schedule, constraints | Management & staff |
| 3. Findings | Per-vulnerability risk level (CVSS-based), impact and reproduction steps | Staff |
| 4. Remediation proposals | Concrete fixes for each vulnerability; white-box assessments cite the affected code lines with example fixes | Developers |
| 5. Appendix | Raw scan data and references (links to CVE / CWE entries) | Developers |
| Level | Definition | Response guideline |
|---|---|---|
| Critical | Easily exploitable from outside, leading directly to data breach, tampering or system outage | Immediate action (including interim mitigation) |
| High | Exploitation requires specific conditions but has severe impact if successful | Fix within 1–2 weeks |
| Medium | Limited direct impact on its own, but exploitable in combination with other vulnerabilities | Fix in the next release |
| Low | Low likelihood of direct harm, but remediation is recommended for hardening | Address as planned work |
| Info | Not a vulnerability, but configuration details and recommended settings worth knowing | Use as reference |
* Same-day critical alerts: if a critical-level vulnerability is detected during the assessment, we notify you the same day with interim mitigation guidance — without waiting for the final report.
Quarterly-to-monthly automated scans with OWASP ZAP / OpenVAS, continuously monitoring risk from new CVEs and configuration changes. Low-cost and repeatable.
Before major releases, when critical features ship, and as an annual checkup — manual assessment and code review by experienced engineers, catching logic flaws that tools miss.
* We also advise on building scans into your release cycle (automated scanning in CI/CD = DevSecOps).
Pricing varies with target size, assessment depth and reporting requirements. The figures below are market-based approximations (excl. tax); a formal quote follows the initial interview.
| Assessment type | Indicative price | Notes |
|---|---|---|
| Web application (small) | JPY 200,000–500,000 (approx., excl. tax) | WordPress-class sites with few forms |
| Web application (medium) | JPY 400,000–800,000 (approx., excl. tax) | ~100 screens, multiple form flows |
| Platform assessment | JPY 50,000–200,000 per IP (approx., excl. tax) | OpenVAS / Nessus; suited to dedicated servers |
| White-box assessment | JPY 500,000–1,500,000 (approx., excl. tax) | Depends on custom code volume (SAST + manual) |
| Hybrid (black-box + white-box) | JPY 800,000–2,000,000 (approx., excl. tax) | For critical and financial systems |
| Re-assessment (post-fix verification) | One round included | Verification focused on remediated items (3–5 business days); subsequent rounds at 20–30% of the initial fee |
| Security questionnaire support | JPY 50,000–150,000 (approx., excl. tax) | Help completing partner / parent-company security questionnaires (offered alongside an assessment) |
* License costs are effectively zero, since we center on OSS tooling (OWASP ZAP / OpenVAS / Semgrep) — most of the cost is engineering time. Where the commercial Nessus scanner is used, license fees are quoted separately.
Companies with an ASH retainer — where we already support development and operations as your FDE (Forward Deployed Engineer) — can run vulnerability assessments on far better terms than engaging an external vendor from scratch.
Your FDE already knows the architecture, the code and the operations. The scoping and environment-survey effort that external assessments require (1–2 person-days) all but disappears, cutting both cost and lead time.
The usual cycle — assessment vendor's report, fix request to the development vendor, re-assessment scheduling — involves three-party coordination. With an FDE, the person who found the issue fixes it and re-scans immediately, shrinking time-to-resolution by a large factor.
Knowing which features touch revenue, personal data and core operations, we provide risk ratings and a response order that reflect your actual business — not just mechanical CVSS scores.
No new NDA, no shipping source code to another company. System internals and vulnerability findings stay within your existing retainer, without widening the circle of disclosure.
| Item | New engagement with an external vendor | Performed by your FDE (ASH retainer) |
|---|---|---|
| Pre-assessment interviews & environment survey | 1–2 person-days (billed separately) | Largely unnecessary (system already known) |
| Contract & NDA | New agreements required | Covered by the existing retainer |
| Post-detection fixes | Separate request and coordination with the development vendor | The FDE fixes it directly (immediate start) |
| Re-assessment | Separate quote and scheduling | Re-scanned immediately after the fix |
| Cost | Full market rate (full effort) | Below market thanks to reduced preparation and coordination; small scopes may fit within retainer hours |
| Recurring assessment | Contracted each time | Built into the release cycle and run continuously as DevSecOps |
* Where partners or auditors explicitly require an independent third-party assessment, we recommend pairing an external vendor assessment for your in-house-developed components — with the FDE acting as liaison, which still compresses coordination cost.
Preparing the items below improves estimate accuracy, smooths the assessment and keeps cost down. You don't need everything — we'll sort out open questions together in the interview.
Tell us about your target systems, the assessment type you have in mind and your preferred timing — we'll organize the scope and provide a quote. The inquiry form is in Japanese, but inquiries in English are welcome — we respond in English.