What does a SaaS pentest cover that a generic web pentest does not?

Tenant isolation across every endpoint, role-matrix probing of every action, plan and feature gating, billing flow tampering, SSO and SCIM provisioning, org and workspace switching, audit-log integrity, and B2B admin escalation. A generic web pentest can find injection and auth bypass, but only a SaaS-scoped pentest probes whether tenant A can read tenant B.

How does the pentest verify tenant isolation?

It signs up at least two tenants and at least one user per role inside each tenant. Then it asks: for every request user A in tenant A makes, does the same request from user B in tenant B return tenant A's data? Cross-tenant IDOR shows up as soon as the answer is yes.

Why are billing and subscription bugs so common in SaaS?

Because the billing UI is built early when the team is small and the business logic is built late when the team is big. The result: a feature gate enforced in the UI but not the API, a plan limit checked at signup but not on the create endpoint, a Stripe webhook that updates the subscription record without verifying the signature.

Should the pentest test SSO?

Yes. SAML and OIDC flows have well-known classes of bug — XML signature wrapping, IdP-initiated login bypassing relay state, missing audience checks, missing nonce. SCIM provisioning flows have their own bugs around role assignment from external IdPs. We probe both.

What is mass assignment in a SaaS context?

An endpoint accepts a JSON body and binds it to a record without an allowlist. In a SaaS app the dangerous fields are role, isAdmin, tenantId, and verified. A user updating their profile sets role to admin, and the framework writes it because the developer used `update(req.body)`.

Can the pentest test billing without breaking real payments?

Yes. The agent runs against staging where Stripe is in test mode, or works against production using documented test card numbers and reverts changes. It probes the webhook signature, plan-limit enforcement, and feature-gate enforcement without making real charges.

What about audit-log integrity?

Audit logs are a control. The pentest verifies that every privileged action emits an event, that events cannot be deleted by tenant admins (only the platform can), and that event tampering is detectable. A SaaS without audit-log integrity has no story when a customer asks who deleted their data.

Does the pentest cover free-trial abuse?

Yes. We probe whether free-trial limits can be bypassed by re-signup, by changing email casing, by adding plus-aliases, or by hitting the underlying API directly to skip the quota check.

AI Pentest for SaaS Applications: Security Testing for Multi-Tenant Platforms

What an AI pentest for SaaS actually covers

A SaaS pentest is a web pentest plus the multi-tenant tax. Every probe in the web application playbook and the API playbook still applies, layered with tenant scoping, role-matrix probing, and billing-flow checks. The agent signs up multiple tenants and multiple roles, then drives every action with every identity to find the gap.

Multi-tenant bugs are business-ending

A single tenant isolation failure means one customer can access another’s data, destroying trust overnight. These vulnerabilities are notoriously difficult to test manually but are systematically found by AI pentest agents.

SaaS pentest checklist

Test tenant isolation. Verify that one tenant cannot access, modify, or even detect another tenant's resources.
Verify data segregation. Ensure database queries, file storage, and caching layers scope all data to the authenticated tenant.
Probe subscription bypass. Test whether users can access premium features, exceed plan limits, or manipulate billing state.
Test admin panel security. Verify admin interfaces are protected and cannot be accessed by regular users or unauthenticated visitors.
Check payment flow integrity. Test Stripe webhooks for replay, amount manipulation, and subscription state tampering.
Verify webhook security. Ensure incoming webhooks validate signatures, reject replays, and handle malformed payloads safely.
Test API key management. Verify API keys are scoped, rotatable, and revocable without affecting other tenants.
Audit user role permissions. Test RBAC across all endpoints to ensure users cannot escalate roles or access admin functions.
Test SSO and OAuth flows. Probe SSO and OAuth integrations for account takeover, token leakage, and redirect URI manipulation.
Verify data export security. Ensure exports return only the authenticated tenant's data and cannot be abused for bulk extraction.

Benefits of AI pentest for SaaS

Catches tenant isolation failures

AI agents systematically test cross-tenant access paths that are the most critical and hard-to-find SaaS vulnerabilities.

Tests subscription and payment logic

Probes billing flows, plan limits, and feature gates to find bypass vulnerabilities that cost you revenue.

Verifies RBAC enforcement

Tests every endpoint against every role to find the authorization gaps that let regular users access admin functions.

Affordable for startups

Get enterprise-grade penetration testing at a fraction of the cost of traditional pentesting firms. See AI Security Audit for Startups.

Multi-tenant testing methodology

Tenant isolation is the headline. Everything below assumes the agent has signed up at least two tenants and at least one user per role inside each.

Cross-tenant probing

For every endpoint:

Hit it with the URL containing a known resource ID owned by tenant A, but the auth token of a user in tenant B. Anything other than 404 (or 403) is a finding.
Hit it with a list / search / pagination filter that includes the other tenant’s ID. The server should return zero results, not “access denied” — leaking existence is its own bug.
Hit it with the same tenantId query param a frontend would send, but a different tenant’s actual data. Confirm the server ignores client-side tenant claims and uses the session-bound tenant.

Role-matrix probing

Build the role matrix: for each role (owner, admin, member, billing, viewer, guest), test each privileged action.

Action	Owner	Admin	Member	Billing	Viewer	Guest
Read tenant data	✓	✓	✓	✓	✓	depends
Write tenant data	✓	✓	✓	—	—	—
Invite users	✓	✓	—	—	—	—
Change plan	✓	—	—	✓	—	—
Delete tenant	✓	—	—	—	—	—

The agent attempts each action with each role and confirms the matrix is enforced server-side. The most common finding is member able to invite users because the API checks “logged in” but not the role.

Tenant-switching exploits

Apps that support a user belonging to multiple tenants have to validate which tenant a request applies to. The agent:

Sends a request with the X-Tenant-Id header set to a tenant the user does not belong to.
Switches tenant in the UI, then replays a stale request with the previous tenantId cookie. Confirm the server treats the session-bound tenant as authoritative.
Probes for tenant lookup by slug — /<slug> URLs that 404 for non-members but 200 for members can leak existence by timing.

Plan-limit and feature-gate probing

Most plan limits are checked once and never again. The agent probes:

A free-tier user creating a resource until the limit is hit, then bypassing via the API directly with no UI gate
A free-tier user calling premium-only endpoints (export, advanced filters, integrations) to see if the gate exists server-side
A user changing their planId via mass assignment in a profile update

B2B SaaS specifics

B2B has its own surface — orgs, workspaces, SSO, SCIM, admin escalation.

Org-level access

Most B2B apps have at least two scopes: workspace and org. The agent tests both. Common finding: workspace admin can read org-level audit logs because the org scope was an afterthought.

Admin escalation

The single most expensive bug in B2B SaaS. Patterns we keep finding:

A profile update endpoint accepts role via mass assignment.
Inviting yourself by email to your own tenant lets you choose the role on the invite payload.
An old acceptInvite endpoint sets the role from the invite token without re-verifying that the inviter had permission to assign it.
A platform-level admin role exists for the SaaS team, accessible via a feature flag header that leaked into the bundle.

OAuth scope abuse

When the SaaS authenticates users via Google or Microsoft OAuth:

Confirm the app verifies the email domain matches the tenant’s allowed domains. Without this, anyone with acme.com can join the Acme tenant.
Confirm the app does not over-request scopes (Drive, Gmail) when only profile is needed.
Confirm the OAuth state parameter is verified to prevent CSRF on login.

SSO testing (SAML, OIDC)

SAML signature wrapping. The agent crafts an assertion where a wrapped signed element references a different ID than the response payload. A vulnerable verifier authenticates the wrong assertion.
Audience and recipient checks. Confirm the verifier rejects assertions whose Audience or Recipient does not match the SP entity ID.
Replay. Confirm the verifier tracks Assertion ID and rejects reuse.
OIDC. Confirm nonce is verified, iss is verified, aud is verified, and ID tokens are validated against the JWKS endpoint, not by hand.

SCIM provisioning

Confirm the SCIM endpoint authenticates the IdP token (not just any bearer token).
Confirm role mapping does not allow the IdP to provision a user as platform admin.
Confirm de-provisioning revokes sessions and API keys, not just the user record.

Audit-log integrity

Every privileged action emits an event with actor, action, resource, timestamp, and tenant.
Tenant admins cannot delete events, only the platform can.
Events are append-only at the storage layer (immutable bucket, write-only IAM).
The pentest deletes a resource and confirms the event is in the log.

Critical SaaS vulnerabilities AI catches

Tenant data leakage

AI logs in as different tenant users and attempts to access cross-tenant data through IDOR, API parameter manipulation, and shared resource endpoints. A single tenant isolation failure is an extinction-level event for a SaaS company.

Subscription bypass

AI tests whether premium features are enforced server-side. Can a free-tier user access paid API endpoints directly? Can they modify their subscription tier through the API? Billing logic bugs are surprisingly common in AI-generated SaaS apps.

Admin panel exposure

AI discovers and tests admin routes (/admin, /dashboard/admin, /api/admin/*) for authorization checks. Many AI-generated admin panels rely on client-side routing guards that can be bypassed.

Webhook manipulation

AI tests webhook endpoints for authentication, payload validation, and replay attacks. Unvalidated webhooks from Stripe, GitHub, or other services can be spoofed to trigger unauthorized actions.

Insecure invitation flows

AI tests team invitation, password reset, and magic link flows for token reuse, expiration enforcement, and privilege escalation. Can an invite link be used to create an admin account?

API key management

AI checks whether API keys are properly scoped, rotatable, and revocable. Tests for keys that grant excessive permissions or never expire.

Anonymized real-world findings

Examples from SaaS apps we have audited. Tenant identifiers and exact routes are altered.

Cross-tenant report-generation IDOR

Endpoint: POST /api/reports/generate. Evidence: the body accepted { "reportId": "<uuid>" } and the handler loaded the report by ID without scoping to the caller’s tenant. A user in tenant A could generate any report from any tenant by submitting the UUID. UUIDs were sequential v1, making enumeration easy. Impact: full cross-tenant data export. Fix: scope the query by tenantId = session.tenantId, switch to v4 UUIDs, return 404 on miss.

Admin role assignable via mass assignment

Endpoint: PUT /api/users/me. Evidence: the handler called User.update(req.body, { where: { id: user.id } }). The agent submitted { "role": "admin" } and the role updated. Impact: any logged-in user could become an admin in their own tenant, then read every other user’s data. Fix: explicit field allowlist of name, email, avatarUrl. Reject unknown keys with a 400.

Subscription-tier feature gate bypassable client-side

Endpoint: POST /api/exports/csv. Evidence: the UI hid the export button for free-tier users, but the API endpoint had no plan check. The agent on a free trial called the endpoint directly and received a full CSV export. Impact: paid feature given away to anyone who can read the network tab. Fix: check tenant.plan server-side at the top of the handler, return 402 on insufficient plan.

Stripe webhook missing signature verification

Endpoint: POST /api/webhooks/stripe. Evidence: the handler parsed the body and updated the subscription record without calling stripe.webhooks.constructEvent. The agent posted a forged event with subscription.status = "active" and the platform record updated. Impact: free upgrade to paid plan. Fix: verify the stripe-signature header against the webhook secret on every request.

Invite-link role takeover

Endpoint: POST /api/invites/accept. Evidence: the body accepted { "token": "...", "role": "admin" }. The handler used the token to find the invite and the body to set the role. Impact: any invitee could promote themselves to admin on accept. Fix: read the role from the invite record (set by the inviter) and ignore the body.

SAML missing audience check

Endpoint: SSO callback. Evidence: the SAML verifier did not check the <Audience> element. An assertion signed by the customer’s IdP for a different SP could be replayed against the SaaS to log the user in. Impact: SSO bypass. Fix: enforce Audience matches the configured SP entity ID, plus Recipient, NotOnOrAfter, and replay protection.

Fix prompts you can paste

Add tenant scoping to a query

The handler <route> loads the resource by ID without scoping to the caller’s tenant. Update the query to where: { id, tenantId: session.tenantId }. Return 404 (not 403) on miss to avoid leaking existence. Add a unit test that confirms a request from tenant A for tenant B’s resource returns 404.

Replace mass assignment with an allowlist

The handler PUT /api/users/me calls User.update(req.body). Replace with an explicit allowlist of name, email, and avatarUrl. Reject unknown keys with a 400. Never accept role, tenantId, planId, verified, stripeCustomerId, or any field beginning with is.

Verify Stripe webhook signature

The webhook POST /api/webhooks/stripe does not verify the signature. Update the handler to call stripe.webhooks.constructEvent(rawBody, signatureHeader, webhookSecret) and reject on failure. Read the raw body before any JSON parsing. Add a test that submits an event with a missing or invalid signature and confirms a 400.

SaaS security by growth stage

Pre-launch / MVP

Focus on authentication, basic authorization, and data encryption. AI pentest catches the foundational security issues that can kill trust before you have it. At this stage, a single data breach can end your company before it starts.

Growth stage (100–1,000 customers)

Add tenant isolation testing, payment security, and API security. As your attack surface grows, AI pentest scales with you — testing new features as you ship them. This is when most SaaS breaches happen: the team is growing fast and security gets deprioritized.

Scale (1,000+ customers)

Layer in compliance testing (SOC 2, GDPR), advanced authorization testing, and continuous monitoring. Enterprise customers will ask for security reports — AI pentest generates them automatically. See Compliance Penetration Testing.

Why multi-tenant security is hard

Multi-tenant SaaS applications share infrastructure, databases, and code paths between customers. A single missing WHERE tenant_id = ? clause in a database query can expose every customer’s data. AI pentest agents test every data-fetching endpoint with different tenant contexts to find these gaps.

The problem compounds with AI-generated code. When developers prompt Cursor or Lovable to “add a team management feature,” the AI generates CRUD endpoints that work correctly for a single tenant but often miss cross-tenant authorization. AI pentest catches these patterns because it systematically tests the same endpoint with credentials from different tenants, organizations, and roles.

AI Pentest for Web Applications — pentesting the SaaS frontend
AI Pentest for APIs — REST, GraphQL, WebSocket pentest
AI Pentest for Cloud Infrastructure — IAM, S3, IMDS
AI Security Audit for Startups — affordable security audits
Compliance Penetration Testing — SOC 2, ISO 27001, HIPAA
Continuous Penetration Testing — every-deploy SaaS coverage
AI Penetration Testing Guide — full methodology
Vibe Pentesting — generalized methodology for AI-built SaaS
Lovable Pentesting — Lovable + Supabase SaaS pentest playbook
Supabase RLS Checker — tenant scoping at the database layer
Firebase Scanner — Firestore Security Rules audit
Token Leak Checker — focused scan for keys exposed in bundles
VibeEval vs Burp Suite — manual vs autonomous pentest
Best Security Scanner for AI Apps — comparison

Pentest your SaaS platform today

VibeEval’s AI pentest agents test tenant isolation, subscription logic, and RBAC enforcement automatically. Enterprise-grade security testing at startup-friendly pricing.