Laravel Security Audits and Penetration Tests

Hey there,

Since you’re here, I’m guessing you’re after a Security Audit or Penetration Test for your Laravel app. Welcome, you’ve come to the right place. 🕵️

I’m Stephen Rees-Carter, and I run Valorin Security, specialising in Laravel and PHP application security. I’ve been building and hacking Laravel apps since 2013, which means I know the framework inside out – its quirks, its sharp edges, and the places vulnerabilities like to hide.

I’ve audited everything from small side projects to large production apps, so I know the trade-offs between shipping features and keeping things secure. My audits go beyond the code itself – covering authentication, authorisation, third-party packages, your Composer supply chain, and the things automated scanners reliably miss.

I hold a CompTIA Security+ certification and am a Certified Ethical Hacker, and I spend a lot of time teaching developers how to write secure code through my conference talks, the Securing Laravel newsletter, and working directly with teams.

Sound like what you need? Get in touch and let’s chat. 🤓

Thanks,
Stephen

How My Laravel Security Audits Work

My approach is a bit different to most pentests you’ll come across. I start by reading your code – properly reading it, looking for weaknesses, anti-patterns, and the kinds of issues I learnt to spot from years of building Laravel apps myself. I then take what I learn from the code and use it to drive the penetration test, targeting the weak spots I’ve already identified alongside the usual scans and security checks.

I never touch production beyond passive, unauthenticated scans – I don’t want to see your customer data, and I don’t want to risk modifying anything. Penetration testing runs against a staging or testing environment.

During the audit, we’ll stay in regular contact – usually Slack, but whatever works for you. I’ll share findings as I discover them rather than dumping everything in a final report. That way you can ask questions, push back, or even start fixing issues while I’m still in the codebase and available to help.

Once the audit’s wrapped up, I’m still around. Happy to clarify findings, answer follow-up questions, or come back later to review your fixes (we can figure out scope and pricing for that if it’s useful).

I also run developer workshops based on my hacking talks, if you’d like the team to come away thinking more like hackers — and writing more secure code as a result.

What Makes My Security Audits Unique

I don’t just pentest web apps – I pentest Laravel apps specifically. That’s the whole job.

Most pentests start (and often end) with an automated scanner pointed at your URL, producing a report padded with false positives. The testers running them rarely understand how Laravel apps actually work — what to do with a Livewire component, an Eloquent scope, or a queued job. I do.

I’ve been writing Laravel since 2013, I contribute to the framework, I write the Securing Laravel newsletter for thousands of Laravel devs, and I speak about Laravel security at conferences around the world. When I read your code, I read it as a developer who’s built apps like yours – but with the mindset of someone trying to break them.

That means I find issues an automated scanner won’t: insecure authorisation patterns, dangerous Livewire public properties, leaky validation, supply chain risks, dodgy package use — the things that come from understanding the framework, not just running a tool against it.

And when I find something, I can tell you how to fix it. In Laravel. Specifically.

Ready to Chat?

Drop me an email at [email protected] and let me know you’re interested. From there, we’ll figure out what your app needs.

To give you an accurate timeframe and price, it helps to know a bit about the app upfront. When you email me, please include:

  • Rough size of the codebase (number of routes, controllers, models – a ballpark is fine)
  • Hosting/infrastructure setup
  • Front-end stack (Blade, Livewire, Inertia, separate SPA, etc.)
  • Monolith or microservices (and how many)
  • What you’d like covered – code only, code and infrastructure, multiple apps?
  • Any budget or timeframe constraints

The more detail you can share, the better an idea I’ll have of what’s involved. Once I’ve got that, I’ll come back with a timeframe and price, and we’ll go from there.

Looking for Something Simpler?

If a full audit is more than you need right now, I also offer informal, budget-friendly Security Reviews — same eyes, smaller scope.

Testimonials

We worked with Stephen in the context of a Laravel app in e-commerce. The collaboration with Stephen was very professional, solution-oriented, and uncomplicated. His feedback was always very constructive and hands-on. We would be happy to work with him again at any time.

Patrick Körber ~ EYOND

We will absolutely recommend you. No concerns at all, and we appreciate how structured and efficient you were throughout. It was great to trust you to go about your work without unnecessary oversight on our part. Your findings were clear and you gave great advice on how to remedy them.

Nick Oskirko ~ DivergentSoft

Stephen helped us with a security audit and pentesting for one of our applications at WhyBravo. He was a huge help and a pleasure to work with. Particularly for me, I appreciated how flexible the audit was, allowing us to resolve issues along the way before the final report. He was also immensely knowledgeable and informative. I would definitely recommend him!

Brad Ahrens ~ WhyBravo

First, it has been a pleasure to work with you and a great help.

Despite the technicality of the topic, I could understand most of the issues, could fix them thanks to your guidance and very clear explanations, and your tailor-made help.

Although a security audit is not a trivial expense, I feel the return on investment is great for several reasons:

1/ You give immediate, tailor-made, actionable fixes, so the project’s security improves within the 3-week period.

2/ You helped me grow rapidly on these topics, so I have the feeling the investment is also for myself 🙂

3/ You opened my eyes to the issues of security, and I just will not look at a controller or a route the same way in the future, for this project or for others.

Laurent Billon ~ AWKN