Laravel Security Audits and Pentesting

Hey there,

Since you’re here, I’m guessing you’re interested in security audits and penetration testing for Laravel apps. Welcome, you’ve definitely come to the right place!

Let me introduce myself, I’m Stephen Rees-Carter, and I specialise in security audits and pentesting for Laravel apps. I’ve been building and hacking Laravel apps since 2013, so I know how to help you secure your sites, and I’m excited to work with you!

I’ve worked as a Senior Developer on a wide range of apps, both large and small, so I know the challenges faced to keep everything secure while still providing all of the features required. I hold a CompTIA Security+ Certification and am a Certified Ethical Hacker. My focus for the past 6 years has been on teaching developers how to write secure code, through my talks, Laravel Security in Depth, and working directly with companies to audit and test their apps.

Please reach out via email and we can discuss what you’re looking for.


How My Laravel Security Audits Work

The way I work is a bit different from most pen tests that I’ve come across. Rather than simply point an automated scanner at your site and pass through the generated report, I take the time to read through and understand your code – looking for weaknesses and security anti-patterns (based on my extensive experience as a senior Laravel developer). I then take this knowledge and apply it to a penetration test of the app, trying to exploit any identified weaknesses, as well as perform other scans and security checks. I make it a policy to not touch production beyond passive unauthenticated scans, to ensure I don’t see or modify any of your customer’s data, and will run my penetration test against a staging/testing environment.

During the audit, we can connect via Slack, or a different communication tool of your choice. Rather than just give you a report at the end, I like to keep an open dialog during the process, updating you on my findings along the way. This gives you the opportunity to ask any questions you may have, as well as discuss and resolve any issues while I am directly available. I’m happy to explain my findings in depth, and help you work through possible fixes.

After the audit is complete, I’m happy to answer any questions or clarify any of the findings. If you’d like me come back and review your changes and fixes for the issues discovered during the audit, we can figure out a timeframe and pricing once we have any idea of might be required. Likewise, if you need any direct help resolving any issues found.

For further developer education, I also offer developer workshops based around my hacking talks, where I teach developers how to think like hackers, identify security issues in their apps, and write more secure code.

I look forward to working with you! 🙂

That Sounds Great, How Do We Get Started?

The first step is to reach out via email and let me know you’re interested, and we’ll go from there: [email protected].

Based on the way I work, knowing the size and structure of the app is important to work out how long I will need for the audit.

When you reach out, can you please let me know:

  1. Number of routes, controllers, commands, and models?
  2. Infrastructure/hosting environment?
  3. Front end framework/tooling?
  4. Monolith or microservices (and how many)?
  5. What areas you’re interested in having audited? (i.e. just the code, code and infrastructure, multiple apps, etc)

Once I’ve got an idea of the size of your app, I’ll let you know an estimated timeframe and price, and we can go from there.

The more info you can provide, the better an idea I’ll have for what will be involved. Also let me know if you’ve got any specific budgetary and/or timeframe requirements.

What Makes My Security Audits Unique

My methodology involves reviewing the code first, looking for potential vulnerabilities and weak points that could be exploited or improved. I then use what I learn from the code review to try and compromise the app, attacking the weak points, as well as checking other common areas and security features.

I use my knowledge of Laravel and many years of experience as a senior developer to look for weaknesses that will easily be missed by automated scanners and penetration testers who just check the common stuff. I can also work with you to fix any issues, and advise on specific code changes. Most pentests will simply give you a report, a leave you to figure it out how to fix them on your own.

A lot of penetration testers will simply throw an automated security scanner at your app, rebrand the results, run a few more generic tests, and then send you report filled with false positives. They have no understanding of how Laravel apps work, and don’t take into account the unique security features and design choices that go into building one.


We worked with Stephen in the context of a Laravel app in e-commerce. The collaboration with Stephen was very professional, solution-oriented, and uncomplicated. His feedback was always very constructive and hands-on. We would be happy to work with him again at any time.

Patrick Körber ~ EYOND

We will absolutely recommend you. No concerns at all and appreciate how structured and efficient you were throughout. It was great to trust you to go about your work, without unnecessary oversight on our part. Your findings were clear and you gave great advice on how to remedy.

Nick Oskirko ~ DivergentSoft

Stephen helped us with a security audit and pentesting for one of our applications at WhyBravo. He was a huge help and a pleasure to work with. Particularly for me, I appreciated how flexible the audit was, allowing us to resolve issues along the way before the final report. He was also immensely knowledgeable and informative. I would definitely recommend him!

Brad Ahrens ~ WhyBravo

First, it has been a pleasure to work with you and a great help.

Despite the technicality of the topic, I could understand most of the issues, could fix them thanks to your guidance and very clear explanations, and your tailor-made help.

Although a security audit is not a trivial spending, I feel the return on investment is great for several reasons:

1/ You give immediate, tailor-made, actionable fixes, so ,the project’s security improves within the 3 week period.

2/ You helped me grow rapidly on the topics so I have the feeling the investment is also for myself 🙂

3/ You opened my eyes on the issues of security, and I just will not look at a controller or a route the same way in the future, for this project or for others.

Laurent Billon ~ AWKN