What should be included in a SaaS penetration test scope?

A SaaS pentest scope should include all API endpoints (REST, GraphQL, WebSocket), authentication and authorization flows, multi-tenant isolation boundaries, webhook receivers, third-party integrations (OAuth apps, Zapier, marketplace plugins), payment processing logic and role-based access controls across every user tier.

Why do most pentest vendors miss critical SaaS attack surface?

Most vendors scope SaaS tests like traditional web applications. They test the UI layer but skip internal APIs, background job processors, webhook endpoints and integration callback URLs. They also frequently omit multi-tenant isolation testing because it requires multiple test accounts across separate tenants, which adds complexity to the engagement.

Should API-only testing be sufficient for a SaaS pentest?

No. API-only pentests miss authentication bypass vulnerabilities that exist in the UI layer, such as client-side authorization checks, exposed admin routes and session fixation through browser-based flows. A complete SaaS pentest must cover both the API surface and the application UI to identify the full range of vulnerabilities.

How do you scope multi-tenant isolation testing?

Multi-tenant isolation testing requires at least two test accounts on separate tenants with different permission levels. The tester systematically attempts to access Tenant B resources from Tenant A through API parameter manipulation, direct object references, shared caching layers, file storage paths and background job queues. Every data retrieval endpoint must be tested for cross-tenant leakage.

Scoping a SaaS Penetration Test: APIs, Auth Flows, and What Most Vendors Miss

Scoping Is Where Most SaaS Pentests Fail

The difference between a useful penetration test and a compliance checkbox exercise is almost always the scope. Most pentest vendors treat a SaaS application the same way they treat a corporate website: they scan the login page, crawl a few authenticated routes and deliver a PDF full of informational findings. The attack surface that actually matters, the APIs, the tenant boundaries, the integration callbacks, never gets tested.

If you have already read our complete guide to SaaS penetration testing, you understand the methodology. This article focuses on the practical scoping decisions that determine whether your pentest finds real vulnerabilities or wastes your budget.

The Minimum Viable SaaS Pentest Scope

Every SaaS penetration test should include these six components at a minimum. If your vendor's scoping document does not address each one, you are paying for incomplete coverage.

All API Endpoints (REST, GraphQL, WebSocket): Not just the documented ones. Export your API routes from your framework, compare them against your public documentation and identify every undocumented or internal endpoint. Shadow APIs, the endpoints that exist in production but are absent from your docs, are where we find the most critical vulnerabilities. Your pentest vendor needs a complete endpoint inventory before testing begins.
Authentication Flows: Every method your application uses to verify identity: password login, SSO/SAML, OAuth 2.0, magic links, API key issuance and MFA enrollment. Each flow has distinct failure modes. An API-only pentest that skips the browser-based OAuth callback flow will miss redirect URI manipulation, state parameter fixation and token leakage through referrer headers.
Authorization and Role Hierarchy: Map every user role and the permissions each role should have. Then provide test accounts for each role so the tester can verify that the boundaries hold. We routinely find that admin API endpoints accept requests from standard user tokens because authorization was enforced in the UI but not at the API layer.
Multi-Tenant Isolation Boundaries: If your application serves multiple customers on shared infrastructure, tenant isolation must be in scope. This requires test accounts on at least two separate tenants. The tester will attempt to access Tenant B data using Tenant A credentials across every data retrieval endpoint, file storage path and background job processor.
Webhook Receivers and Event Handlers: Inbound webhooks from payment processors, CRMs, CI/CD pipelines and other services are frequently deployed without signature verification or input validation. These endpoints accept external data and often trigger privileged internal actions. They must be in scope.
Third-Party Integrations and OAuth Apps: Marketplace plugins, Zapier/Make connections, OAuth app installations and any endpoint that accepts callbacks from external services. These integration surfaces are a direct path into your application from outside your trust boundary.

What Most Vendors Leave Out of Scope

Based on our review of pentest reports from other vendors, the following areas are routinely excluded from SaaS engagements. Each one represents real attack surface that adversaries will target.

Commonly Excluded SaaS Pentest Scope Items
Scope Item	Why It Gets Excluded	Why It Matters
Internal/undocumented APIs	Vendor only tests documented endpoints	Shadow APIs account for a significant share of critical findings in SaaS pentests
Background job processors	Not accessible through the UI	Job deserialization and queue poisoning can lead to remote code execution
Webhook signature validation	Requires environment-specific setup	Unsigned webhooks allow attackers to forge payment confirmations and status updates
Cross-tenant cache poisoning	Complex to test without multi-tenant accounts	Shared Redis or Memcached instances can leak data between tenants
OAuth/SAML SSO edge cases	Vendor lacks IdP test environment	SSO bypass and account takeover through misconfigured SAML assertions
File upload and storage isolation	Scoped as "infrastructure" and excluded	Predictable S3 key patterns enable cross-tenant file access

Why API-Only Pentests Miss Auth Bypass

Some vendors pitch "API-first" testing as sufficient for modern SaaS applications. It is not. API-only testing misses an entire class of vulnerabilities that exist in the interaction between the browser client and the server.

Client-side authorization checks are a common finding. The UI hides admin buttons from non-admin users, but the underlying API endpoint accepts requests from any authenticated session. An API-only test might find this, but only if the tester knows to look for it. Testing through the UI makes these gaps immediately visible because the tester can compare what the interface shows against what the API actually permits.

Session management vulnerabilities, token storage in localStorage, missing secure/HttpOnly flags on cookies and session fixation through OAuth flows all require browser-based testing to identify. A curl-based API test will not catch them.

Scoping Multi-Tenant Isolation Correctly

Tenant isolation testing is the most important component of a SaaS pentest and the one most frequently underscoped. Here is what proper scoping requires.

Test accounts on separate tenants. At minimum, two tenants with two user roles each (admin and standard). More complex applications may require three or more tenants to test scenarios like reseller hierarchies, parent-child tenant relationships and shared resource pools.

Enumerate all data retrieval paths. Every API endpoint that returns data must be tested for tenant scoping. This includes list endpoints, detail endpoints, search functionality, export features, reporting dashboards and GraphQL queries. If an endpoint returns data, the tester must verify it cannot return another tenant's data.

Test indirect data access. Shared caching layers, message queues, file storage buckets, logging pipelines and analytics systems all represent indirect paths to cross-tenant data leakage. These are frequently missed because they require understanding the application architecture beyond the API surface.

Building Your Scoping Document

Before engaging a pentest vendor, prepare the following for accurate scoping and pricing:

API Endpoint Inventory: Export your route table. Include internal and undocumented endpoints. Note which endpoints handle sensitive data (PII, payment information, authentication tokens).
User Role Matrix: Document every role, its intended permissions and which API endpoints each role should access. This becomes the authorization test plan.
Integration Map: List every third-party service your application connects to, including inbound webhooks, outbound API calls, OAuth app installations and marketplace integrations.
Tenant Architecture Diagram: Describe how tenant isolation is enforced: database-level, row-level, application-level or a combination. Identify shared infrastructure components (caches, queues, storage).
Compliance Requirements: Specify which frameworks apply (SOC 2, PCI DSS, HIPAA, ISO 27001) so the report maps findings to the relevant controls. See our analysis on whether SOC 2 requires a SaaS pentest for compliance-specific guidance.

The OWASP API Security Top 10 as a Scoping Baseline

The OWASP API Security Top 10 provides a solid baseline for API-focused scoping. Every SaaS pentest should test for each category: broken object-level authorization, broken authentication, broken object property-level authorization, unrestricted resource consumption, broken function-level authorization, unrestricted access to sensitive business flows, server-side request forgery, security misconfiguration, improper inventory management and unsafe consumption of APIs.

However, OWASP alone is not sufficient for SaaS. It does not address multi-tenant isolation, webhook security, integration callback validation or cross-tenant data leakage through shared infrastructure. Use OWASP as the floor, not the ceiling.

Get the Scope Right the First Time

A pentest is only as good as its scope. If you exclude your webhook endpoints, your background job processors and your tenant isolation boundaries, you are paying for a false sense of security. The vulnerabilities that lead to SaaS breaches live in the components most vendors never test.

We scope every SaaS penetration test to include the full attack surface: APIs, auth flows, tenant boundaries, integrations and the infrastructure that connects them. If your current vendor's scope document fits on a single page, it is probably missing something critical.