Recurring visibility into how your web application risk is changing, not a one-off snapshot.

We reassess your web applications on a regular schedule, for example quarterly, and show what improved, what is new, and what still needs attention. Each cycle produces an updated report your management team can review.

Deliverables

What you actually receive

Every engagement ends with concrete artifacts your team can use. Not slides. Browse sample outputs below.

Trend dashboard

Quarter-over-quarter score movement with new, resolved, and open finding counts.

Periodic trend dashboard

app.example.com · FY 2025 · Q4 close

NX-PRD-2025-Q4 · +1.9 pts · Sample

Overall rating: B · 7.8

New: 3 · Resolved: 8 · Open: 5

Score trend · FY 2025 (chart: Q1 to Q4)

Quarterly activity

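| Period | Score | Δ | New | Resolved | Open |
|--------|-------|------|-----|----------|------|
| Q1 | D 5.8 | | 4 | 2 | 14 |
| Q2 | C 6.4 | +0.6 | 3 | 5 | 12 |
| Q3 | B 7.1 | +0.7 | 2 | 6 | 8 |
| Q4 | B 7.8 | +0.7 | 3 | 8 | 5 |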

Domain grades by quarter

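| Domain | Q1 | Q2 | Q3 | Q4 | Δ Q4 |
|--------|----|----|----|----|------|
| Transport & TLS | A | A | A | A | |
| Security headers | D | C | B | B | +2 |
| Authentication | D | D | C | C | +1 |
| API security | C | C | B | B | +1 |
| Information disclosure | D | C | C | B | +2 |

Noctulux · Confidential sample · Page 1 of 18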

Practical

What to expect

Who it's for, how we work together, and where we draw the line.

Best for

  • Organisations with multiple web applications or a changing estate
  • Vendor or subsidiary oversight programmes
  • Demonstrating continuous improvement to management or risk forums
  • Ongoing visibility after an initial external rating or penetration test

How the engagement runs

  1. Programme scoping: applications, cadence, and reporting format agreed upfront

  2. Baseline report (or alignment with a prior Noctulux report) established

  3. Recurring assessment cycles executed per agreed schedule

  4. Trend and delta analysis produced for each reporting period

  5. Report delivery with optional periodic readout for risk teams involved

Honest boundaries

  • Cadence and application count affect depth. Scope is agreed per programme
  • Periodic external reporting does not replace targeted penetration testing where risk is high
  • Trends depend on consistent scope between reporting periods
  • Not a substitute for your own secure development lifecycle practices

Engagement package

What you get. And what you don't.

Fixed outputs and scope, agreed before we start. No surprises afterward.

Periodic External Web Application Rating Report per cycle (PDF)

  • Trend summary: overall score and domain changes between periods
  • Delta finding register (new, resolved, and open items)
  • Remediation progress table linked to prior finding IDs
  • Executive summary for management

Detailed examples are shown in the deliverables section above.

Starting from €500 excl. VAT per report