
Penetration testing — finding and fixing site vulnerabilities

08.04.2034

Penetration testing is fundamentally different from a regular automated scan. A scanner only looks for known patterns, while a pentester thinks like a real attacker and creatively tries to defeat defenses. This is often the only reliable way to learn the true security posture of a company. The Sayt.uz infrastructure is regularly checked by external pentest teams.

Black box, white box and grey box

Pentests come in three flavors. Black box — the pentester gets no information and works from an external attacker's point of view. White box — the pentester has source code, diagrams and admin access, producing the deepest audit. Grey box — an intermediate option with partial information. Each approach has its merits: black box delivers realism, white box delivers depth of coverage.

Pentest stages

A classic pentest goes through five stages. Reconnaissance — gathering information from open sources, including DNS records, business hours and social media. Scanning — technical mapping of ports, services and versions. Exploitation — practical use of discovered vulnerabilities. Post-exploitation — evaluating what an attacker could reach after an initial foothold. Reporting — documenting findings and giving recommendations.

Burp Suite and OWASP ZAP

For web pentests, the two most popular tools are Burp Suite and OWASP ZAP. Burp Suite Professional costs 449 dollars per year and is considered the industry standard. It intercepts traffic, lets you modify requests, has an automated scanner and a large ecosystem of extensions. OWASP ZAP is a free open source alternative, functionally very close to Burp. The Sayt.uz security team uses both tools in parallel.

Pentest versus bug bounty

Many people confuse pentests with bug bounty programs. Bug bounty is a permanently open program where any outside researcher can find a vulnerability and earn a reward. A pentest runs for a fixed period with a pre-agreed team and ends with a report. Most organizations use both — one or two pentests a year plus an ongoing bug bounty.

Pentest companies in Uzbekistan

Professional pentesting is still a fresh field in Uzbekistan. The service is offered by a few local IT security firms and offices of international auditors. Prices range from 30 to 200 million soum depending on scope and depth. Sayt.uz recommends trusted partners to corporate customers.

Sayt.uz in practice

Sayt.uz hands its infrastructure over to external pentest teams twice a year, and any finding is closed within 30 days. Corporate customers receive one free pentest per year, with extra audits starting at 15 million soum. As of 2026, our pentests have helped clients close 312 critical and 890 high vulnerabilities. A package of 2 pentests per year costs 28 million soum.
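To make the 30-day remediation window above measurable, here is a small tracker as an added example (my code, not a Sayt.uz tool); the findings list is constructed sample data and the severity labels are an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SLA_DAYS = 30  # remediation window stated in the article


@dataclass
class Finding:
    id: str
    severity: str            # assumed labels: critical, high, medium, low
    reported: date
    closed: Optional[date] = None


def sla_deadline(f: Finding) -> date:
    return f.reported + timedelta(days=SLA_DAYS)


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Still-open findings whose window has already passed, most overdue first."""
    late = [f for f in findings if f.closed is None and today > sla_deadline(f)]
    return sorted(late, key=sla_deadline)


def sla_breaches(findings: List[Finding], today: date) -> List[str]:
    """IDs of findings that missed the window: closed late, or open past deadline."""
    ids = []
    for f in findings:
        end = f.closed if f.closed is not None else today
        if end > sla_deadline(f):
            ids.append(f.id)
    return ids


def closed_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Count of closed findings per severity, e.g. for a yearly summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.closed is not None:
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample report from a fictional engagement
SAMPLE = [
    Finding("F-001", "critical", date(2026, 1, 10), date(2026, 1, 25)),
    Finding("F-002", "high", date(2026, 1, 20), date(2026, 3, 5)),
    Finding("F-003", "high", date(2026, 2, 1)),
    Finding("F-004", "medium", date(2026, 3, 1)),
]
```

Run with `today = date(2026, 3, 15)`: F-003 is open and overdue, F-002 was closed but 44 days after report, so both count as SLA breaches.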
