

VarBITS was founded in 2015 to work with various international companies and governments. Since our inception, we have consistently delivered high-quality penetration testing reports to our clients, focusing in particular on the broad security posture of their applications.

As an example, we utilise the OWASP ASVS from an attacker’s perspective, along with customized in-depth checks, for the majority of our projects, so that we cover the application’s attack surface thoroughly.


The primary service that we provide is penetration testing, more specifically for web applications and web services. VarBITS has extensive professional experience with applications written in PHP, .NET and Java.

Do you need to complete a Facebook Vendor Security review for a web application and/or web service? Then contact us as we’re more than familiar with all the checks required to do this in an efficient manner.

VarBITS also provides other services such as:

  • Forensic review of compromised websites;
  • Configuration review of web servers, databases, etc.;
  • Internal and external penetration tests;
  • Review of physical access controls; and
  • Custom penetration tests. (Ask us, we test almost everything.)


We offer penetration testing services directly to businesses that want (or require) a third party to review their security posture. The clients we typically work with are medium to large-sized businesses in the financial, transport, medical and telecommunication industries, as well as governments.

Send us an email and we will get back to you within 24 hours, to talk about the type of project we can work on together, to further improve your security posture.



We use almost the same tools as every other company that performs web application penetration tests. In other words, we use Burp Suite Pro together with custom tools and plugins developed in-house, which perform additional checks that a lot of other penetration testing companies will likely miss at the moment.



We currently charge 1 000 DKK (~$150 USD) excl. VAT per working hour.

A small to medium-sized and dynamic website (i.e. accepts user-input and processes it server-side) typically takes a week – 35 to 40 hours – to test and report on.


• Hans-Michael Varbaek presents “From XSS to RCE 3.0” at Black Hat Europe 2018

• VarBITS commences work on penetration testing book for beginners. (Release date late 2018 / early 2019)

• VarBITS releases “From XSS to RCE 2.75 + Extras” source code.

• Hans-Michael Varbaek presents “From XSS to RCE 2.75” at Black Hat Europe 2017

• VarBITS commences online courseware contract with well-known information security training provider. (Release date late 2018 / early 2019)

• Hans-Michael Varbaek presents “From XSS to RCE 2.5” at Black Hat Europe 2016

• Hans-Michael Varbaek presents “From XSS to RCE 2.0” at Black Hat Europe 2015






Do you need to send an encrypted email? 

0x54 [at]

59AB 18B7 6E4D C1CB

Where are we located?


Njalsgade 76, 2300 Copenhagen S