Pentest Pricing
Fixed-scope engagements for web, API, mobile, and cloud. No hourly surprises—executive-ready reporting and a free re-test window on qualifying plans.
Looking for Surface Monitor (agentless external monitoring) pricing? See Surface Monitor plans →
Authorized testing only • NDA available • Free re-test on qualifying plans
Readiness Review (Pilot)
$990
60–90 min scope workshop + light surface review. Credited to any pentest.
- Scope & goals alignment call
- High-level threat model & risk areas
- Quick misconfig/surface review
- Written recommendation & next steps
- Credit of $990 toward a pentest
Starter
$3,500
Single web app or API. Fast, focused, and standards-aligned.
- 1 target (web app or API) • 1 auth role
- OWASP Top 10 + misconfiguration review
- Light auth/session testing
- PDF report with prioritized fixes
- 1-hour findings walkthrough
Standard
$7,500
Most popular
Web and API depth with basic cloud checks.
- Up to 2 targets (web + API) • up to 2 auth roles
- Auth, access control, multi-role tests
- Basic cloud review (IAM & perimeter)
- Executive summary + CVSS scoring
- 2-hour remediation workshop
- Free re-test of critical/high within 30 days
Enterprise
From $15,000
Multi-surface testing (web/API/mobile) with cloud/K8s options. Typical range $15k–$40k depending on targets and roles.
- 3–5 targets (web, API, mobile)
- Cloud/Kubernetes security review
- Secure code review (sample repos)
- Threat modeling session
- Scoped adversary simulation (opt-in)
- Full technical report + exec deck
- 30-day remediation support
Custom
Contact us
Tailored to unique environments and compliance drivers.
- Bespoke scope across apps/APIs/infra
- Workshops (onsite/remote)
- Custom reporting/mapping to stakeholders
- Shared Slack for faster iteration
Need help scoping? Start with a $990 Readiness Review (credited to any pentest).
What’s included in every engagement
- Written authorization & Rules of Engagement
- Standards alignment (OWASP / NIST)
- Screenshots/PoC and reproducible steps
- Clear remediation guidance with examples
- Executive summary for leadership
- Secure data handling & access controls
What’s a “target”?
One application surface: a single web app (same domain) or a single API surface (REST/GraphQL). Separate domains, additional auth roles/tenants, or mobile apps count as additional targets.
Add-ons & accelerators
- SOC 2 / ISO 27001 control mapping
- Remediation sprint (paired engineering)
- Cloud hardening (AWS/Azure/GCP guardrails)
- Source code review (critical paths)
- Threat modeling workshop
- Additional re-test window
At-a-glance comparison
Capability | Pilot | Starter | Standard | Enterprise |
---|---|---|---|---|
Purpose | Scope & readiness | Pentest (1 target) | Pentest (2 targets) | Multi-surface program |
Targets | — | 1 (1 role) | 2 (up to 2 roles) | 3–5 (multi-role) |
Cloud/K8s review | — | — | Basic | In-depth |
Credit | $990 credit to pentest | — | — | — |
Request a Proposal
We’ll respond within 1 business day.