
Frequently Asked Questions

Common questions from founders, CTOs, security teams, and compliance officers about our penetration testing and cybersecurity services.

General

How long does a penetration test take?

Most web application pentests take 5-10 business days of active testing. Network assessments take 1-3 weeks. Mobile app testing takes 1-2 weeks per platform. Timeline depends on scope and complexity. Every engagement is 100% manual testing by experienced security researchers - no automated scanners generating false positives.

What is the difference between a penetration test and a vulnerability scan?

A vulnerability scan is an automated tool that identifies known vulnerabilities based on signatures and version numbers. A penetration test is a manual, hands-on security assessment where experienced researchers actively attempt to exploit vulnerabilities, chain findings together, and test business logic flaws that automated tools cannot detect. Pentests find the complex issues that scanners miss. Read our full comparison.

What is the difference between a code review and a pentest?

A code review analyzes your source code for insecure patterns, hardcoded secrets, and logic flaws. A penetration test attacks your running application from the outside like a real attacker. For AI-generated or vibe-coded apps, a code review is often more cost-effective. For production apps with real users and data, you want both. Read our detailed guide.

How often should we do penetration testing?

At minimum, annually. Most compliance frameworks (SOC 2, PCI-DSS, HIPAA, CMMC) require annual testing. We recommend additional testing after major releases, infrastructure changes, mergers/acquisitions, or when adding features that handle sensitive data. Some clients engage us quarterly for continuous security validation.

I built my app with AI (Cursor, Claude, Lovable). Do I need a pentest?

Maybe not a full pentest right away, but you definitely need a security review. AI-generated code consistently ships with hardcoded secrets, missing server-side authorization, and open APIs. A targeted vibe coding security review ($2,500-$5,000) catches the most dangerous issues without the cost of a full engagement. If you are processing payments or storing user data, we will help you figure out the right scope.
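Two of the defects named above, missing server-side authorization and hardcoded secrets, are easier to recognise side by side. The following is an added illustration written for this FAQ, not code from the vendor or from any client engagement: a request handler that trusts a client-supplied `user_id` next to one that derives identity from a server-side session and checks ownership, plus a secret loaded from the environment instead of the source file. The invoice table, session store, `Request` class and the `APP_API_SECRET` variable name are all constructed for the demo.

```python
"""Added example (not part of the FAQ): vulnerable vs hardened handler for the
two most common defects in AI-generated code named above."""
import os
from dataclasses import dataclass

# Constructed sample data standing in for a database table.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
}

# Constructed session store: opaque bearer token -> authenticated username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    headers: dict
    params: dict


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


# --- Vulnerable pattern -------------------------------------------------

# Defect 1: secret embedded in source. It ends up in git history, build
# artifacts and every developer laptop, and cannot be rotated without a deploy.
API_SECRET_HARDCODED = "sk_live_example_do_not_do_this"  # constructed placeholder


def get_invoice_vulnerable(req: Request) -> dict:
    """Defect 2: the 'ownership check' compares against a value the client
    chose, so it proves nothing. Identity must never come from a parameter."""
    invoice = INVOICES[int(req.params["invoice_id"])]
    if invoice["owner"] == req.params.get("user_id"):
        return invoice
    raise Forbidden()


# --- Hardened pattern ---------------------------------------------------

def current_user(req: Request) -> str:
    """Resolve the caller from the server-side session, not from the request body."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    user = SESSIONS.get(token)
    if user is None:
        raise Unauthorized()
    return user


def get_invoice_hardened(req: Request) -> dict:
    """Authenticate first, then enforce that the record belongs to the caller."""
    user = current_user(req)
    invoice = INVOICES.get(int(req.params["invoice_id"]))
    if invoice is None or invoice["owner"] != user:
        # One response for "not found" and "not yours": the caller learns
        # nothing about which invoice IDs exist.
        raise Forbidden()
    return invoice


def load_api_secret() -> str:
    """Read the secret from the environment and refuse to start without it,
    so no default value can silently ship to production."""
    secret = os.environ.get("APP_API_SECRET")  # hypothetical variable name
    if not secret:
        raise RuntimeError("APP_API_SECRET is not set; refusing to start")
    return secret


def denied(handler, req: Request) -> bool:
    """True if the handler rejects the request (used by the demo below)."""
    try:
        handler(req)
    except (Unauthorized, Forbidden):
        return True
    return False


if __name__ == "__main__":
    # Constructed request: bob reads alice's invoice by naming her in a parameter.
    forged = Request(headers={}, params={"invoice_id": "101", "user_id": "alice"})
    print("vulnerable handler leaks alice's invoice:", not denied(get_invoice_vulnerable, forged))
    # The hardened handler ignores parameters and checks bob's real session.
    bob_tries = Request(headers={"Authorization": "Bearer tok-bob"}, params={"invoice_id": "101"})
    print("hardened handler denies it:", denied(get_invoice_hardened, bob_tries))
```

The point a reviewer looks for is not the token format but where identity originates: the hardened handler has no code path in which a request parameter influences who the caller is. The same shape applies whatever framework generated the code.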

Pricing & Process

How much does a penetration test cost?

Web application pentests start at $7,500, network testing starts at $8,000, mobile app testing starts at $9,000 per platform, and compliance-focused testing starts at $7,599. We also offer code reviews and vibe coding security assessments from $2,500 for early-stage companies. See our full pricing page.

Is retesting included in the price?

Yes. All penetration testing engagements include one round of free retesting after you remediate the findings. This validates that your fixes work and gives you a clean report for compliance or stakeholder purposes.

How quickly can you start an engagement?

Typical lead time is 1-2 weeks from scoping to kickoff. For urgent engagements like compliance deadlines, cyber insurance requirements, or pre-launch testing, we can often accommodate faster timelines. Contact us to discuss your schedule.

What do I get in the report?

Every engagement delivers an executive summary, detailed technical findings with CVSS severity scores, proof-of-concept exploits, step-by-step reproduction instructions, prioritized remediation guidance, and compliance framework mapping. Reports are formatted for both technical teams and executive stakeholders. You also get access to our client portal for tracking findings and remediation progress.

Do you offer startup or portfolio pricing?

Yes. We offer three dedicated startup bundles: the Offensive Security Bundle ($37,500/yr), Defensive Security Bundle ($39,500/yr), and Compliance Package ($42,500/yr). Each includes testing hours, retesting, vulnerability management, and client portal access, saving 40-50% vs. purchasing services individually. We also offer portfolio pricing for VCs that engage us across multiple portfolio companies. See startup bundles or learn about our VC portfolio program.

Compliance

Do I need a penetration test for SOC 2?

SOC 2 does not explicitly require a penetration test, but auditors consistently expect one as evidence that your security controls work in practice. Most organizations pursuing SOC 2 Type II include annual penetration testing as part of their control environment. Our SOC 2 pentest reports are specifically formatted for auditor review. Learn more about SOC 2 testing.

Do your reports satisfy PCI-DSS auditors?

Yes. Our PCI-DSS penetration testing meets Requirement 11.3 specifications including internal and external testing, network-layer and application-layer testing, and segmentation verification. Reports are formatted for QSA review and include the specific evidence and documentation that PCI assessors require. Learn more about PCI-DSS testing.

My cyber insurer is requiring a penetration test. Can you help?

Yes. We work with organizations that need penetration testing to meet cyber insurance requirements. We can review your insurer's specific requirements letter, scope the exact assessment they need, and deliver reports in a format that satisfies underwriters. We understand insurance timelines and can often accommodate tight renewal deadlines. Learn about our insurance compliance testing.

Can you test for multiple compliance frameworks at once?

Absolutely. Many of our clients need to satisfy SOC 2, HIPAA, PCI-DSS, or other frameworks simultaneously. We scope engagements that cover overlapping requirements, reducing cost and testing fatigue while delivering separate compliance-mapped reports for each framework. One engagement, multiple compliance outcomes.

Technical

Will the pentest break our production environment?

We take extreme care to avoid impacting production availability. Dangerous tests (like DoS or destructive payloads) are never run against production without explicit agreement. For sensitive environments, we can test against staging. If we discover something that could cause an outage, we report it immediately without exploiting it. We carry professional liability insurance for additional protection.

What testing methodology do you use?

Our methodology is based on OWASP Testing Guide, PTES (Penetration Testing Execution Standard), and NIST SP 800-115. For web applications, we cover the OWASP Top 10 and ASVS. For networks, we follow PTES phases. For mobile apps, we use OWASP MASVS/MSTG. Every engagement is customized based on your technology stack, threat model, and compliance requirements. Read our full methodology.

Do you use automated scanners or manual testing?

Both, but manual testing is the core of every engagement. We use automated tools for reconnaissance and initial coverage, then spend the majority of time on deep manual testing. Business logic flaws, chained vulnerabilities, and authentication bypasses are found through manual analysis - not scanners. Our reports clearly distinguish between automated and manual findings.

What happens if you find a critical vulnerability during testing?

We immediately notify your team through our agreed communication channel (usually Slack or email). Critical findings are reported in real-time rather than waiting for the final report. This gives your engineering team a head start on remediation while we continue testing other areas of the application.


Still Have Questions?

Ask Lory, our AI assistant, for instant answers about services, pricing, compliance, or anything else. Or book a call with our team.
