Your customer’s security review
Enterprise procurement sends a questionnaire and asks for third-party testing evidence from the last twelve months. The deal stalls until you produce it.
Our smoke test runs daily and proves what’s exploitable. A pentest is a different thing: agreed scope, rules of engagement, and an audit-grade report signed by the engineer who ran it.
Not sure you need one yet? Run the $19 smoke test first — most teams find their criticals there.
A scan result is not a pentest report. If any of these landed in your inbox this quarter, a smoke-test dashboard won’t close it.
Enterprise procurement sends a questionnaire and asks for third-party testing evidence from the last twelve months. The deal stalls until you produce it.
Your auditor wants scope, methodology, findings, and remediation evidence. See the compliance pentest requirements for what each framework actually asks for.
Cyber insurance underwriting and technical due diligence both ask the same question: has an independent party tried to break this, and what happened?
Both are agent-driven. Both are verified by a human before you see them. They answer different questions, cost different money, and you probably want both.
Most teams start on the smoke test, fix what it proves, then book a pentest once a customer asks. Read the full scanning-vs-pentest breakdown.
Autonomous agents are fast and occasionally confidently wrong. So nothing reaches you until a security engineer has reproduced it by hand — on the pentest, and on the $19 smoke test too.
The agent maps the app and fires its probes, chaining three to five steps to reach a proven exploit. Everything it does is logged.
Anything unproven is discarded on the spot. What survives carries a captured request, a captured response, and a replayable PoC.
A human reproduces the exploit against your app, checks the severity is honest, and kills anything that doesn’t hold up. This is the step scanners skip.
Only verified findings ship. That’s where the zero-false-positive number comes from — it isn’t a model claim, it’s a person’s job.
The same engineer writes the remediation guidance and, on a pentest, runs your retest. Our methodology page spells out what we look at and what we refuse to claim.
Every package includes scope intake, authenticated testing, sandbox exploit proofs, an audit-grade PDF, and a 30-day retest window.
Scope drives price. A single-page app and a multi-tenant marketplace are not the same engagement — the call is how we find out which you are. Just want continuous coverage? The smoke test starts at $19/mo.
Four artifacts. Each one exists because a buyer, an auditor, or an engineer asked for it.
Scope, methodology, findings by severity, remediation guidance, and the engineer’s name on the last page. Written to survive an auditor reading it.
Per finding: the request, the response, the sandbox replay, and a cURL you can run yourself. No “possible SQL injection” hand-waving.
Remediation written for your stack, plus a paste-ready prompt for Claude Code or Cursor. Same format as the smoke test ships.
Fix the findings, tell us, we re-run the engagement against them and issue a clean-bill letter you can forward to procurement.
Including the ones that are awkward for us.
Something we didn’t answer? → ask the team
Thirty minutes on a call. What you built, who's asking for the report, and when they need it. You leave with a fixed quote and a date.