Pricing and engagement models

Fixed price, scope-based, retest included.

We do not publish a rate card and we do not quote pentests by the page-load. Every engagement is scoped on a call and quoted as a fixed price with no per-finding or per-day variability after signature.

Three engagement patterns

Most Series A SaaS engagements fall into one of three shapes.

Pick the one that looks closest to your scope. We will confirm exact fit and price on a quick scoping call.

PATTERN 01

Single web application or single API

Typical timeline. Two to three weeks of testing, four to five weeks end-to-end with reporting and retest.

Right fit. Series A SaaS with one product surface; first-year SOC 2 pentest; first compliance audit.

What is in scope

  • External + authenticated testing of one application or one API surface
  • OWASP Top 10 / OWASP ASVS / OWASP API Top 10 coverage
  • Severity-ranked report with control mapping
  • One round of remediation retest included

PATTERN 02

Web plus API plus cloud configuration

Typical timeline. Three to four weeks of testing, five to six weeks end-to-end.

Right fit. Series A or Series B SaaS preparing for SOC 2 Type II, ISO 27001, or PCI DSS — with a real API surface and AWS, GCP, or Azure footprint.

What is in scope

  • Web application + API + cloud configuration review
  • Cross-tenant isolation validation
  • Compliance control mapping (SOC 2 CC4/CC6/CC7, ISO 27001 Annex A 8.8 / 8.29 / 8.34, PCI DSS 11.4 as relevant)
  • One round of remediation retest included

PATTERN 03

Full SOC 2 system boundary (or full PCI CDE)

Typical timeline. Quoted per engagement after scoping call.

Right fit. Multi-product, multi-environment, internal and external scope; service providers under PCI DSS 11.4.6; healthcare under HIPAA with BAA-aligned boundaries.

What is in scope

  • Multi-product application + API testing
  • External + internal + segmentation testing
  • Cloud configuration review across all in-scope accounts
  • Optional social engineering (only when the auditor specifically requires it)
  • One round of remediation retest included

How we price

Five rules that apply to every quote, so each one is consistent.

  • Fixed price, not time-and-materials.

    We quote the engagement after the scoping call. The price does not change for the duration of the engagement.

  • No per-finding fees.

    You pay for the engagement, not for what we find. Critical findings during testing are flagged immediately at no additional cost.

  • No surprise change orders.

    If you ask us to extend scope mid-test, we tell you the additional days and cost in writing before any new work starts. You decide.

  • Retest included.

    One round of remediation verification is included in every engagement at no additional cost — appended to the original report so your auditor sees the finding and its closure together.

  • No platform lock-in or referral kickbacks.

    We do not have paid integrations with Vanta, Drata, or Secureframe. We have no incentive to recommend one compliance platform over another.

FAQ

Pricing — common questions

Why no published price list?

Two reasons. First, pentest pricing is genuinely scope-dependent — a one-product SaaS and a multi-environment platform are different engagements. A blanket number invites misalignment. Second, publishing rates encourages comparison-shopping on price rather than on what is actually being tested. A quick scoping call gives you a fixed price tied to the work that needs to happen.

How much should a Series A SaaS budget for a first SOC 2 pentest?

For Pattern 01 (single web application, no API or cloud scope), most Series A SaaS engagements land in the upper-four-figure to low-five-figure range. For Pattern 02 (web + API + cloud), it is typically a step up from there. We will give you a specific number on the scoping call — and that number does not change.

What is included in the price?

Scoping call, manual testing led by a senior tester, automated tooling for breadth, severity-ranked findings, evidence and reproduction steps, control mapping to your compliance framework, attestation letter on our letterhead, one round of remediation retest, and a final report your auditor can drop directly into their evidence file.

What is not included?

Anything not in the signed engagement letter. We do not perform unauthorized testing, social engineering without explicit scope, or destructive proof-of-concept exploitation that could disrupt production. Additional retest rounds beyond the first are quoted separately if you need them.

Do you offer discounts for multi-year engagements?

We offer a modest annual-cadence rate for customers who book a year ahead. The discount comes from us locking calendar time, not from cutting depth — every engagement gets the same senior tester staffing.

What happens if we need a second pentest mid-year after a major change?

AICPA CC7.1 specifically expects testing after significant changes. We quote the change-driven engagement separately, scoped to the change rather than the full surface. Customers on annual contracts often roll this into their existing engagement window.

Want a specific number against your scope?

A quick scoping call gets you a fixed price, a fixed timeline, and a defined statement of work. No follow-up required.