Question 1

Will your pentest report be accepted by my auditor?

Accepted Answer

Our reports follow OWASP Testing Guide and PTES methodology standards, use CVSSv3 severity ratings, and include dedicated sections for scope confirmation, methodology disclosure, and evidence of retest. We've had reports accepted by Big Four auditors, PCI QSAs, and ISO 27001 certification bodies. If your auditor has specific format requirements or a pre-defined evidence checklist, share it before testing begins, we'll structure deliverables accordingly. Download a sample report to review the format before you commit.

Question 2

Do I need both a penetration test and a risk assessment, or just one?

Accepted Answer

It depends on your framework. PCI DSS has explicit penetration testing requirements that are separate from its risk management process, you need both. SOC 2 auditors typically expect penetration test evidence alongside broader control testing. ISO 27001 and HIPAA center on risk assessment as the primary audit artifact, with penetration testing as supporting evidence. GDPR doesn't mandate penetration testing explicitly but requires documented evidence of appropriate technical measures. We'll confirm exactly what your framework requires in the scoping call, no upselling.

Question 3

Can I define the testing scope, or do you determine it?

Accepted Answer

You define the scope. We advise on what your framework requires to be included, flag any gaps in your proposed scope that an auditor might question, and then test exactly what's been agreed in writing. If you're unsure where your compliance boundary falls, which systems are in scope, which aren't, and why, that's part of what the scoping call resolves.

Question 4

What happens if a critical vulnerability is found right before our audit?

Accepted Answer

This comes up more often than you'd expect. The audit-ready response isn't to suppress the finding, it's to document it, initiate remediation, and produce a formal risk acceptance or remediation plan with a dated action timeline. An auditor reviewing a critical finding alongside a credible, documented response is looking at a mature security program. One who discovers the same vulnerability independently is looking at a different outcome entirely. We'll advise on how to frame the finding so it works for your audit, not against it.

Question 5

How is pricing structured?

Accepted Answer

Risk assessments start at $4,500 depending on framework, systems in scope, and documentation depth. Penetration testing is priced by scope, see the Pricing page for ranges by service type. Combined assessment and remediation kickstart engagements start at $9,500. Ongoing compliance support starts at $3,500 per month. All engagements are fixed-price from scope confirmation, no hourly overruns.

Compliance Security Testing That Produces Audit Evidence

🔍 Risk Assessment Services

🛠 Remediation Services

💰 Discover the Ideal Compliance & Risk Management Plan for Your Budget

From $4,500+

From $9,500+

From $3,500/month

Note (optional for early-stage teams): Limited-scope security sprints are available from $3,500+ (e.g., baseline pentest or readiness check). Pricing depends on scope, systems, and timeline.

Common Questions From Buyers Preparing for Audits

Will your pentest report be accepted by my auditor?

Do I need both a penetration test and a risk assessment, or just one?

Can I define the testing scope, or do you determine it?

What happens if a critical vulnerability is found right before our audit?

How is pricing structured?

Company

Compliance

Penetration Testing

Resources

Privacy Policy | Terms of Use