Questions buyers actually ask us.
Real questions from real pre-sales calls. If yours isn't here, the contact form gets a human, not a chatbot.
Pricing & engagement.
How much does it cost?
Engagements are scoped per surface (cloud config, web/API, mobile, LLM) and per environment size. Most active design-partner pilots land between the cost of one traditional pentest and one mid-tier scanner subscription, billed annually with unlimited retests included. There's no per-finding charge and no per-retest fee. We share a written quote after the scoping call.
How are you priced compared to a traditional pentest?
A traditional pentest is a one-shot invoice for a fixed window. We're a continuous engagement at a fraction of that cost on an annualized basis, with retests, monitoring, and new-release coverage included. The shorthand: roughly the cost of one traditional pentest, for a year of continuous coverage. Your mileage will depend on scope.
Do you have a per-test option?
Yes, for cloud config and one-off pre-launch engagements. The continuous model is the default because that's where the value compounds, but we'll run a single point-in-time engagement when a customer needs one for a specific audit or release.
Is there a money-back guarantee?
For pilots, yes. If we don't find at least one validated High or Critical finding in the first engagement, you don't pay. We've never had to exercise this, but we put it in writing on every pilot SoW.
What does the engagement actually look like?
Scoping call (30 min), read-only access provisioning, kickoff. The AI starts within hours. First validated findings inside a week for most engagements. Full report inside two weeks. Then continuous coverage, with monthly reviews and report regeneration on demand. Retests run minutes after you push a fix.
Access & scope.
What access do you need?
For cloud config: a read-only IAM role in your AWS, GCP, or Azure account. No keys, no console access, no write permissions. For web and API: test credentials at the user roles you want covered. For mobile: a copy of the binary (signed test build is fine) and test credentials. For LLM features: API access to the application surface, no model weights needed.
Do you test in production or in staging?
Either, you choose. Default is staging for the initial deep dive, production for continuous monitoring (with explicit go-ahead and guardrails). Our exploits are non-destructive by design: we prove impact, we don't cause it. No destructive actions, no data exfiltration, no service disruption.
What's in scope versus out of scope?
You decide. Scope is agreed in writing before kickoff, and changes need your sign-off. Common in-scope items: your hosted app, your APIs, your mobile binaries, your cloud accounts. Common out-of-scope items: third-party services you don't own, social engineering, physical access, denial-of-service testing. We will not touch anything outside the agreed scope.
Can the AI go off-script or escalate without permission?
No. The AI runs under graduated autonomy levels defined per engagement, with hard scope boundaries enforced before any action. Anything that would require leaving scope, touching production with side effects, or chaining into systems we don't have explicit permission for, stops and routes to a human. The OWASP APTS standard calls this "scope enforcement"; we treat it as table stakes.
How do you handle our data?
We hold the minimum data needed for the engagement, encrypted in transit and at rest. Findings and reports live in our platform; raw scan data is purged on a rolling 90-day window unless you ask us to keep it longer for audit purposes. Full data-handling policy on the trust page.
What you actually get.
What does the report look like?
Executive summary, full finding list ranked by severity, per-finding reproduction steps, blast radius assessment, remediation guidance, and compliance mapping (SOC 2, ISO 27001, GDPR, PCI-DSS, HIPAA as applicable). PDF and JSON formats. Designed to pass an auditor's review without rework. Sample available on request, and every customer can regenerate the report any time the scope changes.
Will it satisfy a SOC 2 or ISO 27001 auditor?
Yes. Reports are mapped to the specific control families auditors cite (SOC 2 CC6.1 / CC7.1, ISO 27001 A.12.6.1 / A.14.2.8, etc.), with a senior pentester named on every report, which is what auditors actually want to see. Customers have used our reports for SOC 2 Type II audits, ISO 27001 surveillance audits, and PCI-DSS Requirement 11.4 evidence.
What's the typical finding mix?
Highly variable by surface and maturity. Indicative for a first engagement on a mid-maturity SaaS: 2 to 8 Critical/High validated findings, 10 to 30 Medium, plus a long tail of Low/Info. Most teams ship fixes for Critical/High inside two weeks. Retests confirm in minutes.
Do you only find OWASP Top 10 stuff?
OWASP is the floor, not the ceiling. The AI runs OWASP and CWE coverage as the baseline. The human side of the engagement is where the business-logic, multi-step, and tradecraft-driven findings come from, the ones a scanner could never reason about. The methodology page has the full vulnerability-class list.
The AI vs. human question.
How much of this is actually AI and how much is the human?
The AI does almost all of the discovery, the first-pass probing, the retest execution, and the report drafting. A senior pentester reviews every Critical and High finding, runs the business-logic and multi-step chain hunts, signs the report, and is named on it. The handoff between AI and human isn't soft; it's a documented decision tree, published on the methodology page.
Are you a wrapper around GPT or Claude?
No. We use frontier LLMs where they're the right tool, but the offensive-security reasoning lives in our own orchestration layer, exploit corpus, and replay infrastructure. What makes a finding land is not which LLM is in the loop; it's two decades of offensive tradecraft, encoded in how the system is set up and supervised.
What if the AI hallucinates a finding?
Every High and Critical finding is reproduced end-to-end before it ships. If the reviewer can't reproduce it, it doesn't enter the report. We've turned away more AI-flagged candidates than we've shipped. That's a feature, not a bug.
How do you compare to fully-autonomous AI pentest platforms?
Several platforms (RunSybil, XBOW, NodeZero) run without humans in the loop. They scale better than us on pure coverage. We scale better than them on business-logic findings, on findings that need judgment about severity, and on reports that auditors don't push back on. Comparison page goes deeper.
How do you compare to traditional manual pentest firms?
We're slower than them on the very first day of an engagement, because the AI does discovery first. We're 10x faster than them across the rest of the engagement, and across every release after. We deliver continuous coverage at a fraction of the per-engagement cost, with retests that run in minutes instead of weeks.
How it fits in your stack.
Does it integrate with our CI/CD?
Yes: available today as a managed integration, with self-serve on the roadmap. We can run a retest on every merge or every deploy, fail builds on Critical findings, and post results to Slack, Linear, Jira, or GitHub. The API is documented; the docs page has the endpoints.
Where do findings land?
In our platform first, then mirrored anywhere you want: Jira, Linear, GitHub Issues, Slack, or via webhook to wherever you triage. Each finding ships with the reproduction steps, the reviewer's annotation, and the remediation guidance, in your tracker's native format.
Can we white-label the report for our customers?
For enterprise customers, yes. The report can be co-branded or fully white-labeled with your name on it, with our senior reviewer named as the attesting party. Often used by SaaS vendors who pass the report through to their own enterprise customers for vendor-risk reviews.
Stuff people don't usually ask out loud.
What if you don't find anything?
For a pilot, you don't pay. For an ongoing engagement, "we didn't find anything new this month" is a legitimate outcome, and you still get the regenerated audit-ready report for compliance. We'd rather tell you the truth than manufacture findings to justify the invoice.
What if a real attacker finds something you missed?
It's possible. Nobody finds everything: not us, not Mandiant, not the best human pentester alive. If a bug surfaces in production that we didn't catch, we add it to our regression suite, write up what we missed, and run the engagement again at no cost. We've done this twice; it's how we get better.
Why are you invite-only?
Because we onboard design partners by hand, and our senior reviewers are a finite resource. Once the queue compresses and the platform self-serves on more of the workflow, we'll open up. Today, joining means we can actually give your engagement the attention it deserves.
Who's actually on the team?
Senior offensive engineers with 12+ years on web/API/mobile, CVE disclosures across SaaS, fintech, and healthtech, and prior work at the kind of firms most pentest buyers have already worked with. About page lists the names; the report has the named reviewer on the cover.
I have another question.
Email us, or use the request-access form. A human reads every one, usually within a few hours during the working week. We don't have a sales BDR layer; the first reply comes from someone who'd actually be working your engagement.
Still wondering? Let's talk.
Pre-sales calls are with a human who'd be on your engagement, not a sales-development rep. Fastest way to a real answer.
Request access