How is pricing determined?+
Every engagement is tailored to your attack surface, objectives, timeline, and required testing depth. We confirm the full scope and a custom proposal in writing before kickoff.
What counts as a scope unit?+
One application, one API group, one mobile app platform (iOS or Android), one cloud account, or one internal network segment of reasonable size. We confirm the units and their scope in writing before kickoff.
Do you offer a POC or pilot?+
Yes — the single Engagement tier is effectively a pilot. Most customers start there and convert to the Retainer in the second month.
Can we bring our own scanners?+
Yes. We'll triage, dedupe, and extend them. Customers typically see a 60–80% reduction in raw scanner noise after our first pass.
How does compliance-aligned reporting work?+
Every finding is tagged with CWE, CAPEC, CVSSv4, and optionally your framework (SOC 2 TSC, ISO Annex A, PCI-DSS). Reports export to your auditor in their preferred format — we've worked with Deloitte, PwC, EY, KPMG, Drata, Vanta, and Secureframe.