PentStark
Pricing

Transparent retainers. Scope units, not consultant-days.

Three plans that cover most of what customers ask for. All include live findings, retest coverage, and auditor-ready artifacts — the difference is cadence and scope.

Engagement
Single scope · fixed window
from $24k
per engagement

One app, one API, one cloud account. Fixed window with a report, retest, and debrief.

  • 1 scope unit (app / API / cloud account)
  • Up to 3 operators assigned
  • Findings platform access during the window
  • One free retest after fix submission
  • Executive + technical report (auditor-ready)
  Not included: continuous retainer, unlimited retests, red team scenario
Scope engagement
PTaaS Retainer
Most picked
Continuous · quarterly commit
from $9.5k
per month, billed quarterly

Always-on offensive testing. Findings land live. Delta-retests on every deploy. Our most-picked plan.

  • Up to 4 scope units rotating monthly
  • Dedicated operator pod (2–4 people)
  • Live findings + CI/CD + ticketing integrations
  • Unlimited retests within the window
  • Quarterly executive report + board summary
  • Slack / Teams channel with direct operator access
  • Atomic tests for your blue team
Talk to an expert
Program
PSaaS + PTaaS + RTaaS · annual
Custom
annual agreement

Embedded product security, continuous pentesting, and one red team scenario per year. Board-level program.

  • Everything in PTaaS Retainer, plus:
  • Embedded product security engineer
  • Threat modeling + secure design reviews
  • One red team scenario per year
  • Quarterly purple team workshop
  • Executive sponsor + quarterly business review
  • Priority response (same-day for critical)
Book a scoping call

Prices indicative. Final pricing depends on scope-unit count, depth (grey-box vs. black-box), and cadence. All plans include mutual NDA and DPA at no additional charge.

Feature comparison

Feature                          Engagement   Retainer   Program
Live findings dashboard          yes          yes        yes
Jira / Linear / GitHub sync      no           yes        yes
Dedicated Slack / Teams channel  no           yes        yes
Unlimited retests                no           yes        yes
Delta retests on deploy          no           yes        yes
Red team scenario included       no           no         yes
Threat modeling (embedded)       no           no         yes
Quarterly purple-team workshop   no           no         yes
Same-day critical response       no           no         yes


Pricing FAQ

Why scope-unit pricing instead of per-day?
Per-day billing aligns us with running the clock. Scope units align us with the thing you actually care about: coverage of your real attack surface. The result is transparent and doesn't drift during the engagement.
What counts as a scope unit?
One application, one API group, one mobile app platform (iOS or Android), one cloud account, or one internal network segment of reasonable size. We confirm the units and their scope in writing before kickoff.
Do you offer a POC or pilot?
Yes — the single Engagement tier is effectively a pilot. Most customers start there and convert to the Retainer in the second month.
Can we bring our own scanners?
Yes. We'll triage, dedupe, and extend them. Customers typically see a 60–80% reduction in raw scanner noise after our first pass.
How does compliance-aligned reporting work?
Every finding is tagged with CWE, CAPEC, CVSSv4, and optionally your framework (SOC 2 TSC, ISO Annex A, PCI-DSS). Reports export to your auditor in their preferred format — we've worked with Deloitte, PwC, EY, KPMG, Drata, Vanta, and Secureframe.
Not sure which plan fits?

A 30-minute scoping call gives you a recommendation and a rough price within 24 hours. No sales dance.

Scope an engagement
Talk to an operator

Your next finding is one scoping call away.

Thirty minutes with a real operator tells us what you need and what we can deliver. No BDR handoff, no sales engineer theater — the person you talk to is the person who scopes the work.

Talk to an expert
Book a demo
Responses in < 1 business day