Pentest Reports · Delivered in Days

Your pentest report.
Ordered online.
Delivered in days.

Select a package, verify your domain, pay securely. receive a full security report in 3 to 7 days. No calls required.

// Start your pentest

$3,500 · Delivered in 3–5 business days

Authorization agreement included · Domain verification required · Stripe payment

37
Day turnaround
100%
Retest included
SOC2
Ready reports

Process

Four steps. No back and forth.

The entire process happens online. From order to report, we handle everything asynchronously.

01

Select & order

Choose your package, enter the domain you want tested, and sign the authorization agreement digitally.

02

Verify ownership

Add a TXT record to your DNS to confirm you own the domain. Takes 2 minutes. No ownership, no test.

03

We run the pentest

Our senior testers execute the full assessment. You get a progress update when we start and when we finish.

04

Receive your report

Get a full technical + executive report by email. Retest of critical findings is included at no extra cost.

What you get

Everything included.
Nothing left to wonder.

Each package is designed for a specific stage. Here's exactly what you get. plain language.

Starter · $3,500

Built for startups that are just starting to think about security.

You've built an MVP or early product and you want to know what vulnerabilities are out there before a customer or investor asks. This is your first security checkpoint. Fast, affordable, and actionable.

Who it's for
Founders and CTOs at pre-seed or seed stage who need a baseline security assessment before their first enterprise customer or angel investor asks about it.
What problem it solves
You don't know what you don't know. This test surfaces the most common and critical vulnerabilities in your web app. The ones attackers look for first. you can fix them before they become a real incident.
When you need it
Before your first enterprise sales conversation, before sharing your product with a large user base, or when you want to show early investors that security is taken seriously.

What you receive

Prioritized findings report
Every vulnerability ranked by severity (Critical → Low) with a plain-English explanation of the risk and step-by-step fix instructions.
Free retest of critical findings
Once you fix the critical issues, we retest them at no extra cost to confirm they're fully closed.
OWASP Top 10 coverage
Full manual + automated testing against the 10 most critical web security risks. The standard used by security auditors worldwide.
Delivered in 3–5 business days
No 6-week waiting periods. You have the full report in less than a week from when testing begins.
Most Popular · $8,000

For startups in production with real users and real risk.

You're past MVP. You have paying customers, an API, multiple user roles, and business logic that could be exploited. This assessment goes deep. The way a real attacker would. gives you the documentation you need for your next funding round.

Who it's for
Startups at Seed or Series A stage with a live product, an API, and multiple user permission levels. Your product is handling real customer data and you need to prove it's secure.
What problem it solves
Can user A access user B's data? Can a regular user escalate to admin? Can someone manipulate your pricing logic? This test finds the business-critical vulnerabilities that automated scanners completely miss.
When you need it
Before your Series A close, before signing your first enterprise contract, or when your product is handling sensitive customer or financial data at scale.

What you receive

Executive + technical report
Two versions: one for your engineering team with full technical detail, one for your board or investors in plain business language.
Deep API & business logic testing
Manual testing of your API endpoints, authentication flows, role-based access controls, and business logic, not just surface-level automated scans.
Retest included
Full retest of every critical and high severity finding after you fix them, with written confirmation that each issue is closed.
Up to 50 endpoints tested
Manual exploitation by senior pentesters across your full API surface, not just the happy path.
Enterprise · $20,000

The full picture for companies where security is now a business requirement.

You're raising a large round, closing an enterprise deal, or going through a SOC2 audit. You need a comprehensive assessment of your entire attack surface: web, API, and cloud infrastructure, with documentation that satisfies auditors and investors.

Who it's for
Companies at Series A or beyond preparing for SOC2 Type II certification, closing a large enterprise contract, or going through investor due diligence that requires a full security assessment.
What problem it solves
Your auditor, your enterprise customer, or your lead investor has asked for evidence of a formal penetration test. This gives you that evidence, plus the peace of mind that your cloud infrastructure is as secure as your application.
When you need it
When your SOC2 audit is scheduled, when an enterprise customer sends a vendor security questionnaire, or 60-90 days before closing a Series A or B round.

What you receive

SOC2-ready compliance report
A formal report structured to satisfy SOC2 Type II auditors, including an attestation letter you can share directly with auditors, investors, and enterprise customers.
Cloud infrastructure testing
Full assessment of your AWS, Azure, or GCP environment: misconfigurations, exposed storage, IAM privilege escalation, and lateral movement paths.
Stakeholder readout call
A live call with your CTO and relevant stakeholders to walk through findings, explain risk in business terms, and answer questions before you share the report externally.
Full retest included
Retest of all critical, high, and medium findings with written confirmation. Essential for demonstrating remediation to auditors.
Talk to us about Investor-Ready →

Coverage

What we test

Every engagement covers the attack surface that matters for your stage, from OWASP Top 10 to cloud infrastructure.

OWASP Top 10 REST & GraphQL APIs Authentication & AuthZ Business Logic Flaws AWS / Azure / GCP Privilege Escalation Lateral Movement JWT & Session Security SQL & NoSQL Injection SSRF & XXE

Typical finding distribution

Critical
~2
High
~3
Medium
~4
Low
~2

Based on average across engagements · results vary by target

Download sample report

Packages

Pick your package.
Order in minutes.

Fixed prices. No negotiation, no hidden fees. What you see is what you pay.

Starter

Launch Security Scan

Early-stage startups · MVP / pre-seed

$3,500
3–5 days

Includes

OWASP Top 10 coverage
Automated + manual testing
1 web app (~15 endpoints)
Authentication checks
Prioritized findings report
Order now →

Most Popular

Scale Security Assessment

Startups in production · Seed → Series A

$8,000
1–2 weeks

Everything in Starter, plus

Web app + API testing
Deep auth / roles / business logic
Up to 50 endpoints
Manual exploitation · senior testers
Retest included + executive report
Order now →

Enterprise

Investor-Ready Pentest

SOC2 / due diligence · Series A+

$20,000
2–4 weeks

Everything in Scale, plus

Web + API + cloud (AWS/Azure/GCP)
Grey/white-box testing
Lateral movement & privilege escalation
SOC2-friendly compliance report
Stakeholder readout + retest
Order now →

Security & legal

Built to protect you. your clients.

Every engagement is covered by a formal authorization process so testing is always legal, documented, and traceable.

Authorization agreement

Before any payment is processed, you digitally sign a Scope of Work + Authorization Agreement. This confirms you own or have legal permission to test the target system.

Domain ownership verification

We require a DNS TXT record verification before starting any test. The same method Google uses. If you can add it, you own the domain. No exceptions.

Secure & confidential

All findings are encrypted in transit and at rest. Your report is sent only to you. We sign an NDA as part of every engagement. Your data never leaves our secure environment.

FAQ

Common questions.

Do I need technical knowledge to order a pentest?+
No. You just need to know the domain you want tested and have access to its DNS settings (to add a TXT record for verification). Our team handles everything else and explains findings in plain language.
What happens if you find critical vulnerabilities?+
We notify you immediately by email if we find a Critical severity issue during the engagement. You don't have to wait for the full report. We include step-by-step remediation guidance for every finding.
What is the retest and how does it work?+
After you fix the issues we found, you let us know and we run a targeted retest of every Critical and High severity finding to confirm they're fully resolved. This is included in every package at no extra cost.
Can I use the report for SOC2 or investor due diligence?+
Yes. Every report includes an attestation letter signed by Silentfault that confirms the engagement took place. This satisfies the penetration testing requirement for SOC2 Type II and is accepted by most VCs and enterprise security questionnaires.
What if I don't own the domain? Can I test a third-party app?+
No. We only test systems you own or have explicit written authorization to test. Our domain verification step ensures this. Testing a system without authorization is illegal under the CFAA and we will not proceed without confirmed ownership.

Get started

Order your pentest.
Ship with confidence.

No calls. No waiting. Your report delivered in days.

Start a pentest now

From $3,500 · 3–7 day delivery · Retest included