Simple answers to tough questions

Your questions answered

Table of Contents

How do you price your pentests?

Pricing for pentesting services is based on the scope of the attack surface. This is determined by assessing the number of endpoints, IPs, network assets, authorization roles, and authentication methods. Check out our 5 Steps to Scoping a Penetration Test document here.

What information do you need to provide me with a quote?

We will need the number of API endpoints, GraphQL mutations and queries, Controllers, or Routes for web applications. For mobile apps, the number of screens. For networks, the number of IPs, and network assets such as VPCs, S3 buckets, EC2 instances, API Gateways, load balancers, as well as an understanding of your business objectives for this pentest.

How long does a pentest take?

The length of pentests depends on the attack surface. On average, manual network pentests take between 3-7 days and web applications average 7 to 20 days of testing. When conducting your due diligence between vendors, consider asking questions such as:

how many projects will my pentester be managing at one time? What percentage of the effort is manual vs conducted by automated tools? How are you calibrating risk? On average what quantity and quality of vulnerabilities should I expect? In what formats? What level of guidance and support is offered for remediation?

How much in advance should I plan my pentest?

Most pentests are scheduled within 3 - 6 weeks. Occasionally, we can accommodate pentests sooner than 3 weeks based on our calendar availability. If you are working towards a compliance framework for the first time, a good rule of thumb is to engage a pentest vendor 2-3 months before your audit window begins. This allows you to remove administrative controls, unnecessary once you’ve conducted a quality third party security assessment on your product and environment and get a head start on remediation in line with your Vulnerability Management Policy SLAs, to avoid pre-audit late nights.

Why is comprehensive pen testing important for my business?

Comprehensive pentesting is critical for identifying and addressing vulnerabilities across applications and networks, ensuring the protection of financial assets, safeguarding customer data, and maintaining a strong market reputation. It plays a pivotal role in accelerating sales as enterprises increasingly scrutinize their software supply chains for security risks. Pentesting ensures compliance with industry standards, demonstrating due diligence to clients and stakeholders while providing a competitive edge through a clear commitment to robust security practices.

Other vendors say they are comprehensive too, what’s the difference?

Software Secured differentiates itself through a tailored and in-depth approach to pentesting, addressing unique client needs rather than offering one-size-fits-all solutions.

With a team of seasoned Canadian full-time security experts, the company goes beyond surface-level assessments to deliver detailed, actionable insights that strengthen long-term security. Business logic testing involves Software Secured’s team receiving a demo of your product suite, understanding the use cases for your clients, partners and stakeholders, conducting OSINT activities and customizing industry specific test plans for your attack surface.

Unlike many vendors, Software Secured emphasizes business enablement by helping clients meet compliance standards, accelerate sales processes, and showcase security diligence to stakeholders.

Multiple rounds of retesting enable development teams to work security remediation into their sprint cycles without sacrificing product roadmaps, and clear, actionable, benchmarked communication ensures a seamless and impactful security partnership.

How long until I receive a report?

Our clients receive the report 2 days after active pentesting is done. We know you have at times urgent business requirements, please share these specifics with us so we can adapt accordingly.

How many rounds of retesting do I get?

The Essential package receives 1x round of retesting. Pentest 360 receives 3x rounds of retesting. Penetration Testing as a Service clients receive unlimited rounds of retesting at no cost to you. Retesting is included in your initial quote, so there are no surprises.

What else should I know?

The downstream process of real vulnerability management can be a pain for fast-moving development teams. Within Portal, your pentest lead (technical or business) can immediately observe your vulnerabilities (how many, what severity and how many days until you need to remediate to remain inline with your SLAs). All proof of concepts, details and steps to remediate are also found for your technical team to action. Reports can be downloaded for internal or external use, and development teams love CSV file downloads and our direct integrations with ticketing systems and GRC tools.

Is Portal secure?

Our portal is built with robust security features to ensure the highest level of protection for your data. It uses OAuth-based authentication, ensuring your existing policies are seamlessly carried through. With a single-tenant architecture, your data is kept entirely separate from others, providing an added layer of confidentiality. Additionally, all data is encrypted both in transit and at rest. At rest, data is encrypted, and keys are automatically rotated to maintain stringent security standards.

To further bolster security, the portal undergoes quarterly penetration testing to identify and mitigate vulnerabilities proactively. Granular role-based access control (RBAC) permissions allow precise management of user access, ensuring that only the right people have access to the right resources. This combination of advanced security measures ensures your peace of mind and safeguards your sensitive information.

Sounds good, why haven’t I heard about you?

Software Secured has been in business since 2010. We began serving Canadian startups, government agencies and Financial Institutions. Over the past 5 years, we have been growing rapidly, expanding across the United States, into Europe and beyond. Our clients are primarily high-growth SaaS startups, scaleups and SMBs, with a high concentration (50%) in healthcare, fin-tech and security sectors. We also serve firms whose clients have stringent security requirements or whose leadership have experienced what solid security partners can do for their Go To Market strategies and growth goals. We aren't focused on having a massive brand presence. We are interested in your reputation and helping you maintain it to prove security maturity and get on with your day. However, we understand social proof is important as you conduct your due diligence. Check out our testimonials and case studies. If you like what you see, tell your friends.

Twitter

Clutch

Github

Have a question not listed here?

Get answers: info@softwaresecured.com

Helping companies identify, understand, and solve their security gaps so their teams can sleep better at night

Services

Pentest Essentials Pentest 360 Penetration Testing as a Service Secure Code Review Secure Cloud Review Developer Training

Industries

Healthcare Finance Security SaaS

Resources

Blog Case Studies News & Press Webinars Help Center

Company

About Careers Partners Contact Pricing Legal

Security & Compliance Terms Privacy Contact us