Pentest Configurator & Quote Generator

Secure, transparent and fast: Your pentest at a fixed price

Answer some questions about your planned pentest project, select additional services and receive your personal quote immediately.

Immediate cost estimate • Customized • No obligations

How would you like to proceed?

  • Ready-made packages: Quick and easy - preconfigured solutions for common requirements
  • Customized configuration: Tailor-made - detailed adaptation to special requirements

FAQ

How is it ensured that the pentest is conducted professionally and is methodologically sound?

Our penetration tests follow established standards such as the OWASP Testing Guidelines, ASVS (Application Security Verification Standard) as well as PTES (Penetration Testing Execution Standard). This ensures that both technical vulnerabilities and typical attack vectors (e.g. authentication, access control, API abuse) are covered.
Additionally, we rely on manual testing by experienced security experts – not pure scanner reports.

Why is the test so configurable in detail? Doesn't this become too complex?

We offer these configuration options because every web application is unique. Through parameterization, we can assess the effort and risk landscape more precisely – and you only pay for what actually needs to be tested.
For customers who don't know all the details, we also offer:
  • Consulting for configuration
  • Pre-configured "typical scenarios" (e.g. SaaS, e-commerce, internal business application)

Why is the re-test not always included?

In many cases, simple fixes are sufficient – in other cases, a complete re-test is necessary. Therefore, we offer the re-test as optional quality assurance – we explicitly recommend it especially for security-critical applications.

Can I skip the PDF report? What do I get then?

Yes, you can deliberately skip a formatted PDF report if you have, for example, an internal security team or prefer technical exports. In this case, we deliver the results in a structured format (Excel / Markdown / JSON) – functionally equivalent, but without visual formatting. Important: The management summary is independent of this and can be booked separately.

How do the three package options differ?

  • Mini-Pentest: Focus on critical vulnerabilities, 1 business day, compact email report
  • Standard-Pentest: Comprehensive OWASP Top10 review, 5 business days, detailed PDF report with results discussion
  • Extended Pentest: Full-scope testing including external attack surface, 9 business days, management summary

What does "OWASP Top10" mean?

The OWASP Top10 is a list of the ten most common and critical security risks for web applications, updated annually by the Open Web Application Security Project (OWASP). It serves as an international standard for web security testing.

What is CVSS scoring?

The Common Vulnerability Scoring System (CVSS) is an international standard for rating the severity of security vulnerabilities. Values above 7.0 are considered critical and require immediate attention.

Can I combine multiple services?

Yes, you can add any number of services to your cart. For example, you can simultaneously commission a web application, an API, and a phishing test.

Why does a CMS-based system cost less than a custom development?

CMS systems like WordPress or Drupal have known structures and common vulnerabilities, making the test more efficient. Custom developments require more analysis and individual testing approaches.

What is a test/staging environment and why is it important?

A test environment is a copy of your production application where testing can be performed safely. Tests on production systems are riskier and require more caution, leading to higher costs.

What does "external attack surface" mean?

These are all systems of your company accessible from outside (Internet): websites, email servers, VPN access, etc. An analysis helps identify forgotten or unknown systems.

What is a "retest"?

After fixing identified vulnerabilities, we verify that the fixes have been correctly implemented and no new problems have emerged. This also includes tests for bypass possibilities.

What is "Argos EASM"?

External Attack Surface Monitoring (EASM) continuously monitors your external attack surface and notifies you of new systems or vulnerabilities. Argos is our proprietary tool for this.

When do I need a management summary?

A management summary summarizes technical findings in understandable language for executives and shows business risks as well as recommended actions.

Are the displayed prices fixed prices?

Yes, all displayed prices are fixed prices including all services. Additional costs only occur if you commission additional services or the test object differs significantly from your specifications.

Why are some features charged extra?

Certain features significantly increase the testing effort.

What happens if my application is more complex than expected?

With fixed prices, we take on the risk. Should unforeseen complexities occur, we discuss possible adjustments with you before additional costs arise. This usually happens before the pentest starts.

How does a pentest work?

  1. Preliminary discussion: Clarification of details and access
  2. Test execution: Analysis and tests according to defined methods
  3. Report creation: Documentation of all findings
  4. Results discussion: Explanation of findings and recommendations
  5. Optional: Retest after implementation of fixes

Do you need access credentials?

Yes, for authenticated tests we need valid access credentials for various user roles. These are handled securely and deleted after the test.

Can you also test outside business hours?

Yes, this is possible and often sensible to avoid disrupting ongoing operations. We arrange this individually.

Does a pentest help with ISO 27001 or other standards?

Yes, regular penetration tests are required or recommended in many standards like ISO 27001, PCI DSS, or GDPR. Our reports can serve as evidence.

Will I receive a certificate or confirmation?

You receive a detailed test report. With the extended pentest, a confirmation letter for customers/suppliers is additionally included.

Is a pentest legally required?

Not directly, but GDPR and other laws require "appropriate technical measures". Penetration tests are considered best practice for demonstrating due diligence.

Do you offer support with remediation?

We explain all findings thoroughly and provide concrete recommendations for action. The implementation is usually handled by your internal teams or service providers.

How current are your testing methods?

Our methods are continuously adapted to new threats. We use current tools and techniques according to international standards.

What if the effort turns out to be less than expected?

Our prices are maximum prices - if it turns out that the pentest will be finished faster, you naturally pay a lower price.