Pentesting for SaaS teams

Pentests in under two weeks. Reports your auditors accept.

Manual-quality penetration testing at automation speed. For SaaS teams prepping for SOC 2, ISO 27001, or enterprise security reviews — without the €20k bill or six-week wait.

Fixed-price proposal in 24 hours. No call required.
Why pentesting is broken

The four ways security testing fails founders.

Big-name firms: a 200-page PDF and a €20k invoice

You wait six weeks for a junior consultant to run the same scripts you could, then receive a binder padded with informational findings. By the time it lands, half of what they tested has already shipped twice.

Vulnerability scanners stop where the interesting bugs start

Nessus, Qualys and friends flag missing headers and outdated libraries all day. They will not find broken access control, IDORs in your API, or the auth flow your engineer rewrote on Friday afternoon.

Bug bounties without a deadline or a deliverable

Crowdsourced testing is great for breadth, terrible for compliance. There is no scope guarantee, no fixed timeline, and no signed attestation — so you still have to commission a real SOC 2 or ISO 27001 pentest anyway.

Pure-AI scanners that cannot chain an exploit

An LLM can spot a textbook reflected XSS. It cannot pivot through your tenant boundaries, abuse your billing logic, or put a name on the report your auditor needs to see. Without a human in the loop, the output is a demo, not evidence.

Pricing

Clear scope. Transparent pricing. No surprises.

Three tiers built for where you are. Pick one, get a fixed-price proposal in a day, start within the week.

Sprint

One web app or API, delivered in 5 to 7 business days

From €2,900 per engagement
  • OWASP Top 10 2021 + ASVS L1/L2 coverage
  • Backend auto-detection (Supabase, Firebase, WordPress, Strapi, REST, GraphQL)
  • Authenticated gray-box testing
  • Every finding human-verified with reproducible PoC
  • CWE, CVSS 4.0, OWASP, ASVS, and MITRE ATT&CK mapping per finding
  • CISA KEV cross-reference for actively-exploited CVEs
  • Signed letter of attestation for auditors
  • One free retest within 30 days
  • Slack or email channel during testing

Continuous

Always-on testing across your stack — up to 5 apps, APIs, or environments

From €2,400/mo, billed annually · €28,800/yr
  • Everything in Range, plus:
  • Pre-release scan on every deploy (CI hook)
  • Unlimited retests as you ship fixes
  • Continuous CISA KEV monitoring on your detected stack
  • Cloud configuration & IAM review (AWS, GCP, or Azure)
  • External perimeter & subdomain coverage
  • Monthly human-reviewed findings report
  • Quarterly executive briefing and board-ready summary
  • Annual threat-modeling workshop with your engineers
  • Annual evidence-pack refresh
  • Dedicated Slack with our security team

Tailor it to your audit

Source-aware testing: +30%

Read-only repo access on top of dynamic testing. Static analysis catches logic flaws and dead-code vulnerabilities that black-box misses, and shortens the path from finding to fix for your engineers. Available on Sprint and Range.

Compliance mapping: +€800

Findings cross-referenced to SOC 2, ISO 27001, GDPR, or PCI DSS controls. We hand your auditor a report that maps cleanly to their checklist, so you skip the back-and-forth and close evidence requests faster. Sprint only — included in Range and Continuous.

Cloud & IAM review: +€2,500

AWS, GCP, or Azure configuration and IAM audit on top of the application pentest. Surfaces over-permissive roles, public buckets, and infra misconfigurations your code review can't see. Sprint or Range — included in Continuous.

How it works

From scope intake to a report you can act on in under two weeks.

Six steps, async by default. No discovery call, no procurement gauntlet, and critical findings hit your inbox the moment we confirm them.

01
Free, 2 min

Scoping form

Submit a quick form with your app details, stack, and what the test needs to cover. We send back a fixed-price proposal within 24 hours. No call required.

02
Same day as signed SOW

Kickoff and credential handoff

You hand over test credentials and access. We lock in scope, prepare our testing environment, and agree the rules of engagement.

03
3 to 8 business days

Testing

AI-augmented testing aligned with the PTES framework, signed off by a senior pentester. Every finding ships with a working proof-of-concept, and anything critical is escalated the moment it's confirmed.

04
Within 2 days of testing

Report delivery

An executive summary, technical write-ups with CVSS scores and CWE mappings, per-finding remediation guidance, a full attack narrative, and a signed attestation letter for your auditors.

05
Async

Report walkthrough and Q&A

We share a detailed walkthrough of each finding with remediation steps. Your team raises questions on their schedule; we reply within one business day. Live call on request.

06
Optional, 1 to 2 days

Retest

After fixes ship, we verify they hold. You receive an updated report confirming closure — ready to hand to your auditor.

Why Intruso

AI speed. Senior judgment.
Reports auditors actually accept.

Six reasons SaaS teams pick us over consultancies, scanners, and bug bounty platforms when they need a real pentest without losing six weeks of engineering focus.

01

Every finding ships with a working exploit.

No "potential XSS" or theoretical CVSS scores. You get the raw HTTP request, the server's response, and step-by-step repro your engineers can paste into a terminal. If we can't prove it, we don't report it.

Critical · CWE-89 · SQLi in POST /api/login
High · CWE-639 · IDOR in GET /accounts/:id
Medium · CWE-942 · Reflected CORS with credentials
Low · CWE-1275 · Cookies missing SameSite
02

Backend-aware playbooks for the stacks you actually use.

Supabase RLS, Firebase rules, WordPress plugins, Strapi roles, GraphQL introspection, REST auth flows, multi-tenant isolation. We carry pre-built attack chains for each — not a generic OWASP checklist run by someone who's never touched your framework.

Supabase: OpenAPI · RPC · Realtime
Firebase: RTDB · Firestore · Functions
WordPress: REST · plugins · XML-RPC
Strapi: draft preview · roles
GraphQL: introspection · depth probe
REST: OpenAPI/Swagger · headers

03

A report in under two weeks, not six.

Most engagements wrap from kickoff to delivered report inside two weeks. Critical findings are escalated the moment they're confirmed, so you can patch in parallel and start closing audit evidence this sprint — not next quarter.

04

We talk during the test. Not just after.

Critical bugs hit your channel the moment we confirm them, with the exact payload and a one-line repro. You can ship a fix while we keep testing the rest of the surface — no surprises buried in a PDF a week later.

05

Production-safe by design.

Scope is locked before we start, traffic is rate-limited, destructive payloads are gated, and any test writes are reverted on completion. Run us against staging or live — we've never taken down a customer environment.

06

AI does the grunt work. A human signs the report.

AI handles fuzzing, payload generation, and first-pass triage at machine speed. A senior pentester validates every finding, eliminates false positives, and signs off the deliverable — so your SOC 2, ISO 27001, and GDPR auditors accept it without questions.

Real finding, real engagement

A finding from last month's report.

Below is a redacted excerpt from a recent engagement. Every finding you receive follows the same shape: severity context, reproducible proof, exploitation path, and a remediation you can ship the same afternoon.

finding-006

Cross-tenant data leakage in GET /rest/v1/profiles

High · Confirmed
CWE-639 · CVSS 4.0 / 8.4 · OWASP A01 · ASVS V4.2.1 · MITRE T1190
endpoint: /rest/v1/profiles?org_id=eq.{other}
method: GET
auth: authenticated_user (cross_tenant)

Request

curl -X GET 'https://app.example.com/rest/v1/profiles?org_id=eq.org_2' \
     -H 'apikey: <ANON_KEY>' \
     -H 'Authorization: Bearer <REDACTED_TOKEN>'

Response · 200 OK

[{"id":"u_***","email":"j***@example.com",
  "org_id":"org_2","role":"admin"}, ...]

How to fix

Enable Row Level Security on the profiles table and add a policy that restricts SELECT to rows where org_id matches the authenticated user's tenant claim, e.g. USING (org_id = (auth.jwt()->>'org_id')::uuid). Keep service-role access narrow and add a regression test that asserts cross-tenant reads return 0 rows.

Effort: medium — one migration, one policy, one test
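As an added illustration (not part of the report excerpt above), here is what that remediation looks like as a Supabase/Postgres migration plus the regression check it calls for. It assumes profiles.org_id is a uuid column, that the user's JWT carries an org_id claim, and that auth.jwt() reads that claim from the request.jwt.claims setting, which is how the Supabase helper is defined; the policy name and the two tenant UUIDs are constructed for the example.

```sql
-- Added example: migration implementing the RLS fix described above.
-- Assumptions: profiles.org_id is uuid; the JWT carries an org_id claim;
-- auth.jwt() resolves it from the request.jwt.claims setting (Supabase).

begin;

-- 1. Turn Row Level Security on. With no policies yet, nothing is readable
--    through the API roles, which is the safe default.
alter table public.profiles enable row level security;

-- 2. Allow SELECT only on rows belonging to the caller's own tenant.
--    The claim comes from the verified JWT, never from a query parameter,
--    so ?org_id=eq.org_2 can no longer widen the result set.
create policy profiles_select_own_tenant
  on public.profiles
  for select
  to authenticated
  using (org_id = (auth.jwt() ->> 'org_id')::uuid);

-- 3. Anonymous callers get nothing; service_role bypasses RLS by design,
--    so keep it server-side only and never ship it to a client.
revoke all on public.profiles from anon;

commit;

-- Regression check: impersonate a user of tenant A inside a transaction
-- and confirm tenant B's rows are invisible (0 rows, not an error).
begin;
select set_config(
  'request.jwt.claims',
  '{"role":"authenticated","org_id":"00000000-0000-0000-0000-00000000000a"}',
  true);                       -- true = local to this transaction
set local role authenticated;  -- same role the REST API uses

do $$
begin
  if (select count(*) from public.profiles
      where org_id = '00000000-0000-0000-0000-00000000000b'::uuid) <> 0 then
    raise exception 'RLS regression: cross-tenant profiles are readable';
  end if;
end $$;

rollback;  -- discard the role switch and claim; nothing is persisted
```

Run the second block as a CI step against a seeded test database so a future policy change that reopens the cross-tenant read fails the build rather than the next audit.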

FAQ

The questions every buyer asks us.

Real objections from founders, CTOs, and security leads — answered straight, with the trade-offs on the table.

Will testing break our production environment?
Production safety is non-negotiable. Scope is locked at kickoff and three violations abort the engagement entirely. Every write, upload, or delete the AI performs is logged, reverted before the report ships, and the reversal is verified by re-reading the affected resource. Destructive checks — writes, uploads, rate-limit floods, privilege escalation — are strictly opt-in. If you'd rather we stay read-only, we stay read-only.

Ready to find out what's exposed?

Fill out a 2-minute scoping form and get a fixed-price proposal within 24 hours. No call required, no commitment, no sales pitch.
