One platform · external pentest + Sentry continuous coverage

Penetration testing, end to end.

A modern penetration testing platform that goes beyond the once-a-year PDF. Run an audit-credible external pentest for your SOC 2 or HIPAA evidence package, drop a Trustivum Sentry on your LAN for continuous internal coverage, or step up to Sentry Pro for full credentialed vulnerability assessment. Same platform. Same audit-ready reporting. Three ways to use it.

  • SOC 2 + HIPAA mapped
  • Branded PDF reports
  • Sentry: drop-in, no install
  • Free retest on every external

Three ways to use the platform

Pick where you want coverage. Or pick all three.

Most teams start with the external pentest because that is what their auditor circled in the last SOC 2 report. Then they add a Sentry once they realize the rest of the year still has 364 days in it. Sentry Pro is for teams that need authenticated, deep-coverage internal assessment without standing up their own enterprise scanner stack.

Tier 1 · External

External Pentest

A one-shot, audit-credible external pentest mapped to SOC 2 and HIPAA. The thing your auditor wants in your evidence package.

  • Up to 3 external assets (web apps, APIs, domains)
  • Automated scanning + manual analyst verification
  • Branded PDF report with confidentiality stamp
  • SOC 2 + HIPAA control mapping on every finding
  • One free retest within 30 days
  • 7-business-day turnaround

Tier 3 · Pro · Deep coverage

Sentry Pro

High-performance appliance with a full enterprise-grade authenticated scanner and web application scanner onboard. For teams that need credentialed, deep-coverage internal assessment.

  • High-performance hardware — full vuln scanner runs on-prem
  • Enterprise vulnerability scanner: tens of thousands of checks
  • Authenticated web application crawling
  • Credentialed scans against your hosts (insider view)
  • Customer data never leaves the LAN — only metadata leaves
  • Includes everything Sentry Standard does

Why a Sentry beats an external-only test

An annual external test catches what an attacker sees on one day.
A Sentry catches what changes the other 364.

External pentests are still the right deliverable for your SOC 2 evidence package — but on their own they leave a year-long visibility gap. Most breaches start at things that move between annual tests: a new CVE drops, a developer spins up a forgotten dev VM, a misconfigured share appears on the network, a printer joins the wrong VLAN. The external pentest can't see any of that. A Sentry sees all of it, the day it happens.

Continuous, not point-in-time

External tests are a snapshot. Sentries scan on a recurring schedule (weekly default for Standard, daily for Pro) so a new vulnerability surfaces in days, not next year.

Inside the perimeter

The most damaging findings are usually inside — exposed admin panels, default credentials, forgotten dev databases, SMB shares. An external test never sees them. A Sentry lives there.

Change detection

Every scan is diffed against the last. A new open port, a new host, a new service — flagged. You stop finding out about shadow IT during your incident response.

Same-week CVE coverage

The CVE feed is refreshed on every scan. When a new CVE drops, your next Sentry run picks it up — without you doing anything.

Audit-grade evidence

SOC 2 CC6.6 (boundary protection) and CC7.1 (system monitoring) want continuous evidence. The Sentry quarterly PDF drops directly into your audit binder.

Fixed-fee, no surprises

One contract, one appliance, one scan cadence. You're not paying analyst hours for every recurring scan — the platform automates the boring parts.

External-only vs. external + Sentry — what your security posture actually looks like

| What you'd want to know about | External pentest only | External + Sentry Standard | External + Sentry Pro |
|---|---|---|---|
| Public web apps + APIs | ✓ Yes (annual) | ✓ Yes (annual) | ✓ Yes (annual + continuous) |
| Internal network hosts | ✗ Not seen | ✓ Scanned weekly | ✓ Scanned daily |
| New device on network | ✗ Found at next audit | ✓ Flagged in days | ✓ Flagged in hours |
| Same-week CVE coverage | ✗ Wait for next test | ✓ Every scan refresh | ✓ Every scan refresh |
| Authenticated host scans | ✗ Out of scope | ~ Network-layer only | ✓ Credentialed (insider view) |
| Misconfig / SMB share / open RDP | ✗ Outside scope | ✓ Detected | ✓ Detected + impact analysis |
| Authenticated web app crawl | ~ During engagement | ✗ Network only | ✓ Continuous |
| SOC 2 CC7.1 evidence | ~ Annual snapshot | ✓ Continuous trend reports | ✓ Continuous trend reports |
| Customer-side install | ✓ None | ✓ None — plug in and go | ✓ None — plug in and go |
| Customer data leaves LAN | ~ Findings only | ✓ Findings only | ✓ Findings only |

What every Trustivum report gives you

A real pentest, mapped to the controls your auditor cares about.

No theatrical "executive narrative" or AI-generated padding. Just the findings, the evidence, the remediation path, and the citations your SOC 2 or HIPAA auditor will need. Reports are delivered as branded PDFs with a confidentiality stamp and a closing audit trail. The same reporting pipeline drives external pentests, Sentry findings, and quarterly trend reports.

  • Branded PDF report — confidentiality stamp + closing audit trail page
  • Executive summary — written, not AI-padded; reviewed by an analyst
  • Per-finding evidence — request/response, screenshots, command output
  • Remediation guidance — concrete steps, not "implement defense in depth"
  • SOC 2 control mapping — CC6.1, CC6.6, CC6.7, CC7.1, CC7.2 on every finding
  • HIPAA Security Rule citations — §164.308 / §164.312 references
  • MITRE ATT&CK + CWE tagging — every finding
  • CVSS v3.1 base scores — every finding
  • Free retest within 30 days — applies to external pentests; delta report on remediated findings
  • Audit-ready packaging — drops straight into Type 1 or Type 2 evidence binders

Sentry Standard

A drop-in box that scans your network all year.

Sentry Standard is a compact appliance, pre-imaged at the factory and shipped to your office. The customer experience is: open the box, plug in power, plug in ethernet. The appliance connects securely on first boot, registers with the Trustivum platform over an outbound encrypted connection, and waits for its first scheduled scan window. No agent on your servers, no firewall changes, no VPN client.

What it scans

Network-layer continuous coverage

Sentry Standard runs the lightweight half of the Trustivum scan stack. It maps your network, identifies every live host and open service, fingerprints what's running, checks each service against the latest CVE feed, and enumerates network shares looking for misconfiguration. Every scan is diffed against the previous one — new hosts, new ports, new services are flagged as deltas.
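
The scan-to-scan diff described in this paragraph and in the "Change detection" item earlier on the page, written out as an added example. This is illustrative code, not Trustivum's appliance software: the snapshot shape (host mapped to port and service name), the sample addresses, and the list of "notable" services are all constructed assumptions.

```python
# Constructed sample snapshots (not real scan output): host -> {port: service}
PREVIOUS_SCAN = {
    "10.0.1.10": {22: "ssh", 443: "https"},
    "10.0.1.20": {445: "smb"},
    "10.0.1.30": {80: "http"},
}
CURRENT_SCAN = {
    "10.0.1.10": {22: "ssh", 443: "https", 8080: "http"},  # new port on a known host
    "10.0.1.20": {445: "smb"},
    "10.0.1.55": {3389: "rdp"},                              # brand-new host
}

# Assumed list: services whose sudden appearance inside the perimeter deserves a louder flag
NOTABLE_SERVICES = {"smb", "rdp", "telnet", "ftp", "vnc"}


def diff_scans(previous, current):
    """Compare two snapshots and return the deltas a reviewer should look at.

    new_hosts / removed_hosts: host appeared or disappeared
    new_ports / closed_ports: (host, port, service) opened or closed
      (ports on a brand-new host count as new_ports as well)
    changed_services: (host, port, old_service, new_service)
    """
    deltas = {"new_hosts": [], "removed_hosts": [], "new_ports": [],
              "closed_ports": [], "changed_services": []}
    for host in set(current) - set(previous):
        deltas["new_hosts"].append(host)
        deltas["new_ports"].extend((host, p, s) for p, s in current[host].items())
    for host in set(previous) - set(current):
        deltas["removed_hosts"].append(host)
        deltas["closed_ports"].extend((host, p, s) for p, s in previous[host].items())
    for host in set(previous) & set(current):
        old, new = previous[host], current[host]
        deltas["new_ports"].extend((host, p, new[p]) for p in set(new) - set(old))
        deltas["closed_ports"].extend((host, p, old[p]) for p in set(old) - set(new))
        deltas["changed_services"].extend(
            (host, p, old[p], new[p]) for p in set(old) & set(new) if old[p] != new[p])
    # Sorted output keeps the delta report stable from run to run
    return {k: sorted(v) for k, v in deltas.items()}


def render_alerts(deltas):
    """One line per delta, tagging services from NOTABLE_SERVICES."""
    lines = []
    for host in deltas["new_hosts"]:
        lines.append(f"NEW HOST    {host}")
    for host, port, svc in deltas["new_ports"]:
        tag = "  <-- notable" if svc in NOTABLE_SERVICES else ""
        lines.append(f"NEW PORT    {host}:{port} ({svc}){tag}")
    for host, port, old, new in deltas["changed_services"]:
        lines.append(f"CHANGED     {host}:{port} {old} -> {new}")
    for host, port, svc in deltas["closed_ports"]:
        lines.append(f"CLOSED      {host}:{port} ({svc})")
    for host in deltas["removed_hosts"]:
        lines.append(f"GONE        {host}")
    return lines


if __name__ == "__main__":
    for line in render_alerts(diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)):
        print(line)
```

Closed ports and vanished hosts are reported alongside new ones: a host that silently disappears from the inventory is as worth a question as one that appears, and a diff that only reports additions will miss it.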

For most teams this catches the bulk of internal-network risk: the dev VM that opened SSH to the world, the new CVE that just dropped against your web server software, the file share that lost its ACL when someone migrated a server.

Form factor

  • Compact, low-power appliance
  • Hardened OS image, signed updates
  • Power-over-Ethernet option available
  • Tamper-evident asset tag

What it covers

  • Network discovery, port enumeration, service detection
  • CVE checks, refreshed every scan
  • Network share enumeration
  • Internal name resolution

Cadence

  • Weekly scan windows by default
  • Configurable per-customer schedule
  • On-demand scans from the portal

Network

  • Outbound HTTPS only — no inbound rules required
  • Mutually authenticated to the Trustivum platform
  • Locked-down network interface, isolated by firewall

Sentry Pro

The full vuln scanner stack — but the data stays in your office.

Sentry Pro is the heavy-duty appliance. It runs the same connection protocol as Standard, but on high-performance hardware that can host a full enterprise-grade vulnerability scanner and web application scanner locally. That means authenticated, deep-coverage scans — the kind a compact appliance can't run — happen entirely inside the customer's network. Only finding metadata leaves; raw scan output, packet captures, and credentials never go anywhere except onto the appliance itself.

What it scans

Authenticated, credentialed, deep coverage

Pro adds two capabilities Standard can't: authenticated host scanning with credentials you provide, so the Sentry can log into hosts and assess what an insider or compromised user account could actually see, and authenticated web application crawling, so internal apps with login walls are tested with real session state.

It also runs a full enterprise vulnerability test catalog — tens of thousands of checks covering OS-level, application-level, and network-service vulnerabilities, refreshed daily. This is what most enterprise vulnerability management teams use; Pro brings it to teams that don't want to stand up their own scanner stack.

Form factor

  • High-performance appliance with ample memory and SSD storage
  • Hardened OS image, signed updates
  • Local encrypted scratch storage
  • Tamper-evident asset tag

What it covers

  • Enterprise vulnerability scanner — tens of thousands of checks, daily feed
  • Authenticated web application scanner
  • Industry-standard network and service scanners
  • Authenticated host scans using credentials you provide

Cadence

  • Daily light scans + weekly deep authenticated scans
  • On-demand triggered scans from the portal
  • Critical-finding alerts via email + webhook

Data residency

  • Raw scan output stays on the appliance
  • Only finding metadata is sent to the Trustivum platform
  • Customer credentials encrypted at rest, never exfiltrated

How it works

From request to first scan in five clean steps.

The same onboarding flow drives every tier. The only thing that changes is where the scan runs — our infrastructure (external pentest) or your office (Sentry).

1. Request

Two-minute form on this site. Pick a tier or ask for a recommendation. We follow up within one business day.

2. Terms + agreement

Click-through Terms of Service, then a contract. No hour-long discovery calls — we want you running, not negotiating.

3. Scope + SOW

Fill the scoping form (assets, contacts, test windows). We draft the SOW and send for e-signature. For Sentries, we ship the appliance once the SOW is countersigned.

4. Test

External: scans run from our infrastructure on the agreed schedule. Sentry: plug it in. It connects securely, registers, and waits for its first scan window. Status visible in your customer portal.

5. Report + ongoing

External: branded PDF delivered, free retest within 30 days. Sentry: findings stream live to the portal, quarterly trend report drops automatically into your audit binder.

Trust + safety

Built so security people can hand it to their boss.

Pentesting platforms can be risky to deploy — a misbehaving scanner can knock over production. Trustivum is built around the assumption that the customer's environment is irreplaceable.

  • Signed SOW on every engagement — scope, test windows, rules of engagement (no destructive tests, no DoS, no social engineering unless explicitly scoped)
  • Rate-limited scanning — Sentries throttle automatically based on observed network response; the platform does not allow scans to degrade production
  • Per-engagement isolation — every customer's findings, raw output, and report drafts live in an isolated workspace; multi-tenant from day one
  • Mutually authenticated outbound connection — Sentries connect outbound only, with cryptographic identity tied to the appliance asset tag
  • Encrypted at rest — credentials, raw scan output, and report drafts
  • Hash-chained audit log — every state change recorded; tamper-evident chain you can hand to your auditor
  • 90-day data retention — by default; longer retention available on request
  • Analyst review on every report — automated output never ships unreviewed
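
The hash-chained, tamper-evident audit log from the list above, as an added example of how such a chain is built and checked. This is not Trustivum's implementation: the record layout, the use of SHA-256 over canonical JSON, and the sample events are all assumptions made for illustration.

```python
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # anchor value the first entry chains to


def canonical_bytes(obj):
    """Deterministic JSON encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(seq, prev_hash, event):
    """Hash commits to the position, the previous entry's hash, and the event itself."""
    return hashlib.sha256(canonical_bytes(
        {"seq": seq, "prev_hash": prev_hash, "event": event})).hexdigest()


class HashChainedLog:
    """Append-only log where every entry includes the hash of the entry before it."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        seq = len(self.entries)
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        digest = entry_hash(seq, prev_hash, event)
        self.entries.append({"seq": seq, "prev_hash": prev_hash,
                             "event": event, "hash": digest})
        return digest

    def head(self):
        """Hash of the newest entry. Hand this to the auditor out-of-band so a
        quietly truncated log can be detected; the chain alone cannot reveal it."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH


def verify_chain(entries, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).
    With expected_head, a chain that is internally consistent but ends at a different
    hash (e.g. trailing entries removed) is reported as bad at index len(entries)."""
    prev_hash = GENESIS_HASH
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev_hash:
            return False, i
        if entry_hash(e["seq"], e["prev_hash"], e["event"]) != e["hash"]:
            return False, i
        prev_hash = e["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(entries)
    return True, None


# Constructed sample events (illustrative, not real platform records)
SAMPLE_EVENTS = [
    {"actor": "analyst-01", "action": "finding.created", "finding": "F-1", "severity": "high"},
    {"actor": "analyst-01", "action": "finding.accepted", "finding": "F-1"},
    {"actor": "system", "action": "report.delivered", "report": "R-1"},
]


def build_sample_log():
    log = HashChainedLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log


def demo():
    """Intact chain, an edited entry, and a truncated chain with and without the head."""
    log = build_sample_log()
    intact = verify_chain(log.entries, expected_head=log.head())

    tampered = copy.deepcopy(log.entries)
    tampered[0]["event"]["severity"] = "low"   # quietly downgrade a finding after the fact
    edited = verify_chain(tampered)

    truncated = copy.deepcopy(log.entries)[:-1]  # drop the delivery record
    without_head = verify_chain(truncated)       # passes: chain is still self-consistent
    with_head = verify_chain(truncated, expected_head=log.head())
    return intact, edited, without_head, with_head


if __name__ == "__main__":
    print(demo())
```

The truncation case is the one worth remembering: a hash chain proves that nothing in the middle was altered, but removing the newest entries leaves a perfectly valid shorter chain. The latest hash has to be recorded somewhere the log's owner cannot rewrite (the auditor's binder, a signed report page) for the "tamper-evident" claim to cover deletions.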

FAQ

Common questions about the platform.

If your question isn't here, ask it on the request form — we read every submission.

Why a Sentry instead of just an annual external pentest?
An external pentest tells you what an attacker sees from outside the firewall on a single day. A Sentry tells you what is changing inside your network all year — every new device, every new open port, every new vulnerability the moment a CVE is published, every misconfiguration that creeps in between audits. SOC 2 CC6.6 and CC7.1 increasingly expect this kind of continuous evidence. An external test plus a Sentry is the modern compliance posture; an external-only test is the 2018 version.
What is the difference between Sentry Standard and Sentry Pro?
Standard is a compact appliance running lightweight network-layer scanners (network discovery, CVE checks, share enumeration, service fingerprinting). Pro is a high-performance appliance with a full enterprise vulnerability scanner (tens of thousands of checks) and an authenticated web application scanner. Pro can run credentialed scans against your hosts using credentials you provide; Standard is unauthenticated network-layer only.
Will my data leave the network with a Sentry?
No. Customer data never leaves the LAN. The Sentry scans locally and sends only finding metadata — host IPs, port numbers, CVE IDs, severity, brief descriptions — back to the Trustivum platform over an outbound, mutually authenticated HTTPS connection. Raw scan output, packet captures, and any sensitive content stay on the appliance. The Sentry never accepts inbound connections from the public internet.
Do I have to install anything?
No. Sentries ship pre-imaged. Plug into power and the LAN. The appliance connects securely on first boot, registers with the Trustivum platform, and waits for its first scheduled scan. No agent installs on your servers, no firewall changes, no VPN client.
Is the Sentry sold or loaned?
Sentries are loaned for the term of the contract. Each unit has an asset tag, ships in a return-ready box with a pre-paid return label, and is reclaimed at end of contract. This avoids capex on your side and lets us refresh hardware on a predictable cadence.
Will the report be acceptable to my auditor?
Yes. Reports are mapped explicitly to SOC 2 Trust Services Criteria (CC6.1, CC6.6, CC6.7, CC7.1, CC7.2) and reference HIPAA Security Rule citations where applicable. Methodology follows the OWASP Web Security Testing Guide. The PDF includes a confidentiality stamp and closing audit page, structured to drop straight into a Type 1 or Type 2 evidence package.
Do I still need an external pentest if I have a Sentry?
For SOC 2 / HIPAA evidence, yes — auditors expect the external pentest as the primary deliverable. The Sentry covers the year-round internal-monitoring requirement (CC7.1 and CC7.2) that an external test can't satisfy on its own. Together they cover both halves of the criterion. We sell them separately or together.
How long does the external pentest take?
7 business days from signed SOW to delivered report. Breakdown: 1 day for scoping and authorization, 3 to 4 days of active testing, and 2 to 3 days of analyst review and report polish. Expedited turnaround is available.
Is this real manual penetration testing or just an automated scan?
Both. Automated scanning catches the long tail of known vulnerabilities; manual verification confirms findings, eliminates false positives, and tests for business-logic flaws scanners miss. We deliberately keep the external scope limited so the manual phase has time to be meaningful. If you've ever paid for a pentest that was just a Nessus dump in a PDF, that's not what we do. Every finding ships only after a human analyst reviews it.
What testing methodology does the platform use?
OWASP Web Security Testing Guide (WSTG) and OWASP API Security Testing Guide. Toolchain: industry-standard open-source vulnerability and web application scanners. Findings tagged with MITRE ATT&CK technique IDs and CWE references. CVSS v3.1 base scores computed for every finding.
Can I expand the scope of an external pentest?
Yes. Common add-ons include authenticated web application testing, additional external assets, mobile application testing, and full internal network coverage (where a Sentry is the recommended path). Check the expanded scope option on the request form.
How do you protect our data and systems during testing?
Every engagement starts with a signed SOW documenting scope, test windows, and rules of engagement (no destructive tests, no DoS, no social engineering unless explicitly scoped). Testing is rate-limited. All findings, customer data, and report drafts live in an isolated per-engagement workspace on encrypted infrastructure. Reports are delivered as signed PDFs and the workspace is wiped 90 days after delivery unless you ask us to retain it longer.
Who performs the testing?
A Trustivum analyst, using our proprietary platform that combines industry-standard open-source scanners with a manual review pipeline. Every finding is reviewed and accepted by an analyst before it ships in the final report — automated output never goes out unreviewed.

Ready to get audit-ready and stay there?

Two-minute request form. Tell us which tier interests you, or ask for a recommendation — we'll come back with a custom proposal.

Request a Pentest →