Built for compliance audits — SOC 2, HIPAA, & vendor questionnaires

External penetration testing,
priced for growing teams.

Most pentests are either $25,000+ from a boutique firm or $500 from a freelancer. Neither works for a SaaS startup that just needs an audit-credible external assessment for SOC 2. Trustivum's flat-fee external pentest is built for the middle. Limited scope, real manual verification, audit-ready report — for $2,495.

$2,495 flat — no discovery call · 7-business-day turnaround · Free retest within 30 days · SOC 2 + HIPAA mapped
What you get

A real pentest, mapped to the controls your auditor cares about.

No theatrical "executive narrative" or AI-generated padding. Just the findings, the evidence, the remediation path, and the citations your SOC 2 or HIPAA auditor will need. Reports are delivered as branded PDFs with a confidentiality stamp and a closing audit trail.

  • Up to 3 external assets — web apps, APIs, or public domains
  • Automated scanning — Nmap, ZAP, OpenVAS, nuclei, testssl.sh
  • Manual verification — false-positive elimination + business logic
  • Branded PDF report — confidentiality stamp + audit closing page
  • SOC 2 control mapping — CC6.1, CC6.6, CC6.7, CC7.1, CC7.2
  • HIPAA Security Rule citations — §164.308 / §164.312 references
  • MITRE ATT&CK + CWE tagging — every finding
  • CVSS v3.1 base scores — every finding
  • Free retest within 30 days — delta report on remediated findings
  • 7-business-day turnaround — from signed SOW to delivered report
How it works

From request to report in five clean steps.

Every step has a fixed-fee, fixed-time deliverable so you always know where the engagement stands.

1. Request

Fill in the request form. We follow up within one business day to confirm fit.

2. Terms + Pay

Click-through Terms of Service, then a Stripe link. Flat fee — no discovery call.

3. Scope

Fill in the scoping form (assets, contacts, test windows). We draft the SOW and send it for e-signature.

4. Test

Automated and manual phases run from your scheduled start date. Status is visible in your portal.

5. Report

Branded PDF delivered. Free retest within 30 days. Drop it straight into your audit package.

Pricing

Flat fee. No surprise add-ons.

One number. The same number every time, regardless of which three assets you pick or how the scoping conversation goes. If your scope outgrows that limit, tick the expanded-scope box on the request form and we'll quote the add-ons separately during scoping, so the base fee never moves.

Trustivum External Pentest
$2,495

Up to 3 external assets · automated + manual · branded PDF report mapped to SOC 2 and HIPAA · one free retest within 30 days · 7-business-day turnaround.

Request a Pentest →

Need expanded scope, authenticated testing, internal network coverage, or mobile? Check the "Expanded scope" box on the request form — we'll quote it during scoping.

FAQ

Common questions about external penetration testing.

If your question isn't here, ask it on the request form — we read every submission.

Do I need a penetration test for SOC 2?
SOC 2 doesn't strictly require an external penetration test, but most auditors expect to see one as evidence for Common Criteria CC6.6 (logical access controls against threats from outside the system boundary) and CC7.1 (detection of configuration changes and newly discovered vulnerabilities). Without one, auditors will typically note a gap or ask for compensating controls, which usually cost more than the pentest itself. An annual external pentest is the industry-standard cadence. The same reasoning applies to the HIPAA Security Rule's periodic technical evaluation requirement, §164.308(a)(8) (Evaluation).
How much does an external pentest typically cost?
$4,000 to $30,000+ depending on scope. Boutique firms charge $15,000 to $50,000 for full-scope engagements. Trustivum's $2,495 flat fee covers a deliberately limited external scope built for the SOC 2 / HIPAA compliance use case. If you need full-scope offensive security work, internal testing, or red team services, we'll quote those separately.
What scope is included for the flat $2,495 fee?
Up to three external assets — any combination of web applications, REST or GraphQL APIs, and public-facing domain names or IP addresses. Testing is conducted from outside your network (no VPN, no internal credentials). If you need authenticated testing, internal network access, mobile applications, or more than three assets, we'll quote those add-ons during scoping.
How long does it take?
7 business days from signed SOW to delivered report. Breakdown: 1 day to set up scoping and authorization, 3–4 days of active testing, and 2–3 days of analyst review and report polish. Expedited turnaround available for an additional fee.
Will the report be acceptable to my auditor?
Yes. Every finding is mapped to SOC 2 Trust Services Criteria (CC6.1, CC6.6, CC6.7, CC7.1, CC7.2) and references HIPAA Security Rule citations where applicable. Methodology follows the OWASP Web Security Testing Guide. The PDF includes a confidentiality stamp and an audit trail, and is structured to drop straight into a Type 1 or Type 2 evidence package. One practical check on your side: pick the three assets so they sit inside the system boundary described in your SOC 2 system description. A test of assets outside that boundary won't count as evidence for the controls inside it.
Do you provide a retest after we fix the findings?
Yes. One free retest within 30 days of report delivery is included. The retest re-runs the same testing methodology against any findings you've remediated and produces a delta report. This is the same evidence auditors expect when SOC 2 controls require remediation timelines.
Is this real manual penetration testing or just an automated scan?
Both. Automated scanning catches the long tail of known vulnerabilities; manual verification confirms findings, eliminates false positives, and tests for business-logic flaws scanners miss. We deliberately keep scope limited so the manual phase has time to be meaningful. If you've ever paid for a pentest that was just a Nessus dump in a PDF, that's not what we do.
What testing methodology do you use?
OWASP Web Security Testing Guide (WSTG), with the OWASP API Security Top 10 as the checklist for API-specific test cases. Toolchain: Nmap, OWASP ZAP, OpenVAS, nuclei, ssh-audit, testssl.sh, plus manual analyst verification. Findings are tagged with MITRE ATT&CK technique IDs and CWE references where a mapping exists. A CVSS v3.1 base score is computed for every finding from its vector string, so you (or your auditor) can recompute it.
How do you protect our data and systems during testing?
Every engagement starts with a signed SOW documenting scope, test windows, and rules of engagement (no destructive tests, no DoS, no social engineering unless explicitly scoped). Testing is rate-limited. All findings, customer data, and report drafts live in an isolated per-engagement workspace on encrypted infrastructure. Reports are delivered via signed PDF and the workspace is wiped 90 days after delivery unless you ask us to retain it longer.
Who performs the testing?
A Trustivum analyst, using our proprietary platform that combines OSS scanners (OpenVAS, OWASP ZAP, nuclei, etc.) with a manual review pipeline. Every finding is reviewed and accepted by an analyst before it ships in the final report — automated output never goes out unreviewed.
Can I expand the scope beyond three assets?
Yes. Check the "expanded scope" box on the request form and we'll follow up with a custom quote. Common add-ons: authenticated web app testing ($600 per app), additional external assets ($400 each), internal network testing (custom quote), mobile app testing (custom quote).

Ready to get audit-ready?

Two-minute request form. No sales call required to see a quote.

Request a Pentest →