Three services, clearly labeled. An automated security assessment for the day-to-day. A real pen test when that's what the question actually calls for. A 90-day SOC 2 readiness program when the buyer wants a Type I report. Never confused with each other.
You're a small SaaS company. Maybe a few engineers. Maybe a few months from a raise. A prospect's procurement team just asked for "your most recent security assessment" and you don't have one — or the one you have is from a vendor whose marketing oversells what they actually did.
You also don't want to lie. You want to give your customers something they can verify, that's honestly described, that survives scrutiny if a security-conscious procurement team actually reads the fine print. CyberGrid is for you.
You're a security professional looking for a vulnerability scanner? You already know about nuclei, ZAP, and the rest of our toolchain — you can run them yourself. We're not selling to you. We sell the wrapper — the orchestration, the report, the attestation, the public verification — to teams that need the output but don't want to build the infrastructure. And when you need a real pen test on top, we deliver that too.
CyberGrid started as an honest automated-assessment service: scanners run, findings reported, attestation issued, never called a "pen test." That product still exists and is still the right tool for many customers.
We've now also added a real penetration testing service — methodology-based (PTES, OWASP WSTG v4.2, OWASP ASVS), led by a senior engineer, with manual exploitation and chained-exploit hunting. Same honesty principle: the automated tier is never relabeled a pen test, and the pen test is actually one.
The automated scan is an automated scan, never a "pen test." The pen test is a real pen test, never a relabeled scan. Mixing the labels is the single biggest thing that erodes trust in this market.
Every report lists every tool that ran, with versions. You can audit our methodology against the report. No black boxes.
Every attestation has a public URL anyone can check. Customers cannot suppress it. This is non-negotiable.
The homepage shows what we catch and what we miss. The marketing literally documents our limitations. We think this is a feature.
Automated tier: annual flat. Pen-test tier: per-engagement quote with the hours broken out. You see exactly what you're paying for.
Findings are confidential to the customer. The verification page proves an assessment happened — it does not publish your findings.
Small. Engineering-led. Reachable directly — when you email hello@thecybergrid.com, a real engineer writes back. No tiered support queue, no qualification call.
Integrations the engineering teams we work with actually want (Slack, GitHub issues, Jira), continuous PTaaS arrangements for teams that want quarterly engagements + on-demand retests, and a partner program for compliance consultants and vCISOs. Email us if any of those are interesting.