This page exists because the most important things we have to say to our customers are also the things most companies bury in their legal pages. We'd rather you read them.
CyberGrid offers three distinct services and never confuses them:
Automated Security Assessment — scanner-driven, annual, $1,999/yr. Runs an open-source toolchain (nuclei, httpx, testssl.sh, nmap) against your application on a quarterly cadence. Detects a defined subset of issues (security headers, TLS, known CVEs, exposed surfaces). It is not a penetration test and does not satisfy compliance requirements that specifically mandate one.
Penetration Testing — methodology-based, per-engagement, $4,999 flat fee plus a $1,999 retest. A senior engineer manually probes for IDOR, business logic flaws, authentication bypass, and chained exploits — the class of finding scanners genuinely can't produce. See our penetration testing page for scope, methodology, and process.
Continuous Security (bundle) — $999/month or $9,999/year. The Automated Security Assessment plus one Penetration Test per year plus one retest per year. The bundle is a billing convenience — the two underlying services are not merged or relabeled. The pen-test and retest entitlements are use-or-lose within each 12-month subscription period and do not roll over.
SOC 2 Readiness — fixed-fee consulting engagement, from $5,999 (Starter, ≤25 employees) or $9,999 (Standard, 25-100 employees), with optional $1,499/mo ongoing retainer. A 90-day readiness program: policy library deployment, control implementation, evidence collection, GRC platform setup, and CPA audit firm referral. See our SOC 2 readiness page.
If a vendor sells you "automated penetration testing" as a single product without distinguishing the underlying services, read carefully. Automated assessment and penetration testing are not the same thing, and the difference matters to your auditor.
This is the single most important thing to understand about our SOC 2 service. CyberGrid is not a licensed CPA firm. We do not perform the SOC 2 audit and we do not issue SOC 2 reports. The audit and the report itself are performed and issued by an independent CPA firm we refer to you — a firm with which you have a separate, direct engagement letter. We charge for readiness work; the audit firm charges separately for the audit. We do not receive a commission or referral fee from the audit firm. Audit firms typically charge $8,000 to $15,000 for a Type I engagement and $15,000 to $30,000 for Type II, depending on scope.
Our SOC 2 service is implemented on top of established GRC platforms (Sprinto, Drata, Vanta, Secureframe — chosen based on your stack and budget). The platform license and ongoing subscription fees are paid directly by you to the GRC vendor and are not included in our readiness engagement fee. We will tell you, up front, which platform we recommend for your situation and why. We do not pretend the work is being done by software we built.
A readiness engagement substantially improves the odds of a clean Type I report by ensuring policies are in place, controls are implemented, and evidence is collected before the audit fieldwork begins. It does not guarantee the audit will pass. Auditors exercise independent judgment, may issue qualified opinions, and may identify findings during fieldwork that require remediation. If the audit firm requests corrective action, we will help with remediation under the original engagement scope.
Even a finding-free scan does not mean your application is secure. It means the specific patterns our automated tooling tests for were not detected within the scope and time window of the engagement. The absence of findings is informative but not conclusive.
CyberGrid produces information. Acting on that information — fixing findings, prioritizing remediation, deciding when issues are accepted risks — is your responsibility. We do not provide remediation services, code review, or ongoing security advisory.
We do not promise that our reports satisfy any specific compliance framework. Some auditors will accept an automated vulnerability assessment as evidence of certain controls; many will not. The decision belongs to your auditor, not to us. Our methodology and report format are designed to be transparent so your auditor can make an informed decision.
Active security scanning, even when conservatively configured, can in rare cases trigger rate limiters, fill log files, alert WAFs, or exercise unusual error paths in your application. We minimize this risk through rate limiting and non-destructive defaults, but cannot eliminate it. You may schedule scans during off-hours to mitigate impact.
You may scan only what you own or have explicit authorization to test. Unauthorized scanning is illegal in most jurisdictions. CyberGrid will not scan a target that has not been verified, and reserves the right to refuse service, terminate accounts, and cooperate with law enforcement in cases of suspected unauthorized scanning.
A successful verification of a CyberGrid attestation confirms that an automated security assessment was performed by us against the named target on the stated date. It does NOT confirm:
Procurement teams and auditors should evaluate attestations alongside whatever other evidence they require, not in place of it.