Help & Support

How can we help?

Answers to the questions customers ask most. If you can't find what you need, email hello@thecybergrid.com — a real engineer replies, usually within an hour during US/EU business hours.

→ Section 01

Getting started

What is CyberGrid, exactly?

CyberGrid offers two clearly-labeled services:

  1. Automated Security Assessment — $1,999/year. A subscription that runs open-source security scanners (nuclei, httpx, testssl.sh, nmap) against your applications on a quarterly cadence, produces a PDF report, and issues a publicly-verifiable attestation.
  2. Penetration Testing — $4,999 per engagement, $1,999 retest. A senior engineer manually probes your application for the things scanners can't find: IDOR, business logic flaws, chained exploits, authentication bypass.

The two are never confused. The automated scan is never relabeled a "pen test." The pen test is a real pen test.

How do I sign up?

  1. Visit /signin and enter your work email.
  2. Click the magic-link in the email we send (arrives in <30 seconds, check spam if it doesn't).
  3. You land on the dashboard. Create your workspace (name your organization) and click Subscribe — $1,999/yr.
  4. Stripe handles checkout. Once payment succeeds you're redirected back with an active subscription.
  5. Add your first target hostname and verify it via DNS TXT record (see the Targets section below).

The whole sign-up takes ~3 minutes if you have the DNS access ready.

I don't have a password. Why?

CyberGrid uses passwordless magic-link authentication. Every time you sign in, we email you a one-time link that expires in 15 minutes. There's no password to phish, no password to remember, and no password database we could leak.

If you'd prefer SSO or SAML for enterprise teams, email hello@thecybergrid.com.

→ Section 02

Targets & DNS verification

How do I add a target?

Open /app, scroll to Targets, type the hostname (e.g. app.yourcompany.com), click Add target. We immediately generate a DNS TXT record for you to set.

How does DNS verification work?

Before any scan runs, we verify you own (or have authority to test) the target. The verification flow:

  1. Add the hostname in the dashboard.
  2. We display a TXT record like:
    Name:   _cybergrid.app.yourcompany.com
    Type:   TXT
    Value:  cybergrid-site-verification=Dnl0xJGSdpDk_tA41AdvzA
  3. Add that record at your DNS provider (Cloudflare, Route 53, Squarespace, etc.).
  4. Click Verify in the dashboard. We resolve the TXT and match it against the expected value.
  5. Once verified, the target's status flips to verified and is scannable.

DNS propagation usually takes 30 seconds to 5 minutes. Some providers (older Squarespace, GoDaddy basic) can take up to an hour.

The TXT record is set but verification fails. What now?

  • Confirm the record name is exactly _cybergrid.<your-hostname> (note the leading underscore). Some DNS UIs add a trailing domain automatically — double-check the final rendered name.
  • Confirm the value matches exactly: cybergrid-site-verification=<your-token>. No surrounding quotes, no trailing whitespace.
  • Wait 5 minutes after saving and retry. Some providers cache up to 30 min.
  • Verify externally with dig +short txt _cybergrid.your-hostname.com — if dig doesn't see it, our verifier won't either.
  • Still stuck? Reply to the engagement thread or email hello@thecybergrid.com with the output of dig and the hostname.
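The verification flow and the troubleshooting list above describe one check: resolve `_cybergrid.<hostname>` as TXT and compare it with the expected value. The following is an added example that models that check locally; it is not CyberGrid's verifier code. The record name and the `cybergrid-site-verification=` prefix come from this page, the `dig +short` output it parses is a constructed sample, and the diagnostics it returns mirror the failure causes listed above (wrong name, literal quotes, stray whitespace, wrong token).

```python
"""
Local model of the DNS TXT ownership check: build the record name, parse
`dig +short txt` output, normalize the value, compare with the expected token.
Added example, not CyberGrid's verifier. Sample dig output is constructed.
"""
import re

RECORD_LABEL = "_cybergrid"
VALUE_PREFIX = "cybergrid-site-verification="

# dig +short prints each TXT record as one or more quoted strings on a line.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def record_name(hostname: str) -> str:
    """Name the target owner must publish: _cybergrid.<hostname> (leading underscore)."""
    host = hostname.strip().rstrip(".").lower()
    if not host or any(not label for label in host.split(".")):
        raise ValueError(f"invalid hostname: {hostname!r}")
    return f"{RECORD_LABEL}.{host}"


def parse_dig_short(output: str) -> list[str]:
    """Turn `dig +short txt <name>` output into TXT values, joining multi-string records."""
    values = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = _QUOTED.findall(line)
        values.append("".join(parts) if parts else line)
    return values


def normalize_txt(value: str) -> str:
    """Strip the two classic operator mistakes: literal surrounding quotes and stray whitespace."""
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] and v[0] in ('"', "'"):
        v = v[1:-1]
    return v.strip()


def verify_txt(expected_token: str, txt_values: list[str]) -> tuple[bool, str]:
    """Match the resolved TXT values against the expected verification value.
    Returns (verified, diagnostic) so a dashboard can tell the user what went wrong."""
    expected = VALUE_PREFIX + expected_token
    if not txt_values:
        return False, "no TXT record found: wrong record name or propagation not finished"
    for raw in txt_values:
        value = normalize_txt(raw)
        if value == expected:
            return True, "verified"
        if value.startswith(VALUE_PREFIX):
            return False, "token mismatch: record carries a different verification token"
    return False, "TXT record present but no value starts with " + VALUE_PREFIX


if __name__ == "__main__":
    # Constructed dig output: one unrelated TXT string plus the record from the page.
    sample_dig = '"some-other-service=1"\n"cybergrid-site-verification=Dnl0xJGSdpDk_tA41AdvzA"\n'
    name = record_name("app.yourcompany.com")
    ok, why = verify_txt("Dnl0xJGSdpDk_tA41AdvzA", parse_dig_short(sample_dig))
    print(name, ok, why)
```

Run `dig +short txt _cybergrid.your-hostname.com`, paste the output into `parse_dig_short`, and the diagnostic string tells you which bullet above applies before you retry in the dashboard.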

How many targets can I add?

The $1,999/year subscription includes up to 3 verified targets. If you need more, email hello@thecybergrid.com — we'll quote add-on targets at a fair per-target rate.

Can I remove a target?

Yes. From the dashboard, expand the target and click Remove. The target is deleted, its DNS TXT record is no longer checked, and historical scan reports for that target remain accessible.

Can I scan a target I don't own?

No. The verification step is enforced. We don't scan targets you can't prove control of. Attempting to register targets you don't own is a hard ToS violation under our Terms Section 3 and we cooperate with law enforcement on unauthorized-scanning reports.

→ Section 03

Scans & profiles

How do I run a scan?

In the dashboard, after a target is verified, scroll to Run a scan, pick the target + profile, click Queue scan. The scan enters the queue and a Fly.io worker picks it up within 30 seconds. Most scans complete in 5–20 minutes depending on profile + target size.

What scan profiles are available?

Profile        What it runs                                                 Duration
web_app        nuclei web-app templates, httpx fingerprint                  ~5 min
web_plus_tls   web_app + testssl.sh (TLS configuration)                     ~10 min
full           web_plus_tls + nmap top-1000 ports + subdomain enumeration   ~20 min

All three profiles are included in the $1,999/year subscription — there are no tier restrictions.

What does CyberGrid actually catch?

The automated tooling detects a defined subset of issues:

  • Missing or misconfigured security headers (CSP, HSTS, X-Frame-Options, Permissions-Policy, etc.)
  • TLS / cipher misconfigurations (TLS 1.0/1.1 enabled, weak ciphers, certificate chain issues)
  • Known CVEs in disclosed software versions
  • Exposed admin panels, .git folders, .env files, backup files
  • Verbose error / stack trace disclosure
  • Open redirects, basic injection patterns (templated checks)
  • Subdomain enumeration + port exposure (in the full profile)

What it can't catch (and why a pen test is a different product): IDOR, broken access control across tenants, business logic flaws (coupon stacking, race conditions), authenticated session attacks, chained exploits, anything that requires reasoning about the application's intended behavior.

How often do scans run automatically?

The subscription includes 4 scheduled scans per year (quarterly). You can also trigger manual re-scans at any time after remediation — those don't count against the quarterly allotment.

My scan is stuck on "queued" for a long time. What's wrong?

The Fly.io worker normally claims a queued scan within 30 seconds. If a scan has been queued for more than 5 minutes, one of the following is happening:

  • The worker is busy with a previous long scan (full-profile scans take ~20 min). It's first-come-first-served.
  • The worker is unhealthy. Email hello@thecybergrid.com with your engagement ID and we'll investigate immediately.

The dashboard auto-refreshes the scan list every 20 seconds while any scan is queued or running — you don't need to manually reload.

Will scanning impact my production app?

The default profile is non-destructive — no fuzzing of inputs that could cause data corruption, no DoS-style traffic spikes. We rate-limit to 50 requests per second by default. You can request a lower rate limit by emailing support. That said, any active scanning carries some risk of triggering rate limiters, WAFs, or unusual error paths — schedule scans during low-traffic windows if your environment is sensitive.

→ Section 04

Findings & severity

How are findings prioritized?

Each finding has a severity level computed from the CVSS v3.1 base score:

  • Critical (CVSS 9.0–10.0) — same-day notification, 24-hour remediation target
  • High (7.0–8.9) — 72-hour remediation target
  • Medium (4.0–6.9) — 30-day remediation target
  • Low (0.1–3.9) — 90-day remediation target
  • Informational (0.0, no impact) — best-practice recommendation

I think a finding is a false positive. Can I dismiss it?

Yes. Open the finding in your dashboard, click Mark as false positive, and add a one-line justification. The finding stays in the report (auditors want to see what was tested) but is annotated as customer-disputed with your justification. The retest will not re-flag dismissed findings unless new evidence emerges.

We review false-positive justifications during the retest. If we agree, the finding is removed from the active list. If we disagree, we'll engage in a written exchange in the engagement thread to resolve it.

What's CWE / OWASP mapping?

Every finding is tagged with:

  • A CWE identifier (e.g. CWE-79 for XSS) — the canonical taxonomy of weakness types maintained by MITRE
  • An OWASP Top 10 category (e.g. A03:2021 Injection) — the auditor-facing classification
  • A CVSS v3.1 vector (e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) — the explicit calculation that produced the severity

The compliance mapping page at /compliance shows how each finding's metadata maps to SOC 2, ISO 27001, PCI DSS, and HIPAA controls — so your auditor can drop the report directly into evidence collection.

→ Section 05

Reports & attestations

When is a report generated?

Automatically, the moment a scan completes. The PDF is rendered in the background (usually 30–90 seconds) and appears in Reports & attestations in your dashboard. You'll also receive an email notification.

What's in the report?

  1. Cover page with target, dates, scan profile, methodology references
  2. Executive summary with severity counts
  3. Methodology coverage matrix (what was tested)
  4. Per-finding detail: description, evidence, remediation guidance, CVSS/CWE/OWASP tags
  5. Compliance control mapping (SOC 2 / ISO 27001 / PCI DSS / HIPAA / NIST CSF) per finding
  6. Tooling appendix (every tool + version that ran)
  7. Severity model + disclaimers

Browse the sample report to see the exact format.

What's an attestation, vs the report?

The report is detailed (12–25 pages) with findings + evidence + remediation. The attestation is a one-page document that says "CyberGrid assessed this target on this date, the report was issued." No findings shown.

The point of the attestation is to be shareable: every attestation has a public URL (e.g. https://thecybergrid.com/verify?id=CG-2026-05-XXXXXX) that any third party can visit to confirm it's real. Customers, prospects, and auditors verify directly — you can't fake an attestation and you can't suppress one once issued.

Can I share the report with my auditor / prospect?

Yes. The report is yours. Share it freely with auditors, prospects, customers, your board. Many customers attach the PDF to vendor security questionnaires.

The attestation is what you typically share publicly (in a status page, in a sales deck). The full report is usually shared under NDA because it lists specific findings.

→ Section 06

Public verification

How does public verification work?

Every attestation has a unique verification ID like CG-2026-05-3F1A8B. Anyone — not just you — can visit https://thecybergrid.com/verify?id=<verification-id> and see:

  • The organization name
  • The target hostname assessed
  • The assessment date
  • The status (valid / revoked)

The verification page does NOT show specific findings — those are confidential to the customer. It only confirms the attestation is real and was issued by CyberGrid.

Can I revoke an attestation?

Customers can't revoke attestations after issuance — the point of public verification is that the record can't be suppressed. If the underlying scan turns out to be flawed (e.g. it tested the wrong environment), CyberGrid can mark an attestation as revoked, with a public reason. Email hello@thecybergrid.com with the verification ID and the reason if this comes up.

→ Section 07

Pen-test engagements

When should I request a pen test instead of the automated scan?

Request a pen test when:

  • A customer, prospect, or auditor specifically asked for a "pen test"
  • Compliance requires manual testing (PCI DSS 11.4, parts of SOC 2 CC4.1, HIPAA §164.308(a)(8))
  • Your application has complex authorization (roles, tenants, multi-step sensitive flows)
  • You've fixed everything the automated scanner catches and want adversarial review of business logic

If you're not sure: the automated scan ($1,999/year) is usually the right starting point. You can always layer a pen test on top.

How do I request a pen test?

Either:

  1. Visit /quote and fill out the form. We reply within one business day with a confirmed scope + kickoff date.
  2. Or, if you're already a customer, request one from your dashboard under Penetration testing engagements.

Pricing is flat: $4,999 for the initial engagement, $1,999 for the retest. No hourly billing, no scope-creep surprises.

What's the typical engagement timeline?

  • Day 0 — request submitted, confirmation email sent within minutes
  • Day 1 — confirmed scope, Statement of Work, NDA execution
  • Day 2 — kickoff call (optional), engagement starts
  • Days 2–8 — active testing
  • Days 9–11 — draft report
  • Day 12 — final report + attestation delivered
  • (30–60 days later) — you remediate, schedule retest ($1,999)
  • (2–4 days later) — retest complete, remediation addendum issued

Larger scopes (multi-app, internal network, cloud) extend the testing window. We'll explicitly quote the timeline before kickoff.

What paperwork do you need to start?

For most engagements:

  • Mutual NDA — usually executed within hours of request acknowledgement
  • Statement of Work — defines scope, timeline, deliverables, retest policy
  • Authorization letter — confirms you own/have authority to authorize testing
  • MSA + DPA — if your procurement team requires them (we provide templates at /trust-package)

Most teams sign the templates as-is. We'll execute your procurement team's paper too if they prefer.

What happens if you find a critical vulnerability mid-engagement?

We notify you the same day with a proof-of-concept and remediation guidance, rather than wait for the final report. You decide whether to pause and remediate first or continue with the rest of the scope. Critical findings never sit on the shelf.

Is the retest mandatory?

No — it's optional. But customers almost always do it: it produces a separate signed Remediation Report with its own letter grade (green A if all findings fixed) that you can hand to your auditor or to enterprise procurement teams as proof of remediation. It also updates the publicly-verifiable attestation.

Schedule the retest within 12 months of the original engagement. Most teams do it 30–60 days after delivery — enough time to remediate, not long enough to lose context.

What's a Remediation Report and how do I get one?

A separate dated artifact issued after the retest. Different from a "report update" or addendum — it's its own signed PDF, ~7 pages, with the same visual format as the original pen-test report: cover with the testing date, a 3-date timeline (Remediation Kickoff / Remediation Testing / Report Delivery), a big colored letter grade (green A if every finding was fixed), the scope, an exec summary, and a single table listing each original finding with status (Fixed / Still Vulnerable / Not Tested) plus the analyst's verification notes. The severity appendix is included for reference.

Procurement teams at enterprise customers often ask specifically for "the remediation report" when they want proof your team closed the issues — not just the original report PDF. The Remediation Report is the single-document answer to that question.

To get one: after we deliver your original pen-test report, you remediate, then click Request retest from your dashboard. A senior engineer re-runs the original scan, marks every finding, and the Remediation Report is generated within 2–4 business days. One retest + Remediation Report is included free with every Penetration Test engagement; additional retests are $1,999.

How do you make sure findings are real and not hallucinated?

Four pre-publication verification controls fire on every finding before it reaches your report:

  1. PoC re-fire. Every critical/high finding's captured HTTP request is replayed against the target within minutes of the report shipping. If the response no longer matches the original capture, the finding is downgraded one severity level with a verification note appended explaining what diverged.
  2. Schema-name verification. Any GraphQL type / mutation / field name referenced in a finding is verified against the live schema (via introspection or known schema input). If the name doesn't exist on your application's schema, the finding is downgraded with a note.
  3. Infrastructure grounding. If a finding's text mentions a cloud provider (AWS / GCP / Azure), we cross-check against your target's actual cloud (derived from IP/ASN). Mismatched mentions hold the finding for analyst review.
  4. HTTP capture provenance. Every captured request and response is stamped with timestamp, scan ID, and a replay token. Any reviewer (you, your auditor, a third party) can audit-replay any capture to verify it was real.

The first two of these are what catch the "hallucinated finding" failure mode — references to things that don't exist on your application. The structural fix is that a finding referencing a non-existent operation can never ship without being explicitly flagged.
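The second control above, schema-name verification, is the one that is easiest to show in code: collect every type and field name from the application's introspection result, extract the names a finding refers to, and downgrade the finding with a note if any are absent. The block below is an added example, not CyberGrid's pipeline code. It assumes findings write schema names in backticks and that the schema is the `__schema` object of a standard GraphQL introspection response; the schema and the two findings are constructed.

```python
"""
Schema-name verification: a finding that references a GraphQL name absent
from the live schema is downgraded one severity level and annotated.
Added example, not CyberGrid's code. Schema and findings are constructed.
"""
import re

SEVERITY_LEVELS = ["Informational", "Low", "Medium", "High", "Critical"]
# `name` or `name(args)` inside backticks; only the name is captured.
_BACKTICKED = re.compile(r"`([A-Za-z_][A-Za-z0-9_]*)(?:\([^`]*\))?`")

# Constructed introspection result, shaped like the __schema object a GraphQL server returns.
SAMPLE_INTROSPECTION = {"__schema": {"types": [
    {"name": "Query", "fields": [{"name": "me"}, {"name": "invoice"}]},
    {"name": "Mutation", "fields": [{"name": "updateInvoice"}, {"name": "login"}]},
    {"name": "Invoice", "fields": [{"name": "id"}, {"name": "ownerId"}, {"name": "total"}]},
    {"name": "User", "fields": [{"name": "id"}, {"name": "email"}]},
    {"name": "String", "fields": None},
    {"name": "__Type", "fields": [{"name": "name"}]},
]}}

# Constructed findings: the first names only real schema elements, the second does not.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "High",
     "description": "The `updateInvoice` mutation accepts an `Invoice` whose `ownerId` "
                    "is not validated against the caller's account."},
    {"id": "F-2", "severity": "High",
     "description": "The `deleteInvoice` mutation does not require authentication."},
]


def schema_names(introspection: dict) -> set[str]:
    """All type and field names in the live schema (introspection meta-types excluded)."""
    names = set()
    for t in introspection["__schema"]["types"]:
        if t["name"].startswith("__"):
            continue
        names.add(t["name"])
        for f in t.get("fields") or []:
            names.add(f["name"])
    return names


def referenced_names(text: str) -> set[str]:
    """Schema elements a finding mentions, written as `name` or `name(args)`."""
    return set(_BACKTICKED.findall(text))


def verify_finding(finding: dict, introspection: dict) -> dict:
    """Copy of the finding, downgraded one level and annotated if it names things the schema lacks."""
    missing = sorted(referenced_names(finding["description"]) - schema_names(introspection))
    checked = dict(finding)
    if missing:
        level = SEVERITY_LEVELS.index(finding["severity"])
        checked["severity"] = SEVERITY_LEVELS[max(level - 1, 0)]
        checked["verification_note"] = ("downgraded one level: not found in live schema: "
                                        + ", ".join(missing))
    else:
        checked["verification_note"] = "all referenced schema names exist in live schema"
    return checked


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        out = verify_finding(f, SAMPLE_INTROSPECTION)
        print(out["id"], out["severity"], "-", out["verification_note"])
```

The downgrade is deliberately mechanical: the finding still reaches the analyst, but it cannot ship at its original severity while it names an operation the application does not have.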

→ Section 08

SOC 2 readiness

What's the difference between Type I and Type II?

Type I is a point-in-time report: "as of date X, these controls were designed effectively." It's what most early-stage SaaS teams need first — buyers and auditors accept it, and it's faster & cheaper to obtain. Typical timeline: ~90 days from kickoff to report.

Type II is an observation-period report (usually 3-6 months minimum, up to 12 months): "across the period, these controls operated effectively." It's what most enterprise buyers eventually require. Typical timeline: kickoff → 90 days Type I readiness → 3-6 month observation window → Type II report. Our Ongoing Compliance retainer ($1,499/mo) is designed for the observation-window phase.

Which GRC platform do you use? Can I bring my own?

We work on top of Sprinto, Drata, Vanta, or Secureframe. We recommend the platform that best fits your stack and budget — they all do roughly the same thing, but pricing and developer experience differ. The GRC platform license is paid directly by you to the vendor (~$8k-$25k/yr depending on platform & size) and is not included in our readiness fee.

If you already have a GRC platform we're not yet certified on, tell us during scoping — we can usually accommodate it but may need additional setup time.

Do you issue the SOC 2 report?

No. We are not a licensed CPA firm and we do not perform SOC 2 audits. The audit is performed and the report issued by an independent CPA firm we refer you to. We coordinate the relationship — intro you to the firm, prepare the evidence package for them, sit in on fieldwork — but the engagement letter and audit fees are directly between you and the auditor. We do not take referral commissions.

Audit firm fees: typically $8k-$15k for Type I, $15k-$30k for Type II, depending on scope and firm.

Which audit firms do you partner with?

We work with several boutique CPA firms that specialize in SOC 2 for SaaS — chosen based on responsiveness, technical depth, and price (not relationship terms with us). We'll introduce you to 2-3 candidates during kickoff so you can pick the one that fits.

What if my audit doesn't pass?

The Starter and Standard engagements include remediation support if the auditor identifies findings during fieldwork. Most "failures" aren't binary fails — they're findings that need to be addressed before the report is issued, and that addressing happens under the original engagement scope. If you need a fundamentally new control implemented (e.g., the auditor decides your data classification policy is insufficient), we'll quote any out-of-scope work transparently before doing it.

Can I bundle SOC 2 with a pen test?

Yes — and many auditors require evidence of a current pen test for CC4.1 / CC7.1 / CC7.2 controls. We bundle our Penetration Test ($4,999) into the SOC 2 evidence package so the auditor gets a single, methodology-mapped report. Pen test scheduling typically lines up with the readiness window so the report is fresh at audit time.

I'm a 5-person team — do I really need to be SOC 2 ready?

Probably not yet. SOC 2 readiness makes sense when (a) a real prospect or customer is asking for it, (b) you're entering enterprise sales motion, or (c) you're raising a Series A+ where investors expect it. If none of those are true, your $5,999 is better spent elsewhere. If one is, the math is straightforward: SOC 2 readiness costs about as much as one month of an engineer's salary and unlocks deals worth 10-100x that.

Does the $1,499/mo ongoing retainer auto-renew?

Yes, monthly. Cancel anytime via your billing portal — no notice period. We don't lock you in, because if we're not earning the monthly fee through actual posture maintenance, you should stop paying it.

→ Section 09

Billing & subscription

How does billing work?

Three options:

  • Automated Security Assessment — annual subscription, $1,999/year, charged via Stripe on Subscribe.
  • Continuous Security (bundle) — $999/month or $9,999/year (≈ 2 months free). Includes everything in Automated + 1 pen test + 1 retest annually.
  • Penetration Test (standalone) — per-engagement, $4,999 (initial) and $1,999 (retest), invoiced at SoW execution. ACH/wire/credit card all accepted.

What's in the Continuous bundle vs buying à la carte?

Continuous bundles two products you'd otherwise buy separately:

  • Automated Security Assessment (otherwise $1,999/yr)
  • 1 senior-engineer Penetration Test per year (otherwise $4,999)
  • 1 retest per year (otherwise $1,999)

À la carte: $8,997/year. Continuous Annual: $9,999/year. The bundle is priced slightly higher because scheduling certainty matters — your pen-test slot is reserved for you in advance. Continuous Monthly ($999) is for teams that need flexibility; annual works out cheaper if you're committed.

How do I redeem my annual pen test on the Continuous plan?

Once subscribed, open /app → Penetration testing engagements → Request your annual pen test. The lead engineer reaches out within 1 business day to scope and schedule. Your retest is requested the same way after you remediate findings from the report.

Both entitlements are use-or-lose within each 12-month subscription period. You cannot bank them or roll them over to the next year.

Can I switch from Automated to Continuous (or vice versa)?

Yes. From your billing portal, change the subscription. Stripe handles proration automatically. If you're upgrading mid-year, you get a credit for unused Automated time toward the Continuous price. Email hello@thecybergrid.com if anything looks off.

Does my subscription auto-renew?

Not by default. We email you 30 days before your annual term ends with a renewal link. If you don't renew, scans stop running but your past reports + attestations remain accessible forever.

Can I cancel?

Yes, anytime from the dashboard. We don't pro-rate refunds on partially-used annual terms, but you keep access to all past reports and attestations.

How do I update my card / see invoices?

The Stripe customer portal handles card updates, invoice downloads, and tax-ID management. We're working on surfacing the portal link directly from the dashboard. In the meantime, email hello@thecybergrid.com and we'll send you a direct portal link.

Do you offer discounts?

Yes — 50% off the automated subscription for registered 501(c)(3) nonprofits and actively-developed open-source projects. Pen-test discounts case-by-case. Email hello@thecybergrid.com with your situation.

What payment methods are accepted?

Credit / debit card via Stripe for the automated subscription. Pen-test engagements can be billed via credit card, ACH, or wire — invoice issued at SoW execution for procurement teams that require it.

→ Section 10

Account & security

How do I change my email address?

Email hello@thecybergrid.com from your current address and tell us the new one. We'll send a confirmation link to the new address before switching. This avoids a self-service flow that could be abused for account takeover.

How do I sign out everywhere?

Visit https://thecybergrid.com/r/signout — that clears the session cookie on the current device. To force sign-out on other devices, email hello@thecybergrid.com and we'll invalidate all your sessions server-side.

How do I delete my account?

Email hello@thecybergrid.com from your account email. We delete personally identifiable data within 30 days of confirmation. Attestation verification records remain valid for the lifetime of issued attestations so third parties relying on them continue to receive accurate verification (the verification page shows status only, never PII).

Is there an audit log of what I've done?

Internal audit logs of authentication, target changes, and admin actions are kept for 12 months. Customer-facing audit log UI is on the post-launch roadmap. If you need a specific historical query — "did anyone scan us between dates X and Y?" — email us and we'll run the query.

→ Section 11

Compliance & audit

Will a CyberGrid report satisfy my SOC 2 / ISO 27001 / PCI DSS audit?

It maps to specific controls — see the full mapping at /compliance. Most auditors accept a CyberGrid report as evidence for the relevant controls (CC4.1, CC6.1, A.8.8, A.8.29, 11.3, 11.4, etc.).

Final acceptance is between you and your auditor. We don't issue audit opinions — we provide the evidence your auditor needs to evaluate.

Do you sign a BAA (HIPAA)?

Yes — for engagements involving Protected Health Information. Email hello@thecybergrid.com to request the BAA template before kickoff.

Do you sign a DPA (GDPR / CCPA)?

Yes. Our standard DPA covers GDPR Article 28 processor terms, CCPA/CPRA service-provider terms, and includes a TOMs annex + sub-processor list. Download the template at /trust-package.

Where's your security questionnaire / SIG?

Pre-filled at /docs/cybergrid-security-questionnaire. 60+ standard procurement security questions answered, aligned with SIG Lite / CAIQ. Hand it to your procurement team and skip three weeks of back-and-forth.

→ Section 12

API access

Is there an API for the customer dashboard?

The Netlify functions at /.netlify/functions/* are session-cookie-authenticated. Programmatic API access (API-key authentication, REST endpoints for listing scans / triggering scans / fetching findings) is on the post-launch roadmap. If you have a specific integration in mind (CI/CD scan triggers, Slack notifications, Jira ticket creation), email hello@thecybergrid.com and we'll prioritize.

Webhook for scan completion?

The completion-webhook endpoint exists internally for our scan worker. We can wire a customer-facing outbound webhook to your endpoint on request — POST with JSON payload, signed with HMAC SHA-256, retried with exponential backoff. Email us to set it up.
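What "signed with HMAC SHA-256, retried with exponential backoff" means for the receiving side is shown in the added example below, which is not CyberGrid's worker code. It implements both halves of the exchange so the receiver's check can be tested against the sender's signing: the header names (`X-Webhook-Timestamp`, `X-Webhook-Signature`), the signed string (`<timestamp>.<body>`), the 300-second replay window and the retry schedule are assumptions, and the shared secret and payload are constructed.

```python
"""
Scan-completion webhook: sender-side HMAC-SHA-256 signing, receiver-side
verification with a freshness window, and exponential-backoff delivery.
Added example, not CyberGrid's code. Header names, signed-string format and
retry schedule are assumptions; secret and payload are constructed.
"""
import hashlib
import hmac
import random
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # deliveries with an older timestamp are treated as replays


def signature(secret: bytes, timestamp: int, body: bytes) -> str:
    """sha256=<hex HMAC over "<timestamp>.<body>">; binding the timestamp stops replay of old bodies."""
    msg = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def signed_headers(secret: bytes, body: bytes, now: Optional[int] = None) -> dict:
    """Headers the sender attaches to the POST."""
    ts = int(time.time()) if now is None else now
    return {"Content-Type": "application/json",
            "X-Webhook-Timestamp": str(ts),
            "X-Webhook-Signature": signature(secret, ts, body)}


def verify_delivery(secret: bytes, headers: dict, body: bytes, now: Optional[float] = None) -> bool:
    """Receiver-side check: headers present, timestamp fresh, signature equal (constant-time compare)."""
    ts_raw = headers.get("X-Webhook-Timestamp")
    sig = headers.get("X-Webhook-Signature", "")
    if ts_raw is None or not sig:
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    return hmac.compare_digest(signature(secret, ts, body), sig)


def retry_delays(max_attempts: int, base: float = 1.0, cap: float = 60.0) -> list:
    """Wait before each retry: base * 2^n, capped. Jitter is applied at send time."""
    return [min(cap, base * (2 ** n)) for n in range(max_attempts - 1)]


def deliver(send, body: bytes, headers: dict, max_attempts: int = 5,
            sleep=time.sleep, rng=random.random):
    """send(body, headers) -> HTTP status. Retries on 5xx and network errors, never on 4xx.
    Returns (delivered, attempts_used)."""
    delays = retry_delays(max_attempts)
    for attempt in range(1, max_attempts + 1):
        try:
            status = send(body, headers)
            if 200 <= status < 300:
                return True, attempt
            if 400 <= status < 500:
                return False, attempt  # receiver rejected it; retrying will not help
        except OSError:
            pass  # transient network failure: fall through to the retry
        if attempt < max_attempts:
            sleep(delays[attempt - 1] * (0.5 + rng()))  # jitter spreads retries from many workers
    return False, max_attempts


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = b'{"event":"scan.completed","scan_id":"SCAN-EXAMPLE-0001"}'  # constructed payload
    headers = signed_headers(secret, body)
    print("valid:", verify_delivery(secret, headers, body))
    print("tampered:", verify_delivery(secret, headers, body + b" "))
```

On the receiving side, verify over the raw request bytes before parsing the JSON: re-serializing the parsed object changes key order or whitespace and the HMAC will no longer match. Reject stale timestamps even when the signature is valid, otherwise a captured delivery can be replayed.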

→ Section 13

Troubleshooting

My magic-link email never arrived.

  1. Check your spam / promotions folder for noreply@thecybergrid.com.
  2. Confirm the email is correctly typed. Magic links are sent only to addresses that look like valid email; typos silently fail.
  3. Some corporate filters delay magic-link emails by 1–3 minutes.
  4. Still nothing after 5 minutes? Email hello@thecybergrid.com from any working email and we'll mint a one-time access link manually.

My scan finished but the report PDF says "generation failed."

PDF generation occasionally fails on cold serverless function starts. We auto-retry within 60 seconds. If after 5 minutes the report is still missing, click Regenerate report in the dashboard or email us with the scan ID.

The dashboard shows a scan as "queued" but it never moves to "running."

Most likely the Fly.io scan worker is busy with a previous full-profile scan (those can take ~20 min). The dashboard auto-refreshes every 20 seconds while any scan is queued or running. If "queued" persists past 30 minutes, the worker may have hit an issue — email hello@thecybergrid.com, we'll investigate immediately.

The /verify page shows "Invalid verification ID" for an attestation I have.

Confirm you're using the full ID (format: CG-YYYY-MM-XXXXXX, e.g. CG-2026-05-3F1A8B). Trailing slashes or extra characters break the lookup. If the ID is correct and the lookup fails, email us — most likely the attestation was issued before a database migration and we'll re-link it.

I get a Stripe error trying to subscribe.

Most subscribe errors come from declined cards (insufficient funds, expired card, foreign-transaction block). If your card is fine and Stripe is still rejecting, try a different card or email us — we can issue an invoice for direct bank transfer.

I found a security issue in CyberGrid itself.

Thank you. Please report to security@thecybergrid.com. See our /trust page for the full responsible-disclosure program. We commit to acknowledge within 2 business days, triage within 5, and remediate per severity.

Still need help?

The fastest way to get an answer is to email a real engineer. We reply usually within an hour during US/EU business hours.

Email hello@thecybergrid.com →