Pricing

Honest security testing, plus a SOC 2 program. Transparent prices.

Automated Security Assessment at $1,999/year. Continuous Security bundle (automated + 1 pen test/yr + 1 retest) at $999/month — saves ~$3,000 vs à la carte. Standalone Penetration Test at $4,999/engagement with a $1,999 retest. SOC 2 readiness programs from $5,999 — a 90-day path to an audit-ready Type I report.

Automated

Automated Security Assessment

Open-source toolchain (nuclei, httpx, testssl.sh, nmap) runs against your application on a quarterly cadence. Detects a defined subset of issues: missing security headers, TLS misconfigurations, known CVEs, exposed surfaces, info disclosure. The right tool when you need an honest artifact for vendor questionnaires and a baseline for any team.

// Not a penetration test. We never call it one. For that, see Penetration Testing below.
Automated Security Assessment
$1,999
per year · all-in, no tiers

Everything our automated service does, for everyone. One price, one product, no upsells.

  • Up to 3 web application targets
  • 4 full scans per year (quarterly cadence)
  • All scan profiles (web app · web+TLS · full external)
  • Unlimited re-scans after remediation
  • PDF report + publicly-verifiable attestation
  • Critical-finding rapid alert (email + Slack)
  • Compliance-mapped report (SOC 2 / ISO / PCI / HIPAA references)
  • Direct engineer support (real human reply)
→ Lifetime · Limited launch tier
Pay $299 once, scan a single domain forever.
Launch promo. Single domain, monthly scan, signed PDF, lifetime — no recurring charge. 250-code cap. After that, the regular $1,999/yr tier is the only option.
See the lifetime deal
Continuous · Bundle

Continuous Security

Everything in Automated Security Assessment plus one full penetration test per year and one retest. The bundle most growing SaaS teams should buy. Predictable monthly cost, full security coverage, no per-engagement bookkeeping.

// Saves $3,000+ vs à la carte. One subscription, one invoice, one vendor.
Save 2 months
Continuous · Annual
$9,999
per year · equivalent to 10 months

Pay yearly, save $1,989 vs monthly. Same benefits, lower price.

  • Everything in Monthly
  • 2 months free ($1,998 saved vs monthly)
  • Locked-in price for the year
  • Invoiced annually (Stripe / ACH on request)

Bundle math. À la carte: Automated $1,999/yr + Pen Test $4,999 + Retest $1,999 = $8,997/yr. Continuous Annual: $9,999/yr. The bundle is priced slightly higher than à la carte because scheduling certainty has real value — your pen-test slot is reserved for you, scoped in advance, no waiting in queue. Monthly buyers pay $11,988/yr equivalent for the flexibility.

Penetration Testing

Penetration Testing

A senior engineer manually probes your application for the things scanners genuinely can't find: IDOR, broken access control, business logic abuse, chained exploits, authenticated session attacks. Methodology-based (PTES, OWASP WSTG v4.2, OWASP ASVS, MITRE ATT&CK). One engineer, one report, one retest at a fixed follow-up price.

// Flat pricing — not consultancy hourly. You know the bill before kickoff.
→ Initial engagement

Penetration Test

$4,999
flat fee · single web application or API · larger scope quoted separately
  • Senior engineer (no junior offshoring)
  • Manual exploitation + chained-exploit hunting
  • Sequential-ID IDOR fuzzing on authenticated GraphQL/REST operations
  • User-enumeration mutation diff (resetPassword, sendInvite, magicLink)
  • Authenticated session, authz, and tenant-isolation testing
  • Business logic probing + multi-step attack chain detection
  • Pre-publication verification gate (every finding's PoC re-fired before ship)
  • Reproducible PoCs with Burp-style request/response evidence + screenshots
  • CVSS-scored, CWE-tagged, OWASP-mapped findings
  • Compliance-mapped to SOC 2 / ISO 27001 / PCI DSS / NIST / HIPAA
  • NDA + scope-of-work executed at kickoff
  • Remediation Report included free after you fix and request retest
  • 5–10 business day turnaround
→ Follow-up

Retest

$1,999
flat fee · verify your fixes on a prior CyberGrid engagement
  • Re-runs each finding from the original report
  • Marks every finding fixed / still vulnerable / not tested
  • Issues a separate signed Remediation Report — its own dated artifact, with its own letter grade (green A if all fixed)
  • This is the document procurement teams ask for when they want proof of remediation
  • Updates the publicly-verifiable attestation
  • Same senior engineer who ran the initial test
  • 2–4 business day turnaround

Available within 12 months of the original engagement. One retest is included free with every Penetration Test engagement — request it from your dashboard once remediation is complete. Additional retests at $1,999 each.

Mobile pen test · Add-on or standalone

Mobile Application Penetration Test

For iOS and/or Android apps. Same flat-fee model, same senior engineer. Covers static binary analysis (decompiled IPA/APK, hardcoded secret hunting, weak crypto detection), dynamic analysis (instrumentation, runtime hooks, traffic interception, cert-pinning bypass), local data storage (Keychain/Keystore, AsyncStorage), deep-link / URL-handler abuse, and the mobile-facing API auth flow. Methodology: OWASP MASVS + MSTG.

Can run in parallel with a web/API pen test by the same engineer — usually shaves 2-3 days off the combined timeline.

Retest: $1,999 (within 12 months)
SOC 2 Readiness · Compliance Program

SOC 2 Readiness

A different category of service — not a security test, but a 90-day program that gets you to an audit-ready SOC 2 Type I report. Policy library, control implementation, GRC tooling setup, evidence collection, and a referred CPA audit firm. Optional ongoing retainer ($1,499/mo) maintains your posture between audits and adds Type II observation.

// CPA audit fees billed separately by the audit firm — typically $8k-$15k for Type I.
→ Starter

SOC 2 Type I · Starter

$5,999
one-time engagement · ≤25 employees · ~90 days to audit-ready
  • 20+ customized policies deployed
  • Controls implemented across your stack
  • GRC platform setup on your behalf
  • Evidence collection across readiness window
  • Risk assessment + vendor reviews
  • CPA audit firm referral & coordination
Most chosen
→ Standard

SOC 2 Type I · Standard

$9,999
one-time engagement · 25-100 employees · ~90 days to audit-ready
  • Everything in Starter
  • Multi-team rollout across departments
  • Custom control mappings (your stack)
  • Dedicated readiness lead (weekly syncs)
  • Internal security awareness training
  • Audit firm liaison through report issuance
→ Ongoing

Ongoing Compliance

$1,499/mo
retainer · maintains your posture · enables Type II
  • Continuous evidence monitoring
  • Quarterly access reviews orchestrated
  • Vendor risk reviews refreshed
  • Policy updates as standards evolve
  • Type II observation window managed
  • Cancel anytime via billing portal

Starts after Type I report issued. Required for Type II annual renewal.

What we do behind the scenes. We operate on top of a proven GRC platform (Sprinto / Drata / Vanta — chosen based on your stack & budget) and partner with licensed CPA firms for the audit itself. You get a clean readiness program + audit referral; we handle the platform setup, control implementation, and auditor coordination. Enterprises (100+ employees) — contact us for custom scoping.

→ Days 1-14
Scoping & kickoff

Trust services criteria scoping, audit firm intro, GRC platform selection, control mapping.

→ Days 15-60
Policy & control implementation

20+ policies deployed, controls implemented in your stack, evidence pipelines wired.

→ Days 61-90
Audit & report

Audit firm reviews evidence, conducts fieldwork, issues your Type I report.

Full SOC 2 program details

Three services, side by side.

| Capability | Automated Assessment | Continuous · Bundle | Penetration Test |
| --- | --- | --- | --- |
| Header / TLS / known-CVE / config issues (scanner toolchain: nuclei, testssl.sh) | ✓ (baseline) | ✓ (baseline) | |
| External network scanning (nmap top-1000 ports + subdomain discovery) | ✓ (in scope) | ✓ (in scope) | |
| IDOR / broken access control (User-A reads User-B data) | | ✓ (annual pen test) | ✓ |
| Business logic flaws (coupon stacking, workflow bypass, race conditions) | | ✓ (annual pen test) | ✓ |
| Authentication bypass (MFA bypass, session fixation, token reuse) | | ✓ (annual pen test) | ✓ |
| Chained exploits (low → critical via multi-step paths) | | ✓ (annual pen test) | ✓ |
| Senior engineer conducting the testing (manual, human-led) | Automated tooling | Senior tester (annual) | Senior tester, human-led |
| Cadence | Quarterly (4/yr) | Quarterly automated · annual pen test | Per engagement |
| Retest after remediation | Unlimited re-scans | Unlimited re-scans · 1 pen-test retest/yr | $1,999 flat (within 12 months) |
| Compliance-mapped report (SOC 2 / ISO / PCI / HIPAA control refs) | ✓ | ✓ | ✓ |
| Publicly-verifiable attestation | ✓ | ✓ | ✓ |
| Turnaround | ~24 hrs per scan | Scans ~24 hrs · pen test 5–10 days | 5–10 business days |
| Price | $1,999 / yr | $999 / mo or $9,999 / yr | $4,999 / engagement |

Things buyers ask before signing up.

Which service do I actually need?

If your customers, prospects, or auditors specifically ask for a penetration test, you need the Penetration Test. If they're asking for any "security testing artifact," "vulnerability assessment," or "automated scan," the Automated Assessment is usually fine — and far cheaper. Many teams run the automated assessment annually and a pen test before raising or before signing a large enterprise customer.

Why is the pen test more than 2× the automated assessment?

The automated service runs a toolchain. The pen test is a senior engineer spending real time inside your application — 5 to 10 working days of expert hours. You can't replace that with compute, and we won't pretend you can.

How does the $1,999 retest work?

After we deliver the initial pen-test report, you have 12 months to schedule a retest. We re-run every finding from the original report, mark each as fixed / partial / not fixed, issue a remediation addendum to the original PDF, and update the public attestation. Same engineer who ran the initial test does the retest, so no re-onboarding cost.

Is there a free trial?

No. Scans cost real money to run, free scans create an abuse vector, and pen tests obviously can't be free. We publish full sample reports and a sample attestation so you can see exactly what you're paying for before you commit.

Can I pay monthly?

The Automated Assessment is annual prepaid ($1,999). The Penetration Test is per engagement (billed at kickoff). If monthly billing is a hard requirement, email hello@thecybergrid.com.

What payment methods do you accept?

Credit card via Stripe for the Automated Assessment. Pen-test engagements can be billed via ACH or wire with a standard invoice for procurement teams that require it.

Does my plan auto-renew?

The Automated Assessment: not by default. We email you 30 days before your term ends with a renewal link. If you don't renew, your past reports remain accessible but no new scans run. The Penetration Test: each engagement is discrete.

Can I scan / pen-test a target I don't own?

No. The Automated Assessment verifies every target via a DNS TXT record before scanning. The Penetration Test requires a signed scope-of-work and authorization letter at engagement kickoff. Testing systems you don't own is illegal in most jurisdictions and a hard ToS violation.

Can I cancel mid-year?

The Automated Assessment: yes, anytime from the dashboard. We don't pro-rate refunds, but you keep access to all past reports and attestations. The Penetration Test: per the executed Statement of Work; partial-engagement cancellation terms are spelled out there.

Discounts for nonprofits or open source?

Yes — 50% off the Automated Assessment for registered 501(c)(3) nonprofits and actively-developed open-source projects. Penetration Test discounts are case-by-case.

Do you provide a Statement of Work, NDA, MSA, DPA?

Yes — all four are available as templates on the trust package page. We'll execute your paper too if your procurement team requires it.

Pick the right tool, start in minutes.

The Automated Assessment is one click — $1,999/year, all-in. The Penetration Test is one form and a one-business-day reply with a kickoff date. No sales call required for either.