Penetration testing

Penetration testing, validated by humans.

Scoped one-shot pentest or continuous Range Assessment, across web2 apps, web3 smart contracts, and AI agents. Every finding is reproducible and reviewed by a human before it ships.

What it is

Plain definition

A penetration test — a "pentest" — is an authorised, simulated attack on a system you own, run by someone whose job is to find the way in before anyone hostile does.

It is not a scan. A scanner lists possible weaknesses; a pentest proves which ones are real, what they actually unlock, and how to close them. The output is a report you can hand to engineering, to an auditor, or to a board.

Why teams pentest

Four reasons it pays off

Find weaknesses first
Surface flaws in code, configuration, and human process before someone with worse intent does.
Test the controls you already paid for
Prove that the WAF, IdP, EDR, and policies hold up against a real attempt — not just a dashboard.
Satisfy compliance
SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, NIS2, ISO 42001 all expect periodic, evidenced testing.
Quantify blast radius
Understand what one foothold could actually reach — so remediation is prioritised by impact, not noise.
How a pentest runs

The five phases

The industry-standard phases, plus exactly how we execute each one.

  1. Phase 1: Planning & reconnaissance

     Scope, rules of engagement, and target intelligence — domains, mail servers, exposed assets, tech fingerprints.

     How we do it: Scope is DB-locked at submit. Every probe checks the allowlist before sending a packet.

  2. Phase 2: Scanning

     Active and passive enumeration of how the target behaves under probing — endpoints, params, auth flows, contract methods, agent tools.

     How we do it: Probe families across web2, web3 / smart-contract, and AI-agent surfaces, run continuously on the Range Assessment tier.

  3. Phase 3: Exploitation

     Attempt real attacks — injection, broken auth, IDOR, deserialization, prompt-injection, tool-abuse — to confirm what a vulnerability actually lets an attacker do.

     How we do it: Findings are validated by safe PoC execution under an automated safety layer, then reviewed by a human before they ship as a detection.

  4. Phase 4: Maintaining access

     Demonstrate persistence — would this foothold survive long enough for real data exfiltration or lateral movement?

     How we do it: Persistence is simulated, never left behind. All artefacts are removed and listed in the report appendix.

  5. Phase 5: Analysis & reporting

     A report that names every vulnerability, the reproducible PoC, the data or function reached, and the fix.

     How we do it: Business-impact-weighted severity (not raw CVSS), step-by-step remediation, and a free re-test after fix.
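The Phase 1 rule above (scope frozen at intake, every probe checked against the allowlist before a packet leaves) is the one safety control in a pentest pipeline that is worth getting exactly right. The following is an added illustration written for this page, not the vendor's own code; the names `Scope`, `guard`, `ScopeViolation` and `run_probes` are assumptions. It freezes the scope as an immutable object, normalises whatever form a target arrives in (URL, host:port, bracketed IPv6 literal, trailing dot, mixed case), matches IP literals against CIDRs and hostnames against domain suffixes, lets an explicit exclusion win over a broader allow, and refuses lookalike hosts such as `notexample.com` when only `example.com` is in scope.

```python
"""Scope allowlist gate for a probe runner (added example, not the vendor's code).

Mirrors the Phase 1 rule on this page: scope is locked when the engagement is
submitted, and every probe consults it before sending anything. The class and
function names here are assumptions chosen for the illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable


class ScopeViolation(Exception):
    """Raised when a probe would target something outside the signed scope."""


def _norm_host(target: str) -> str:
    """Lower-case; strip scheme, path and port; unwrap [IPv6]:port literals."""
    host = target.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    if host.startswith("["):            # e.g. "[2001:db8::1]:443"
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # "host:port" but not a bare IPv6 address
        host = host.split(":", 1)[0]
    return host.rstrip(".")


@dataclass(frozen=True)
class Scope:
    """Immutable scope: allowlisted networks and domains minus explicit exclusions."""

    networks: tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, ...]
    domains: tuple[str, ...]           # "example.com" also covers "*.example.com"
    excluded_hosts: tuple[str, ...]    # exact hostnames carved out of scope

    @classmethod
    def from_intake(cls, cidrs: Iterable[str], domains: Iterable[str],
                    excluded: Iterable[str] = ()) -> "Scope":
        # strict=False accepts "10.0.0.1/24" and normalises it to 10.0.0.0/24
        return cls(
            networks=tuple(ipaddress.ip_network(c, strict=False) for c in cidrs),
            domains=tuple(_norm_host(d) for d in domains),
            excluded_hosts=tuple(_norm_host(h) for h in excluded),
        )

    def contains(self, target: str) -> bool:
        host = _norm_host(target)
        if host in self.excluded_hosts:     # an exclusion beats any allow rule
            return False
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # Hostname: the domain itself or a subdomain; the leading "." check
            # stops "notexample.com" from matching "example.com".
            return any(host == d or host.endswith("." + d) for d in self.domains)
        return any(addr in net for net in self.networks)

    def guard(self, target: str) -> str:
        """Return the normalised host, or raise before any packet is sent."""
        if not self.contains(target):
            raise ScopeViolation(f"refusing out-of-scope target {target!r}")
        return _norm_host(target)


def run_probes(scope: Scope, targets: Iterable[str],
               send: Callable[[str], None]) -> list[str]:
    """Call send() only for in-scope targets; return the targets refused."""
    refused: list[str] = []
    for target in targets:
        try:
            send(scope.guard(target))
        except ScopeViolation:
            refused.append(target)
    return refused


if __name__ == "__main__":
    # Constructed sample scope and target list for demonstration only.
    scope = Scope.from_intake(["10.0.0.0/24"], ["example.com"],
                              excluded=["staging.example.com"])
    sent: list[str] = []
    refused = run_probes(scope, ["https://app.example.com/login", "10.0.0.7",
                                 "notexample.com", "staging.example.com",
                                 "203.0.113.9"], sent.append)
    print("probed:", sent)
    print("refused:", refused)
```

The gate sits in front of the send function rather than inside each probe, so a new probe family cannot forget to call it; in a real runner the refusal list would be logged to the engagement record so the report appendix can show what was declined and why.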
Test types

Black, white, or gray box

The amount of information the tester starts with changes what the test actually simulates. We default to gray box on Range Assessment; one-shot pentests are configurable.

Black box
Zero prior knowledge
Pro: Most realistic outside-attacker simulation.
Con: Slower; can miss internal flaws hidden behind auth.
White box
Full code, creds, and architecture
Pro: Maximum coverage and depth in the least time.
Con: Doesn't simulate an external attacker's path to entry.
Gray box
Partial knowledge — typical user creds + basic map
Pro: Best balance: simulates a breached perimeter or insider.
Con: Needs a small amount of setup from your side.
Frameworks we map to

Evidence your auditor accepts

Every validated finding maps to the controls below — and to your own internal framework via Audit Co-Pilot.

SOC 2, ISO 27001, NIST CSF 2.0, PCI DSS, HIPAA, GDPR, NIS2, ISO 42001

Plus custom control mappings via Audit Co-Pilot — bring your own framework or internal control set.

What you get

A report you can act on

  • Validated findings with reproducible PoCs
  • Business-impact-weighted severity, not raw CVSS
  • Step-by-step remediation in every finding
  • Human review before any detection ships
  • Free re-test after fix
  • Continuous re-runs on the Range Assessment tier
How we compare

Fully autonomous tools optimise for speed. We add a human gate.

Autonomous offensive agents (XBOW and similar) ship findings as fast as their models confirm them. That's powerful — and produces noisier reports. We pair the same kind of automation with a mandatory human review before anything lands in your inbox, and we never push automated changes into your environment. Slower per finding, lower false-positive rate by design.

FAQ

Common questions

Procurement-heavy questions live on the intake page.

Pentest pricing

Audit-grade pentests at a price designed to undercut the market.

One-off engagements priced $1 below the leading autonomous-pentest vendor — or bundled at no extra cost into any Range Assessment / Audit Co-Pilot contract over $2,000/month.

Included with contract

Pentests included on every contract over $2,000/month.

3-month commitment
1 × Single Target pentest included. Range Assessment ($2,500/mo) or Audit Co-Pilot Enterprise (from $3,500/mo).
6-month commitment
2 × Single Target or 1 × Full Surface pentest included + quarterly re-test. Best value.

Annual contracts: pentests scheduled per release. Talk to sales for a custom cadence.

Single Target
$3,999 per test

Comprehensive pentest for a single application.

Best for

Lightweight apps with few interconnected features, a modest set of CRUD resources, simple workflows, low integration complexity.

Depth of test

Equivalent depth of a 2-week manual penetration test.

  • Compliance-ready report: SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS, NIST CSF, NIS2, ISO 42001, TS 50701 + 40 more frameworks
  • Audit-ready report within 5 business days
  • Free re-test with automated verification after fix
  • Frictionless authenticated testing (2FA, magic link, email)
  • Detailed proof-of-concept exploits
  • Actionable remediation guidance
  • Black-box, white-box, or grey-box
  • Every finding human-reviewed before it ships
Full Surface
$7,999 per test

Deeper coverage for more complex applications.

Best for

Apps or platforms with multiple modules, integrations, multi-step workflows, deeper access-control patterns and data models.

Depth of test

Equivalent depth of a 4-week manual penetration test.

  • Everything in Single Target
  • Authenticated multi-role testing across tenants
  • Web2 + Web3 / smart-contract + AI-agent surface coverage
  • IDOR, SSRF, deserialization, auth-bypass, prompt-injection, tool-abuse probes
  • Realtime streaming of findings into your Console
  • Vulnerability coverage map + reasoning trace per finding
  • Request/response and endpoint-level trace detail
  • Two free re-tests after fixes ship
Always-On
Request a quote

Continuous coverage for organisations at scale.

Best for

Mature application portfolios — multi-module SaaS, admin tools, extensive resource relationships, regulated environments.

Depth of test

Continuous security hardening across every release.

  • Everything in Full Surface
  • Continuous offensive coverage — re-runs on every release
  • Early access to new vulnerability coverage as we ship detections
  • Multi-member access, shared assessment knowledge, human-directed operatives
  • Single Sign-On (SSO) + API access for workflow integration
  • Quarterly executive readout + framework-mapped board pack
  • Dedicated detection-engineering channel for your stack

Prices are per application, per test. Re-tests after fix are free. Every finding is human-reviewed before it ships — we never push automated changes to your environment.

Single Target and Full Surface: submit scope, pay securely on the next step, work starts the same day.

Ready when you are.

One form, one target, one validated report — or a continuous subscription that never goes stale.
