What you usually wonder before hiring.

If your question isn't here, write to us directly — we'll add it.

Is it legal? What authorization do I need?+
Yes, as long as it's authorized in writing. Before any test we sign an authorization agreement that defines exactly which systems can be tested and in what time window. Without that authorization, nothing is executed.
Are you going to take down my production environment?+
The goal is not to impact the service. We agree the testing window and intrusion level with you. Tests that could affect availability are done only with your explicit permission or in a staging environment if you prefer.
How do you handle confidentiality?+
We sign an NDA before starting. All information, findings and evidence are treated as confidential, delivered securely and deleted after delivery if you request it.
And if you don't find any vulnerability?+
You still get the report documenting everything that was tested and why your application held up. A clean report backed by a serious methodology also has value: it's auditable proof of your security level.
What's the difference between the free report, the scan and the pentest?+
They're three different things and we tell you with no fine print. The free report is a passive configuration review (certificate, headers, CSP, SRI, libraries): it doesn't look for exploitable vulnerabilities. The vulnerability scan uses a professional scanner to detect common flaws, and we review every finding by hand to remove false positives, but we don't exploit anything. The full pentest is manual exploitation work: business logic, access control and attack chains that no scanner detects. Each level answers a different question: how do they see me?, what obvious flaws do I have?, what could a real attacker do?
Is the free report really free? Where's the catch?+
It's free and there's no hidden catch: it's a passive review we have highly automated, so it costs us little to produce. We do it because it's the best way to show you how we work before you pay us anything. If afterwards you want a vulnerability scan or a pentest, great; if not, you keep the report anyway.

Still haven't found your answer?

Ask directly. We reply within 24h, no commitment.