We find what scanners miss

Penetration testing for startups and SaaS companies. Thorough, actionable, and priced for teams that ship fast.

Security testing shouldn’t be this broken.

Enterprise firms charge €15,000+

You get a junior tester following a checklist, an account manager who can’t answer technical questions, and a 200-page PDF six weeks later. Half the findings are informational padding.

Automated scans miss what matters

Nessus and Qualys find missing headers and outdated libraries. They don’t find broken authorization, business logic flaws, or the config file that leaks your database password.


Bug bounties are unpredictable

No guaranteed coverage, no compliance-ready report, no timeline. You might get a critical finding in a week or hear nothing for six months. And you still need a pentest report for SOC 2.

AI tools miss your business logic

An LLM can spot a textbook XSS. It can’t chain a broken access control with your multi-tenant data model to prove a customer-data leak, and no auditor will accept "we asked an AI" as a SOC 2 or ISO 27001 pentest report.

There’s a better way. Faultline Security gives you manual, expert-level testing with a clear scope, fixed price, and a report your auditors will accept.

Clear scope. Fixed price. No surprises.

Methodology: PTES + OWASP WSTG · CVSS 3.1 scoring · CWE references

Essentials

Single application or API

From 3,000

  • 1 web application or API (up to 50 endpoints)
  • Gray-box testing: we test with valid user credentials, simulating a real insider or a compromised account, following OWASP WSTG, a 90+ test-case methodology that is the industry standard for thorough web security testing.
  • OWASP Top 10 & API Top 10 coverage: the most critical web and API security risks as defined by the Open Web Application Security Project, the global authority on application security.
  • Subdomain & virtual host enumeration: we discover all publicly reachable entry points to your infrastructure: subdomains, hidden portals, and services you may not know are exposed.
  • Authentication & session management testing
  • Security header & configuration review: we check HTTP security headers (CSP, HSTS, CORS, X-Frame-Options) and server configuration for the controls that prevent clickjacking, data leaks, and protocol downgrade attacks.
  • Business logic testing: we test your application’s workflows for flaws such as skipping payment steps or accessing other users’ data. The Growth tier adds a full deep-dive into complex business rules.
  • CVSS-scored findings with proof-of-concept: every finding is rated on the industry-standard 0–10 severity scale and includes a working proof-of-concept with the exact steps to reproduce the issue.
  • Attack narrative with exploitation chains: a step-by-step account of how individual vulnerabilities can be chained together for real-world impact. This is what separates our reports from scanner output.
  • Remediation guidance per finding
  • PDF report with executive summary
  • Letter of attestation: a one-page document confirming a pentest was performed, shareable with auditors, customers, and partners without an NDA. Commonly needed for SOC 2, ISO 27001, and enterprise sales.
  • Findings walkthrough & Q&A

Timeline: 3–5 business days

Get started
Most popular

Growth

Multi-surface web + API

From 5,000

  • Everything in Essentials, plus:
  • Up to 3 applications or API surfaces
  • Cross-application trust boundary testing: we test how your applications trust each other. Can a user from App A escalate access via App B? Are shared tokens, SSO, or APIs exploitable across surfaces?
  • Business logic deep-dive: goes beyond standard checks. We model your entire user journey and business rules to find flaws like payment bypasses, reward abuse, and multi-tenancy leaks.
  • Inter-service API & authorization testing: we test the APIs your services use to talk to each other. Are internal endpoints authenticated? Can a compromised service access data it shouldn’t?

Timeline: 5–8 business days

Get started

Comprehensive

Full external infrastructure

From 7,000

  • Everything in Growth, plus:
  • External perimeter (up to 20 IPs/hosts)
  • Service-level assessment (SSH, SMB…): we test every network service running on your servers (remote access, file shares, name resolution, and more) for misconfigurations and known vulnerabilities.
  • Cloud config review (AWS, GCP, Azure)
  • Internal service exposure analysis: we identify services meant to be internal-only that are actually reachable from the outside: databases, admin panels, debug endpoints, and monitoring dashboards.
  • Full retest after remediation included

Timeline: 7–10 business days

Get started

Add-ons (available for both service lines)

Retest after remediation (+20% of base): for the Essentials and Growth tiers (both pentest and AI lines). After your team fixes findings, we re-run the exact same attacks to verify the fixes work and issue an updated report confirming closure. Already included in both Comprehensive tiers.
Compliance mapping (+20% of base): for pentesting, we map every finding to SOC 2, ISO 27001 Annex A, or GDPR Article 32. For AI red teaming, we map to NIST AI RMF, ISO/IEC 42001, and EU AI Act obligations. The report doubles as audit evidence.
Source code review (+30% of base): we review your source code alongside runtime testing. For web apps: hardcoded secrets, logic flaws, insecure crypto, unsafe dependencies. For AI: prompt template injection surfaces, unsafe tool implementations, and model loading code.
Quarterly testing (15% discount): four engagements per year on an annual contract. Mix pentest and AI red team engagements. Ideal for teams shipping frequently: catch new vulnerabilities before they reach production.

From scoping form to actionable report in under two weeks.

01

$ Scoping form

free · 2 min

Fill out a short form with your application details, tech stack, and what you need the test for. You get a fixed-price proposal within 24 hours. No call required.

02

$ Kickoff & credential handoff

same day as signed SOW

You provide test credentials and access. We confirm scope, set up our testing environment, and define the rules of engagement.

03

$ Testing

3–10 business days

We test manually, following the PTES framework and OWASP WSTG methodology. Every finding gets a real proof-of-concept. Critical findings are reported immediately.

04

$ Report delivery

within 2 days of testing

Executive summary, technical findings with severity ratings and remediation guidance per finding, and a full attack narrative.

05

$ Report walkthrough & Q&A

async

We send a detailed walkthrough of every finding with remediation guidance. Your team asks questions on their schedule. We respond within one business day. Live call available on request.

06

$ Retest

optional · 1–2 days

After remediation, we verify the fixes work. You get an updated report confirming closure. Ready for your auditor.

What makes us different.

We talk during the test, not just after

Critical findings are reported the moment we confirm them. Not buried in a PDF you receive two weeks later. You can start fixing while we’re still testing.

Every finding has a proof-of-concept

We don’t report theoretical vulnerabilities. Every finding includes the exact request, exact response, and step-by-step reproduction instructions.

Built for modern stacks

APIs, containers, serverless, multi-tenant SaaS: we understand the architecture your team actually builds on. We speak developer, not just compliance.

Fixed price, fast turnaround

You know the cost before we start: no hourly billing, no scope creep charges, binding proposal from a 2-minute scoping form. Most engagements complete within one to two weeks.

Reports your auditors will accept

PTES framework, CVSS 3.1 scoring, CWE references, remediation guidance. Structured to satisfy the pentest evidence requirements of SOC 2 Type II, ISO 27001, and GDPR Article 32 out of the box.

AI-augmented, human-verified

We use AI for recon, payload generation, and report drafting. That’s how we deliver senior-quality testing at startup-friendly prices. But every finding is validated and signed by a human tester who stands behind the report.

See what you get.

Below is a redacted excerpt from a real engagement report. Every finding follows this structure: severity rating, technical evidence, business impact, and specific remediation steps.

report-excerpt.md

Finding: Broken Object-Level Authorization on Store Resources

Severity: Medium
CVSS 3.1: 5.3
CWE: CWE-639: Authorization Bypass Through User-Controlled Key
Asset: https://api.██████.██/stores/:id

Description

Any authenticated user can read store metadata for arbitrary stores by substituting numeric IDs in the URL path. The API does not verify that the requesting user owns the target store.

Evidence

GET /stores/36480
Authorization: Bearer <JWT>
→ HTTP 200 -- store belonging to a different tenant

Remediation

  1. Add authorization middleware that verifies tenant ownership before returning data.
  2. Replace sequential numeric IDs with UUIDs. This removes trivial enumeration but does not replace the ownership check in step 1.
  3. Add integration tests for cross-tenant access denial.

Every finding in your report follows this exact structure. No vague descriptions. No missing evidence. No “fix your code” without explaining how.

6 findings · executive summary · attack narrative · letter of attestation · appendices
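To make the remediation in the excerpt concrete, here is an added example that is not part of the Faultline report or any client's code: a minimal model of the /stores/:id handler before and after the fix, plus the cross-tenant denial check from remediation step 3 written as a reusable function. It assumes the caller's tenant comes from a JWT whose signature has already been verified upstream (the claim names and the in-memory store table are constructed for the example).

```python
# Added example, not code from the Faultline report: the /stores/:id
# handler before and after the remediation above.
# Assumptions: the caller's tenant comes from a JWT already verified
# upstream (hypothetical claim names); the store table is constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: one store per tenant, with the sequential
# numeric IDs that make the finding trivially enumerable.
STORES = {
    36479: {"id": 36479, "tenant_id": "t-alpha", "name": "Alpha Store"},
    36480: {"id": 36480, "tenant_id": "t-beta", "name": "Beta Store"},
}


@dataclass(frozen=True)
class Principal:
    """Claims taken from an already-verified JWT (hypothetical names)."""
    user_id: str
    tenant_id: str


def get_store_vulnerable(principal: Optional[Principal], store_id: int):
    """Before: only authentication is checked, so any logged-in user can
    read any store by substituting the numeric ID (CWE-639 / BOLA)."""
    if principal is None:
        return 401, None
    store = STORES.get(store_id)
    if store is None:
        return 404, None
    return 200, store


def require_store_owner(handler):
    """Remediation step 1: authorization middleware. Loads the object and
    refuses unless it belongs to the caller's tenant. A 404 rather than
    a 403 is returned for foreign stores so the response does not confirm
    which IDs exist in other tenants."""
    def wrapped(principal: Optional[Principal], store_id: int):
        if principal is None:
            return 401, None
        store = STORES.get(store_id)
        if store is None or store["tenant_id"] != principal.tenant_id:
            return 404, None
        return handler(principal, store)
    return wrapped


@require_store_owner
def get_store_hardened(principal: Principal, store: dict):
    """After: the handler only ever sees a store the middleware has
    already attributed to the caller's tenant."""
    return 200, store


def cross_tenant_access_denied(handler) -> bool:
    """Remediation step 3 as a reusable integration check: a user from
    tenant beta requests alpha's store (ID 36479). Returns True only if
    the handler denies the request without leaking the object."""
    attacker = Principal(user_id="u-beta-1", tenant_id="t-beta")
    status, body = handler(attacker, 36479)
    return status in (403, 404) and body is None


if __name__ == "__main__":
    print("vulnerable handler denies cross-tenant read:",
          cross_tenant_access_denied(get_store_vulnerable))  # False
    print("hardened handler denies cross-tenant read:",
          cross_tenant_access_denied(get_store_hardened))    # True
```

The check function is the shape of test that belongs in CI: it fails against the original handler and passes once the ownership middleware is in place. Switching the keys to UUIDs (remediation step 2) would remove the guessable ID but would not change either result; the ownership check is what closes the finding.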

What our clients say.

As a regulated fintech handling tokenized assets, security isn’t optional. Faultline came in with clear scoping, fast turnaround, and a report our engineers could act on immediately.
João Lages

Co-Founder & General Manager, Lympid

Faultline gave us a clear, honest read on where we stood from a security perspective. The executive summary was shareable with stakeholders, the technical detail was deep enough for our engineers to act on, and we came out knowing exactly what to prioritise.
André Moniz

Co-Founder & CTO, Buk

Questions we hear a lot.

Will testing break my production environment?
No. We follow strict rules of engagement agreed before testing begins. We do not run denial-of-service tests, brute-force attacks, or destructive operations unless explicitly requested and scoped. Read operations are the default: we prove access, not cause damage.
Do I need to give you access to source code?
Not for a standard engagement. Our default is gray-box testing: you provide application credentials and we test from the outside, like a real attacker with a valid account. Source code review is available as an add-on if you want deeper coverage.
What compliance frameworks does your report satisfy?
Our reports are structured to satisfy evidence requirements for SOC 2 Type II, ISO 27001 (Annex A.12.6 / A.18.2 in the 2013 numbering), GDPR Article 32 security assessments, and PCI DSS penetration testing (Requirement 11.3 in v3.2.1, Requirement 11.4 in v4.0). If your auditor needs a specific format, we’ll accommodate it.
Can’t AI just do a pentest?
AI tools are good at finding known vulnerability patterns in code snippets. They can’t model your specific business logic, chain multi-step attack paths across your running application, or sign an attestation letter your auditor will accept. We use AI internally to accelerate our work. That’s part of how we keep pricing accessible. But the final judgement, the proof-of-concept against your live app, and the signature on the report are human.
How long does it take?
Pentesting: most engagements finish within 5–10 business days from kickoff to final report; Essentials (single app/API) is typically 3–5 business days of active testing. AI red teaming: Essentials 3–5, Growth 5–8, Comprehensive 8–12 business days. The final report follows within 2 business days of testing completion. Mention urgent timelines in the scoping form.
What happens if you find something critical during testing?
We notify you immediately by email or Slack. We do not wait until the final report. This gives your team a head start on remediation while we continue testing the rest of the scope.
Do you offer retesting after we fix the findings?
Yes. For both penetration testing and AI red teaming, a full retest of all findings is included on the Comprehensive tier. On Essentials and Growth, retesting is available as an add-on (20% of the engagement price). We verify your fixes and issue an updated report confirming finding closure.
Can you test our mobile app too?
We currently focus on web applications, APIs, and external infrastructure. Mobile application testing is on our roadmap. In the meantime, we can test the API backend that your mobile app connects to, which is where most mobile security issues actually live.
Why do your prices say “From” instead of a fixed number?
Because every application is different. The starting price covers the most common scope for that tier: a straightforward app with standard authentication. If your app has more endpoints, multiple user roles, or complex business logic, the price adjusts to reflect the extra testing time. Most engagements land within 20–40% of the starting price. The scoping form takes 2 minutes and you get an exact fixed price in your proposal. No surprises after that.
Where are you based?
We are based in the EU (Portugal). All testing is performed from our own infrastructure. We do not offshore or subcontract testing.
Do you test AI / LLM features in our app?
Yes. AI red teaming is a dedicated service line alongside our web application pentesting. We test LLM-backed features for prompt injection (direct and indirect), jailbreak resistance, system prompt leakage, insecure output handling, tool and function-call abuse, cross-tenant context leakage, and excessive agency. Engagements start from EUR 3,000. Use either service switch on our homepage (hero or pricing section) to compare tiers and methodology.
What frameworks do you use for AI red teaming?
We anchor on OWASP Top 10 for LLM Applications (LLM01–LLM10) and MITRE ATLAS on every tier. NIST AI RMF 1.0 mapping per finding starts at the Growth tier. ISO/IEC 42001 control and EU AI Act obligation mapping in the report appendix is included on Comprehensive. Every finding lists the relevant OWASP LLM category and ATLAS technique.

Stay informed

Keep up with Faultline.

New services, security research, and the occasional offer. Delivered when there’s something worth saying.

No noise. Unsubscribe at any time.

Ready to find out what’s exposed?

Fill out a 2-minute scoping form and get a fixed-price proposal within 24 hours. No call required, no commitment, no sales pitch.

Start your assessment

Prefer email? Reach us at hello@faultlinesec.com