CISO buyer guide

The CISO guide to buying a real pentest.

What to scope, what to ask the vendor, what evidence the auditor will want, and how to tell a real research-led firm from a templated one. Written by SL7 researchers, peer-reviewed by CISOs.


Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Pentest procurement is broken. Most CISOs find out post-audit.

  • Vendor scorecards rank firms by sales-deck quality, not by reproducer quality. The wrong vendor ships a PDF that fails the SOC 2 review.

  • RFPs that ask for 'methodology' get the same paragraph back from every vendor. The differentiator is research output, not marketing copy.

  • Auditors expect CVE-disclosure track record and CREST. Procurement asks for neither.

Here is what we ship.

Why teams pick us

What's inside, written by researchers.

  • Scope checklist

    What to scope per asset class, with the gotchas templated firms exploit at change-order time.

  • RFP questions that filter

    20 questions that filter research-led firms from tool operators. Verbatim ready for procurement.

  • Evidence-shape glossary

    Reproducer, severity rationale, fix path, re-test status. What auditors actually want.

How it works

How to use the guide in your next pentest cycle.

  1. Drop your email

    We send the PDF. No sales call unless you ask. CISO-to-CISO review available on request.

  2. Walk it into procurement

    RFP questions and scope checklist ready to copy into your vendor evaluation.

  3. Run it against your last report

    Self-audit checklist tells you if the pentest you got is auditor-ready.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.


What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.

Vinay Hiremath

Co-founder, Loom


Common questions

What buyers ask before they sign.

Who wrote the guide?
SL7 research leads. Peer-reviewed by buyer-side CISOs from fintech, SaaS, and healthtech.
Is this a sales pitch?
No. The RFP questions are vendor-neutral. They filter for research-led firms, not specifically for SL7.
What does it cost?
Free. We send the PDF to your work email.
Will SL7 reach out after?
Only if you check the box. CISO-to-CISO review is opt-in.
Is there a CTO or VP Engineering version?
Same guide. The procurement section is the same regardless of title.

Ready to read what the auditor actually wants?

Drop your work email and the PDF arrives in your inbox. No sales call unless you ask for one.

CREST · CERT-In · SOC 2 · ISO 27001