PCI DSS penetration testing

PCI DSS pentest your QSA signs off on.

CREST-accredited researchers run segmentation, internal, and external pentests per PCI DSS v4 Requirement 11.4. CDE scope tested, segmentation proven, report shaped for your QSA.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Most PCI DSS pentest reports do not survive the QSA review.

  • Templated 'compliance pentests' miss segmentation gaps, and the QSA then flags that the real CDE is wider than the scope asserted in your ROC.

  • An internal pentest without proof of segmentation means scope expansion, re-scoping fees, and a missed audit window.

  • Reports listing scanner output, not chained findings, get bounced back with control 11.4 evidence requests.

Here is what we ship.

Why teams pick us

QSA-accepted evidence, not template padding.

  • PCI DSS v4 mapped

    Findings tagged to Requirement 11.4 sub-controls. Internal, external, and segmentation all covered.

  • Segmentation proof

    We prove the segmentation controls hold, not just that they exist. QSA accepts the evidence.

  • Re-test included

    Ship the fix, we verify it inside the same engagement. No new SOW before the audit deadline.

How it works

From CDE scoping to report in two to three weeks.

  1. Scope the CDE

    Tell us the asserted CDE, segmentation boundary, and in-scope systems. Confirmed before kickoff.

  2. Researchers test the controls

    Internal, external, and segmentation tests run as required by 11.4.2, 11.4.3, and 11.4.5.

  3. Report your QSA accepts

    Findings tagged to PCI DSS v4 controls. Auditor evidence file, ready for the ROC.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.

Vinay Hiremath

Co-founder, Loom

Common questions

What buyers ask before they sign.

Does this satisfy Requirement 11.4?
Yes. The pentest covers 11.4.2 (internal), 11.4.3 (external), 11.4.4 (segmentation), and 11.4.5 (criticals retest).
How often is a PCI DSS pentest required?
At least annually and after significant CDE change. Many merchants run twice a year ahead of QSA review.
Will you sign the ROC evidence letter?
Yes. One-line letter on letterhead, signed by the lead pentester, attached to your ROC.
Do you cover service providers?
Yes. Level-1 and Level-2 service providers, including the segmentation testing burden under 11.4.5.
Re-test included?
Yes. Criticals re-tested inside the same engagement, no new SOW required.

Ready to ship the PCI DSS ROC without surprises?

20-minute scoping call with the lead PCI DSS pentester. Segmentation, CDE, and the controls your QSA asks about.

CREST · CERT-In · SOC 2 · ISO 27001