Pre-funding due diligence

A pentest report that closes the round.

CREST-accredited researchers run a pre-funding pentest scoped for investor due diligence: web, API, cloud, plus the data-room evidence file investors expect. Two weeks from kickoff to a report your VC's security advisor signs off on.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Investor DD pentests sit on the critical path of the round.

  • Generic pentest firms quote four-week engagements that miss the funding-close window.

  • Templated reports get bounced by the VC's security advisor and force a re-scope under deadline pressure.

  • Pentest results delivered after term sheet but before close land at the worst moment for valuation negotiation.

Here is what we ship.

Why teams pick us

DD-ready, on the round timeline.

  • Two-week engagement

    From kickoff to report in two weeks. Fixed-price, fixed-scope, fits the close window.

  • VC-advisor format

    Findings shaped for VC security advisor review. CREST + reproducer + remediation is the standard DD artefact.

  • Data-room ready

    Report, attestations, and re-test status packaged for the data room. One folder, one upload.

How it works

From term-sheet to data-room in two weeks.

  1. Scope on the call

    20-minute scoping call. Asset list, data-room timeline, and VC security-advisor expectations confirmed.

  2. Researchers test the stack

    Web, API, cloud as a single graph. Business-logic chains included.

  3. Data-room package

    Report, attestations, re-test status, ready for the data room. CREST + reproducer + remediation throughout.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.

Vinay Hiremath

Co-founder, Loom

Common questions

What buyers ask before they sign.

Will VC security advisors accept the report?
Yes. CREST + reproducer + remediation is the standard DD security artefact across Series A through D.

How fast can we start?
Kickoff within five business days of the scoping call. Two-week engagement after that.

Multi-asset scope?
Yes. Web, API, cloud in a single fixed-price engagement. Mobile or AD added when in scope.

Re-test included?
Yes. Criticals re-tested inside the same engagement so the report shows fixed findings.

Data-room format?
PDF report, attestations folder, security questionnaire answers. One drop, ready for the room.

Ready to ship a DD-ready pentest before close?

20-minute scoping call with the lead pentester. Two weeks to a report your VC security advisor signs off on.

CREST · CERT-In · SOC 2 · ISO 27001