Procurement-ready pentest
The pentest vendor your procurement team can sign off on.
CREST + CERT-In accredited, SOC 2 + ISO 27001 attested, and audit-log-backed. SLAs, SOWs, attestations, BAAs, and DPAs ready for your procurement file. RFP pack on request.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Why this matters
Procurement bounces pentest vendors for the same three reasons every quarter.
Missing accreditation evidence: CREST and CERT-In listings procurement can verify against public registers.
Missing attestation pack: SOC 2 Type II, ISO 27001, GDPR DPA, HIPAA BAA, ready to drop into the vendor file.
Missing SLA and SOW templates: payment terms, indemnity caps, IP clauses, retention rules. Procurement wants them up front.
Here is what we ship.
Why teams pick us
Pack in your inbox, not after three review rounds.
Accreditations verifiable
CREST and CERT-In listings, with the ledger entries procurement can verify against the public registers.
Attestation pack
SOC 2 Type II, ISO 27001, GDPR DPA, HIPAA BAA, plus security questionnaire answers. Ready to drop in.
SLA + SOW + DPA templates
Payment terms, indemnity caps, IP clauses, retention rules, DPA, BAA, all up front.
How it works
From RFP request to engagement without a second review cycle.
Request the pack
Drop your work email. RFP pack with attestations and SLA templates ships within one business day.
Walk it into procurement
Vendor onboarding answered in one pass. Security questionnaire answers included.
Engagement kickoff
Once the vendor is onboarded, scoping call and kickoff follow in five business days.
Research ledger
Coordinated disclosures published by SL7 research.
The same researchers run your engagement.
What founders say
“Thank you for being our pentest partners. Our user base is safer because of y'all.”

Vinay Hiremath
Co-founder, Loom
Common questions
What buyers ask before they sign.
- What's in the pack?
- CREST cert, CERT-In empanelment, SOC 2 Type II report, ISO 27001 cert, GDPR DPA, HIPAA BAA, security questionnaire answers, SLA + SOW templates.
- Will procurement verify CREST and CERT-In?
- Yes, and they should. The CREST registry and the CERT-In ledger are public, and both are named in the pack.
- Do you sign mutual NDAs?
- Yes. Standard MNDA on the second call, before any RFP-stage information exchange.
- Customer references for procurement?
- Yes. Public references named, private references on signed NDA.
- How fast can vendor onboarding close?
- Most procurement reviews close within five business days of the pack arriving.
Ready to vendor-onboard a pentest firm in one review cycle?
Drop your work email and the RFP pack arrives within one business day: SLAs, attestations, BAAs, DPAs, and security questionnaire answers.
CREST · CERT-In · SOC 2 · ISO 27001