I need a one-time pentest for SOC 2, a customer questionnaire, or a deal blocker

Lite $3,500 (small app, web only), Plus $6,000 (medium app, web + API), or Premium $9,000 (larger app, deeper testing). CREST-accredited report in 3-10 days.

I have a medium app with web + a documented API

Plus $6,000, web + a documented API. Provide a Swagger / OpenAPI spec or Postman collection.

I have a larger platform, many modules, complex auth

Premium $9,000, deeper testing on web + API.

I need Active Directory testing, or recurring testing across multiple apps

Active Directory, a recurring program, or vendor consolidation → Enterprise (custom, book a scoping call). For testing on every deploy, add Continuous below.

I want monthly recurring testing without an Enterprise commitment

Growth $1,500/mo or Scale $4,000/mo, ongoing web + API testing with CI/CD on every deploy.

I want always-on monitoring on more assets than my plan includes

Add Real-time Monitor at $500 / asset / month for each additional monitored asset.

BugDazz Autonomous

See the price before the call.

AI agents attack your web apps and APIs the way a real attacker does, and you get a CREST-accredited report in days. Fixed-scope tiers, no scoping call to see a price. Active Directory and continuous testing live in Enterprise.

See plans

Coverage

Web · API · Active Directory, the surfaces in our plans.

Evidence

Working proof-of-exploit and developer-ready remediation on every finding.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Scope your engagement

Tell us what you’re testing.We’ll point you to the right plan.

Plans

Pick the test
you need.

Pick by your app, not a feature checklist. Each tier is a fixed scope at a fixed price, no scoping call to see it. First findings reach your dashboard within 90 minutes of test start.

Lite

$3,500

per test

A small web app, a few features, simple workflows. For a deal-blocker pentest or a small SOC 2.

We attack the whole web app, logic, auth, injection.
Scope of a short, focused pentest.
Email support.

Plus

$6,000

per test

A web app with a documented API, several modules and integrations. Where most teams start.

Web app and your API, attacked together.
Scope of a standard pentest.
Email support.

Premium

$9,000

per test

A larger platform, many modules, complex auth, multi-step workflows.

Deeper, chained attacks across a larger surface.
Scope of a deep pentest.
A dedicated CSM on qualifying programs.

Enterprise

Custom

Annual or multi-year

A mature application portfolio, broad functionality, a recurring program, Active Directory.

Everything in Premium, plus Active Directory.
A recurring program, not a one-off test.
Named CSM and TAM · 24/7 support.
Active Directory testing begins after a 30-minute scoping call.

Compare all features

	Lite$3,500	Plus$6,000	Premium$9,000	EnterpriseCustom
Web app testing	Whole web app	Web + API	Deeper, chained attacks	Custom scope
API testing	—	Documented API	Documented API + chained	Custom
Scope depth	Short, focused	Standard	Deep	Custom
CREST-accredited report	✓	✓	✓	✓
Working proof-of-exploit	✓	✓	✓	✓
Jira / Slack / ServiceNow	✓	✓	✓	✓
Re-test after fix	Once, 30 days	Twice, 30 days	Unlimited, 90 days	Unlimited, contract term
Real-time Monitor	—	Add-on	1 asset included	Included
CI/CD on every deploy	—	Add-on	Add-on	Included
Active Directory	—	—	Add-on	Included
Support	Email	Email + Slack	Dedicated CSM	Dedicated CSM + TAM

Every plan includes

01CREST-accredited report
02working proof-of-exploit: request, response, attack trace, reproducible PoC
03Jira / Slack / ServiceNow integration
04unlimited retest within 90 days for found vulnerabilities

Add-on - continuous

Ship every week? Make any plan continuous.

Add testing on every deploy plus always-on attack-surface monitoring. Pick the cadence; talk to us to size it.

Growth

$1,500/ mo

Continuous coverage, typically 1-2 apps. 24h testing/mo, Real-time Monitor on 1 asset, CI/CD on 1 pipeline.

Scale

$4,000/ mo

Recurring SOC 2 / DORA, typically 3-5 apps. 64h testing/mo, Monitor on 3 assets, CI/CD up to 5 pipelines.

Real-time Monitor: +$500 / asset / mo beyond plan.

FAQ

Questions,answered.

Show all 17 questions

Pick by need

Scope & method

Findings & report

Active Directory & CI/CD

On record

Get started

Tell us the app. We'll confirm scope and start.

No scoping call for web and API, a pod lead confirms scope, tier, and start date within one business day.

See the price before the call.

AI agents attack your web apps and APIs the way a real attacker does, and you get a CREST-accredited report in days. Fixed-scope tiers, no scoping call to see a price. Active Directory and continuous testing live in Enterprise.

Coverage

Evidence

Re-test included

Tell us what you’re testing.We’ll point you to the right plan.

Pick the testyou need.

Lite

Plus

Premium

Enterprise

I need a one-time pentest for SOC 2, a customer questionnaire, or a deal blocker

I have a small web app and need one CREST pentest

I have a medium app with web + a documented API

I have a larger platform, many modules, complex auth

I need Active Directory testing, or recurring testing across multiple apps

Pick by need

I want monthly recurring testing without an Enterprise commitment

I want always-on monitoring on more assets than my plan includes

Scope & method

Is this really autonomous, or just a scanner?

What does the price reflect?

What does API testing include?

What if my API has no separate documentation?

Findings & report

When will I see my first finding?

Why don't you guarantee criticals within a fixed time?

What's in the report?

Active Directory & CI/CD

When can I test Active Directory?

What does AD testing cover?

Which CI/CD systems integrate (subscription tiers)?

Tell us the app. We'll confirm scope and start.

Pick the test
you need.