Lite: $3,500 per test
A small web app — a few features, simple workflows. For a deal-blocker pentest or a small SOC 2.
- We attack the whole web app — logic, auth, injection.
- Scope of a short, focused pentest.
- Email support.
BugDazz Autonomous —
Web · API · Active Directory — the surfaces in our plans.
Working proof-of-exploit and developer-ready remediation on every finding.
We verify your fixes at no extra cost. One engagement, closed loop.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Scope your engagement —
Plans —
Pick by your app, not a feature checklist. Each tier is a fixed scope at a fixed price — no scoping call to see it. First findings reach your dashboard within 90 minutes of test start.
Lite: $3,500 per test
A small web app — a few features, simple workflows. For a deal-blocker pentest or a small SOC 2.
Plus: $6,000 per test
A web app with a documented API — several modules and integrations. Where most teams start.
Premium: $9,000 per test
A larger platform — many modules, complex auth, multi-step workflows.
Enterprise: Custom, annual or multi-year
A mature application portfolio — broad functionality, a recurring program, Active Directory.
| | Lite $3,500 | Plus $6,000 | Premium $9,000 | Enterprise Custom |
|---|---|---|---|---|
| Web app testing | Whole web app | Web + API | Deeper, chained attacks | Custom scope |
| API testing | — | Documented API | Documented API + chained | Custom |
| Scope depth | Short, focused | Standard | Deep | Custom |
| CREST-accredited report | ✓ | ✓ | ✓ | ✓ |
| Working proof-of-exploit | ✓ | ✓ | ✓ | ✓ |
| Jira / Slack / ServiceNow | ✓ | ✓ | ✓ | ✓ |
| Re-test after fix | Once, 30 days | Twice, 30 days | Unlimited, 90 days | Unlimited, contract term |
| Real-time Monitor | — | Add-on | 1 asset included | Included |
| CI/CD on every deploy | — | Add-on | Add-on | Included |
| Active Directory | — | — | Add-on | Included |
| Support | Email | Email + Slack | Dedicated CSM | Dedicated CSM + TAM |
Add-on - continuous
Ship every week? Make any plan continuous.
Add testing on every deploy plus always-on attack-surface monitoring. Pick the cadence; talk to us to size it.
Growth —
Continuous coverage, typically 1-2 apps. 24h testing/mo, Real-time Monitor on 1 asset, CI/CD on 1 pipeline.
Scale —
Recurring SOC 2 / DORA, typically 3-5 apps. 64h testing/mo, Monitor on 3 assets, CI/CD up to 5 pipelines.
Real-time Monitor: +$500 / asset / mo beyond plan.
Get started —
No scoping call for web and API — a pod lead confirms scope, tier, and start date within one business day.