On-Demand Penetration Testing
Pentest at sprint pace, right-sized to your scope.
3-day, 7-day, or 15-day shapes, for a single web app, an app plus supporting API, or a multi-app stack. Same manual depth as a discipline-specific engagement, scoped on a 30-minute call, with reports your US SOC 2 and PCI DSS auditors accept.
Right-sized
3-day Sprint, 7-day Standard, or 15-day Deep: pick the shape that fits the target, not the calendar.
Manual depth
Scanner output filtered to the exploitable. Manual chained-exploits surfaced. Working proof-of-exploit on every finding.
Re-test included
We verify your fixes at no extra cost. One engagement, closed loop.
Quarterly cadence misses every release that ships between audits, which is most of them.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure.
Why on-demand
Engineering ships every sprint. Your pentest doesn't.
An annual pentest is one snapshot of an application that has already changed by the time the report lands. The 51 weeks in between go unreviewed. On-demand closes the gap: each release cycle gets a right-sized engagement, small enough to fit your sprint, deep enough to surface what scanners won't. The same CREST-accredited pentesters, the same manual depth, sized to the work you're shipping this quarter.
THREE ENGAGEMENT SHAPES.
Same depth. Scoped to scale.
Pick the shape that fits the target. Asset volume drives the man-days; the methodology and the accreditation stay the same at every tier.
3-day Sprint
Single web app, single API, or a focused regression. OWASP Top 10 and SANS Top 25 mapped, working proof-of-exploit, fixes in your sprint cycle.
7-day Standard
App plus supporting API plus business-logic edge cases. Auth flows, role-based access, integration surfaces. Longer-tail vulns the scanner misses.
15-day Deep
Multi-app stack: auth, RBAC, payment, third-party integrations, mobile-API surface. Exhaustive depth for an annual security-posture review.
What we test on-demand
One engagement model. Every target you ship.
Web, mobile, API, network, internal, brought under one delivery model. You don’t have to pick a discipline before you scope; we right-size the team and the depth to your target.
Web applications
Single SPA, multi-tenant, e-commerce, internal portal. Auth flows, RBAC, business logic, payment-stage integrity, manually walked, not scanner-rubber-stamped.
REST + GraphQL APIs
OWASP API Top 10 mapped. BOLA (broken object-level authZ), mass assignment, rate-limit bypass, schema introspection abuse, refresh-token rotation gaps.
Mobile apps (iOS · Android)
Native, hybrid, and cross-platform builds. Static + runtime instrumentation under Frida, deeplink hijack, Keychain / Keystore mishandling, addJavascriptInterface RCE.
Network IPs (internal + external)
Service enumeration, exposed admin panels, weak auth chains, default-credential pivots, RCE chains into the application stack, walked by hand, not just nmap output.
Internal apps + admin portals
VPN-gated, SSO-fronted, role-segmented apps. Same auth depth as external surfaces, mapped to your insider threat model and least-privilege contract.
Cloud + container surfaces
AWS, Azure, GCP, Kubernetes: IAM mishandling, managed-identity over-scope, IMDSv1 SSRF, pod-to-host RBAC bypass under your real workload identity model.
ON-DEMAND METHODOLOGY.
Six phases. Closed-loop at every shape.
Compressed for a 3-day Sprint, expanded for a 15-day Deep. The methodology, the manual coverage, and the sign-off contract stay the same.
- 01 Brief: 30-minute scoping call. Your target, timeline, build pipeline, and risk model walked through with the engagement lead. No 2-week SOW process.
- 02 Scope: Right-sized to a 3-, 7-, or 15-day shape. Asset list, deliverables, success criteria, and re-test contract written in one document.
- 03 Recon: Dependency graph, attack-surface map, exposed endpoints, and authentication paths inventoried before the manual phase begins.
- 04 Exploit: Manual chained-exploits surfaced. Scanner output triaged to the exploitable. Each finding paired with a working proof-of-exploit on a real environment.
- 05 Report: Working PoC, severity scored against business impact, the patch path written for engineering. Executive summary and CVSS evidence for the audit trail.
- 06 Re-test: Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each path is closed before the engagement is signed off.
Insights
On-demand testing resources.
Notes from short-cycle engagements: regression retests, single-feature pentests, and ad-hoc reviews that ship in days, not weeks.
Meet your engagement lead
One named lead, on demand.
John Dill
vCISO at SecureLayer7
3 · 7 · 15: engagement shapes (days)
Manual: methodology at every shape
Included: re-test on every engagement
John runs on-demand scoping from kick-off to re-test. He translates your target, timeline, build pipeline, and risk model into a 3-, 7-, or 15-day shape, then owns status checkpoints and sign-off so the pod stays heads-down on the engagement.
- Right-sizes engagements against your sprint cycle, asset volume, and risk model, not a fixed-tier menu.
- Owns kick-off, mid-engagement walkthroughs, and live review of every finding before it lands in the report.
- Drives remediation review and re-test until every finding is closed and proven on your environment.

Ready to scope an on-demand engagement? Book 30 minutes with John to walk through your target, timeline, and which shape fits.
Common procurement questions
What buyers ask about on-demand penetration testing.
Six questions procurement teams send before signing an on-demand pentest SOW. Answered against our methodology and your auditor.
Have a procurement question not listed here?
Tested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
Tech SaaS
Release-train-aligned re-tests on the surfaces that changed since last engagement.
FinTech
Pre-launch product pentests for new features hitting regulated environments.
Sample engagement report
See what arrives in your inbox.
A pre-vetted sample report: full vulnerability narrative, working proof-of-exploit, the patch path, and the re-test confirmation. Sent on request after a 5-minute scoping call.