Penetration testing that ends with a report people actually use.
Pentra delivers web, API, cloud, and network assessments with a high-quality PDF report built for engineering remediation, SOC 2, ISO 27001, vendor reviews, and executive risk decisions.
Audit-grade SOC 2 or ISO 27001 PDF report
Download a sample report with executive summary, methodology, evidence, technical findings, remediation guidance, and retest-ready status.
Download sample report
Harbor Cloud penetration test
Example report structure and finding format
Pentests for startups preparing to launch, fundraise, or pass security review.
We test the app, API, cloud, and network paths that could block a launch, slow a deal, or fail a vendor review.
Web application testing
Authentication, authorization, session handling, data exposure, file upload, business logic, and OWASP Top 10 coverage.
API security testing
REST, GraphQL, and gRPC testing for IDOR, broken object authorization, mass assignment, injection, and rate-limit bypass.
Cloud and infrastructure
Cloud IAM, external exposure, storage controls, Kubernetes, perimeter services, and practical privilege escalation paths.
Network penetration testing
External and internal network assessment covering perimeter exposure, Active Directory risk, lateral movement, and segmentation.
A controlled workflow from authorization to retest.
The work is structured so engineering, leadership, and auditors can understand what was tested, what was found, and how to fix it.
Scope
Confirm targets, roles, environments, exclusions, rate limits, test windows, and escalation contacts.
Test
Combine focused automation with manual exploitation, authorization review, and sensitive workflow testing.
Report
Deliver validated findings with evidence, reproduction steps, impact, severity rationale, and fix guidance.
Retest
Re-run the original exploit path after remediation and document the final status for audit use.
Choose the level of access that fits your stage.
Startups usually need black-box external coverage or grey-box testing with real user roles. White-box review is available when a sensitive workflow needs deeper validation.
Black box
External attacker perspective with no internal documentation or credentials beyond agreed scope.
Grey box
Authenticated testing with test users, role coverage, and enough context to go deeper faster.
White box
Source-assisted review with architecture notes, admin access, and targeted validation of sensitive paths.
The deliverable is a serious PDF report.
The final report is written to help engineers reproduce, prioritize, fix, and prove closure. It is also structured for vendor reviews, SOC 2 evidence, and ISO 27001 audit support.
Sample audit-grade PDF report
Findings & Research
Cross-tenant export exposed tenant records
Authorization checks failed when export jobs were requested through the API.
MFA bypass on invited admin flow
A role transition path allowed privileged access before the second factor was enforced.
Webhook retry leaked internal error detail
Verbose responses exposed service names and queue identifiers useful for chaining.
Pentesting packages for launch, audit, and ongoing security.
Pick the package that matches your stage. Each one includes validated findings, practical remediation guidance, and a PDF report your team can use for fixes and reviews.
Starter Pentest
Flat rate $960
one-time
A focused fixed-price test for a narrow app, API, or critical user flow.
Best for
Early-stage products, narrow app/API scopes, and limited audit evidence needs
Output
Audit-grade PDF report usable for SOC 2, ISO 27001, and vendor reviews
Depth
Focused black-box penetration test
- Black-box testing
- OWASP Top 10 and access-control review
- Validated findings with reproduction steps
- One remediation retest for confirmed fixes
Quarterly Pentest
Flat rate $2,500
full year
Four focused tests across the year, scheduled one per quarter.
Best for
Teams that want recurring security checks and updated audit evidence
Output
Four quarterly PDF reports with fix verification notes and current risk summaries
Depth
One focused black-box or grey-box pentest per quarter for 12 months
- Black-box and grey-box testing
- Priority review of changed features
- One test per quarter for four total tests
- Simple evidence trail for audits and vendors
Launch Readiness
Flat rate $1,500
one-time
A practical go-live review for startups before launch, fundraising, or vendor review.
Best for
Startups about to launch a web app, API, marketplace, or customer portal
Output
Go-live risk report with launch blockers, quick wins, and retest status
Depth
Focused review of auth, payments, admin actions, uploads, and exposed cloud paths
- Pre-launch threat model and scope review
- Manual testing of highest-risk workflows
- Clear launch-blocker prioritization
- Founder-friendly readout and engineer-ready fixes
Enterprise
Custom pricing
Custom offensive security for larger scopes, complex environments, or ongoing testing.
Best for
Organizations with advanced offensive testing needs
Output
Continuous offensive security that scales with your organization
Depth
Custom testing windows across applications, cloud, network, and internal environments
- Custom number of testers and testing windows
- Support for apps on local networks
- Priority support and response SLA
- Training and onboarding
Frequently asked questions.
Direct answers about pricing, scope, reports, production testing, and what happens after findings are fixed.
Is the $960 starter package a real pentest?
What do we get at the end?
Can the report support SOC 2 or ISO 27001?
What is the Launch Readiness package?
What does the $2,500 yearly package include?
Do you only run scanners?
Can you test production?
How fast can we start?
Start the conversation. We will take it from there.
Send a quick note and we will reply within 24 hours to understand what you need, what stage you are in, and which package makes sense.