FAQs
About the Engagement
What kind of penetration testing do you offer?
Web application testing, external network testing, and internal network testing. Web application engagements use the OWASP Application Security Verification Standard as the structured backbone, which means the assessment goes beyond a list of vulnerabilities to evaluate the application’s security controls systematically. Network engagements cover external exposure and internal lateral movement depending on scope. Most compliance-driven engagements involve one or both of these.
If you’re not sure what your audit or enterprise customer actually requires, that’s a good question for the scoping call. We’ll help you figure out what makes sense before anything is signed.
Who will I be working with?
The person you talk to during scoping is the person running the test and writing the report. There’s no sales handoff, no account manager relaying messages, no junior tester escalating to someone more senior after the fact. If something serious surfaces during the engagement, you hear about it directly and immediately.
Have you worked with companies like ours?
Most likely yes. Engagements have covered everything from early-stage startups to Fortune 10 enterprises across healthcare, education, AI, SaaS, ecommerce, finance, and government. The security fundamentals are consistent across industries, and the compliance frameworks that drive most engagements (SOC 2, PCI-DSS, HIPAA, HITRUST, ISO 27001) show up repeatedly enough that the patterns are familiar.
If you’re in a specialized environment (healthcare SaaS handling ePHI, a logistics company with distributed infrastructure, a government entity with operational technology networks), bring it up during the scoping call. The more specific the context, the more useful the conversation.
Is testing manual or automated?
Both, but not equally. Scanners provide breadth and surface obvious issues quickly. Manual testing provides depth and finds what scanners can’t: authentication edge cases, broken access control logic across user roles, insecure business logic, chained vulnerabilities that require a human to think them through. Automation supports the process. It doesn’t drive it.
Every finding in the report has been manually validated before it gets there. If something appeared in scanner output but couldn’t be confirmed through manual testing, it doesn’t appear as a finding. No false positives, no noise.
How long does testing take?
About two weeks from kickoff to report delivery for most engagements. Scope affects timeline and we’ll tell you exactly what to expect before anything starts. If you have a hard deadline tied to an audit window or an enterprise deal, that’s the first thing we discuss during scoping so the timeline is built around it.
Will testing disrupt our systems or slow down our team?
No. Testing is non-destructive and coordinated around your schedule. Scope, timing, and communication protocols are defined upfront. Your engineering team won’t know it’s happening unless something needs their attention. Finding issues in a controlled engagement is the point. Finding them after an attacker does is the problem we’re preventing.
What happens if you find something critical?
You hear about it immediately, not at report delivery. Critical findings get flagged as soon as they’re confirmed so your team can start assessing the impact while testing continues. The report documents everything with full reproduction steps and remediation guidance, but critical issues don’t wait for the report.
Pricing and Value
How much does it cost?
Web application penetration tests start at $10,000 flat. Network engagements vary by scope. Everything is agreed upfront with no surprises and no hourly billing that expands after the fact. The scoping call produces a clear proposal with price, timeline, and deliverables before anything is signed.
We already have a pentest included through Vanta or our auditor. Why would we pay separately?
The bundled option might be fine depending on what you’re trying to accomplish. If the report will only ever be reviewed by a lenient auditor checking a box, a bundled scan-based pentest may clear that bar.
The problem is that the same report often gets shown to enterprise prospects during vendor security reviews, and procurement teams are increasingly specific about what they want to see: documented methodology, a defined severity rating system, manual testing evidence, and remediation validation. Scanner-based reports frequently fail that review. When they do, the deal stalls while you figure out whether to redo the test or argue with procurement about what counts.
If the pentest report is going to be seen by anyone more scrutinizing than a relaxed auditor, the quality of the work behind it matters. That’s the conversation worth having before you’re two weeks from a deal closing.
Why choose Asteros over a larger firm?
Large firms staff engagements with junior testers and automated tooling while senior names sit on the sales call. By the time the engagement starts, the person who sold you the work isn’t involved. Reports are templated, findings are generic, and turnaround is slower because there’s internal bureaucracy to navigate.
At Asteros, the senior practitioner does the work from scoping to report delivery. Engagements are faster, findings are specific to your environment, and you have direct access to the person who actually understands what was found and why it matters. For meaningfully less money.
Compliance Questions
Do I need a penetration test for SOC 2?
The framework doesn’t mandate it by name, but the controls it does require are hard to satisfy credibly without one. CC4.1 asks whether you’ve conducted proactive risk assessments. CC7.1 asks whether you have processes to identify threats. CC7.2 asks whether you can detect unauthorized access. A well-documented penetration test with validated findings and a retest result answers all of those questions with evidence that’s hard to argue with.
The other factor is that the report your SOC 2 auditor reviews is often the same report your enterprise customers’ procurement teams will ask to see. Auditors and procurement teams have different standards, and a report built to satisfy only the easier of the two tends to fail the harder one at an inconvenient moment.
Do I need a penetration test for PCI-DSS?
Yes. Requirement 11.4 mandates external and internal penetration testing at least annually and after significant changes. If you’re claiming network segmentation to reduce your cardholder data environment scope, segmentation testing is required to prove the isolation is real. Your QSA will ask for methodology documentation, validated findings, and remediation evidence. We build the report to give them exactly that.
What about ISO 27001, HIPAA, or HITRUST?
All three frameworks have specific expectations around penetration testing and documented risk evaluation. ISO 27001 Annex A controls covering vulnerability management and access security benefit directly from independent testing. HIPAA’s Security Rule requires a risk analysis that identifies threats to ePHI, and a penetration test is the most credible technical evidence for that analysis. HITRUST Control 10.m explicitly requires penetration testing. Each of these gets its own page on the site with more detail, but the short answer is yes, we handle all of them, and many clients are working toward more than one framework simultaneously from a single engagement.
Methodology
Do you test for the OWASP Top 10?
Yes, but it’s worth understanding what the Top 10 actually is. It’s an awareness document, not a testing standard. It exists to help developers and organizations understand the most common and impactful vulnerability categories, and it does that job well. What it isn’t is a methodology you run an engagement against. There’s no OWASP Top 10 test in the same way there’s an ASVS assessment.
Any credible web application penetration test will surface Top 10 issues if they exist. The question is what the test does beyond that. Asteros uses the OWASP Application Security Verification Standard as the structured backbone of web application engagements. The ASVS is the actual testing framework, covering authentication, session management, access control, API security, cryptography, and business logic in the depth that compliance auditors and enterprise procurement teams expect to see documented. The Top 10 categories are covered within it, alongside a lot more.
If a vendor is telling you they perform an “OWASP Top 10 test,” ask them what that means in practice. The answer will tell you a lot about how rigorous the engagement actually is.
What testing methodology do you follow?
Web application engagements follow the OWASP Application Security Verification Standard for coverage and the OWASP Risk Rating Methodology for scoring findings. Network engagements follow the Penetration Testing Execution Standard, which guides every phase from scoping and reconnaissance through exploitation and reporting. PTES ensures consistent coverage, real-world attack simulation rather than checkbox scanning, and clear documentation of how the test was approached and what was found.
If you’ve been asked by a prospect or auditor for a test conducted under a specific methodology, we can discuss how the engagement maps to their requirements during the scoping call.
The Report
What does the report actually include?
Three audiences receive the same document and each gets what they need from it.
Engineers get step-by-step findings with validated proof of concept, reproduction steps, and remediation guidance written for your actual stack. Not boilerplate. If your app is running on a specific framework with a specific database, the guidance reflects that.
Auditors get a structured ASVS assessment that maps findings to specific control deficiencies, documents what the application is already doing well, and shows exactly what work was performed. When findings are light, the assessment is what demonstrates the test was real and thorough rather than cursory.
Enterprise prospects’ procurement teams get an executive summary documenting methodology, severity ratings, and remediation status in the format they increasingly require. A sanitized attestation letter is available separately if you want something to share with customers without exposing technical detail.
What if the test finds very few vulnerabilities? Did we just waste money?
No, and this is worth addressing directly. A test with light findings still produces the ASVS assessment, which documents what was evaluated and what the application is doing well. That’s what demonstrates to an auditor that the test was thorough rather than cursory. It also means your engineering team gets a clear picture of where the application stands, not just a list of things that are broken.
Zero findings on an active SaaS application is rare and worth scrutinizing. Real products ship features, expand attack surface, and swap dependencies. If a test comes back completely clean, the right question is whether the methodology was rigorous enough to find anything if it existed. Our report makes that answer clear.
Do you retest after remediation?
Yes, at no additional charge. Once your team addresses findings, we verify the fixes and produce clean evidence of identification, remediation, and validation. That closure documentation maps directly to SOC 2 vulnerability management requirements and gives your auditor something concrete to point to.
Getting Started
How does scoping work?
A short call where you walk us through the environment: the application, user roles, API endpoints, authentication flows, anything that’s changed recently. We define what’s in scope, discuss your timeline and compliance goals, and you receive a flat-fee proposal with clear deliverables. No obligation past that conversation.
We’ve had a bad experience with a previous vendor. What’s different here?
The most common complaints we hear about previous engagements are scanner dumps dressed up as reports, junior testers who couldn’t answer basic questions about the findings, remediation guidance that didn’t apply to the actual stack, and vendors who disappeared after delivery. The direct access model addresses all of those. You work with the senior practitioner throughout, findings are manually validated before they reach the report, remediation guidance is written for your environment, and the free retest means the relationship continues until the findings are actually closed.
Still have questions?
