Limited-time offer
Do your security test today — 40% off
Run a full pentest-grade audit of your site now and save 40% at checkout.
Use code at checkout:START40
Run a full pentest-grade audit of your site now and save 40% at checkout.
No marketing fluff. This page lays out exactly what we test, what we don't, what the deliverable looks like, and how we compare to a traditional pentest consultant. If anything's unclear, contact us before paying. Want to see the deliverable first? Download a sample report (PDF).
Every check listed below runs on every pentest. Each finding in your PDF report includes the exact HTTP request that triggered it, the response we received, the CVSS 3.1 vector, the relevant OWASP / CWE references, and concrete remediation steps. Methodology is drawn from OWASP Top 10 2025, OWASP API Top 10, CWE Top 25, and PCI-DSS / NIST controls where applicable.
Configuration mistakes on production servers — outdated software, debug modes accidentally left on, internal files leaked through the web.
Recon data we leak to attackers without realising — server versions, internal comments, framework fingerprints.
HTTPS configuration, certificate validity, redirect behaviour, and protection against downgrade attacks.
Modern browser security primitives (CSP, X-Frame-Options, etc.) that block whole classes of attack when configured correctly.
How cookies are scoped, who can read them, and whether they protect session integrity correctly.
Login forms — discoverable, rate-limited, CSRF-protected, with sensible password policies.
Once a user is logged in, can they see or do things they shouldn't?
The OWASP-classic exploit categories — SQL injection, XSS, command injection, traversal, SSRF, SSTI, XXE.
Surface-level API misconfigurations — permissive CORS, unsafe HTTP methods, GraphQL introspection, JWT pitfalls.
JavaScript bundles shipped to browsers — leaked secrets, unsafe inline handlers, missing integrity checks.
DNS-level email auth (SPF, DKIM, DMARC) that prevents your domain from being spoofed.
Domain-level reconnaissance — subdomain enumeration, zone-transfer attempts.
Network-level checks against the target host — open TCP ports, service versions, administrative ports exposed, sensitive files reachable, security.txt.
Search-engine and crawler signals — robots.txt, sitemaps, titles, descriptions, social-share tags.
Hygiene checks that signal a professionally-maintained site (and prevent simple footgun bugs in production).
Within ~5-10 minutes of payment, you receive an email with a signed download link to your PDF report. If you've opted for password protection, the password is in the same email. The format follows the layout used by professional pentest firms — same sections, same severity scheme, same evidence requirements.
One page suitable for non-technical stakeholders: count by severity, top 3 risks, business impact, recommended next steps.
What we tested, how, what was out-of-scope, what tools we used. Useful for compliance audits.
Every finding with severity (Critical / High / Medium / Low / Info), CVSS 3.1 vector, CWE reference, OWASP category, and status (Passed / Failed / Not Detected / Not Tested / Not Applicable).
For each finding: description, technical impact, exact HTTP request that triggered it, response evidence, proof-of-concept payload, and remediation guidance with code samples.
Cross-reference table mapping each finding to OWASP Top 10 2025 categories, CWE Top 25, and where applicable, NIST and PCI-DSS controls.
Full request/response logs for confirmed findings, TLS report card, scan timing data, and a complete checklist of all 117 distinct security tests performed across up to 200 crawled URLs.
Fix the issues, then re-run the entire scan once at no extra cost — any time within 7 days of delivery. Confirm your remediation worked and get a fresh report, free.
Be honest with yourself: this is automated black-box testing, not a manual pentest by a human. It catches what humans test for first, fast, and at scale — but it can't replace a $5,000+ manual engagement for complex application logic flaws.
We're not pretending to be a $50,000 boutique pentest firm. We're filling a different gap — fast, cheap, automated checks for the things that get exploited most often in the wild.
Every finding includes the exact request and response that triggered it, so you can verify yourself. Each checklist item is marked Failed (an issue was confirmed with concrete evidence — e.g. an XSS canary reflected unescaped, or a SQL-injection payload that changed the query result), Passed (tested, no issue found), Not Detected (actively probed with multiple techniques but nothing confirmed — full assurance on these classes needs a manual test), or Not Tested (requires authenticated access, a second account, or human reasoning, and is out of scope for an automated unauthenticated scan). False-positive rate for Failed findings is under 2% on our internal benchmark.
Don't pay. The checkout form requires you to confirm in writing that you own the domain or have explicit written authorization from the owner. Lying on that form makes you personally liable under Section 43 of the Indian IT Act 2000 (or your local equivalent). We log your IP and timestamp at order placement and will share that with law enforcement if served with a valid request.
Typically 5–10 minutes for a small-to-medium site (under 200 pages). Larger sites or slower servers can take up to 30 minutes. You'll see live progress on the scan-status page during the run, plus get an email when the report is ready.
You get an automatic full refund. Razorpay returns the money to your original payment method within 5–7 working days (or faster via instant refund for cards). You'll receive an apology email when the refund is initiated, and a confirmation email when it's been processed.
Almost never. We rate-limit ourselves to ~10 requests per second per target and back off on 5xx responses. We don't use any actually-destructive payloads (no DROP TABLE, no infinite loops, no recursive directory creation). That said, if your site is hosted on a tiny VPS with no caching, you may notice elevated load during the scan window.
Yes, for 30 days, so you can re-download the report if you lose the PDF. After 30 days, the findings table is purged automatically. The order record (your email, target URL, payment ID) is retained for accounting purposes per Indian tax law.
Yes. Each scan is $19.99 and a fresh order. Many customers run a scan before launch, fix the findings, then run another scan to confirm. There's no discount for repeat orders right now, but we may add one once we have stable volume.
Email support@getcodeaudit.com if you'd like to scan more than 10 targets per month. We'll set you up with bulk pricing and an API key.
Yes. The PDF uses AES-256 encryption. The password is generated per order and shown in the same email as the signed download link, in a styled box. The download link is gated by email verification — whoever clicks must confirm the email address it was sent to before any download starts. You can re-download from the scan-complete page using the same email-verify gate.
No catch. We built the scanning engine once and the marginal cost per scan is just compute + bandwidth, which is pennies. We price it where small businesses and indie devs can actually afford it — that's a market traditional pentest firms can't reach. We make money on volume, not margin per scan.
$19.99 USD. ~5-10 minutes. 40-70 page PDF in your inbox.
Start pentest →See a sample report (PDF) · or read the pentest Terms of Service first.
Find an answer or send us a message.
Most scans complete within a few minutes. You'll get an email with your report as soon as it's ready.
No. Testing is non-destructive and rate-limited; it's designed to observe, not to break anything.
You must own the target or have written permission. Scanning without authorization may be illegal, and you confirm authorization at checkout.
Only what's needed to run the scan and deliver the report. Reports are auto-purged after 30 days, data is encrypted, and we never sell it. See our Privacy Policy for detail.
Pentest orders include one free rescan within 7 days — open your report page and click "Request free rescan".
Yes. The report PDF is encrypted; you verify your email to retrieve it.
Use the "Submit a ticket" tab and our team will get back to you by email.
Prefer email? Reach us directly at
support@getcodeaudit.com
For anything about an existing order, include your order reference so we can find it faster.