No marketing fluff. This page lays out exactly what we test, what we don't, what the deliverable looks like, and how we compare to a traditional pentest consultant. If anything's unclear, contact us before paying.
Every check listed below runs on every pentest. Each finding in your PDF report includes the exact HTTP request that triggered it, the response we received, the CVSS 3.1 vector, the relevant OWASP / CWE references, and concrete remediation steps. Methodology is drawn from OWASP Top 10 2021, OWASP API Top 10, CWE Top 25, and PCI-DSS / NIST controls where applicable.
Configuration mistakes on production servers — outdated software, debug modes accidentally left on, internal files leaked through the web.
Recon data your site leaks to attackers without anyone noticing: server versions, internal comments, framework fingerprints.
HTTPS configuration, certificate validity, redirect behaviour, and protection against downgrade attacks.
Modern browser security primitives (CSP, X-Frame-Options, etc.) that block whole classes of attack when configured correctly.
How cookies are scoped, who can read them, and whether they protect session integrity correctly.
Login forms: whether they can be located, whether they are rate-limited and CSRF-protected, and whether the password policy is sensible.
Once a user is logged in, can they see or do things they shouldn't?
The OWASP-classic exploit categories — SQL injection, XSS, command injection, traversal, SSRF, SSTI, XXE.
Surface-level API misconfigurations — permissive CORS, unsafe HTTP methods, GraphQL introspection, JWT pitfalls.
JavaScript bundles shipped to browsers — leaked secrets, unsafe inline handlers, missing integrity checks.
DNS-level email auth (SPF, DKIM, DMARC) that prevents your domain from being spoofed.
Domain-level reconnaissance — subdomain enumeration, zone-transfer attempts.
Network-level checks against the target host — administrative ports exposed, sensitive files reachable, security.txt.
Search-engine and crawler signals — robots.txt, sitemaps, titles, descriptions, social-share tags.
Hygiene checks that signal a professionally-maintained site (and prevent simple footgun bugs in production).
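As an added illustration of the header and cookie checks listed above (example code written for this page, not the scanning engine itself), the following Python audits one captured HTTP response and produces findings in the report's severity scheme. The response headers are constructed for the example; the thresholds (one-year HSTS, the cookie-name heuristic that treats session-looking cookies as higher risk) are the example's own assumptions, not the service's.

```python
import re
from dataclasses import dataclass

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")
# Heuristic (an assumption of this example): cookies whose names look like
# session or auth material get Medium, preference cookies get Low.
SESSION_HINT = re.compile(r"sess|auth|token|login|sid", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str
    title: str
    evidence: str  # the header line (or its absence) that triggered the finding


# Constructed sample: headers of a hypothetical response to GET /login.
SAMPLE_HEADERS = [
    ("Server", "nginx/1.18.0"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]


def header(headers, name):
    """First value of a header, case-insensitive; None if absent."""
    return next((v for k, v in headers if k.lower() == name.lower()), None)


def csp_directive(policy, name):
    """Source list of one CSP directive, or None if the directive is not set."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True  # flag attrs become True
    return name, attrs


def audit_headers(headers):
    findings = []
    hsts = header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append(Finding("Medium", "HSTS missing", "(no Strict-Transport-Security header)"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 31536000:  # one year, the usual minimum
            findings.append(Finding("Low", "HSTS max-age shorter than one year",
                                    f"Strict-Transport-Security: {hsts}"))

    csp = header(headers, "Content-Security-Policy")
    if csp is None:
        findings.append(Finding("Medium", "No Content-Security-Policy", "(header absent)"))
    else:
        # script-src falls back to default-src when it is not set explicitly
        scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src") or []
        if "'unsafe-inline'" in scripts:
            findings.append(Finding("Low", "CSP allows inline scripts", f"Content-Security-Policy: {csp}"))

    # Framing is blocked by X-Frame-Options or by frame-ancestors (no default-src fallback)
    no_fa = csp is None or csp_directive(csp, "frame-ancestors") is None
    if header(headers, "X-Frame-Options") is None and no_fa:
        findings.append(Finding("Medium", "Clickjacking: no X-Frame-Options or frame-ancestors",
                                "(neither present)"))

    xcto = header(headers, "X-Content-Type-Options")
    if (xcto or "").lower() != "nosniff":
        findings.append(Finding("Low", "X-Content-Type-Options: nosniff missing",
                                f"X-Content-Type-Options: {xcto or '(absent)'}"))

    server = header(headers, "Server")
    if server and re.search(r"\d+\.\d+", server):
        findings.append(Finding("Info", "Server version disclosed", f"Server: {server}"))

    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        line = f"Set-Cookie: {v}"
        sev = "Medium" if SESSION_HINT.search(name) else "Low"
        if "secure" not in attrs:
            findings.append(Finding(sev, f"Cookie '{name}' lacks Secure (sent over plain HTTP)", line))
        if "httponly" not in attrs:
            findings.append(Finding(sev, f"Cookie '{name}' readable from JavaScript (no HttpOnly)", line))
        samesite = str(attrs.get("samesite", "")).lower()
        if not samesite:
            findings.append(Finding("Low", f"Cookie '{name}' has no SameSite attribute", line))
        elif samesite == "none" and "secure" not in attrs:
            findings.append(Finding("Medium", f"Cookie '{name}' is SameSite=None without Secure", line))
        if str(attrs.get("domain", "")).startswith("."):
            findings.append(Finding("Info", f"Cookie '{name}' is scoped to every subdomain", line))
    return findings


def count_by_severity(findings):
    """Counts in the order the executive summary lists them."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in audit_headers(SAMPLE_HEADERS):
        print(f"[{f.severity}] {f.title}  <-  {f.evidence}")
    print(count_by_severity(audit_headers(SAMPLE_HEADERS)))
```

Each finding carries the raw header line as evidence, which is the property that lets a reader verify it independently; the sample above yields two Medium, five Low and one Info finding.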
Within ~6 minutes of payment, you receive an encrypted PDF by email. The password is sent in a separate email. The format follows the layout used by professional pentest firms — same sections, same severity scheme, same evidence requirements.
One page suitable for non-technical stakeholders: count by severity, top 3 risks, business impact, recommended next steps.
What we tested, how, what was out-of-scope, what tools we used. Useful for compliance audits.
Every finding with severity (Critical / High / Medium / Low / Info), CVSS 3.1 vector, CWE reference, OWASP category, status (Confirmed / Likely / Informational).
For each finding: description, technical impact, exact HTTP request that triggered it, response evidence, proof-of-concept payload, and remediation guidance with code samples.
Cross-reference table mapping each finding to OWASP Top 10 2021 categories, CWE Top 25, and where applicable, NIST and PCI-DSS controls.
Full request/response logs for confirmed findings, TLS report card, scan timing data, and a checklist of all 200+ tests performed.
Be honest with yourself: this is automated black-box testing, not a manual pentest by a human. It catches what humans test for first, fast, and at scale — but it can't replace a $5,000+ manual engagement for complex application logic flaws.
We're not pretending to be a $50,000 boutique pentest firm. We're filling a different gap — fast, cheap, automated checks for the things that get exploited most often in the wild.
Every finding includes the exact request and response that triggered it, so you can verify yourself. We mark findings as Confirmed (we got concrete evidence — e.g. an XSS canary reflected unescaped), Likely (strong signal but couldn't fully exploit, e.g. time-based SQLi with ambiguous timing), or Informational (best-practice violation, not directly exploitable). False-positive rate for Confirmed findings is under 2% on our internal benchmark.
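To make the Confirmed / Likely / Informational split concrete for the XSS canary case mentioned above, here is an added example (written for this page, not the service's own triage code) that sends a probe made of two quote characters, an angle bracket and a random token, then grades each response by which of those metacharacters came back unencoded. The five response bodies are constructed; the status names follow the report's scheme, and the mapping from surviving characters to status is this example's assumption.

```python
import html
import re
import secrets

# Worst-to-best ordering so that, with several reflections, the strongest one wins
STATUS_RANK = {None: 0, "Informational": 1, "Likely": 2, "Confirmed": 3}


def make_canary():
    """Random token so a hit cannot be confused with text already on the page."""
    return "xc" + secrets.token_hex(4)


def build_payload(token):
    """The probe sent in the parameter: double quote, single quote, '<', then the token."""
    return f"\"'<{token}>"


# The forms in which the three metacharacters in front of the token can come back
_PREFIX = re.compile(
    r'(?P<dq>"|&quot;|&#34;|&#x22;)'
    r"(?P<sq>'|&#39;|&#x27;|&apos;)"
    r"(?P<lt><|&lt;|&#60;|&#x3c;)$",
    re.IGNORECASE,
)


def classify_prefix(prefix):
    """Decide what one reflection proves from the text immediately before the token."""
    m = _PREFIX.search(prefix)
    if m is None:
        # token came back but the metacharacters were stripped or rewritten by a filter
        return "Informational"
    if m.group("lt") == "<":
        return "Confirmed"       # a raw '<' means tag injection works as sent
    if m.group("dq") == '"' or m.group("sq") == "'":
        return "Likely"          # a quote survives: attribute or JS-string context may be breakable
    return None                  # everything encoded: correct behaviour, no finding


def classify_reflection(body, token):
    """Return (status, evidence) for the strongest reflection of the token in the body."""
    best, evidence = None, ""
    for m in re.finditer(re.escape(token), body):
        start = m.start()
        status = classify_prefix(body[max(0, start - 40):start])
        if STATUS_RANK[status] > STATUS_RANK[best]:
            best = status
            evidence = body[max(0, start - 40):m.end() + 10]  # excerpt that goes in the report
    return best, evidence


def triage(responses, token):
    """Status per response name, for a batch of captured bodies."""
    return {name: classify_reflection(body, token)[0] for name, body in responses.items()}


# Fixed token for the constructed samples; a real scan uses make_canary() per request
TOKEN = "xcdeadbeef"
PAYLOAD = build_payload(TOKEN)

# Constructed response bodies for ?q=<PAYLOAD> on five hypothetical pages
SAMPLE_RESPONSES = {
    "raw": f"<h1>Results for {PAYLOAD}</h1>",
    # only the double quote and '<' were encoded; the single quote survived
    "attr": f"<input name=\"q\" value='&quot;'&lt;{TOKEN}&gt;'>",
    "escaped": f"<h1>Results for {html.escape(PAYLOAD)}</h1>",
    "stripped": f"<h1>Results for {TOKEN}</h1>",
    "absent": "<h1>No results</h1>",
}

if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        status, evidence = classify_reflection(body, TOKEN)
        print(f"{name:9s} {str(status):14s} {evidence}")
```

The "attr" case is the one that earns Likely rather than Confirmed: the single quote reflects raw inside a single-quoted attribute, which is a strong signal, but the probe as sent does not yet execute, so a human still has to craft the attribute-context payload.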
Don't pay. The checkout form requires you to confirm in writing that you own the domain or have explicit written authorization from the owner. Lying on that form makes you personally liable under Section 43 of the Indian IT Act 2000 (or your local equivalent). We log your IP and timestamp at order placement and will share that with law enforcement if served with a valid request.
Typically 5–10 minutes for a small-to-medium site (under 200 pages). Larger sites or slower servers can take up to 30 minutes. You'll see live progress on the scan-status page during the run, plus get an email when the report is ready.
You get an automatic full refund. Razorpay returns the money to your original payment method within 5–7 working days (or faster via instant refund for cards). You'll receive an apology email when the refund is initiated, and a confirmation email when it's been processed.
Almost never. We rate-limit ourselves to ~10 requests per second per target and back off on 5xx responses. We don't use any actually-destructive payloads (no DROP TABLE, no infinite loops, no recursive directory creation). That said, if your site is hosted on a tiny VPS with no caching, you may notice elevated load during the scan window.
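The self-imposed rate limit and 5xx backoff described above can be expressed as a small scheduling policy. The following is an added example written for this page, not the service's scanner: a token bucket capped at a configurable requests-per-second rate, plus an exponential pause after each consecutive 5xx that resets on the next non-5xx response. The clock and sleep are injectable so the policy runs against a simulated clock; the backoff constants (0.5 s base, 8 s cap) are this example's assumptions.

```python
import time

# Tolerance for floating-point drift when refilling the bucket
_EPS = 1e-9


class PoliteScheduler:
    """Token bucket at `rate` requests/second plus exponential backoff on 5xx."""

    def __init__(self, rate=10.0, burst=10, base_backoff=0.5, max_backoff=8.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.rate, self.burst = rate, burst
        self.base_backoff, self.max_backoff = base_backoff, max_backoff
        self.clock, self.sleep = clock, sleep
        self.tokens = float(burst)
        self.last = clock()
        self.consecutive_5xx = 0

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def acquire(self):
        """Wait until a request may be sent; returns the send time."""
        self._refill()
        while self.tokens < 1 - _EPS:
            self.sleep((1 - self.tokens) / self.rate)
            self._refill()
        self.tokens -= 1
        return self.clock()

    def record(self, status):
        """Call with each response status; the pause doubles after every consecutive 5xx."""
        if 500 <= status < 600:
            self.consecutive_5xx += 1
            delay = self.base_backoff * 2 ** (self.consecutive_5xx - 1)
            self.sleep(min(self.max_backoff, delay))
        else:
            self.consecutive_5xx = 0


class FakeClock:
    """Simulated time for the example: sleep() just advances the clock."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def simulate(statuses, rate=10.0, burst=1):
    """Send times for a constructed sequence of server status codes under the policy."""
    clk = FakeClock()
    sched = PoliteScheduler(rate=rate, burst=burst, clock=clk.now, sleep=clk.sleep)
    sent = []
    for status in statuses:
        sent.append(sched.acquire())
        sched.record(status)
    return sent


if __name__ == "__main__":
    print(simulate([200] * 5))              # sends about 0.1 s apart at 10 req/s
    print(simulate([200, 503, 503, 200]))   # pauses 0.5 s, then 1.0 s, after the 503s
```

Setting `burst` to the per-second rate lets a real scanner open with a short burst and then settle at the steady rate; the simulation uses a burst of one so the spacing is visible.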
Yes, for 30 days, so you can re-download the report if you lose the PDF. After 30 days, the findings table is purged automatically. The order record (your email, target URL, payment ID) is retained for accounting purposes per Indian tax law.
Yes. Each scan is $5 and a fresh order. Many customers run a scan before launch, fix the findings, then run another scan to confirm. There's no discount for repeat orders right now, but we may add one once we have stable volume.
Email support@getcodeaudit.com if you'd like to scan more than 10 targets per month. We'll set you up with bulk pricing and an API key.
Yes. The PDF is encrypted with AES-256. The password is generated per order and sent in a separate email from the report PDF, so someone who obtains only one message (a forwarded attachment, a copy in a mail-gateway log) still needs the other to read the findings. The split does not protect you if your whole mailbox is compromised, since both messages land there, so treat the report like any other sensitive attachment. You can also re-download it from the scan-complete page through the email verification gate.
No catch. We built the scanning engine once and the marginal cost per scan is just compute + bandwidth, which is pennies. We price it where small businesses and indie devs can actually afford it — that's a market traditional pentest firms can't reach. We make money on volume, not margin per scan.
$5 USD. ~6 minutes. 60-page PDF in your inbox.
Start pentest → Or read the pentest Terms of Service first.