Penetration Testing

12 Questions to Ask an Outsourced Pentest Vendor (2026)

12 questions a SaaS CTO should ask before signing an outsourced pentest vendor. SOC 2, ISO 27001, investor diligence, enterprise onboarding. INR + USD.

Ashok S Kamat & Rathnakara GN
Cybersecify

An outsourced pentest engagement costs INR 75,000 to INR 5 lakh per scope (approximately USD 900 to USD 6,000 at Indian boutique pricing, USD 8,000 to USD 25,000 at US boutique pricing) and takes 14 to 21 calendar days end to end. The biggest cost is not the budget; it is the downstream consequence if the report fails SOC 2 audit review, Series A investor diligence, or an enterprise customer security questionnaire. Asking 12 specific questions on the scoping call separates vendors who deliver audit-acceptable reports from vendors who deliver scanner-output PDFs reformatted as deliverables. This guide walks through the 12 questions a Series A SaaS CTO should ask any outsourced pentest vendor in 2026, the green-flag and red-flag patterns in vendor answers, and the buyer trigger (compliance, investor diligence, enterprise customer onboarding, or post-breach fear) each question maps to. For the deliverable format the right answers produce, see the Cybersecify SOC 2 plus ISO 27001 ready pentest report sample.

Key findings

  • Outsourced pentest is the right choice for almost every SaaS startup, but vendor selection decides whether the eventual report counts as evidence. Series A and Series B SaaS rarely have the in-house scope volume (12+ engagements per year) that makes hiring an internal pentester economically rational; outsourcing is the structural default.
  • 12 questions on the scoping call surface the variables that decide audit acceptance: scope, retest, sample report, named tester, methodology, production vs staging, NDA and data residency, timeline, engagement cost inclusions, post-deliverable audit support, zero-day disclosure protocol, and pricing transparency.
  • Four frameworks every credible vendor should name by version: PTES (seven-phase engagement model), OWASP WSTG v5.0 (web app test cases), OWASP API Security Top 10 2023 (API test cases), NIST SP 800-115 (engagement and reporting structure for US auditor recognition).
  • One annual external pentest report typically serves SOC 2 + ISO 27001 + DPDP + enterprise customer security questionnaires for 12 months if scope, methodology, tester credentials, and retest evidence are documented per the 12-question framework.
  • Indian boutique pentest pricing is roughly 4 to 8 times lower per scope than US boutique pricing for equivalent methodology depth; geography-driven floors are real but the right question is whether the report quality matches the downstream consumer expectation, not which geography is cheapest.
  • One free retest within 30 days bundled into the engagement is the industry-acceptable model. Vendors that bill retest separately at 25 to 50 percent of the engagement fee create incentive structures opposite to what the buyer needs.
  • Pricing transparency is the cheapest possible vendor honesty signal. Vendors publishing per-scope pricing on the website are operating on scope discipline; vendors quoting only after the scoping call are typically price-discriminating or operating without standard scope.

Cybersecify is a founder-led penetration testing firm based in Bengaluru, India, serving AI-first and API-first SaaS startups from Seed to Series B across India, the UK, the US, the EU, Singapore, Australia, and Hong Kong. Both founders work every engagement: Rathnakara GN (OSCP, CompTIA PenTest+, M.Sc Cyber Security) leads testing; Ashok S Kamat handles scoping, compliance mapping, and post-engagement audit and investor diligence support. The pentest pricing is published at /pricing/: Startup Pentest INR 74,999 (approximately USD 900, GBP 700, EUR 830) for one scope in 7 days; Growth Pentest INR 1,79,999 (approximately USD 2,150, GBP 1,700, EUR 2,000) for two scopes in 10 days with SOC 2 plus ISO 27001 evidence mapping. For the deliverable format, see our SOC 2 plus ISO 27001 ready pentest report sample.

Reading this from outside India? The 12 questions are jurisdiction-agnostic; the vendor-evaluation framework applies identically whether you are buying from a UK, US, EU, Singapore, Australian, or Indian pentest vendor. Pricing references are in INR with USD, GBP, and EUR equivalents below. We invoice in INR per Indian regulation; international clients pay via wire transfer at the prevailing FX rate at time of invoice. GST does not apply on export of services from India (zero-rated). Jurisdiction for any contractual dispute is Bengaluru, India, per Indian Contract Act 1872, non-negotiable across geographies; this is consistent with similar boutique pentest vendors globally who anchor jurisdiction to their incorporation location.

International buyers: USD / GBP / EUR / SGD / AUD / HKD equivalents

Our INR pricing converts approximately as follows (rates as of 2026-06-24):

Plan                           INR        USD      GBP      EUR      SGD      AUD      HKD
Startup Pentest                74,999     ~900     ~700     ~830     ~1,160   ~1,330   ~6,820
Growth Pentest                 1,79,999   ~2,150   ~1,700   ~2,000   ~2,800   ~3,200   ~16,360
Security Retainer (per month)  24,999     ~300     ~230     ~280     ~385     ~440     ~2,275

Approximate conversions calculated 2026-06-24 (1 USD ≈ ₹84, 1 GBP ≈ ₹107, 1 EUR ≈ ₹90, 1 SGD ≈ ₹65, 1 AUD ≈ ₹57, 1 HKD ≈ ₹11). We invoice in INR per Indian regulation; international clients pay via wire transfer at the prevailing FX rate at time of invoice.

Why ask these 12 questions before signing

The buyer of an outsourced pentest engagement is rarely the consumer of the eventual report. The SaaS CTO or founder signs the SOW. The actual consumer is one of four downstream audiences, mapped against the four buyer triggers that drive pentest demand in the first place.

Compliance audit consumer. SOC 2 Type 2 auditor or ISO 27001:2022 certification body reviewer. They read the report for scope coverage against the system description, methodology rigour (named frameworks with versions), tester independence documentation, and retest addendum showing remediation evidence. A report that fails any of those checks triggers an auditor follow-up that delays the audit by 1 to 3 weeks.

Investor diligence consumer. Series A or Series B investor security reviewer (in-house or via a hired diligence firm like Praesidio, Coalfire, Bishop Fox, NCC Group). They read the executive summary for severity counts and trend versus prior reports, then drill into Critical and High findings for exploitability and remediation status. Self-attested or in-house-only reports fail the independence test by construction.

Enterprise customer security review consumer. The security questionnaire reviewer in enterprise procurement at a Fortune 500, a BFSI buyer, a healthcare buyer, or a hyperscaler marketplace vendor onboarding team. They want the report itself plus a Letter of Attestation signed by the lead tester confirming that testing was completed per scope and methodology. Test plans and scope statements are increasingly requested as separate attachments.

Post-breach board response consumer. After a breach in the company stack, a competitor breach in the news cycle, or a board-level security review, the audit committee or post-incident review team needs fresh independent eyes on the system. The report goes to the board; the methodology and scope discipline are what the board’s security advisor reads to assess whether the engagement was thorough.

The 12 questions surface every variable each of the four consumers cares about. A SaaS CTO who walks through all 12 on the scoping call is buying a report that fits all four downstream uses; a CTO who skips half is buying a report that may or may not pass depending on which downstream audience reads it first.

The 12 questions

Question 1: What is actually included in your scope?

The scope statement is the single most-rejected element at downstream audit and investor review. A vendor that cannot answer this question with concrete production assets, user roles, and explicit out-of-scope items is selling scope ambiguity that the buyer will pay for later.

What good answers look like. The vendor enumerates each production URL or API base path tested, each user role exercised (anonymous, regular user, admin, super-admin), each third-party integration boundary (Stripe, Twilio, AWS console, hyperscaler service surfaces), the test environment (production with rate-limited credentials, staging with production-like data, or a dedicated test instance), and the explicit out-of-scope list (DDoS, social engineering, physical access, third-party infrastructure). For a SaaS startup with one web app, one REST API, and a Stripe checkout integration, a good vendor scope statement reads roughly as follows:

  • In scope: https://app.example.com (production web app, all customer-facing routes plus the admin console at /admin) and https://api.example.com (production REST API, all v1 endpoints, excluding the Stripe webhook endpoints).
  • User roles tested: anonymous, regular user (free tier), regular user (paid tier), workspace admin, super admin.
  • Out of scope: Stripe payment infrastructure, Twilio SMS gateway, AWS console and IAM (separate cloud scope), DDoS or volumetric testing, social engineering, physical access.

Red flags. Vague language like web application security assessment without listing specific production assets, no enumeration of user roles, no explicit out-of-scope list, or scope changes during the engagement without a written change order. If a vendor cannot tell you on the scoping call what they will and will not test, the eventual report will have the same ambiguity, and the auditor or investor reviewer will surface it as a finding against your engagement.

Cybersecify scope discipline. Both Startup Pentest and Growth Pentest engagements include a written scope statement at SOW signature, refined into a per-engagement test plan at kickoff. The Growth Pentest at INR 1,79,999 covers two scopes by default (typically one web app plus one API, or one mobile app plus one API). For the broader scope-design question, see our web application pentest service page, API pentest service page, and cloud pentest service page.
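A scope statement that enumerates hosts, paths, and exclusions can be checked mechanically before each request is sent, which is how a tester avoids straying into Stripe or a staging host mid-engagement. The following is an added example in Python, not Cybersecify tooling and not taken from the SOW language above, that turns the sample scope statement into a guard. The host names are those used in the text; the Stripe webhook path /v1/webhooks/stripe and the third-party hosts are assumptions standing in for what a real SOW would list.

```python
from urllib.parse import urlsplit


class OutOfScope(Exception):
    """Raised by guard() when a target falls outside the written scope statement."""


# Constructed scope statement for the hypothetical SaaS described in the text.
# Host names follow the text; the Stripe webhook path and the third-party hosts
# are assumptions standing in for what the SOW would actually list.
SCOPE = {
    "in_scope": {
        "app.example.com": ["/"],       # all customer-facing routes plus /admin
        "api.example.com": ["/v1/"],    # all v1 endpoints
    },
    "excluded": {
        "api.example.com": ["/v1/webhooks/stripe"],   # assumed webhook path
    },
    "third_party": {"api.stripe.com", "api.twilio.com", "console.aws.amazon.com"},
}


def _under(path, prefix):
    """True if path equals prefix or lies below it on a path-segment boundary,
    so an exclusion on /v1/webhooks/stripe does not match /v1/webhooks/stripe2."""
    prefix = prefix.rstrip("/")
    if prefix == "":            # prefix was "/": everything on the host
        return True
    return path == prefix or path.startswith(prefix + "/")


def classify(url, scope=SCOPE):
    """Return the scope verdict for a URL: in_scope, excluded, third_party,
    unlisted_host, unlisted_path, or bad_scheme."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if host in scope["third_party"]:
        return "third_party"            # Stripe, Twilio, AWS: never test these
    if host not in scope["in_scope"]:
        return "unlisted_host"          # covers staging.app.example.com too
    if parts.scheme != "https":
        return "bad_scheme"             # the SOW names https production URLs only
    if any(_under(path, p) for p in scope["excluded"].get(host, [])):
        return "excluded"               # carve-outs win over in-scope prefixes
    if any(_under(path, p) for p in scope["in_scope"][host]):
        return "in_scope"
    return "unlisted_path"              # e.g. /v2/ on the API host


def guard(url, scope=SCOPE):
    """Call before every request; returns the URL or raises OutOfScope."""
    verdict = classify(url, scope)
    if verdict != "in_scope":
        raise OutOfScope("%s refused: %s" % (url, verdict))
    return url


if __name__ == "__main__":
    for target in (
        "https://app.example.com/admin/users",
        "https://api.example.com/v1/webhooks/stripe",
        "https://staging.app.example.com/",
        "https://api.stripe.com/v1/charges",
    ):
        print(target, "->", classify(target))
```

The verdict order matters: third-party hosts are rejected before anything else, exclusions are checked before the in-scope prefixes so a carve-out inside an in-scope path wins, and matching is done on whole path segments so an exclusion on /v1/webhooks/stripe does not also silence a differently named endpoint under the same prefix. Unlisted subdomains such as staging.app.example.com are rejected rather than assumed to be covered by a wildcard, which mirrors the point that the SOW should name assets, not patterns.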

Question 2: How do you handle the retest after fixes?

Retest is the second-most-rejected pentest report element at downstream audit. SOC 2 and ISO 27001 auditors specifically want to see the retest addendum, not just the initial findings list, because the addendum proves remediation worked.

What good answers look like. The vendor includes one retest within a 30-day window from final report delivery, at no additional cost. The retest scope covers all Critical and High findings as the audit-acceptable default, plus Medium and Low findings if the buyer requests and the retest budget allows. The retest depth is full re-exploitation rather than configuration check only; the auditor wants to see that the vulnerability is actually closed, not just that the configuration was changed. The retest deliverable is a separate retest addendum or an appended status table in the original report; both formats are auditor-acceptable, but the vendor should specify which.

Red flags. Retest is billed separately at 25 to 50 percent of the engagement fee, the retest window is shorter than 30 days, retest depth is configuration check only without re-exploitation, or the vendor has no documented retest scope policy and decides per engagement. Vendors that profit from findings staying open across billing cycles have incentive structures opposite to the buyer’s interest.

Cybersecify retest discipline. One free retest within 30 days of final report delivery, bundled into both Startup Pentest at INR 74,999 and Growth Pentest at INR 1,79,999. Retest scope covers all Critical and High findings as default; Medium and Low retest available on request within the same retest cycle. Retest depth is full re-exploitation. Retest deliverable is a separate retest addendum the buyer can hand to the auditor or investor reviewer without further translation. For the broader question of when to schedule a re-pentest beyond the bundled retest cycle, see when to re-pentest your SaaS application.

Question 3: What does your sample report look like?

The sample report is the single most reliable predictor of engagement quality. A vendor that cannot share a redacted sample is hiding the deliverable; a vendor that shares a sample is letting the buyer evaluate quality before paying.

What good answers look like. The vendor shares a full redacted sample report (executive summary, technical findings, evidence appendices, compliance mapping, retest addendum format) either as a downloadable PDF or as a public web page that the buyer can inspect without filling out a lead capture form. The sample report contains five quality elements: an executive summary written for a CTO and a board member, structured per-finding fields, evidence appendices with screenshots and request and response captures, compliance mapping connecting findings to SOC 2 Trust Services Criteria and ISO 27001:2022 Annex A controls, and the retest addendum format.

Red flags. The vendor refuses to share a sample, gates the sample behind a lead capture form before any scoping call, shares only an executive summary excerpt without the technical findings, or the sample is a scanner-output PDF with only title and severity fields per finding (no reproduction steps, no business impact, no compliance mapping).

Cybersecify sample report. The full SOC 2 plus ISO 27001 ready sample report is published at /sample-report/ with no lead capture gate. The sample includes redacted technical findings with CVSS v3.1 scoring, reproduction steps, business impact, compliance mapping to SOC 2 TSC and ISO 27001:2022 Annex A, retest addendum format, and the Letter of Attestation template. Buyers can compare this against any other vendor’s sample on equivalent terms. For the broader question of how to read a pentest report once delivered, see how to read a VAPT report.

Question 4: Who is actually doing the testing?

Tester continuity from scoping through testing through reporting through retest is the difference between a credentialed engagement and a sales-handoff engagement. The named lead tester matters because the report is the artifact a downstream consumer reviews; the consumer needs to know who tested, what credentials they hold, and whether they are the same person who signed off on the report.

What good answers look like. The vendor names the lead tester in writing, including their certifications (OSCP, CompTIA PenTest+, CEH, or other recognized pentest certifications relevant to the buyer’s jurisdiction), years of pentest experience, and the engagement role (lead tester scoping plus testing plus reporting plus retest, supported by additional team members on specific test cases). The same lead tester signs the test plan, the final report, and the Letter of Attestation. Founder involvement is documented if the vendor markets founder-led delivery as a differentiator.

Red flags. The vendor will not name the lead tester until kickoff, the salesperson on the scoping call cannot describe the lead tester’s experience, the lead tester changes mid-engagement, or the testing is handed to a junior team member while the senior name appears only on the cover page of the report.

Cybersecify tester continuity. Both founders work every engagement. Rathnakara GN (OSCP, CompTIA PenTest+, M.Sc Cyber Security) leads testing on every Cybersecify engagement and signs the final report and Letter of Attestation. Ashok S Kamat handles scoping, compliance mapping, and post-engagement audit and investor diligence support. The founder-led delivery model is documented at /about/. The lead tester is named in the SOW at signature, not announced at kickoff.

Question 5: What methodology and reporting standard do you follow?

A vendor that cannot name the frameworks they follow, with version numbers, is either unsure of their own methodology or hiding the fact that they do not have one. Naming frameworks by version is one of the cheapest signals of vendor seriousness.

What good answers look like. The vendor names PTES (Penetration Testing Execution Standard) for the seven-phase engagement model, OWASP WSTG v5.0 for web application test cases, OWASP API Security Top 10 2023 edition for API test cases, and NIST SP 800-115 for engagement structure and reporting format. Findings are scored using CVSS v3.1 with the vector string documented per finding so a downstream reviewer can re-derive the score. The reporting standard includes executive summary plus technical findings plus evidence appendices plus compliance mapping plus retest addendum, in that order. See Cybersecify’s methodology page for the full framework reference.

Red flags. Industry best practices without naming a framework, proprietary methodology that the vendor will not document, no CVSS scoring or a non-standard severity rubric (Critical/High/Medium/Low without numeric CVSS attached), or report format that varies per engagement based on what the tester felt like writing.

Cybersecify methodology. PTES seven-phase model plus OWASP WSTG v5.0 plus OWASP API Security Top 10 2023 plus NIST SP 800-115. CVSS v3.1 scoring per finding with vector strings documented. Report format is consistent across engagements. Full methodology reference at /methodology/.

Question 6: How do you handle production versus staging testing?

The production-versus-staging decision affects engagement quality and risk. Production testing finds production-relevant findings but carries data-exposure risk; staging testing carries no production risk but may miss production-specific configuration findings. The right answer is engagement-specific and the vendor should walk through the tradeoffs.

What good answers look like. The vendor asks the buyer about the production data sensitivity, the staging environment fidelity to production, and any regulatory constraints (DPDP Act 2023 reasonable safeguards for India, GDPR Article 32 for EU, UK Data Protection Act 2018 for the UK, Australian Privacy Principles APP 11 for Australia, HIPAA for US healthcare, PCI DSS for payment processors). The vendor then recommends one of three options: production testing with rate-limited credentials and minimal data access for engagements where staging fidelity is low, staging testing with synthetic data for engagements where staging mirrors production faithfully, or a dedicated test instance with no production data exposure for highest-sensitivity scopes. The vendor documents data classes in scope (PII, payment data, healthcare data, business logic data) in the SOW and adapts methodology accordingly.

Red flags. The vendor insists on production testing without discussing data exposure, the vendor insists on staging testing without checking environment fidelity, or the vendor offers no opinion and leaves the decision to the buyer (the buyer is not the methodology expert).

Cybersecify production vs staging discipline. The default for SaaS engagements is production testing with rate-limited credentials, scoped to minimize PII access. Staging testing is used instead where the staging environment mirrors production faithfully (same code version, same configuration, similar data shape) and where production testing carries unacceptable data-exposure risk. A dedicated test instance is used for the highest-sensitivity scopes (healthcare buyer, BFSI buyer, hyperscaler infrastructure scope). The choice is documented in the SOW and reaffirmed in the test plan at kickoff.

Question 7: What is your NDA and data-residency stance?

International SaaS buyers engaging India-based pentest vendors typically check NDA terms and data-residency claims first. A vendor that has clear documented answers signals operational discipline; a vendor that improvises both signals operational risk.

What good answers look like. The vendor sends a standard mutual NDA at scoping that covers engagement scope, deliverable confidentiality, evidence retention window (typical default is 90 days post final report, longer on request for audit cycles), and sub-contractor disclosure (clearly stating whether any work is sub-contracted and to whom). The NDA names the jurisdiction for any dispute (typical for an Indian boutique is Bengaluru, India, per Indian Contract Act 1872, non-negotiable across geographies; this is consistent with similar vendors globally who anchor jurisdiction to their incorporation location). Data residency claims are verifiable: if the vendor says testing evidence is stored in AWS Mumbai region, the vendor can demonstrate the storage location during the engagement. If the vendor stores evidence on a personal laptop or in a generic cloud bucket without region commitment, that is a risk the buyer should know upfront.

Red flags. The vendor has no standard NDA and asks the buyer to draft one, the vendor signs any NDA the buyer presents without review (signals legal-discipline gaps), the vendor cannot answer where engagement artifacts are stored, the vendor refuses to commit to a retention window, or sub-contracted testers are not disclosed.

Cybersecify NDA discipline. Standard mutual NDA sent at scoping. 90-day retention default post final report; longer retention available on request for audit and investor diligence cycles. Engagement artifacts stored on encrypted vendor-controlled infrastructure with documented region commitment. No sub-contracting; both founders work every engagement. Jurisdiction is Bengaluru, India, per Indian Contract Act 1872, non-negotiable across geographies, per Cybersecify Terms of Service.

Question 8: How fast can you start and finish?

Timeline expectations separate vendors with stable engagement capacity from vendors who over-promise and compress quality under deadline. The realistic timeline for a scope-bounded outsourced pentest engagement is 14 to 21 calendar days end to end.

What good answers look like. The vendor walks the buyer through the realistic phases: 3 to 5 days for scoping and SOW signature, 1 day for kickoff and environment access, 7 to 10 days for active testing (Startup tier 7 days, Growth tier 10 days, additional scopes add 3 to 5 calendar days each), 2 to 3 days for report drafting and internal vendor review, 1 to 2 days for client review and clarification, then retest within 30 days of report delivery. The vendor commits to a kickoff date and a final report delivery date in the SOW, with the test plan refined at kickoff. The vendor does not run rush engagements at a price premium; if the buyer has a hard downstream deadline, the right answer is to start 6 to 8 weeks before the deadline rather than compress the engagement window.

Red flags. The vendor commits to a 3-day or 5-day total engagement window for a multi-scope SaaS application (the deliverable will almost certainly be scanner output), the vendor offers rush pricing at 30 to 50 percent premium for compressed engagements (quality compresses unpredictably), or the vendor cannot commit to a kickoff date until two or three weeks after SOW signature (capacity issue).

Cybersecify timeline discipline. Startup Pentest at INR 74,999: 7 calendar days active testing, 14 days end to end from SOW signature to final report. Growth Pentest at INR 1,79,999: 10 calendar days active testing, 17 to 21 days end to end. Additional scopes add 5 calendar days each (parallel testing available on Growth tier for up to 3 scopes simultaneously, same price). No rush pricing; for buyers with hard downstream deadlines, start 6 to 8 weeks early. Kickoff dates committed in SOW at signature.

Question 9: What does the engagement cost include, and what is extra?

Scope creep on pentest engagements typically manifests as additional charges after the engagement starts: per-vulnerability pricing, per-finding triage fees, retest billed separately, executive presentation as a billable line item, framework-mapping as an upgrade, or post-engagement support charged hourly. A vendor that documents inclusions and exclusions in the SOW saves the buyer the surprise.

What good answers look like. The vendor documents in the SOW everything included in the engagement fee: scope of testing, methodology applied, number of testers, kickoff and status calls, draft and final report, evidence appendices, compliance mapping (if bundled), retest within the 30-day window, and Letter of Attestation (if bundled). The vendor also documents what is explicitly extra: additional scopes beyond the base tier (per-scope pricing), parallel testing to compress timeline (if priced separately), additional retests beyond the bundled one, executive presentation to the buyer’s board (if requested), and post-engagement consulting hours (if not bundled). No surprises in the final invoice.

Red flags. Per-vulnerability pricing (incentivizes report inflation), per-finding triage fees (incentivizes finding inflation), retest billed at 25 to 50 percent of the engagement fee (incentivizes findings staying open), framework-mapping as an upgrade (should be part of the report), or hourly charges for post-engagement clarification.

Cybersecify cost inclusion discipline. Startup Pentest INR 74,999 includes: one scope of testing, PTES plus OWASP WSTG v5.0 plus OWASP API Security Top 10 methodology, kickoff and status calls, draft and final report with executive summary and technical findings, evidence appendices, retest within 30 days, and 6 founder-led consulting hours useable within 6 months from kickoff. Growth Pentest INR 1,79,999 includes: two scopes, same methodology, kickoff and status calls, draft and final report with SOC 2 Trust Services Criteria plus ISO 27001:2022 Annex A mapping per finding, evidence appendices, retest within 30 days, Letter of Attestation, real-world attack simulation, and 12 founder-led consulting hours useable within 12 months from kickoff. Additional scopes priced at INR 74,999 each (+5 calendar days). Additional retests beyond the bundled one priced at INR 25,000 to INR 49,999. Full inclusions documented on the pricing page.

Question 10: Will you support our compliance audit or investor diligence call?

Post-deliverable support is where pentest engagements quietly add value or quietly fail. A vendor whose responsibility ends at report delivery leaves the buyer to defend the report alone in front of the auditor, the investor reviewer, or the enterprise customer security team. A vendor who supports the downstream conversation is materially more useful.

What good answers look like. The vendor commits to one or more of the following: a clarification call with the buyer’s SOC 2 or ISO 27001 auditor to walk through methodology and scope, a clarification call with the investor’s hired security diligence reviewer to walk through findings, a clarification call with the enterprise customer’s security team to respond to questionnaire follow-ups, and consulting hours for the buyer’s engineering team to translate findings into remediation plans. The post-deliverable support is documented in the SOW as included or as available at a documented hourly rate.

Red flags. The vendor’s responsibility ends at report delivery (the buyer is on their own with the auditor), post-deliverable support is billed at a high hourly rate without a documented cap, or the vendor is not available for clarification calls within a reasonable window after delivery.

Cybersecify post-deliverable support. Startup Pentest includes 6 founder-led consulting hours useable within 6 months from kickoff, typically applied to remediation pairing, audit support, or architecture review. Growth Pentest includes 12 founder-led consulting hours useable within 12 months from kickoff, typically applied to SOC 2 or ISO 27001 audit support, investor diligence calls, and enterprise customer security questionnaire response support. For the broader question of SOC 2 audit support specifically, see penetration testing for SOC 2 audit and ISO 27001 vs SOC 2: which first.

Question 11: What happens if you find a critical zero-day mid-engagement?

Zero-day disclosure protocol separates vendors who treat security as a discipline from vendors who treat security as a deliverable. Every credible vendor follows a documented coordinated disclosure flow when a critical zero-day surfaces.

What good answers look like. The vendor walks through the four-step disclosure protocol: (1) immediate pause of further testing on the affected scope and notification to the buyer’s designated security contact through the agreed escalation channel (email plus same-day call), (2) joint assessment of whether the zero-day is first-party (buyer’s code) or third-party (commercial software, open-source library, hyperscaler service), (3) decision on whether the engagement pauses or continues based on whether testing the rest of the scope risks further exploitation of the same vulnerability class, and (4) final report documents the zero-day as a Critical finding with full reproduction steps, with the buyer deciding whether the finding remains in the public-shared version of the report or is redacted (auditor-shared report typically includes the finding; customer-shared report typically redacts technical detail while preserving severity and remediation status). For third-party zero-days, the vendor coordinates with the buyer on disclosure to the upstream vendor, typically following a 90-day coordinated disclosure window.

Red flags. The vendor has no documented disclosure protocol, the vendor would publicly disclose the zero-day without buyer coordination, the vendor would not pause testing on the affected scope, or the vendor has no clear policy on first-party versus third-party finding handling.

Cybersecify disclosure protocol. Documented four-step coordinated disclosure: pause and notify within the same business day, joint first-party versus third-party assessment, pause-or-continue decision, final report with buyer-controlled public versus redacted version. Lead tester (typically Rathnakara GN, OSCP) holds disclosure timeline authority jointly with the buyer’s security owner. No public disclosure without buyer coordination.

Question 12: Do you publish public pricing, or is everything custom?

Pricing transparency is the cheapest possible signal of vendor honesty and operating discipline. A vendor that publishes per-scope pricing on the website with deliverables documented per tier is telling the buyer that scope discipline, deliverable quality, and engagement structure are stable enough to package as a product. A vendor that says all pricing is custom and never quotes until after a scoping call is typically doing so for one of two reasons: price discrimination on buyer signals, or the absence of a standard scope to price against.

What good answers look like. The vendor publishes per-scope pricing on the website with deliverables documented per tier. The published pricing includes additional scope pricing, retest inclusion, methodology, and timeline expectations. The scoping call refines the engagement-specific details (production versus staging, test environment access, evidence collection mechanics) but does not change the headline pricing materially. Buyers can compare on equivalent scope across vendors before booking a scoping call.

Red flags. All pricing is custom and never quoted publicly (typically price discrimination based on buyer signals like funding stage or geography, or operating without standard scope discipline), the published pricing does not document deliverables per tier (the buyer cannot compare against another vendor on equivalent terms), or the headline pricing changes materially after the scoping call (anchoring tactic).

Cybersecify pricing transparency. Startup Pentest at INR 74,999 (approximately USD 900, GBP 700, EUR 830) for one scope in 7 calendar days with 6 founder-led consulting hours and one free retest within 30 days. Growth Pentest at INR 1,79,999 (approximately USD 2,150, GBP 1,700, EUR 2,000) for two scopes in 10 calendar days with SOC 2 plus ISO 27001 evidence mapping per finding, Letter of Attestation, 12 founder-led consulting hours, and one free retest within 30 days. Security Retainer at INR 24,999 per month (3-month minimum) for ongoing consulting work with monthly external attack surface scans and Brand Protection scans bundled. Additional scope pricing INR 74,999 each on Growth tier. Full pricing and deliverables documented at /pricing/. For the broader cost question across the Indian pentest market in 2026, see penetration testing cost in India 2026.

What to look for in vendor answers: green flags and red flags

A vendor evaluation table that maps the 12 questions to green-flag and red-flag patterns.

| Question | Green flag | Red flag |
| --- | --- | --- |
| 1. Scope | Enumerated production URLs, user roles, explicit out-of-scope list | Vague “security assessment”, no enumeration, scope changes mid-engagement |
| 2. Retest | Free within 30 days, full re-exploitation, addendum format | Billed at 25 to 50 percent extra, configuration check only, no retest |
| 3. Sample report | Full redacted sample available without lead-capture gate | Refuses to share, gates behind lead form, executive summary only |
| 4. Named tester | Named in SOW, certs documented, signs report and Letter of Attestation | Named at kickoff, salesperson cannot describe, tester changes mid-engagement |
| 5. Methodology | PTES + OWASP WSTG v5.0 + OWASP API Top 10 2023 + NIST SP 800-115 by name | “Industry best practices”, proprietary methodology, no CVSS v3.1 |
| 6. Production vs staging | Discusses tradeoffs, documents data classes, recommends per engagement | Insists on one option, no opinion, leaves decision to buyer |
| 7. NDA + data residency | Standard mutual NDA, 90-day retention, no sub-contracting, region committed | No standard NDA, signs anything, no retention policy, undisclosed sub-contractors |
| 8. Timeline | 14 to 21 days end to end, kickoff date in SOW, no rush pricing | 3 to 5 days total, rush pricing premium, kickoff slips by weeks |
| 9. Engagement cost inclusions | Everything documented in SOW, additional scopes priced upfront | Per-vulnerability pricing, per-finding triage fees, hidden line items |
| 10. Post-deliverable support | Consulting hours bundled, auditor and investor call support | Responsibility ends at delivery, high hourly post-engagement rate |
| 11. Zero-day disclosure | Documented four-step protocol, buyer-controlled disclosure | No documented protocol, would disclose without coordination |
| 12. Pricing transparency | Public per-tier pricing with deliverables documented | All custom, no public quote, price varies materially after scoping |

A vendor with 10 to 12 green flags is a credible engagement candidate. A vendor with 6 to 9 green flags is worth a deeper scoping call. A vendor with 5 or fewer green flags is a vendor whose report will likely fail downstream audit, investor diligence, or enterprise customer security review. Walk away.

Cybersecify as a vendor: how we answer the 12 questions

Cybersecify is a founder-led penetration testing firm based in Bengaluru, India. Both founders (Ashok S Kamat and Rathnakara GN) work every engagement. We deliver pentest engagements to SaaS startups in India, the UK, the US, the EU, Singapore, Australia, and Hong Kong. The 12 answers above describe how we operate; the /sample-report/ link shows the deliverable. The /pricing/ page documents per-tier pricing with deliverables. The /methodology/ page documents the four-framework methodology stack.

For Series A and Series B SaaS CTOs evaluating outsourced pentest vendors in 2026, the right path is: read the 12 questions, ask them on the scoping call with every vendor on the shortlist, compare answers against the green-flag and red-flag table above, and select the vendor whose answers best match the downstream consumer (SOC 2 auditor, ISO 27001 auditor, Series A investor diligence reviewer, enterprise customer security team). The Cybersecify scoping call typically takes 30 to 45 minutes and walks all 12 questions; book at /book/ or send the scope statement to /contact/.

Frequently Asked Questions

Why ask an outsourced pentest vendor 12 specific questions before signing?

Because every outsourced pentest engagement carries three categories of cost the SaaS founder cannot recover after sign-off: budget (INR 75,000 to INR 5 lakh per scope), calendar time (7 to 21 days end to end), and downstream evidence value (whether the report passes the SOC 2 auditor, the Series A investor diligence reviewer, or the enterprise customer security questionnaire). Of those three, only the budget is refundable and only at the contracting stage. Once testing starts, the time is gone and the evidence value is whatever the vendor delivers. The 12 questions in this guide surface the quality, scope, methodology, and reporting variables that decide whether the eventual report is accepted by your downstream consumer or rejected. Asking them upfront takes 30 to 45 minutes on a scoping call. Reworking a rejected pentest report takes 4 to 6 weeks and a second engagement fee. The cost-benefit math is overwhelming: ask the 12 questions, save yourself the rework cycle.

How do SOC 2 pentest requirements differ from investor diligence pentest requirements?

SOC 2 auditors and Series A investors both want a third-party pentest report, but they read different sections of the same artifact. SOC 2 Type 2 auditors evaluate the report as evidence for Trust Services Criteria CC4.1 (monitoring activities) and CC7.1 (system operations); they care about scope coverage against the system description, methodology rigour (PTES, OWASP WSTG v5.0, NIST SP 800-115 named explicitly), and remediation evidence in the form of a retest addendum. ISO 27001:2022 auditors apply Clause 9.2 (internal audits) plus Annex A.8.29 (security testing in development and acceptance), checking that testing is structured and that tester independence is documented. Series A and B investors and their hired technical reviewers (Praesidio, Coalfire, Bishop Fox, NCC Group) read the executive summary for severity counts and trend versus prior reports, then drill into the Critical and High findings for exploitability and remediation status. Both groups reject self-attested reports. Both accept the same external pentest report when scope, methodology, tester credentials, and retest evidence are all documented. The 12 questions cover the documentation requirements both audiences depend on.

What does scope actually mean in an outsourced pentest engagement?

Scope is the written list of production assets the pentest will exercise, the user roles tested, and what is explicitly out of scope. For a SaaS startup, scope typically lists each production web app URL, each REST or GraphQL API endpoint base path, each mobile app bundle, the admin console, the third-party integration boundaries (Stripe, Twilio, AWS console), and the test environment (production with rate-limited credentials versus staging with production-like data). User roles tested usually include anonymous, regular user, paid user, workspace admin, and super-admin, because each role catches a different class of authorization finding. A scope statement should also enumerate what is out of scope: DDoS or volumetric testing, social engineering of employees, physical access, third-party infrastructure (Stripe payment rails, AWS console, Twilio SMS gateway), and any compliance area the buyer wants excluded. Vague scope statements like web application security assessment without listing specific production URLs and user roles are the most common pentest report rejection trigger at downstream audit or investor review.

Why should the retest be free and time-bound rather than billed separately?

Because charging 25 to 50 percent of the engagement fee for retest creates a vendor incentive structure that is the exact opposite of what the buyer needs. When retest is a separate billable line item, the vendor profits from findings staying open across multiple billing cycles. When retest is bundled into the engagement at zero marginal cost within a 30-day window, the vendor's incentive aligns with the buyer's incentive: close findings cleanly the first time so the bundled retest is a confirmation pass rather than a re-exploitation cycle. SOC 2 and ISO 27001 auditors specifically want to see the retest addendum, not just the initial findings list, because the retest addendum is the artifact that proves remediation actually worked. A vendor that bills retest separately tells you they expect findings to stay open or that they will pad the retest scope to justify another fee. Cybersecify Startup Pentest at INR 74,999 and Growth Pentest at INR 1,79,999 both include one free retest within 30 days of the final report. That is the industry-acceptable model for SaaS engagements.

What does a high-quality pentest sample report contain that a low-quality one omits?

A high-quality redacted sample report contains five elements that a scanner-output PDF cannot fake. First, an executive summary written for a CTO and a board member, naming severity counts, business impact at the application level (not the CVE level), and remediation guidance in plain language. Second, technical findings with structured fields per finding: title, severity, CVSS v3.1 score with vector string, description, business impact, reproduction steps that a developer can replay, and remediation guidance specific to the technology stack. Third, evidence appendices that include screenshots, request and response captures (HAR or curl), and video proof-of-concept for chained Critical and High findings. Fourth, compliance mapping that connects each finding to SOC 2 Trust Services Criteria (CC6.1, CC6.3, CC6.6, CC7.1, CC7.2, CC8.1) and ISO 27001:2022 Annex A controls (A.5.7, A.8.8, A.8.29). Fifth, a retest addendum format that the buyer can hand to the auditor without further translation. A scanner-output PDF reformatted as pentest deliverable typically includes only the title and severity fields with no reproduction steps, business impact, or compliance mapping. Cybersecify publishes a full sample report at /sample-report/ that an evaluating buyer can compare against any other vendor's redacted sample.

How do international SaaS startups handle data residency and NDA terms with India-based pentest vendors?

International SaaS startups engaging India-based pentest vendors typically work through three pre-engagement steps. First, the vendor sends a standard mutual NDA covering engagement scope, deliverable confidentiality, and a fixed retention window for evidence (Cybersecify retention default is 90 days post final report, after which engagement artifacts are deleted; longer retention available on request for audit cycles). Second, the buyer specifies data classes in scope: production PII, payment data (PCI scope considerations), customer business data, and any region-specific data residency constraints (UK Data Protection Act 2018, EU GDPR Article 32 reasonable safeguards, Australian Privacy Principles APP 11). Third, the testing methodology adapts to the data residency constraint: production testing with rate-limited credentials and minimal data access, staging testing with synthetic data, or a dedicated test instance with no production data exposure. For Cybersecify engagements with international SaaS startups in the UK, EU, Australia, Singapore, Hong Kong, and the US, the NDA, retention policy, and data class scope are documented in the Statement of Work before testing starts. Jurisdiction for any contractual dispute is Bengaluru, India, per Indian Contract Act 1872; this is non-negotiable across geographies and is consistent with similar boutique pentest vendors globally who anchor jurisdiction to their incorporation location.

What pentest methodology should an outsourced vendor name in their proposal?

Four frameworks cover what a credible SaaS pentest vendor should reference by name and version in the proposal. PTES (Penetration Testing Execution Standard) defines the seven-phase engagement model: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. OWASP WSTG v5.0 (Web Security Testing Guide) defines per-category test cases for web application scope: configuration, identity management, authentication, authorization, session management, input validation, error handling, cryptography, business logic, client-side, API testing. OWASP API Security Top 10 (2023 edition) defines test cases for API scope: BOLA, broken authentication, broken object property-level authorization, unrestricted resource consumption, BFLA, server-side request forgery, security misconfiguration, lack of protection from automated threats, improper inventory management, unsafe consumption of APIs. NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) covers engagement structure and reporting format that US auditors recognize. A proposal that says industry best practices without naming frameworks or versions is a vendor quality red flag. A proposal that names all four with the right versions signals the vendor has run engagements that passed downstream audit review.

Are pentest vendor pricing models comparable across India, the UK, the US, and Australia?

Yes, with predictable geography-driven floor differences. Indian boutique pentest pricing in 2026 ranges from INR 75,000 to INR 5 lakh per scope (USD 900 to USD 6,000 approximately) for SaaS scope-bounded engagements (one web app, one API, one cloud environment). UK boutique pentest pricing typically ranges from GBP 4,000 to GBP 12,000 per scope (USD 5,000 to USD 15,000). US boutique pentest pricing typically ranges from USD 8,000 to USD 25,000 per scope. Australian boutique pentest pricing typically ranges from AUD 6,000 to AUD 18,000 per scope. Big 4 cybersecurity practices (Deloitte, PwC, EY, KPMG) typically price from USD 25,000 per engagement upward in any geography. UK and Commonwealth public-sector empanelled vendors typically charge a 30 to 60 percent premium over boutique equivalents. For Indian SaaS startups serving international buyers and for international SaaS startups looking at Indian vendors for cost-effective engagements, the pricing delta is real and structural: Indian boutique pricing is roughly 4 to 8 times lower per scope than US boutique pricing for equivalent methodology depth. The right question is not which geography is cheapest. The right question is whether the report quality matches what the downstream audit, investor, or customer consumer expects. The 12 questions in this guide are how to answer the second question.

Can an outsourced pentest report be used for multiple compliance frameworks at once?

Yes, with structured framework mapping. A single annual external pentest report typically serves SOC 2 Type 2, ISO 27001:2022, India DPDP Act 2023 reasonable safeguards documentation, and most enterprise customer security questionnaires for 12 months. The mapping is straightforward: SOC 2 Trust Services Criteria CC6.1 (logical access security), CC6.6 (system boundaries), CC7.1 (vulnerability detection), and CC7.2 (anomaly monitoring) cover what pentest findings typically expose; ISO 27001:2022 Annex A.8.8 (management of technical vulnerabilities), A.8.29 (security testing in development and acceptance), and Clause 9.2 (internal audits) cover the same scope from the ISO framing. DPDP Act 2023 Section 8(5) reasonable safeguards do not specify pentest explicitly but auditors and DPB officials accept structured pentest evidence as part of the reasonable safeguards documentation. For enterprise customer security questionnaires (CAIQ, SIG, custom procurement questionnaires from Fortune 500 buyers), the report itself plus a Letter of Attestation signed by the lead tester typically satisfies the third-party security testing question. Cybersecify Growth Pentest at INR 1,79,999 bundles SOC 2 plus ISO 27001 audit-prep mapping per finding; Startup Pentest at INR 74,999 produces the report without explicit per-control mapping. Both formats are auditor-acceptable; the mapped format saves the auditor 2 to 4 hours of cross-referencing time.

What happens if the outsourced pentest team finds a critical zero-day during the engagement?

A reputable outsourced pentest vendor follows a responsible disclosure protocol when a critical zero-day is discovered mid-engagement. The standard flow is four steps. First, the lead tester immediately pauses further testing on the affected scope and notifies the buyer's designated security contact through the agreed escalation channel (typically email plus a same-day call). Second, the vendor and buyer jointly assess whether the zero-day is in a third-party component (commercial software, open-source library, hyperscaler service) versus the buyer's first-party code. If first-party, remediation timing is the buyer's decision; if third-party, the vendor coordinates with the buyer on disclosure to the upstream vendor (typically following a 90-day coordinated disclosure window). Third, the engagement may pause or continue depending on whether testing the rest of the scope risks further exploitation of the same vulnerability class. Fourth, the final report documents the zero-day as a Critical finding with full reproduction steps, and the buyer decides whether the finding remains in the public-shared version of the report or is redacted (the auditor-shared report typically includes the finding; the customer-shared report typically redacts technical detail while preserving severity and remediation status). Cybersecify follows this exact protocol on every engagement. The lead tester for the engagement (typically Rathnakara GN, OSCP, CompTIA PenTest+) holds the disclosure timeline authority jointly with the buyer's security owner.

Why does pricing transparency matter when evaluating a pentest vendor?

Because pricing transparency is the cheapest possible signal of vendor honesty and operating discipline. A vendor that publishes per-scope pricing on the website with the deliverables documented per tier is telling the buyer that scope discipline, deliverable quality, and engagement structure are stable enough to package as a product. A vendor that says all pricing is custom and never quotes until after a scoping call is typically using opaque pricing for one of three reasons: (1) they are price-discriminating based on buyer signals like company funding stage or geography, (2) they have no standard scope discipline and price each engagement as a one-off, (3) they are using the scoping call to anchor the buyer to a higher number than the buyer would have started with. None of the three serves the buyer. Cybersecify publishes Startup Pentest at INR 74,999 (approximately USD 900, GBP 700, EUR 830) and Growth Pentest at INR 1,79,999 (approximately USD 2,150, GBP 1,700, EUR 2,000) on the /pricing/ page with deliverables documented per tier. Buyers can compare on equivalent scope before booking a scoping call. The transparency itself is the differentiator; the underlying engagement quality is what the 12 questions are designed to verify on the call.

How fast should an outsourced pentest engagement realistically take from first contact to final report?

A scope-bounded outsourced pentest engagement at a boutique vendor takes 14 to 21 calendar days end to end. The phases are: 3 to 5 days for scoping and SOW signature (vendor sends questions, buyer answers, vendor produces proposal, both sides sign), 1 day for kickoff and environment access, 7 to 10 days for active testing (Startup tier 7 days, Growth tier 10 days, additional scopes add 3 to 5 calendar days each), 2 to 3 days for report drafting and internal vendor review, 1 to 2 days for client review and clarification, then retest within 30 days of report delivery (1 to 3 business days). Total founder time on the buyer side is approximately 4 to 6 hours across the full cycle (kickoff call, mid-engagement status checks, finding triage call, retest sign-off). The fastest reasonable timeline for a single-scope engagement with clean scoping is 14 days from initial outreach to final report. Anything faster typically means scoping was rushed or the deliverable is a scanner output reformatted as a pentest report. Cybersecify does not run rush engagements; quality compresses unpredictably under aggressive deadlines and the eventual report consumer (auditor, investor, customer) cannot tell whether the rush was the cause. For founders with a hard downstream deadline (SOC 2 audit window, investor diligence call, enterprise customer onboarding gate), the right answer is to start the pentest 6 to 8 weeks before the deadline, not to compress the engagement window.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM Ashok S Kamat or Rathnakara GN on LinkedIn.
