Simple, Transparent Pricing

Founder-led pentest with retest and consulting hours. Fixed plan pricing with transparent per-scope add-on rates. No hidden costs. Looking for ongoing security support? See the monthly Security Retainer below.

Capacity: 6 pentests per month. Rathnakara (OSCP) leads every pentest engagement. Book ahead.

Penetration Testing

AI, Web, API, Android, iOS, Cloud, and IoT. Pick the plan that fits your scope.

1 USD ≈ ₹84, 1 EUR ≈ ₹90 (approximate, at current rates) · International engagements invoiced in your local currency at conversion rate at time of invoice.

Startup Pentest Plan

For early-stage startups

INR 74,999 + taxes

~$900 / ~€830

1 Scope Included
Pick one: web app, API, mobile app, cloud, or IoT. One target, tested thoroughly. 1 scope = 1 application type. Add a second scope for INR 44,999 (max 2 on this plan, +3 calendar days delivery). Need 2+ scopes with compliance mapping? The Growth Plan is built for that.
Report in 7 Calendar Days
Kick-off to final report in one week, so your investor deadline doesn't slip: 7 calendar days from kick-off to final report delivery, with 5 working days of active testing.
6 Hours of Founder-led Security Consulting
Usable for 6 months from pentest kickoff. Use during the engagement (remediation pairing, scope clarification) or anytime in the 6-month window (architecture review, threat modeling, compliance Q&A). Both founders available. Extra hours billed at INR 3,500/hr if needed. Need ongoing monthly external attack surface scans? See the Security Retainer below.
1 Full Retest within 30 Days
After you fix the vulnerabilities we found, we retest every finding to confirm the fixes are effective. Scheduled within 30 calendar days of the v1.0 initial report; completes in 1-3 business days on our side. Report v2.0 is issued at retest close, with confirmed fixes closed as "remediated" and anything that still reproduces left open. No extra charge.
OWASP Top 10 + PTES Methodology, Investor-Ready Report
Industry-standard OWASP Top 10 + PTES (Penetration Testing Execution Standard) methodology: manual exploitation, business logic, auth coverage. Deliverable is a full technical report for engineering with reproduction steps, fix guidance, and risk ratings, plus a 2-page executive summary for investors and enterprise clients, aligned with what SOC 2 / ISO 27001 auditors expect.
+1 Scope at INR 44,999 (~$540 / ~€500)
Max 2 scopes on this plan. Adding the second scope adds 3 calendar days to total delivery: 10 calendar days for 2 scopes (8 working days + weekend), both scopes tested in parallel within the window. Need 3+ scopes, compliance mapping, or audit-grade evidence? The Growth Plan is the better fit.

Best Suited For: An investor or enterprise client asked for a pentest report. You have one or two apps to test and no compliance deadline.

Book Startup Pentest
Most Popular

Growth Pentest Plan

For scaling businesses

INR 1,79,999 + taxes

~$2,150 / ~€2,000

1 Scope + 1 Extra Scope Included
Test your web app + API together, or any two targets. Most startups have at least two attack surfaces. 2 scopes total = 2 application types tested (1 base + 1 extra included in the Growth Plan price), e.g., web app + API, or Android app + iOS app. Each platform counts as a separate scope. Add more scopes for INR 74,999 each (no limit, +5 calendar days each, parallel testing available for up to 3 scopes at a time).
Report in 10 Calendar Days
Deep enough to catch business logic flaws, fast enough for your deadline: 10 calendar days from kick-off to final consolidated report (8 working days + weekend). The parallel-or-sequential choice applies to additional scopes only; the base 2 scopes are always tested in parallel.
12 Hours of Founder-led Security Consulting
Usable for 12 months from pentest kickoff, 2× the Startup Plan allocation. Use during the pentest, the retest window, or anytime in the 12-month window: architecture review, compliance prep, threat modeling, remediation pairing, incident readiness. Both founders available. Extra hours billed at INR 3,500/hr if needed. Need ongoing monthly external attack surface scans? See the Security Retainer below.
1 Full Retest within 30 Days
After you remediate the findings from v1.0, we retest every finding to verify the fixes are effective. Scheduled within 30 calendar days of the initial report; completes in 1-3 business days on our side. Report v2.0 is issued at retest close, with confirmed fixes closed as "remediated" and anything that still reproduces left open. No extra charge.
OWASP Top 10 + PTES Methodology, Investor-Ready Report
OWASP Top 10 + PTES is the base methodology on both plans: manual exploitation, business logic, auth coverage. Growth extends it with Real-world Attack Simulation (listed at the bottom of this card). Audit-ready technical + executive report with SOC 2 / ISO 27001 mapping built into every finding for auditor use.
+1 Scope at INR 74,999 (~$900 / ~€830)
No limit on scopes. Each additional scope adds 5 calendar days (default sequential). Parallel testing available for up to 3 scopes simultaneously to compress the window, same price either way. Each additional scope gets its own findings section and full compliance mapping.
SOC 2 + ISO 27001 Compliance Mapping
Growth-only. Every finding mapped to SOC 2 Trust Services Criteria and ISO 27001 Annex A controls. Audit-acceptable for SOC 2 Type 1, Type 2, and ISO 27001 internal + external audits: your auditor can use the report as direct evidence.
Letter of Attestation for Compliance Auditors
Growth-only. A one-page PDF, standard on every Growth Pentest engagement, signed by Rathnakara GN (OSCP) as Lead Penetration Tester. References the methodology used, the engagement window, and the ISO 27001:2022 Annex A controls that penetration testing supports as audit evidence (A.8.8 management of technical vulnerabilities, A.8.29 security testing in development and acceptance). Auditor-acceptable as a first piece of evidence for ISO 27001 audits and customer security questionnaires; send it to auditors, enterprise customers, and procurement without re-cutting the report. It contains no technical findings or vulnerability detail, and it is not a certification or accreditation of overall security posture.
Real-world Attack Simulation
Growth-only. Beyond the OWASP/PTES baseline: chained exploits (one finding amplifying another), privilege escalation, lateral movement, and business logic flaws specific to your application (payment race conditions, IDOR in financial flows, tenant-isolation gaps).

Best Suited For: You need two attack surfaces tested together (e.g., web app + API), an auditor needs SOC 2 / ISO 27001 evidence, or you want a full year of founder-led consulting hours after the pentest. Monthly external + brand scans are not part of the pentest plans; see the Security Retainer for those.

Book Growth Pentest

Security Retainer

Fractional security without hiring a full-time CISO. Consulting hours + automated scans, every month.


Recurring Value

Security Retainer

Monthly, 3-month minimum

INR 24,999 / month + taxes

~$300 / ~€280

3-month minimum commitment. Consulting hours and scans refresh each month.

10 Hours of Founder-led Security Consulting / Month
Both founders. Architecture review, cloud hardening, SDLC guidance, policy docs, incident response planning, threat modeling. Whatever you need this month.
1 External Attack Surface Scan Report / Month
Know what an external attacker can find about your infrastructure before they use it. Every month: exposed services, weak or expiring certificates, DNS misconfiguration, email spoofing risk, subdomain takeover risk. Founder-reviewed, not raw tool dump.
1 Brand Protection Scan Report / Month
Catch the brand abuse you cannot see from inside your company. Every month: typosquatting domains targeting your customers, fake mobile apps masquerading as you, employee credentials surfacing in breach dumps, phishing infrastructure aimed at your domain. Founder-reviewed.

What we look for →
Extra Hours at INR 2,500 / hour (fixed)
Need more than 10 hours in a given month? Add on-demand at a flat INR 2,500/hour. No surge pricing, no minimums.
3-Month Minimum, Then Month-to-Month
3-month minimum to start. After that, month-to-month with 30 days written notice from either side.
Same Senior Team
Rathnakara (co-founder) holds OSCP and CompTIA PenTest+. Senior team adds CISSP, CEH, and ISO 27001 Lead Auditor. Same team every month. No bait and switch.
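The external attack surface scan above lists "email spoofing risk" as one of its checks. The script below is an added illustration of what that check actually evaluates, written for this page; it is not Cybersecify's scanner, and the DNS answers and domains (good.example, weak.example, soft.example, bare.example) are constructed inline so it runs offline. It parses a domain's SPF record and its _dmarc TXT record, flags the gaps that let spoofed mail through (no SPF, a neutral or pass "all" term, too many DNS lookups, no DMARC, p=none or p=quarantine), and rates the risk by whether DMARC is actually enforcing.

```python
"""Email spoofing risk check over SPF and DMARC TXT records.

Added illustration of one check an external attack surface scan performs; this
is not Cybersecify's scanner. DNS answers are constructed inline so the script
runs offline; replace lookup_txt() with a real resolver to run it against live
domains.
"""
import re

# Constructed TXT answers for hypothetical domains, standing in for DNS lookups.
RECORDS = {
    "good.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 include:_spf.google.com ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "soft.example": ["v=spf1 a mx ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=quarantine"],
    "bare.example": [],
    "_dmarc.bare.example": [],
}

ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)
# Mechanisms that cost a DNS lookup under the RFC 7208 limit of 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.I)


def lookup_txt(name):
    """Stand-in resolver: TXT strings for `name`, or [] when the name has none."""
    return RECORDS.get(name, [])


def parse_spf(txts):
    """Return the SPF terms, or None when there is not exactly one SPF record
    (RFC 7208 treats zero or multiple records as no usable policy)."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    return spf[0].split()[1:] if len(spf) == 1 else None


def parse_dmarc(txts):
    """Return DMARC tags as a dict, or None when no DMARC record exists."""
    rec = [t for t in txts if t.lower().startswith("v=dmarc1")]
    if len(rec) != 1:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain):
    """Return (risk, findings) for `domain`; risk is 'low', 'medium' or 'high'."""
    findings = []

    spf = parse_spf(lookup_txt(domain))
    if spf is None:
        findings.append("no valid SPF record: any host can send as this domain")
    else:
        # The last 'all' term decides what happens to senders the record does not list.
        all_terms = [t for t in spf if ALL_TERM.match(t)]
        if all_terms:
            term = all_terms[-1]
            qualifier = term[0] if term[0] in "+-~?" else "+"  # bare 'all' means pass
        else:
            term, qualifier = "no 'all' term", None
        if qualifier in (None, "+", "?"):
            findings.append(f"SPF does not reject unlisted senders ({term})")
        elif qualifier == "~":
            findings.append("SPF softfail (~all): receivers may still deliver spoofed mail")
        lookups = sum(1 for t in spf if LOOKUP_TERM.match(t))
        if lookups > 10:
            findings.append(f"SPF needs {lookups} DNS lookups (limit is 10): permerror, record ignored")

    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}"))
    policy = (dmarc or {}).get("p", "none").lower()
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM failures are not enforced")
    elif policy == "none":
        findings.append("DMARC p=none: failures are reported but the mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam instead of being rejected")

    # Only an enforcing DMARC policy turns SPF/DKIM results into rejected mail,
    # so a missing or p=none DMARC record dominates the rating.
    if dmarc is None or policy == "none":
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return risk, findings


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "soft.example", "bare.example"):
        risk, notes = assess(name)
        print(f"{name}: {risk}")
        for note in notes:
            print(f"  - {note}")
```

The rating deliberately keys on DMARC rather than on SPF alone: a neutral "?all" with p=reject still gets spoofed mail rejected once DKIM is in place, whereas a perfect SPF record with p=none only produces reports. That is the difference between "looks configured" and "actually enforced" that a founder-reviewed scan report should call out.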

Best Suited For: You want a low-commitment way to start working with us before scoping a dedicated pentest or larger consulting engagement. Use the 10 hours / month for whatever matters most: architecture review, threat modeling, compliance prep. Many clients use the 3-month commitment to evaluate fit before scoping something larger.

Start 3-Month Retainer

Compliance, CTI & Fractional Security

Scoped per engagement. Talk to us for pricing.

Compliance as a Service

SOC 2 Type 2 & ISO 27001 internal audit prep: gap assessment, control mapping, and policy documentation. Pairs naturally with pentest evidence.

Scoped per engagement

Cyber Threat Intelligence

Dark web monitoring, leaked credential detection, brand impersonation alerts, and industry threat reports. Every pentest includes a CTI snapshot. Need deeper coverage? Start with a one-time assessment or upgrade to continuous monitoring.

One-time or continuous (monthly/quarterly)

Fractional Security Team

Dedicated AppSec, InfraSec, or GRC hours. Vulnerability management, security monitoring, IAM audits, SDLC integration, and incident response planning. 2 to 8 hrs/day, 3-month minimum.

3-month minimum commitment

Pricing FAQ

What is the difference between the Startup and Growth pentest plans?

The Startup plan covers 1 scope in 7 calendar days with a technical + executive report, 6 hours of founder-led consulting, and 1 free retest. The Growth plan covers 2 scopes in 10 calendar days and adds SOC 2 + ISO 27001 compliance mapping, real-world attack simulation beyond OWASP Top 10, and 12 hours of consulting. Both plans include 1 free retest within 30 calendar days. Choose Growth if you have a compliance deadline or an enterprise deal in the pipeline. Need ongoing monthly external + brand scans? The Security Retainer bundles 1 external attack surface scan and 1 Brand Protection scan per month plus 10 consulting hours.

How long does the full engagement take, including retests?

Engagement duration (testing + v1.0 report) is fixed per plan and scope count: 7 calendar days for Startup (1 scope), 10 calendar days for Growth (2 scopes), +3 calendar days for the second scope on Startup (10 days total), and +5 calendar days per additional scope on Growth (sequential by default; parallel testing compresses this). After v1.0 ships, the retest is scheduled when your team has finished the fixes. Earliest start: as soon as you are ready. Latest start: 30 calendar days after v1.0 (this is the upper bound on when the retest can begin, not a mandatory wait). The retest itself takes 1 to 3 business days, then v2.0 closes the engagement. Faster remediation on your side closes the engagement faster.

What is the difference between parallel and sequential testing?

For Growth Plan engagements with additional scopes (3rd scope onwards), you can choose parallel or sequential testing at no extra cost. Parallel means scopes are tested simultaneously, compressing the total delivery window. Sequential means scopes are tested one at a time, lighter coordination on your team's side. Same fixed price either way. Parallel testing is recommended for engagements up to 3 scopes simultaneously; larger engagements (4+) run hybrid or sequential by default to maintain testing depth. The base 2 scopes on Growth are always tested in parallel within the published delivery window. That is the floor, not a choice.

Can I add more scopes after the engagement starts?

Yes, you can add scopes during scoping or after the engagement starts. Startup Plan caps at 2 scopes total (1 base + 1 additional at INR 44,999, with +3 calendar days = 10 days total for 2 scopes). Growth Plan has no scope limit (each additional scope at INR 74,999, with +5 calendar days). For 3+ scope engagements on Growth, you can choose parallel testing to compress the timeline. Adding scopes during the engagement is possible but extends the calendar days and requires a scope confirmation note in writing before testing begins on the new scope.

What counts as one scope?

One scope is one application surface tested as a complete unit. Examples: a web application is 1 scope, a REST API is 1 scope, an Android app is 1 scope, an iOS app is 1 scope. Web app + API = 2 scopes (separate surfaces, different attack vectors). iOS + Android = 2 scopes (separate platforms, separate code, separate runtime). A microservices backend with 3 distinct services may count as 1 scope or 3 scopes depending on whether they share authentication and architecture. We confirm scope count during scoping before final pricing. If you are unsure, send us your architecture and we will tell you what we would count as a single scope.

What is real-world attack simulation, and why does Growth include it?

Real-world attack simulation tests beyond the OWASP Top 10 baseline by simulating how a determined attacker would actually compromise your application. This includes chained exploits (using one finding to amplify another), privilege escalation (moving from a regular user to admin), and lateral movement (accessing systems outside the initial entry point). We also test business logic flaws specific to your application such as payment race conditions, IDOR in financial flows, and authorization gaps in tenant-isolated data. Growth Plan includes this because compliance buyers and enterprise customers expect their pentest to demonstrate not just OWASP coverage but that the application can withstand a focused attacker. Startup Plan covers OWASP Top 10 + PTES standard methodology, sufficient for buyers without active enterprise or audit pressure.

What does the SOC 2 + ISO 27001 compliance mapping include?

Each finding in the Growth Plan report is mapped to specific control requirements in two frameworks. SOC 2 mapping covers the 2017 Trust Services Criteria, typically CC6.1 (logical access security), CC6.3 (role-based access provisioning and removal), CC6.6 (protection against threats from outside the system boundary), CC7.2 (monitoring for anomalies), and CC8.1 (change management) for a typical web or API engagement. ISO 27001 mapping covers Annex A controls, typically A.9 (access control), A.13 (communications security), A.14 (system acquisition, development, and maintenance), and A.12.4 (event logging). Note that these are the ISO 27001:2013 Annex A families; if your ISMS is on ISO 27001:2022 (the edition the Letter of Attestation cites), the same controls sit under A.5.15 and A.8.2-A.8.5 (access control, privileged access, information access restriction, secure authentication), A.8.20-A.8.22 (network security, network services, segregation), A.8.25-A.8.29 (secure development life cycle through security testing), and A.8.15-A.8.16 (logging and monitoring). The compliance evidence package is delivered as a separate section of the report and can be handed to your auditor as direct evidence of penetration testing, findings, and remediation. Useful for SOC 2 Type 1, SOC 2 Type 2, and ISO 27001 internal or external audits.

Are monthly external attack surface or Brand Protection scans included with the pentest plans?

No. Pentest plans are pentest + retest + consulting hours only. If you want monthly external attack surface scans (subdomains, exposed services, certs, DNS posture, mail security) and Brand Protection scans (typosquatting, leaked credentials, fake apps, phishing infrastructure), these are bundled with the Security Retainer (INR 24,999/month, 3-month minimum). The Retainer includes 1 external attack surface scan + 1 Brand Protection scan per month, plus 10 hours of founder-led consulting per month.

How many consulting hours are included with each pentest?

Startup Plan: 6 hours of founder-led security consulting. Growth Plan: 12 hours. Use these hours during the engagement (scope clarification, remediation pairing) or anytime in the 6-month or 12-month consulting window (architecture review, compliance prep, threat modeling, incident readiness). Both founders available. Need more? The Security Retainer (INR 24,999/month, 10 hours/month, 3-month minimum) is the next step up.

How much does penetration testing cost in India?

Cybersecify offers penetration testing starting at INR 74,999 for a single scope (web, API, Android, iOS, cloud, or IoT) with delivery in 7 calendar days. The Startup Plan includes 6 consulting hours and 1 free retest. The Growth Plan at INR 1,79,999 includes 2 scopes, 10 calendar days, SOC 2 + ISO 27001 compliance evidence, real-world attack simulation, 12 consulting hours, and 1 free retest. All prices exclude taxes. Monthly external attack surface + Brand Protection scans are bundled with the Security Retainer (INR 24,999/month, 3-month minimum), not with the pentest plans.

Can I see a sample report before buying?

Yes. We publish a full redacted sample showing the exact structure, finding format, compliance mapping, and methodology you receive. You can view it online or download it as a PDF. View sample report →

Still have questions?

Book a 30-min call with Ashok. We'll talk through your scope, your timeline, and which plan actually fits. No sales pressure.