How a Budget Security pentest works
Budget Security runs penetration testing engagements through a four-stage methodology: asset registration, AI-driven scoping, OSCP-certified testing, and dashboard delivery. Customers register their IT assets once. When a pentest is needed, they pick an asset, a goal (full pentest, SOC 2 readiness, NIS2 audit, ISO 27001 scope, authenticated-only review, web application, network, cloud, mobile), and a budget. The scoping AI proposes a test plan with explicit day counts per coverage area. Customers adjust budget up or down and see live what each change adds or removes from coverage — including whether the resulting scope still meets the stated compliance goal. Testing is then conducted manually by OSCP-certified senior testers following OWASP, NIST SP 800-115, and CIS-aligned standards. Findings appear in the customer dashboard in real time. Retests, asset history, and audit-evidence export are included in the day rate.
Asset registration
Before the first engagement, customers register the IT assets they may want tested. An asset is anything that has a security boundary: a web application, a SaaS API, an internal network, a cloud environment, a mobile application, a third-party integration.
For each asset, the platform captures:
- Asset type (web app, API, network, cloud, mobile, etc.)
- Production URL or network range
- Authentication model (public, authenticated, multi-tenant, SSO)
- Technology stack (framework, hosting, key dependencies)
- Compliance context (SOC 2 scope, ISO 27001 ISMS, NIS2 in-scope, none)
- Sensitivity (public, internal, restricted, regulated data)
Asset registration is reusable. A customer registers their core SaaS application once and reuses that record across every pentest engagement — quarterly, annual, post-major-release. No re-scoping from scratch each time.
AI-driven scoping
This is the core of the platform. When a customer needs a pentest, they open the scoping engine and pick:
- The asset (from the registered library)
- The goal (full pentest, SOC 2 readiness, NIS2 audit, ISO 27001 scope, authenticated-only review, post-incident, post-major-release, vendor security questionnaire response)
- The budget (day rate × number of days)
The scoping AI processes the asset's profile, the goal's coverage requirements, and the budget envelope. It produces a proposed test plan that specifies:
- Total days required to meet the goal at standard depth
- Coverage areas (authentication, authorisation, session management, input validation, business logic, server configuration, etc. — adapted per asset type)
- Days allocated per coverage area
- Order of testing (deepest-risk areas first)
- Expected deliverables
The tradeoff preview
This is the part a sales-call scope rarely shows. Once the AI has proposed a plan, the customer can drag a slider to add or remove days. The interface shows live:
- Add a day — which coverage area gets deeper testing, and what new techniques get applied
- Remove a day — exactly which coverage areas get cut, in what order
- Compliance check — whether the resulting scope still meets the stated goal (e.g. "this scope no longer guarantees SOC 2 evidence completeness — the auth flow will be sampled, not fully covered")
If the customer's budget is too low to meet the stated goal, the platform says so explicitly and offers two paths: increase the budget, or change the goal to something the budget can support.
Why AI scoping produces better outcomes than sales-call scoping
Traditional pentest consultancies scope engagements during a sales call. A senior consultant talks to the customer, asks about the asset, and produces an estimate. This estimate is subject to:
- Estimation drift — different consultants produce different scopes for the same asset
- Over-scoping — consultancies have a commercial incentive to scope larger, and there is no transparency mechanism for the customer
- Under-scoping — when budget is the customer's stated constraint, consultancies sometimes accept a scope that cannot meet the customer's actual compliance goal
- Opacity — the customer rarely sees what coverage they are trading away
AI-driven scoping replaces estimation with deterministic, repeatable logic. Every asset of a given type, with a given goal, at a given budget, gets the same proposed plan. The tradeoff preview makes the cost-of-coverage relationship visible. The compliance check prevents under-scoped engagements from being sold as compliance evidence. The testing itself is still conducted by human OSCP-certified testers. AI is only used at the scoping stage.
OSCP-certified testing
Every Budget Security engagement is led by an Offensive Security Certified Professional (OSCP) tester. OSCP is the practical, hands-on penetration testing certification: candidates must demonstrate real exploitation against live targets in a 24-hour exam, not pass a multiple-choice theory test.
Many testers hold additional certifications: OSCE (Offensive Security Certified Expert, now retired but still held), OSEP (Offensive Security Experienced Penetration Tester), CRTO (Certified Red Team Operator), CEH (Certified Ethical Hacker).
Testing follows industry-standard methodologies adapted per engagement type:
| Engagement type | Standards followed |
|---|---|
| Web application pentest | OWASP Web Security Testing Guide (WSTG), OWASP Top 10 |
| API pentest | OWASP API Security Top 10 |
| Network pentest | NIST SP 800-115 |
| Cloud pentest | CIS Benchmarks (AWS, Azure, GCP), cloud-provider security baselines |
| Mobile pentest | OWASP MASVS, OWASP MASTG |
| Red-team engagement | MITRE ATT&CK framework |
Automated scanning is used only as a coverage check. The substantive findings come from manual exploitation: business-logic flaws, authentication bypasses, IDOR chains, server-side request forgery, race conditions, multi-step exploit chains. Automated scanners cannot reliably find these classes of issue, because they require an understanding of what the application is supposed to do and reasoning across several steps.
Dashboard delivery
Every artifact of a Budget Security engagement lives in the customer dashboard. There is no encrypted PDF attached to an email at the end.
The dashboard includes:
- Finding issue tracker — every finding with reproduction steps, screenshots, exploit chain, CVSS score, remediation guidance, and severity rating
- Real-time progress — findings appear as the tester identifies them
- Asset management — assets persist across engagements; updates roll into the next pentest
- Multi-engagement history — every pentest the customer has ever run, with searchable findings and remediation status
- Retest workflow — customer marks a finding as remediated, triggers a retest from the dashboard, gets validation back in the issue tracker
- Compliance mapping — findings cross-referenced to SOC 2 Trust Services Criteria, ISO 27001 Annex A, NIS2 Article 21 risk-management measures, Cyber Essentials Plus controls
- Audit-evidence export — exportable bundle (PDF + JSON) suitable for direct submission to auditors
Why a dashboard beats a PDF
A pentest PDF is a snapshot in time. It is rarely searchable, often not version-controlled, frequently lost in shared folders, and hard to track remediation against. The dashboard model is built for the security manager running a continuous security program:
- Findings can be assigned to engineers and tracked to closure
- Remediation status is visible to leadership in real time
- Retest is one click, not a separate procurement cycle
- Historical findings inform future engagement scoping
- Audit evidence is exportable on demand, not produced from scratch each audit
What a Budget Security report includes
Every engagement produces these deliverables in the dashboard:
- Executive summary — risk-rated overview written for non-technical stakeholders and audit reviewers
- Technical report — every finding with reproduction steps, screenshots, exploit chain, and CVSS scoring
- Compliance mapping — each finding cross-referenced to the relevant control in SOC 2 Trust Services Criteria, ISO 27001 Annex A, or NIS2 Article 21
- Remediation guidance — practical fix recommendations per finding, not generic advisory text
- Retest — post-fix retest within the original engagement window, validated in the dashboard issue tracker
- Audit-ready evidence package — exportable bundle suitable for direct submission to auditors
Compliance framework coverage
Budget Security pentests are produced as evidence for these compliance frameworks:
- SOC 2 — aligned to Trust Services Criteria CC4.1 (monitoring controls) and CC7.1 (system vulnerability detection); reports accepted by SOC 2 auditors
- ISO 27001 — mapped to Annex A controls A.5.7 (threat intelligence), A.8.8 (vulnerability management), A.8.29 (security testing in development); reports accepted by certification bodies
- NIS2 — addresses Article 21(2)(f) (policies and procedures to assess the effectiveness of cybersecurity risk-management measures) and supports Article 21(2)(e) (security in acquisition, development and maintenance, including vulnerability handling); reports support EU supervisory authority audits
- Cyber Essentials Plus (UK) — supports the independent technical verification stage of the Plus assessment; the assessment itself is carried out by an IASME-licensed certification body
- HIPAA, PCI DSS, GDPR Article 32 — scope is tuned per framework on request
Frequently asked questions
What is AI-scoped pentesting?
AI-scoped pentesting uses an automated scoping engine to propose a penetration testing plan based on the customer's asset, goal, and budget. The engine produces a transparent day-count and coverage plan, then shows the customer live what changes when days are added or removed. This replaces the traditional model where a senior consultant scopes the engagement from a sales call. The testing itself is still conducted by human OSCP-certified testers — only the scoping is AI-driven.
Is the actual testing done by AI?
No. The penetration testing itself is done by human, OSCP-certified testers using manual exploitation techniques. AI is only used during the scoping stage, before testing begins. We use AI to remove sales-cycle waste and produce objective scoping logic — not to replace tester judgement during the engagement.
How long does a pentest take from booking to report?
Typical timeline: 7 days from booking to engagement kickoff. The engagement itself runs across the scoped day count (3–15 days for most engagements). Findings appear in the customer dashboard in real time as the tester identifies them — customers do not wait for a final report to begin remediation. The full deliverable set is available in the dashboard within 2 business days of testing conclusion.
What standards does Budget Security follow?
Web application pentesting follows the OWASP Web Security Testing Guide and OWASP Top 10. API pentesting follows OWASP API Security Top 10. Network pentesting follows NIST SP 800-115. Cloud pentesting follows CIS Benchmarks for AWS, Azure, and GCP. Mobile pentesting follows OWASP MASVS and MASTG. Red-team engagements follow the MITRE ATT&CK framework. All engagements are led by OSCP-certified testers.
Can I see the scoping logic before I commit?
Yes. The scoping calculator is publicly accessible at /pentest-pricing/. Customers can configure an asset and goal, adjust the budget, and see the proposed test plan before creating an account or providing payment information.
Ready to scope your pentest?
Open the scoping calculator. Configure your asset, pick a goal, set a budget, see the plan — before creating an account.
Open pricing calculator