FAQ
Frequently asked questions.
The questions we get most often from procurement, engineering, and security teams. Not finding what you need? Ask directly.
How long does a typical engagement take?
A fixed-scope web application or API pentest is usually 1–3 weeks. A smart contract audit runs 2–4 weeks depending on complexity. Continuous retainers start at 3 months. We scope every engagement individually so the timeline reflects your actual surface.
How is pricing determined?
$6k–$35k for web / API assessments (API starts at $7k). $12k–$75k for smart contract audits, scaled by logic density and complexity. $9k–$40k for source code review. Fixed against your scope, not a day rate — you see the ceiling before you sign. Continuous retainer from $18k/month. Custom scope is priced after a 30-minute call.
Why publish prices when most firms do not?
Most top-tier firms (Trail of Bits, Halborn, Doyensec, Cure53, OpenZeppelin) keep pricing behind a “Get a quote” form. We publish ours because a fixed range up front filters for the engagements that actually fit our model — and saves both sides a week of back-and-forth. If the final scope needs a custom number, we quote it after a 30-minute call. Either way, you see the ceiling before you sign.
Do you sign NDAs?
Yes — every engagement starts with a mutual NDA. We are comfortable signing your paper or providing ours. Rules of engagement are also signed before any testing begins.
What platforms and languages do you cover?
Web apps, REST / GraphQL / WebSocket APIs, Solidity (EVM), Move (Sui / Aptos), Rust / Anchor (Solana), and general source review in Node.js, Python, Go, and Rust. If your stack is outside this, tell us — we will say so if it is not a fit.
Is a retest included?
Yes. One retest is included in every fixed-scope engagement, within 30 days of report delivery. The retest produces an artifact attached to the original report confirming which findings are closed.
Do you deliver remote or on-site?
Remote by default, which keeps costs down and lets us move fast. On-site kickoff or debrief sessions are available on request.
What does the report look like?
An executive summary for leadership (business impact, severity distribution, overall risk posture) plus a technical section per finding: description, root cause, reproducible PoC, CVSS 3.1 score, and concrete remediation. A sample report is available on request.
Can you work under SOC 2 / ISO 27001 / PCI DSS requirements?
Yes. We have delivered engagements that became evidence for SOC 2 Type II vulnerability management and ISO 27001 Annex A.12 controls. Happy to structure the report to match your auditor’s requirements.
Do you handle responsible disclosure for us?
Yes. Findings go through coordinated disclosure with you first. Public disclosure — if any — only happens after fixes land and with your explicit approval. We never disclose unilaterally.
How do you handle data and credentials?
Credentials are provisioned just-in-time, stored in password managers with limited access, and destroyed at engagement close. Reports are delivered encrypted (PGP or through your secure channel). Any collected evidence is wiped within 30 days of close unless you request retention.
Can you start immediately?
Lead time is usually 1–3 weeks for a new engagement — depending on current capacity. For true emergencies (active exploitation, pre-funding audit) we try to accommodate; reach out and we will tell you honestly.
What if you don't find anything critical?
Then we write that down and you get defensible evidence for your next audit. We will not pad severity to justify the invoice.
Do you offer bug bounty triage?
Yes, as part of a continuous retainer. We help you triage incoming submissions, deduplicate, validate PoCs, and write responses.
Can I see a sample report?
Yes — a redacted sample is available to qualified prospects under NDA. Request it via the contact form.
Question not answered?
Ask directly — we reply within one business day.