Service engagements for scoped VAPT and red team work. Platform tiers for continuous self-serve scanning. Pick what fits — most teams use both.
Scoped engagements delivered by a named senior operator. Indicative pricing — written quote within one business day after a scoping call. GST invoice (India) and W-8BEN-E available for international buyers.
Single asset — one web app, mobile app, or API. Pre-seed and seed-stage SaaS.
Multi-asset programme — web + API + mobile + selected infra. Series A–C SaaS, fintech.
Full kill-chain or rolling VAPT programme. Banks, insurers, government, large enterprise.
All engagements include a free 30-min scoping call, NDA on request, and a written scope before billing.
A rough estimate: the final scope typically moves the price by ±30%. Final price after a free 30-min scoping call.
Indian buyers · GST extra (18%)
Indicative only. Final price after free 30-min scoping call.
Real Nuclei scanner. Full CVE + OWASP Top 10 coverage. No agents, no setup. Cancel anytime.
Billed monthly. Cancel anytime — no contract.
A starting point for solo developers running occasional checks against a single asset.
Suited to founders, security engineers, and consultants who want broader Nuclei coverage and exportable PDF + JSON reports.
Designed for internal AppSec teams that want shared scope, role separation, and evidence packs aligned to SOC 2 / PCI-DSS reviews.
For regulated organisations that need on-prem deployment, SAML SSO, custom templates, and a named customer success contact.
Side-by-side breakdown. Numbers reflect production billing; quotas reset on the first of every calendar month UTC.
| Feature | Free | Pro | Team | Enterprise |
|---|---|---|---|---|
| Scans / month | 1 | 10 (+$49 overage) | 100 | Unlimited |
| Scanner | OWASP Top 10 | Full Nuclei (10k+ templates) | Full Nuclei (10k+ templates) | Full Nuclei + custom templates |
| Exports | — | PDF + JSON | PDF + JSON + CSV | PDF + JSON + CSV + raw evidence |
| History retention | 7 days | 90 days | 1 year | Custom (incl. on-prem retention) |
| Team members | 1 | 1 | 5 | Unlimited |
| API access | — | Yes | Yes | Yes |
| IP whitelisting | — | — | Yes | Yes |
| MFA enforcement | Optional | Optional | Enforced (2FA) | Enforced (2FA + SAML) |
| Compliance reports | — | — | SOC 2 + PCI-DSS | SOC 2 + PCI-DSS + ISO 27001 |
| SAML SSO | — | — | — | Yes |
| Dedicated CSM | — | — | — | Yes |
| Retest included | — | Re-run scan | 1 free retest / finding | Unlimited retests |
Every service engagement starts with a fixed written scope, price, and timeline — sent within one business day of the scoping call. No surprise line items.
Mutual NDA available before any sensitive detail is shared, and we'll sign your standard form too. Typical turnaround is same-day.
Platform subscriptions and engagement deposits are processed by Stripe Checkout. We never see or store card data; tax-compliant invoices are issued on every charge.
Findings ship with CVE ID, CVSS v3.1 vector, CWE, OWASP mapping, and reproducible request/response evidence — not a templated checklist.
Team and Enterprise include a free retest per finding within 30 days. Service engagements include a retest to verify remediation landed.
Self-serve plans are month-to-month with one-click cancellation. Annual plans are refundable within 14 days; monthly subscriptions are pro-rated on cancellation.
Service engagements are scoped after a free 30-minute call. We send a written scope, fixed price, and timeline within one business day. Indian buyers receive a GST-compliant tax invoice (18% GST on services) from AxVeil LLP with GSTIN. International buyers receive a USD invoice; W-8BEN-E available on request.
Yes. NDA on request before any sensitive scoping detail is shared. Mutual NDA template available; we accept your standard form too. Typical turnaround: same day.
Yes — anonymised sample report (with redacted PoCs) on request, after a short NDA. Sample is from one of the case studies you can read at /case-studies.
One scan = one full Nuclei run against one root target (domain or host) at a point in time. Subdomain enumeration and the entire OWASP Top 10 / CVE template set count as a single scan, not one per finding. Re-running against the same target is a new scan.
No. Free is genuinely free — sign up with email and run your first scan within minutes. We only ask for a card when you upgrade to Pro or Team via Stripe Checkout.
Yes. Cancel from billing settings in one click — your plan stays active until the end of the current period, then downgrades to Free. Scan history within your retention window is preserved; older scans are pruned per your previous tier's retention.
Yes. Stripe issues a tax-compliant invoice on every charge with your billing entity, address, and GSTIN (India) or VAT ID (EU/UK) once you add them in billing settings. Invoices are downloadable as PDF from your dashboard.
Pro and above export every finding with CVE ID (where assigned), CVSS v3.1 vector + base score, CWE category, OWASP Top 10 mapping, affected URL, request/response evidence, and a remediation note. Both PDF and JSON formats are available.
On Pro and Team you can define custom scope (allowed domains, excluded paths, auth headers). Enterprise adds private custom Nuclei templates maintained alongside our internal template library, plus on-prem deployment so your scope never leaves your network.
Team and Enterprise include one free retest per finding within 30 days of the original scan to confirm remediation. Pro users can simply re-run a full scan against their target — it counts toward the monthly quota or $49 overage.
Team and Enterprise produce SOC 2 / PCI-DSS / ISO 27001 evidence reports suitable for auditor review; we ourselves are working toward SOC 2 Type II attestation. Refunds: Stripe-processed monthly subscriptions are pro-rated for unused time on cancellation; annual plans are refundable within 14 days of purchase.