VulnerabilityScanPro
FAQ

Answers, organized.

General

Most plans are one-time: you pay once, we run the scan, we email the report. The Pro Retainer is the exception — that one buys 4 quarterly scans and regression alerts for the year.
No. At these prices it would not be honest to call it that. The Quick Health Check and Surface Scan are fully automated. The Full Audit adds about an hour of analyst review on top of the scanner output. A real manual pen-test starts at several thousand dollars — we are not pretending otherwise.
For most plans we only need the public URL. If your scope includes authenticated areas (Full Audit and above), each order has a private chat thread where you can drop test credentials or jump-host details — scoped to your order, visible only to our team.

Pricing

Because the work is mostly automated. We run open-source scanners (OWASP ZAP, Nuclei, openssl) against your URL and turn the output into a clean PDF. The Full Audit adds about an hour of analyst review — not a senior pen-tester sweep, just a human filtering false positives and writing remediation notes.
For larger scopes — multiple environments, recurring scans for many domains, or things outside our standard plans — reach out via the contact page. We can quote a custom engagement.
Visa and Mastercard via Authorize.Net Accept.js. Card data is tokenised on the client; we never store full card numbers.

Process

Quick Health Check: 24 hours. Surface Scan: 48 hours. Full Audit: 5 business days. Compliance Pack: 7 business days. Pro Retainer: first scan in 5 business days, then quarterly.
Quick Health Check ships a 1-page summary PDF. Surface Scan and above ship a multi-page severity-ranked PDF (CVSS-aligned). Full Audit and above add analyst-written remediation notes per finding. Compliance Pack additionally tags findings to your chosen framework's control IDs.
Full Audit and Compliance Pack include 1 free re-scan within 30 days. Pro Retainer includes unlimited re-scans for the year. The two cheapest plans (Quick Health Check, Surface Scan) do not — you would simply re-buy a fresh scan.
We run scanners in their non-destructive default modes — no DoS-class probes, no aggressive fuzzing, no exploit confirmation that would leave artefacts. Most scans add traffic equivalent to a few moderately active visitors. If you want us to run during off-hours, mention it in the order chat.

Refund

30-day refund window. If the report did not hold up to your scrutiny, email us within 30 days of delivery and the charge gets reversed to the original payment method. No "audit committee" decides — we just do it.