Question 1

What is PTaaS (Pen Testing as a Service) and how is it different from a traditional pentest?

Accepted Answer

PTaaS (Pen Testing as a Service) combines manual, hacker-led penetration testing with a continuous delivery platform — instead of a once-a-year PDF, you get an always-on dashboard, on-demand retests, real-time finding triage, Jira / Linear / GitHub / Slack sync, and continuous coverage between major engagements. Traditional pentests are point-in-time engagements that go stale within weeks. PTaaS keeps pace with weekly deploys, new features and infra changes — which is what SOC 2, ISO 27001, PCI-DSS and CERT-In auditors increasingly expect.

Question 2

Do you cover VAPT and vulnerability assessment alongside pentesting?

Accepted Answer

Yes. Every StartSecure engagement combines vulnerability assessment (VA — broad, automated coverage to find known issues) with manual penetration testing (PT — deep, exploit-driven discovery of business-logic and chained vulnerabilities). Our methodology aligns with CERT-In, CREST, OWASP WSTG / MASVS / ASVS and PTES, so the deliverable is acceptable for both Indian regulators (RBI, SEBI, CERT-In) and global standards (SOC 2, ISO 27001, PCI-DSS 4.0, HIPAA).

Question 3

Do you offer secure source code review (SAST + manual)?

Accepted Answer

Yes. We do hybrid source code review: manual review by senior application security engineers (looking for logic flaws, auth/authz mistakes, race conditions and supply-chain risk) plus tuned SAST, secret scanning and dependency analysis. Languages covered include Java, .NET (C#), Go, Node.js / TypeScript, Python, Ruby, PHP, Rust, Solidity / Vyper / Rust (Web3) and mobile (Kotlin, Swift, Dart). Findings come with concrete fix snippets, not generic CWE pointers.

Question 4

How quickly can you start a pentest engagement?

Accepted Answer

Most StartSecure engagements kick off within 72 hours of scoping. Critical or urgent scopes — for example a launch-blocking SOC 2 evidence pentest, an acquisition-driven security review or a post-incident assessment — can start within 24 hours. Scoping itself usually takes a single 30-minute call: targets, user roles, environment, compliance driver, timeline.

Question 5

Are you CREST, CERT-In and ISO 27001 aligned?

Accepted Answer

Yes. Our methodology, reporting standard and senior pentester staffing align with CREST, CERT-In and ISO 27001. We deliver auditor-ready evidence packs for SOC 2 Type II, HIPAA / HITRUST, PCI-DSS 4.0, ISO 27001:2022 Annex A, NESA / DESC ISR (UAE), RBI / SEBI (India) and the EU AI Act. CERT-In empanelled coverage is available for Indian government, BFSI and PSU engagements where the empanelment letter is contractually required.

Question 6

Do you offer free retests and a customer-facing attestation?

Accepted Answer

Every StartSecure engagement includes at least one full retest within 30 days of the final report at no extra cost — so you can confirm that Critical and High findings are actually closed before you ship. After a successful retest, we issue a signed attestation letter you can share with enterprise customers, procurement teams and auditors to short-circuit security reviews.

Question 7

Which industries and sectors do you serve?

Accepted Answer

We serve regulated and security-conscious sectors globally: FinTech & banking, healthcare & healthtech, multi-tenant SaaS / B2B cloud, e-commerce & retail, Web3 / DeFi (smart contract audits + dApp pentesting), government & defense (CERT-In empanelled), AI / ML platforms (OWASP LLM Top 10, NIST AI RMF) and mobility / logistics (connected car, EV charging, fleet). Headquartered in Mumbai, India, delivering globally to the US, UK, UAE and APAC.

Question 8

How much does a penetration test from StartSecure cost?

Accepted Answer

Pricing is scope-driven, not seat-driven. A typical web application pentest starts around USD 4,500 for small scopes (single product, single role) and scales with the number of endpoints, user roles, integrations and compliance mapping required. Multi-asset, continuous PTaaS programmes are quoted as annual subscriptions. We share fixed-fee quotes within 24 hours of scoping — no surprise change orders. See our pricing page or book a free consultation.

Question 9

Is StartSecure based in India? Can you work globally?

Accepted Answer

Yes — StartSecure is headquartered in Mumbai, India, and our pentesters work with clients across the United States, United Kingdom, United Arab Emirates, Singapore and APAC. We support on-site delivery for sensitive Indian government, BFSI and defense scopes, and remote / hybrid delivery for global enterprise customers.

Pentestingthat hackerswould respect.

Offensive coverage across the stack

Web Application Pentest

API Pentest

Mobile App Pentest

Cloud Security Review

Network Pentesting

Source Code Review

Blockchain Pentest

Smart Contract Audit

A predictable engagement, every time

Scope & Threat Model

Manual Exploitation

Report & Video PoCs

Re-test & Attest

Engineers, not box-checkers

Built on global accreditations

Real-world findings, anonymized

IDOR → mass tenant data exposure

GraphQL alias-batching DoS

Cross-account privilege escalation

JWT 'none' algorithm bypass

AD CS template ESC1 abuse

Re-entrancy in cross-chain bridge

Trusted across regulated sectors

What security leaders say

Book a meeting with a senior pentester

Frequently asked questions

Ready to find what attackers will?