Penetration testing, manual, fixed price, retest included.
A penetration test that is not a scanner. Conducted manually by an OSCP-certified specialist, with a report that both your board and your development team can use immediately. No surprise invoices, no vague findings, no loose ends.
A controlled attack on your systems, carried out by a human.
A penetration test, or pentest, is an authorised simulation of an attack on your web application, API or infrastructure. The goal is not to tick off a list of known vulnerabilities, but to investigate whether an attacker can actually get in and how far they get before anyone notices.
The difference from an automated vulnerability scan is fundamental. A scanner runs in minutes and finds known vulnerabilities with known signatures. A penetration test takes days to weeks and finds things scanners systematically miss: business logic flaws, authorisation bypasses, IDORs and vulnerabilities that arise from combining multiple small weaknesses. Read more about the difference in the article on what a penetration test actually entails.
Four guarantees, confirmed in writing upfront.
Manual test by a specialist
No scanner with a logo on it. One experienced tester (OSCP, eWPTxv2, MSc Cyber Security) works through your application the way an attacker would.
Fixed price based on scope
You know exactly what you pay before we start. No hourly billing, no surprise extras. Scope changes? We discuss it first, before anything changes in the quote.
Report your board can also use
Executive summary in plain language plus technical findings with reproduction steps. One report, two audiences, both served.
Retest included as standard
After patching I verify whether the findings have actually been resolved. You close the engagement with written proof for regulators, clients or your board.
Fixed price based on scope, no hourly billing.
All quotes at Resync are fixed prices. The price depends on the scope: the number of endpoints or subsystems, the type of test, the duration, and any compliance context (NIS2, ISO 27001, SOC 2). After a short intake you typically receive an initial indication within one business day.
We broadly work with three scope categories. These give guidance for your planning; the exact price follows intake.
| Scope | Typical application | Turnaround | Starting from |
|---|---|---|---|
| Compact | One web application or API with limited roles and endpoints, e.g. an MVP or internal dashboard. | 1–2 weeks | |
| Standard | SaaS product, municipal portal or healthcare application with multiple roles, API connections and authentication flows. | 2–3 weeks | |
| Extended | Complex platform with multiple applications, infrastructure, external chains or multi-tenant architecture. | 3–5 weeks | |
Included in the fixed price: intake, scoping, manual test, technical report, executive summary, prioritisation, and the retest after patching. No separately billed extras, no surprises.
Usable by your board and by your development team.
A pentest report that ends up in a drawer is money wasted. The Resync report is structured in three layers, suitable for both a CISO or board presentation and for a developer who wants to patch the same day.
Executive summary (1–2 pages)
- Risk overview in plain language, without jargon
- CVSS score and business impact per finding
- Strategic recommendations and compliance context (NIS2, GDPR, ISO 27001)
Technical findings
- Exact reproduction steps; a developer can follow every finding themselves
- Screenshots and HTTP request/response logs of the exploit
- Concrete code or configuration recommendation, not a generic OWASP link
- Prioritisation based on exploitability and impact
Retest & final declaration
- After patching: retest of all findings, included in the price
- Demonstrable final declaration towards regulators, clients or board
- Official proof of remediation, usable for SOC 2, ISO 27001 or NIS2 processes
Five steps. No surprises.
- Free intake call (Day 1): No-obligation introductory call. Scope, objectives and expectations agreed in writing before anything is scheduled.
- Fixed-price quote (Day 2–3): You know in advance what it costs and what you get. No hourly billing, no hidden extras.
- Manual pentest (Week 1–2): Fully manual. No automated scanner you could have run yourself.
- Clear report (End of week 2): Executive summary plus technical details with reproduction steps. Usable for both the CISO and the board.
- Retest included (After patching): After patching I verify whether the findings have actually been resolved. Clean close, no open questions.
A pentest tailored to your type of application.
Resync works with a consistent pentest methodology, but scope and focus differ by environment type. Below are the specialised service pages, each with context, examples and relevant compliance frameworks.
Answers to your key questions.
What does a penetration test cost?
At Resync every quote is a fixed price based on scope, no hourly billing. The price depends on the number of endpoints, the type of test and the duration. After a short intake you typically receive an initial indication within one business day. See also the pricing model above.
How often should I have a penetration test done?
Annually for stable applications, per release for rapidly changing applications, and always after a significant architectural change. For compliance-driven environments (NIS2, ISO 27001, SOC 2) annually is typically the minimum.
What is the difference between a pentest and a vulnerability scan?
A scanner runs automatically and finds known vulnerabilities with known signatures — useful, but known to everyone including your IT provider. A penetration test is conducted manually by a specialist and finds what scanners systematically miss: logic flaws, authorisation bypasses, IDORs and multi-step exploits. Both have their place, but they are not substitutes for each other. Full explanation in this article.
How long does a penetration test take?
A web application penetration test takes an average of 3 to 5 working days. Total turnaround from intake to completed report is typically 1 to 3 weeks. For extensive or complex environments this extends to 4–5 weeks. After intake you receive an exact schedule.
What do I get from a penetration test?
A report with (1) an executive summary in plain language, (2) technical findings with reproduction steps a developer can follow, (3) prioritisation by impact and exploitability, and (4) a retest after patching to demonstrate findings have been resolved. The retest is included as standard.
How is information kept confidential?
For every project we sign an NDA as standard before any technical detail is shared. All findings, system documentation and communications are subject to strict confidentiality. Data is not shared or stored beyond what is strictly necessary for the test.
Do smaller organisations need a penetration test too?
Yes. Smaller organisations in particular are popular targets, because attackers know there is less security capacity there. NIS2 also increasingly requires organisations, including SMEs and the public sector, to demonstrably have their security in order.
Ready for a penetration test that actually matters?
One conversation is enough to make scope, schedule and price concrete. Free intake, fixed-price quote, retest included. Response within 1 business day.