
Pricing

Pay for targets, not for noise.

Here’s how Pentrova will be priced at launch — credits for flexibility, subscription for unlimited pentests, the full pipeline on every tier. Plans aren’t open for purchase yet; join the waitlist and we’ll confirm final pricing with you before you commit.

Pick the tier that matches your portfolio

Annual is our recommended cadence — Professional carries a better per-target rate when billed yearly. Need month-to-month flexibility? Switch to Monthly. Final pricing is confirmed during early-access onboarding.

  • Pay Per Pentest

    Per credit · volume discounts on larger packs

    Pay-as-you-go credits for unlimited targets. Buy a small pack to evaluate, scale up when you ship more — the per-credit price drops with volume.

    • Unlimited application targets
    • Credit packs in multiple sizes, priced per credit
    • Both pentest modes — Web App + API
    • Every in-pentest capability included
    • AI remediation guidance on every finding
    • Executive summary and per-finding evidence bundle
    • Retest window per credit
    • Credits valid for 365 days
  • Professional

    Most Popular
    Per target · subscription · billed annually

    Target-based unlimited pentests for product and AppSec teams shipping continuously.

    • Unlimited pentests per included target
    • Both pentest modes — Web App + API
    • Every in-pentest capability included
    • AI remediation, executive summaries, sensitive-data + cloud insights
    • Authenticated pentests and business-logic testing
    • Thirty-day retest window
    • Slack / Teams / Discord / Email / Webhook notifications
    • CI gating templates: GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure, Bitbucket

    30-day money-back guarantee

  • Enterprise

    Custom

    Custom pricing for organisations that need volume targets, RBAC pentesting, and a written DPA.

    • Everything in Professional
    • Volume target pricing across business units
    • RBAC and tenant-isolation pentest packages
    • Pentrova DPA, subprocessor list, and SCC posture
    • Custom retention and deletion policy
    • Custom support SLA

Feature comparison

Tiers gate scope — application targets, retest window, retention, and Enterprise-only services — not pipeline features. Every Pentrova engagement runs the full pipeline regardless of tier.

Pentrova pricing feature comparison by tier

Feature                                                                                | Pay Per Pentest | Professional (Recommended) | Enterprise
---------------------------------------------------------------------------------------|-----------------|----------------------------|--------------------
Scope and scale                                                                        |                 |                            |
  Application targets                                                                  | Pay-per-credit  | Per target                 | Volume / unlimited
  Pentest modes (Web App + API)                                                        |                 |                            |
Pipeline capabilities                                                                  |                 |                            |
  Adaptive test planner                                                                |                 |                            |
  Live-target finding verification                                                     |                 |                            |
  Sandbox PoC validation                                                               |                 |                            |
  Attack chain escalation (curated + dynamic)                                          |                 |                            |
  DOM XSS canary taint tracking                                                        |                 |                            |
  Authorization Matrix (multi-role replay)                                             |                 |                            |
  AI remediation guidance                                                              |                 |                            |
Distribution and operations                                                            |                 |                            |
  Notification destinations (Slack / Teams / Discord / Email / Webhook)                |                 |                            |
  CI gating templates (GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure, Bitbucket) |                 |                            |
  RBAC and tenant-isolation pentest packages                                           |                 |                            |
  Retest window per finding                                                            | 7 days          | 30 days                    | Custom
  Custom retention and deletion policy                                                 |                 |                            |


Total cost of ownership

Pentrova pricing is designed so procurement conversations stay short. Three promises carry every tier.

  • Two pricing shapes

    Pay-per-pentest credits when you want a small commitment to evaluate; per-target subscription when you want unlimited pentests on the same application.

  • Unlimited pentests on Professional

    Continuous pentests, CI gating, scheduled runs, and manual re-runs are all included on Professional. Pricing scales with included targets, never with pentest volume.

  • Retest window per finding

    Each fixed finding can be re-tested without burning a credit: seven days on Pay Per Pentest, thirty days on Professional, custom on Enterprise.

Talk to sales when procurement gets involved

List pricing covers the platform, the notification destinations, the CI templates, and the retest window. For Enterprise contracts — RBAC and tenant-isolation pentest packages, custom retention — we ship a written quote and a redlinable order form alongside the Pentrova DPA.

Sign up → Run → Evidence.

Pentrova is self-serve. Sign up, configure a target, and run your first pentest — no sales call required.

  1. Sign up

    Create a workspace, invite your team, and configure your first target in under five minutes.

  2. Run your first pentest

    Point Pentrova at a staging URL, pick an auth mode, and click Run. Pentrova handles crawl, testing, exploitation, and verification autonomously.

  3. Review evidence

    Open the chain report. Every confirmed finding ships with a replayable evidence bundle; Critical and High findings include a reproducible command and a response hash.

Frequently asked questions

  • How does Pentrova pricing work?
    Two pricing shapes. Pay Per Pentest is credit-based: buy a credit pack (volume discounts apply as the pack grows), each credit runs one pentest on one target, and credits are valid for 365 days. Professional is a per-target subscription for unlimited pentests on that target, available billed monthly or annually (annual carries the better rate). Enterprise is custom pricing for volume targets, RBAC packages, and a written DPA. Final pricing is confirmed during early-access onboarding before you commit.
  • Are some capabilities only available in higher tiers?
    The pipeline runs the same on every tier. Web App pentesting, API pentesting, Sandbox PoC, the Authorization Matrix, attack-chain escalation, and DOM XSS taint tracking are included regardless of tier. Tiers differ on scope (target count, retest window, retention) and Enterprise-only services (RBAC pentest packages, custom retention).
  • Who is Pentrova built for?
    AppSec, platform, and compliance teams in fintech, healthtech, AI-native SaaS, and other regulated domains. Reference calls are available on request once we have early customers live.
  • Can I try Pentrova without talking to sales?
    Yes. The four free tools at /tools/header-scanner, /tools/cors-checker, /tools/ssl-analyzer, and /tools/api-spec-linter run in-browser with no account. For a platform pentest, the smallest credit pack is the lowest-friction way to evaluate.
  • How do targets work and what counts as one?
    A target is one logical application — usually one base URL plus its API surface. A front-end and its API gateway pentested under shared auth count as one target. Staging and production of the same application count as one target.
  • How does Pentrova handle my data?
    Artifacts are encrypted at rest and in transit, payloads sent against the target are bounded by the sandbox-egress proxy and a hard URL/IP blocklist (RFC1918, link-local, cloud-metadata IPs), and retention is configurable per engagement. Full detail lives in the Trust Center.
  • What happens if I need to downgrade or cancel?
    Pay Per Pentest credits are non-refundable but valid for 365 days from purchase. Professional and Enterprise subscriptions can be cancelled per the governing terms; the workspace stays accessible to export evidence for thirty days after cancellation.
  • We already have a scanner — why add another tool?
    Most scanners score findings probabilistically, which is why AppSec queues grow faster than they shrink. Pentrova only publishes findings our verifier can reproduce, so you are not adding a second queue — you are retiring the unreproducible half of the first one. The product is engineered so backlog should shrink as Pentrova lands, not expand.
  • Aren't you too expensive compared to free open-source tools?
    Free scanners are excellent at what they do and we ship our own four free tools for that reason. Pentrova replaces the human hours teams spend triaging and reproducing probabilistic findings, not the scanners themselves. The pricing is set so a verified PoC bundle costs less than the engineering time a probabilistic queue would consume.
  • We're a ten-person team — isn't Pentrova overkill?
    Small teams are the teams that benefit most from deterministic proof, because they cannot afford to read every probabilistic alert. Starter pricing covers a single application, ships the same Sandbox PoC and chain catalog as Enterprise, and is sized so a founding engineer can adopt it without a procurement review.
  • Our auditor requires a pentest report — can Pentrova satisfy that?
    Pentrova generates a compliance-mapped PDF report plus a per-finding evidence bundle. Every finding is tagged to the relevant ISO 27001:2022, PCI DSS 4.0, HIPAA Security Rule, and GDPR controls so audit teams have the evidence per control.
  • Integrating yet another tool costs us weeks — how painful is Pentrova?
    Notification routing (Slack, Microsoft Teams, Discord, email, custom webhook) is a tenant-admin form, not custom code. CI gating ships as drop-in templates for GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure Pipelines, and Bitbucket.
  • Our stack is unusual — GraphQL, gRPC, WebSockets, Protobuf. Does Pentrova handle it?
    Pentrova parses OpenAPI, Postman, GraphQL, Protobuf, and WSDL natively, and authenticated sessions support bearer, API-key, basic, OAuth 2.0, custom script-driven schemes, and mTLS. Novel protocols drop in through the same schema the first-class integrations use, so an "unusual" stack is usually just a configuration file.
  • We already run manual pentests — why automate?
    Manual pentests produce excellent depth for a single point-in-time scope and we recommend running them alongside Pentrova, not in place of it. Pentrova covers the gap between engagements: continuous chain coverage, authorization replay, and deterministic artifacts that engineering can re-run any day of the quarter, not only on the week the pentester is booked.
  • Will running Pentrova break production?
    Destructive actions are held back in favour of read-only equivalents by default, engagements can be scoped per target, and customer data is redacted before any artifact leaves the scan host. Full-chain runs are designed for staging, with conservative runs in production.
  • Do you sell or train on our data?
    No. Customer scan data is never used to train models, never sold, and never shared with third parties beyond the named subprocessors. Artifacts are encrypted at rest and in transit, redacted by our sandbox before leaving the scan host, and retention is configurable per engagement.
  • What happens to our evidence if Pentrova shuts down?
    Every Pentrova evidence bundle is a self-contained, replayable artifact — it does not depend on the Pentrova control plane to re-run. If service ends, bundles stay accessible for export for thirty days and remain valid evidence in whatever ticketing or audit system they already live in. There is no lock-in on the artifact format.
  • How fast will my team see real value?
    Onboarding takes minutes: sign up, configure one target, and click Run. The first pentest typically surfaces two to four high-impact chains. Every finding ships with a replayable evidence bundle you can hand to engineering immediately.

Next step

Ready to talk to sales?

Share your portfolio and timeline. We come back with a quote, a deployment plan, and a sandbox target for trial.
