Audit-Grade Security Validation
From €539 to €12,000 · 5 clearly-defined tiers
Quick Answer
Optimum delivers independent penetration testing across five clearly-defined tiers, from automated Vulnerability Assessment (€539, 5 business days) to Enterprise SaaS Penetration Test (€8,000–12,000, 4–5 weeks). Every engagement produces a formal report with CVSS v3.1 vectors and scores, CWE classification, and a signed Attestation Letter accepted as evidence for ISO 27001 Annex A.8.29, SOC 2 CC4.1/CC7.1, and cyber insurance underwriter requirements. Methodology is aligned with OWASP WSTG v4.2, OWASP Top 10:2025, and the OWASP API Security Top 10 (2023).
Choose Your Tier
Five tiers designed for different compliance needs and platform complexity — from lightweight vulnerability assessment to enterprise-grade multi-tester engagements.
Web App Vulnerability Assessment
Automated + manual validation. Structured VA report. Suitable for ISO 27001 A.8.8.
Focused Web App Penetration Test
Single web app, manual exploitation. ISO 27001 Annex A.8.29 ready.
Standard Web App + API Pentest
Multi-tenant web app plus REST APIs, including cross-tenant isolation testing. Retest included.
Enterprise SaaS Penetration Test
Full scope, two-tester team, cloud + integrations included.
AI Red Team Pentest
LLM applications, prompt injection, attacks from the OWASP Top 10 for LLM Applications (2025).
Why Penetration Testing is No Longer Optional
Regulatory pressure. ISO/IEC 27001:2022 Annex A.8.29 (security testing in development and acceptance) requires that security testing be defined, performed and evidenced; independent penetration testing is the evidence auditors expect to see. SOC 2 auditors flag missing pen test reports under CC4.1 and CC7.1. GDPR Article 32(1)(d) lists "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing" among the measures a controller or processor is expected to implement.
Procurement pressure. Enterprise prospects increasingly demand pen test reports during vendor security review before signing contracts. Without recent, independent testing evidence, deals stall in procurement legal review for weeks — or fail entirely.
Insurance pressure. Cyber insurance underwriters now require pen test evidence before quoting favourable rates. Companies without a recent pen test report are declined coverage or quoted premiums 200–400% higher.
Who Requires This From You
- ISO/IEC 27001:2022 auditors — Annex A.8.29 evidence requirement
- SOC 2 auditors — Trust Services Criteria CC4.1, CC7.1, CC7.2
- Enterprise vendor security reviews — vendor risk assessment standard
- Cyber insurance underwriters — AIG, Hiscox, Beazley, Chubb, Travelers
- GDPR Article 32 — appropriate technical and organisational measures
- NIS2 Directive Article 21 — risk management measures for in-scope EU entities
- PCI DSS 4.0 Requirement 11.4 — for organisations handling cardholder data
Frequently Asked Questions
Will this be accepted as evidence by an ISO 27001 auditor?
Yes — our deliverables include the elements ISO 27001 auditors look for under Annex A.8.29 and A.8.8: independent testing, recognised methodology (OWASP, PTES, NIST), structured CVSS-scored findings, documented scope, signed Rules of Engagement, and signed Attestation Letter. We recommend confirming the specific scope with your auditor before engagement.
Are you CREST-accredited?
We are not a CREST-member firm. CREST currently has no local accreditation path in Moldova. We build credibility through OWASP-aligned methodology, named-tester accountability, ISO/IEC 27001-aligned controls (certification in progress, Q4 2026), and audit-grade reporting. If a customer specifically requires CREST membership, we will flag that upfront.
What's the difference between Vulnerability Assessment (€539) and Focused Pentest (€1,800)?
Vulnerability Assessment combines automated scanning with manual validation of high-severity findings only. Focused Pentest is a real manual penetration test: all findings are exploited where it is safe to do so, business logic flaws are tested, and authorisation controls are challenged. VA is sufficient where a regulation accepts "regular vulnerability testing"; a Pentest is required where a regulation specifies "penetration test".
Do you sign DPAs and NDAs?
Yes. A mutual NDA is signed before any technical disclosure. A DPA is signed where personal data is in scope. We are GDPR processor-ready under signed DPAs for EU and UK clients (UK GDPR compliant; EU Standard Contractual Clauses available for transfers to Moldova).
What is your typical lead time?
Subject to current engagement load, active testing typically starts 3–4 weeks after Statement of Work signature. For urgent engagements (compliance deadlines, contract negotiations), we can frequently accommodate faster starts.
Where is testing performed?
All testing is performed by named, employed Optimum engineers from our Chișinău office. We do not subcontract. All target-facing traffic originates from a single, pre-disclosed source IP address. Reports and evidence are stored on encrypted Optimum infrastructure.
Request a Scoping Call
30-minute call to confirm scope, timeline, and the right tier for your compliance requirement. No obligation.
