CMMC. Built to support your assessment readiness

An external pentest that supports your CMMC readiness.

Audit-grade external penetration testing for DoD and DIB contractors preparing for CMMC. To be clear: a pentest does not make you CMMC compliant, and we are not a C3PAO. NIST SP 800-171 has no standalone penetration testing control. What a real external pentest does is support your security assessment (CA) and risk assessment (RA) practices and your overall readiness — testing what an attacker can reach across your perimeter before an assessor reviews it. Honest published pricing. Buy online in minutes.

Supports CA and RA practices. Not a C3PAO: readiness support. Full in-scope coverage. Honest published pricing.

Built to support CMMC readiness. Also aligned to PCI-DSS, SOC 2, ISO 27001, NYDFS, and HIPAA.
15+ years of penetration testing experience
500+ clients served across major industry sectors
12 active professional certifications held
Fortune 500 client track record
Why DIB contractors end up here

A prime asked about your CMMC status. You're working toward it — and you want to know your exposure before an assessor does.

You're a defense contractor or a supplier in the Defense Industrial Base, handling CUI and working toward a CMMC posture against NIST SP 800-171. Here's the honest framing: a penetration test will not make you compliant, and we are not a C3PAO — CMMC status is determined by assessment, not by buying a test. NIST SP 800-171 doesn't even contain a standalone "run a pentest" control.

What a real external pentest does is make you ready. The CA (security assessment) and RA (risk assessment) practices expect you to assess controls and identify risk. A defensible external pentest gives you concrete evidence for that work and shows you what an attacker can reach across your perimeter — so you fix it on your timeline, not under assessment pressure. That's what this page is for. Honest pricing. Audit-grade testing. Readiness support, described honestly.

What audit-grade means

Five commitments that separate a real pentest from a quick-find scan.

"Audit-grade" is a category, not a slogan. It means the report holds up as readiness evidence for your team, your prime contractor's review, and your eventual assessor — not because we say so, but because of what we commit to do on every engagement.

Retest from scratch

When you remediate, we retest everything from scratch, not just the listed findings. New issues that surfaced since the original test get reported too. The report is accurate as of the date issued, which keeps your readiness evidence current.

Full in-scope coverage

If you list it, we test it. Every service on every in-scope asset, including non-standard ports. We don't sample, we don't skip, we don't stop early because the scanner finished.

Multi-protocol depth

VPNs, firewalls, DNS, mail, APIs, proprietary protocols. We test what's actually exposed around the boundary that handles CUI, not just what scanners recognize as a web server.

Honest pricing

Published list pricing by the number of assets you want tested. No quote, no negotiation, no sales-rep discount theater. If we're running behind on capacity, we tell you before you pay, not after.

Self-serve, no calls

Answer a few quick questions, purchase, and receive your report. No scoping call required to order — though CMMC scoping can be involved, so email us first if you want help getting the boundary right.

Coverage, not quick wins

Bug-bounty and PtaaS testing chases quick wins.
Readiness isn't about quick wins — it's about knowing your real exposure before an assessor does.

The cheap pentest options inside compliance platform marketplaces optimize for time-to-first-finding. They are excellent at surfacing the obvious. They are not designed to comprehensively test what's exposed across your scope. For a DIB contractor handling CUI, partial testing means partial readiness — and the gaps you didn't test are exactly the ones that surface at the worst time.

Quick-find testing

Bug-bounty and PtaaS researchers race for the first finding. Coverage of the rest of your scope isn't the goal of the system, and it isn't what gets reported.

Scanner-only testing

Automated tools find what they recognize. Anything beyond a web server — VPNs, firewalls, DNS, mail, APIs, proprietary protocols — is mostly missed.

Audit-grade testing

Every service on every in-scope asset, including non-standard ports and non-web protocols. If you list it, we test it. The report is fully accurate as of the date issued — defensible evidence supporting your CA and RA practices.

Honest pricing

Published rates. No quotes. No sales calls.

CMMC scoping varies widely by contractor — the size of your external attack surface depends entirely on how your CUI boundary is drawn. Rather than push you toward a bracket, we'd rather you scope it right. Count your in-scope external assets, or email us to talk it through first. The full table is below.

How pricing works: The first asset covers the essential work every engagement requires — scoping, setup, validation, and reporting. Pricing scales with your environment from there. Count each public-facing host, IP, or cloud endpoint you want tested — they don't have to be contiguous or in the same network. If you have more than 256 assets, contact us. Because CMMC scoping can be involved, email hello@pentestexpress.com if you want help getting the boundary right before you order.
Hosts, IPs, or cloud endpoints to test    Price      Price per asset
1                                         $4,995     $4,995
2–4                                       $7,995     $1,999 – $3,997
5–8                                       $10,995    $1,374 – $2,199
9–16                                      $15,995    $1,000 – $1,777
17–32                                     $25,995    $812 – $1,529
33–64                                     $36,995    $578 – $1,121
65–128                                    $52,995    $414 – $815
129–256                                   $72,995    $285 – $566

Manual validation included on every engagement. No false-positive reports. Fixed pricing designed for fast procurement. The time your team saves not managing a sales process has real value and gets you to a remediated state faster.

See it before you buy

The exact deliverable for your readiness file.

Download a full sample report. No email required, no pressure, no follow-up calls. The format is the format. If it's going to support your CA and RA evidence and stand up to a prime's review, you'll know in five minutes.

CMMC FAQ

What DIB contractors ask before they buy.

Does a penetration test make my company CMMC compliant?
No. A penetration test does not make any company CMMC compliant, and Pentest Express is not a C3PAO. CMMC status is determined by an assessment against NIST SP 800-171 — conducted by an authorized assessor, or through self-assessment where that applies. NIST SP 800-171 does not contain a standalone penetration testing control. What a real external pentest does is support assessment readiness: it produces concrete evidence that helps with your security assessment and risk assessment practices, and it surfaces internet-facing exposure before an assessor does.
Are you a C3PAO? Can you assess or certify us?
No. Pentest Express is not a C3PAO and does not perform CMMC assessments or certifications. We are a penetration testing provider. Our role is to help you get ready: a defensible external pentest gives you evidence and a clear picture of your internet-facing exposure before you engage a C3PAO or complete a self-assessment. Anyone telling you a single purchase makes you "CMMC certified" is not being straight with you.
How does an external pentest support CMMC assessment readiness?
NIST SP 800-171 includes security assessment (CA) and risk assessment (RA) practices that expect you to assess your controls and identify risk. A penetration test is one of the strongest forms of evidence for that work: it tests your internet-facing systems against real exploitation rather than assumptions, and the report documents scope, findings, and date. It supports those practices and your readiness — it does not replace the assessment itself.
What's "in scope" for a CMMC-readiness external pentest?
Anything you list with a public IPv4 or IPv6 address — web apps, APIs, portals, mail, DNS, and your firewalls, VPNs, and remote-access gateways. Align scope with the boundary around the systems that store, process, or transmit CUI. Because CMMC scoping is specific to your environment, decide carefully what to include — and email hello@pentestexpress.com if you want to talk through it before ordering.
Do I need to schedule a call with sales?
No sales call is required to order the external pentest. CMMC scoping can be involved, though, so if you're unsure what to include relative to your CUI boundary, email hello@pentestexpress.com first and we'll help you get the scope right before you purchase. There's still no sales rep and no quote dance.
Why are you cheaper than a boutique or Big 4 pentest?
Most external network pentests are repeatable, well-defined work. They benefit from a senior tester following a rigorous process. They do not benefit from a sales process, a custom SOW, or a tiered platform. We removed the sales overhead, published the pricing, and pass the savings on. The testing itself is the same quality you'd get from a premium firm — just without the procurement drag and the consulting-rate markup.
What if I need a retest after remediation?
We retest everything from scratch, not just the listed findings. New issues that surfaced since the original engagement get reported too. Free retest within 14 days of report delivery. From day 15 through day 60, retest is 25% of the original test price. After 60 days, a full re-engagement is recommended because the environment has typically drifted enough that a fresh test is the honest answer.
What happens if you find something critical?
We notify your designated emergency contact immediately and pause testing if appropriate. We don't bury critical findings until the final report — you'll know about anything urgent in real time, with enough detail to start remediation while testing continues. When CUI is in the picture, that early warning matters.
Operated by senior practitioners

Pentest Express is built and operated by a senior practitioner team.

Founded by Trey Blalock — 15+ years of penetration testing experience, 12 active certifications, and engagements across Fortune 500 companies and federal agencies including the DIA, FBI, and NSA. Speaker at DefCon and MITRE ATT&CKcon. Two DHS CISA keynotes.

The brand carries the quality reputation, not any individual tester. Every report is held to the same standard, on every engagement, regardless of who performs it.

Get started

Ready to support your CMMC readiness?

Self-serve checkout. No call required to order. If your CUI boundary makes scoping unclear, email us first and we'll help you get it right.