HIPAA Security Rule. Built for the evaluation expectation

The HIPAA pentest that strengthens your risk analysis.

Audit-grade external penetration testing for healthcare organizations and business associates. HIPAA doesn't name penetration testing as a required control — it requires a risk analysis and a periodic evaluation of your safeguards. A real external pentest is one of the strongest ways to satisfy that. We test everything an attacker can reach — patient portals, telehealth apps, APIs, mail, and your remote-access perimeter — using real exploitation, not just scanners. Honest published pricing. Buy online in minutes.

Supports risk analysis & evaluation · Dated, defensible evidence · Full in-scope coverage · Honest published pricing

Built for the HIPAA Security Rule. Also aligned to PCI-DSS, SOC 2, ISO 27001, NYDFS, and CMMC.
15+ years of penetration testing experience
500+ clients served across major industry sectors
12 active professional certifications held
Fortune 500 client track record
Why healthcare teams end up here

A payer or partner asked how you evaluate your security. Your risk analysis needs to be more than a spreadsheet.

You're a covered entity or a business associate. The HIPAA Security Rule requires you to perform a risk analysis and to periodically evaluate your technical and non-technical safeguards. It doesn't hand you a list that says "run a pentest" — but a self-assessed checklist is a weak answer when a payer's security team, a hospital's vendor review, or OCR asks how you actually know your safeguards work.

That's what this page is for. Honest pricing. Audit-grade testing. A dated, defensible report that turns "we think we're secure" into evidence you can put in your risk analysis and evaluation file — without a $30K boutique engagement or a six-week consulting cycle.

What audit-grade means

Five commitments that separate a real pentest from a quick-find scan.

"Audit-grade" is a category, not a slogan. It means the report holds up to a payer's security review, a hospital's vendor assessment, your insurance underwriter, and an OCR inquiry — not because we say so, but because of what we commit to do on every engagement.

Retest from scratch

When you remediate, we retest everything from scratch, not just the listed findings. New issues that surfaced since the original test get reported too. The report is accurate as of the date issued, which matters when your evaluation file needs a current picture.

Full in-scope coverage

If you list it, we test it. Every service on every in-scope asset, including non-standard ports. We don't sample, we don't skip, we don't stop early because the scanner finished.

Multi-protocol depth

VPNs, firewalls, DNS, mail, APIs, proprietary protocols. We test what's actually exposed around the systems that touch ePHI, not just what scanners recognize as a web server.

Honest pricing

Published list pricing by the number of assets you want tested. No quote, no negotiation, no sales-rep discount theater. If we're running behind on capacity, we tell you before you pay, not after.

Self-serve, no calls

Answer a few quick questions, purchase, and receive your report. No scoping call, no sales rep, no procurement-cycle drag.

Coverage, not quick wins

Bug-bounty and PtaaS testing chases quick wins.
A risk analysis isn't credible if it only reflects the obvious findings.

The cheap pentest options inside compliance platform marketplaces optimize for time-to-first-finding. They are excellent at surfacing the obvious. They are not designed to comprehensively test what's exposed across your scope. A HIPAA risk analysis that's built on partial testing is a risk analysis with blind spots — and blind spots around ePHI are exactly what OCR and breach litigation focus on.

Quick-find testing

Bug-bounty and PtaaS researchers race for the first finding. Coverage of the rest of your scope isn't the goal of the system, and it isn't what gets reported.

Scanner-only testing

Automated tools find what they recognize. Anything beyond a web server — VPNs, firewalls, DNS, mail, APIs, proprietary protocols — is mostly missed.

Audit-grade testing

Every service on every in-scope asset, including non-standard ports and non-web protocols. If you list it, we test it. The report is fully accurate as of the date issued — a defensible input to your risk analysis and evaluation.

Honest pricing

Published rates. No quotes. No sales calls.

Many healthcare practices and smaller business associates have a compact external attack surface — a patient portal, a scheduling or telehealth app, and a mail and DNS footprint. The first bracket covers the typical small case. The full table is below.

How pricing works: The first asset covers the essential work every engagement requires — scoping, setup, validation, and reporting. Pricing scales with your environment from there. Count each public-facing host, IP, or cloud endpoint you want tested — they don't have to be contiguous or in the same network. If you have more than 256 assets, contact us.
Hosts, IPs, or cloud endpoints to test    Price       Price per asset
2–4                                       $7,995      $1,999 – $3,997
5–8                                       $10,995     $1,374 – $2,199
9–16                                      $15,995     $1,000 – $1,777
17–32                                     $25,995     $812 – $1,529
33–64                                     $36,995     $578 – $1,121
65–128                                    $52,995     $414 – $815
129–256                                   $72,995     $285 – $566

Manual validation included on every engagement. No false-positive reports. Fixed pricing designed for fast procurement. The time your team saves not managing a sales process has real value and gets you to a remediated state faster.

See it before you buy

The exact deliverable for your evaluation file.

Download a full sample report. No email required, no pressure, no follow-up calls. The format is the format. If it's going to support your risk analysis and survive a payer's vendor review, you'll know in five minutes.

HIPAA FAQ

What healthcare teams ask before they buy.

Does HIPAA require a penetration test?
Not by name. The HIPAA Security Rule requires a risk analysis and a periodic technical and non-technical evaluation of your safeguards. It does not list penetration testing as a named, mandatory control. In practice, a penetration test is one of the strongest ways to satisfy the evaluation expectation and to inform an honest risk analysis — which is why most healthcare organizations and business associates run one. We'd rather be straight with you about that than imply a mandate that isn't in the regulation.
Will this report help with an OCR investigation or audit?
Our reports use an evidence-oriented format that documents scope, the assets tested, findings, and the date of testing, plus a signed Compliance Attestation Letter. If OCR or an auditor asks how you evaluate your technical safeguards, a dated, defensible external pentest report is concrete evidence that you tested rather than assumed. It supports your risk analysis and evaluation file. The sample report above is the exact format you'll receive.
How long does a HIPAA pentest take?
For a covered entity or business associate with a typical external attack surface, the testing window is one to three business days of active testing, plus reporting. Most customers have a final report in hand within two weeks of purchase. If a payer security review or BAA deadline is close, choose the ASAP option in the order form and we'll start almost immediately.
What's "in scope" for a HIPAA external pentest?
Anything you list with a public IPv4 or IPv6 address — patient portals, scheduling and telehealth apps, APIs, mail, DNS, and your firewalls, VPNs, and remote-access gateways. We strongly recommend including your perimeter and remote-access devices: over the past two years we've seen a sharp uptick in attackers reaching into networks through exactly those devices, and they're a frequent path toward systems that touch ePHI.
Why are you cheaper than a boutique pentest firm?
Most external network pentests are repeatable, well-defined work. They benefit from a senior tester following a rigorous process. They do not benefit from a sales process, a custom SOW, or a tiered platform. We removed the sales overhead, published the pricing, and pass the savings on. The testing itself is the same quality you'd get at a boutique — just without the procurement drag.
Do I need to schedule a call with sales?
No. You select your scope from the published pricing table, complete checkout, and we begin. If you have a question that's actually blocking the order, email hello@pentestexpress.com — but most teams move straight from pricing to purchase.
Can our compliance and procurement teams approve this without a custom SOW?
Yes — that's the design. Pricing is fixed and published. The standard authorization and rules-of-engagement are in our Terms of Service. For most healthcare organizations this is short enough that compliance and procurement can clear it in days, not weeks. A Business Associate Agreement can be put in place where the engagement requires one.
What if I need a retest after remediation?
We retest everything from scratch, not just the listed findings. New issues that surfaced since the original engagement get reported too. Free retest within 14 days of report delivery. From day 15 through day 60, retest is 25% of the original test price. After 60 days, a full re-engagement is recommended because the environment has typically drifted enough that a fresh test is the honest answer.
What happens if you find something critical?
We notify your designated emergency contact immediately and pause testing if appropriate. We don't bury critical findings until the final report — you'll know about anything urgent in real time, with enough detail to start remediation while testing continues. When ePHI exposure is on the line, that early warning matters.
Operated by senior practitioners

Pentest Express is built and operated by a senior practitioner team.

Founded by Trey Blalock — 15+ years of penetration testing experience, 12 active certifications, and engagements across Fortune 500 companies and federal agencies including the DIA, FBI, and NSA. Speaker at DefCon and MITRE ATT&CKcon. Two DHS CISA keynotes.

The brand carries the quality reputation, not any individual tester. Every report is held to the same standard, on every engagement, regardless of who performs it.

Read Trey's full background →
Get started

Ready to start your HIPAA pentest?

Self-serve checkout. No call, no quote, no waiting. Most teams go from this page to active testing in a few business days.