Now open for engagements

Audit-grade penetration testing you can start in minutes.

Honest pricing. Real external attack surface pentesting. We test everything an attacker can reach: web apps, APIs, cloud endpoints and network services using real exploitation, not just scanners. Aligned to PCI-DSS, SOC 2, NYDFS Cybersecurity, HIPAA, and CMMC. Buy online in minutes. No sales calls, no quotes.

Retest from scratch · Full in-scope coverage · Multi-protocol depth · Honest published pricing
Aligned to PCI-DSS · SOC 2 · NYDFS · HIPAA · CMMC
Performed by a GPEN · GWAPT · GCPN · GCTI · GPCS · CISSP certified tester
15+ years of penetration testing experience
500+ clients served across major industry sectors
12 active professional certifications held
Fortune 500 client track record

What audit-grade means

Five commitments that separate a real pentest from a quick-find scan.

"Audit-grade" is a category, not a slogan. It means the report holds up to an auditor's scrutiny, an underwriter's review, and your prospect's security team. Not because we say so, but because of what we commit to do on every engagement.

Retest from scratch

When you remediate, we retest everything from scratch, not just the listed findings. New issues that surfaced since the original test get reported too. The report is accurate as of the date issued, not just for the findings of record.

Full in-scope coverage

If you list it, we test it. Every service on every in-scope asset, including proprietary protocols. We don't sample, we don't skip, we don't stop early because we had good findings in an early round of testing.

Multi-protocol depth

VPNs, firewalls, DNS, mail, APIs, proprietary protocols. We test what's actually exposed, not just what scanners recognize as a web server.

Honest pricing

Published list pricing by the number of assets you want tested. No quote, no negotiation, no sales-rep discount theater. If we're running behind on capacity, we tell you before you pay, not after.

Self-serve, no calls

Answer a few quick questions, purchase, and a few days later you receive your report. No scoping call, no sales rep, no procurement-cycle drag. We are happy to go over the report on a video call afterwards, but our goal is to deliver the results you need quickly.

Coverage, not quick wins

Bug-bounty and PtaaS testing chases quick wins.
Audits don't grade you on quick wins; they grade you on coverage.

Crowd-sourced bug-bounty platforms, Pentest-as-a-Service marketplaces, and AI-driven scanners all optimize for time-to-first-finding. They are excellent at surfacing the obvious. They are not designed to comprehensively test what's exposed across your scope. Auditors and insurance underwriters know the difference. So do we.

Quick-find testing

Bug-bounty and PtaaS researchers race for the first finding. Coverage of the rest of your scope isn't the goal of the system, and it isn't what gets reported.

Scanner-only testing

Automated tools find what they recognize. Anything beyond a web server (VPNs, firewalls, DNS, mail, APIs, proprietary protocols) is mostly missed, or lightly tested at best.

Audit-grade testing

Every service on every in-scope asset, including non-standard ports and non-web protocols. If you list it, we test it. The report is accurate as of the date issued, not just for the findings of record from a previous report.

Honest pricing

Fixed scope. Published rates. No surprises.

Priced by the number of assets you want tested — hosts, IPs, or cloud endpoints — so you only pay for your actual environment. Manual validation is included on every engagement and we don't report false positives.

How pricing works: The first asset covers the essential work every engagement requires such as scoping, setup, validation, and reporting. Pricing scales with your environment from there. You're paying for additional work, not hidden overhead. Count each public-facing host, IP, or cloud endpoint you want tested — they don't have to be contiguous or in the same network. Feel free to contact us if you have questions or if you have more than 256 assets.

Hosts, IPs, or cloud endpoints to test   Price     Price per asset
1                                        $4,995    $4,995
2–4                                      $7,995    $1,999 – $3,997
5–8                                      $10,995   $1,374 – $2,199
9–16                                     $15,995   $1,000 – $1,777
33–64                                    $36,995   $578 – $1,121
65–128                                   $52,995   $414 – $815
129–256                                  $72,995   $285 – $566

Manual validation included on every engagement. No false-positive reports. Fixed pricing designed for fast procurement. The time your team saves not managing a sales process has real value and will get you to a remediated state faster.

Simple process

From purchase to report in five steps.

Every step is designed to be fast and low-friction. Most customers are in active testing within five business days of purchase.

Choose your scope

Select the IP range that matches your environment from our published pricing tiers. No scope negotiation, no custom quotes. Just pick what fits.

Complete your purchase

Self-serve checkout via Stripe. No PO required for standard tiers. Payment confirms your engagement immediately.

Confirm scope and schedule

We'll reach out within one business day to confirm your target systems, rules of engagement, emergency contacts, and testing window.

Testing occurs

Active testing during the agreed window. Your designated emergency contact remains reachable throughout. We pause immediately if anything unexpected arises.

Receive your report

Professional deliverables: executive summary, technical findings, risk ratings, remediation guidance, and compliance attestation delivered within five business days of test completion. We can also schedule a video call to review the report and answer any questions you have. We are also happy to do separate technical and board-ready video calls if needed.

What you receive

No surprises. Every engagement includes all of this.

We don't tier our deliverables. Every customer at every scope level receives the same professional reporting package.

Executive Summary

A non-technical narrative written for leadership, boards, and auditors. Summarizes risk posture, key findings, and recommended priorities.

Included

Technical Findings Report

Every identified vulnerability documented with evidence, affected systems, attack path, and technical context. Written for your security and engineering teams.

Included

Risk Ratings

Each finding rated Critical, High, Medium, or Low with CVSS scores where applicable. Clear, consistent risk language your auditors recognize.

Included

Remediation Guidance

Step-by-step remediation recommendations for every finding, prioritized by risk level and tailored to your specific environment.

Included

Compliance Attestation Letter

A signed attestation letter which includes scope and testing coverage. Formatted for submission to auditors reviewing PCI-DSS, SOC 2, NYDFS, HIPAA, or CMMC requirements.

Included

Expert Recommendations

Practitioner-level guidance drawn from direct observation of your environment and prioritized next steps written by the tester who found the issues, not a templated checklist.

Included

Reduce risk before you buy

See the deliverable format before committing.

Download a full sample report. No email required, no pressure, no follow-up calls. We believe you should know exactly what you're buying before you buy it.


FAQ

Common questions, answered directly.

Do I need a sales call to get started?
No. Everything is self-serve. You select your scope from the published pricing table, complete your purchase, and we start the process. No calls, no quotes, no waiting on a rep.
What compliance frameworks does your testing support?
Our reports and attestation letters are designed to satisfy penetration testing requirements for PCI-DSS, SOC 2, NYDFS, HIPAA, and CMMC. Each deliverable uses the documentation format auditors expect and includes a signed attestation letter confirming scope and testing details.
How long does testing take?
Testing windows vary by scope. A single-IP engagement typically takes one to three business days of active testing. Larger scopes (64+ IPs) may require five to ten business days. We'll confirm your specific timeline before testing begins. Most customers have a report in hand within two weeks of purchase.
Can I see a sample report before I buy?
Yes, and we encourage it. You can download a full sample report directly from this page. No email address required, no strings attached.
What if my environment includes cloud infrastructure (AWS, Azure, GCP)?
Cloud-hosted systems are in scope and very common. Before testing begins, you may want to confirm authorization with your cloud provider. Most major providers allow non-destructive penetration testing without prior notification or have a simple penetration testing approval process.
Who actually performs the testing?
Currently all testing is performed by Trey Blalock: a distinguished penetration tester with fifteen-plus years of experience, thousands of engagements across Fortune 500 companies and federal agencies, and over twelve active professional certifications including CISSP, GPEN, GWAPT, and GCPN. You are not being handed off to a junior team.
How does scheduling work after I purchase?
One of the questions when you sign up determines how soon we start. If you are in a rush, choose the ASAP option and we will begin almost immediately. If we are experiencing high volumes that may delay things, we will update the sign-up form to let you know before you purchase.
What systems can I include in scope?
Anything with a public IPv4 or IPv6 address. The IPs don't need to be contiguous. It's best to send us the hostnames, but IP addresses work well. One thing that is important to include is your firewalls, VPNs and routers: in the past two years we've seen a huge uptick in attackers accessing networks through firewalls, and we frequently find critical issues on these devices.
What is your refund policy?
No matter what the issue is, contact us immediately; some things are easy to resolve, but we need to know quickly. If testing has not begun, you may be eligible for a refund minus a 10% administrative fee, at our discretion. Once our team has begun work, including pre-engagement reconnaissance, scoping, or active testing — all sales are final. See our Terms of Service for the full policy.
Do you offer retesting after remediation?
Yes, and we retest everything from scratch, not just the listed findings. New issues that surfaced since the original engagement get reported too. The report stays accurate as of the date issued. Free retest within 14 days of report delivery. From day 15 through day 60, retest is 25% of the original test price. After 60 days, a full re-engagement is recommended because the environment has likely drifted enough that a fresh test is the honest answer.
Who you're working with

Built and operated by a senior practitioner.

Pentest Express is built around a disciplined, practitioner-first mindset: deliver a strong quality baseline, keep scope and pricing clear, and avoid adding complexity customers didn't ask for.

Trey Blalock is a highly respected senior penetration tester who has performed extensive work across almost every major security domain for some of the world's largest corporations and governments. His background combines hands-on technical depth, large-scale security operations, and extensive speaking and training experience across advanced security topics.

Over fifteen years of experience providing penetration testing and assessment services to hundreds of clients in the financial, government, retail, chemical, aviation, oil & gas, medical, educational, legal, telecom, and law enforcement sectors.

He has trained numerous Fortune 100 companies, consulting firms, and federal agencies including the DIA, FBI, and NSA on network security, system security, attack and penetration testing, and cloud security. He has performed thousands of penetration tests for Fortune 500 companies globally across various infrastructure devices, operating systems, protocols, and applications.

Trey speaks frequently about advanced security topics at financial institutions and Fintech conferences in the US, Europe, and Africa. He has spoken at DefCon and MITRE ATT&CKcon, and delivered two keynotes at the Department of Homeland Security's annual CISA conferences. He currently serves on several forensic, red-team, and penetration-testing advisory boards, and is a frequent television and podcast guest.

Credentials

Professional certifications.

Active certifications held across penetration testing, cloud security, forensics, risk management, and compliance.

GWAPT GIAC Web Application Penetration Tester #3845
GCPN GIAC Certified Cloud Penetration Tester #1349
GPEN GIAC Certified Penetration Tester #2089
GCTI GIAC Cyber Threat Intelligence #1977
GPCS GIAC Public Cloud Security #64
GCFA GIAC Certified Forensic Analyst #355
CISA Certified Information Systems Auditor #0862743
CISM Certified Information Systems Manager #0910809
CRISC Certified in Risk and Information Systems Control #1620233
CDPSE Certified Data Privacy Solution Engineer #2007933
CISSP Certified Information Systems Security Professional #11246
SSCP Systems Security Certified Practitioner #23259
NSA‑IAM NSA Information Assessment Methodology certified 09/13/2002

Get in touch

Ready to get started, or have a question?

Start your test now through our self-serve checkout, or email us directly if you have questions before committing. We respond fast.