ISO/IEC 27001. Built for Annex A 8.8 & 8.29 evidence

The ISO 27001 pentest your certification auditor will accept.

Audit-grade external penetration testing built to produce accepted evidence for ISO/IEC 27001 Annex A 8.8 (management of technical vulnerabilities) and 8.29 (security testing in development and acceptance). ISO 27001 doesn't print a verbatim "run a pentest" line, but a real pentest is what certification bodies accept as evidence for those controls. We test everything an attacker can reach on the internet-facing side of your ISMS boundary, including web apps, APIs, cloud endpoints, and your remote-access perimeter, using real exploitation rather than scanners alone. Honest published pricing. Buy online in minutes.

Evidence for Annex A 8.8 & 8.29 · Feeds your risk treatment · Full in-scope coverage · Honest published pricing
Built for ISO/IEC 27001. Also aligned to PCI DSS, SOC 2, NYDFS, HIPAA, and CMMC.

15+ years of penetration testing experience
500+ clients served across major industry sectors
12 active professional certifications held
Fortune 500 client track record

Why ISMS teams end up here

Your Stage 2 audit is scheduled. Your auditor will ask for evidence behind Annex A 8.8 and 8.29. The clock started.

You're driving an ISO 27001 certification — or keeping one alive through surveillance audits. Annex A 8.8 expects you to manage technical vulnerabilities, and 8.29 expects security testing. Your auditor isn't going to accept "we run scans" as the whole answer for an internet-facing ISMS scope. You don't need a security platform, and you don't need a six-week consulting engagement. You need a real external pentest, in a format your certification body recognizes, with a clear date on it.

That's what this page is for. Honest pricing. Audit-grade testing. A report that documents scope, coverage, and findings cleanly enough that it drops straight into your Statement of Applicability evidence and feeds your risk treatment process — because thin, scanner-only output is what turns a smooth audit into a nonconformity.

What audit-grade means

Five commitments that separate a real pentest from a quick-find scan.

"Audit-grade" is a category, not a slogan. It means the report holds up to your certification body's review, your customers' security questionnaires, and your insurance underwriter — not because we say so, but because of what we commit to do on every engagement.

Retest from scratch

When you remediate, we retest everything from scratch, not just the listed findings. New issues that surfaced since the original test get reported too. The report is accurate as of the date issued — which keeps your continual-improvement evidence honest.

Full in-scope coverage

If you list it, we test it. Every service on every in-scope asset, including non-standard ports. We don't sample, we don't skip, we don't stop early because the scanner finished.

Multi-protocol depth

VPNs, firewalls, DNS, mail, APIs, proprietary protocols. We test what's actually exposed across your ISMS boundary, not just what scanners recognize as a web server.

Honest pricing

Published list pricing by the number of assets you want tested. No quote, no negotiation, no sales-rep discount theater. If we're running behind on capacity, we tell you before you pay, not after.

Self-serve, no calls

Answer a few quick questions, purchase, and receive your report. No scoping call, no sales rep, no procurement-cycle drag.

Coverage, not quick wins

Bug-bounty and PtaaS testing chases quick wins. A certification auditor grades you on whether your ISMS scope was actually tested.

The cheap pentest options inside compliance platform marketplaces optimize for time-to-first-finding. They are excellent at surfacing the obvious. They are not designed to comprehensively test what's exposed across your scope. A certification body auditor looking at Annex A 8.8 and 8.29 wants to see the defined scope tested and the findings flowing into risk treatment — not a sample.

Quick-find testing

Bug-bounty and PtaaS researchers race for the first finding. Coverage of the rest of your scope isn't the goal of the system, and it isn't what gets reported.

Scanner-only testing

Automated tools find what they recognize. Anything beyond a web server — VPNs, firewalls, DNS, mail, APIs, proprietary protocols — is mostly missed.

Audit-grade testing

Every service on every in-scope asset, including non-standard ports and non-web protocols. If you list it, we test it. The report is fully accurate as of the date issued — defensible evidence for your Statement of Applicability.

Honest pricing

Published rates. No quotes. No sales calls.

Many organizations pursuing ISO 27001 have a tightly scoped ISMS boundary — one production app, a handful of cloud endpoints, a mail and DNS footprint. The first bracket covers the typical small case. The full table is below.

How pricing works: The first asset covers the essential work every engagement requires: scoping, setup, validation, and reporting. Pricing scales with your environment from there. Count each public-facing host, IP, or cloud endpoint you want tested; they don't have to be contiguous or in the same network. If you have more than 256 assets, contact us.

Hosts, IPs, or cloud endpoints to test    Price      Price per asset
2–4                                       $7,995     $1,999 – $3,997
5–8                                       $10,995    $1,374 – $2,199
9–16                                      $15,995    $1,000 – $1,777
17–32                                     $25,995    $812 – $1,529
33–64                                     $36,995    $578 – $1,121
65–128                                    $52,995    $414 – $815
129–256                                   $72,995    $285 – $566

Manual validation included on every engagement. No false-positive reports. Fixed pricing designed for fast procurement. The time your team saves not managing a sales process has real value and gets you to a remediated state faster.

See it before you buy

The exact deliverable your certification auditor will see.

Download a full sample report. No email required, no pressure, no follow-up calls. The format is the format. If it's going to slot into your ISMS evidence and satisfy your auditor, you'll know in five minutes.

ISO 27001 FAQ

What ISMS owners ask before they buy.

Does ISO 27001 require a penetration test?
ISO/IEC 27001 does not contain a verbatim line that mandates a penetration test. Annex A controls 8.8 (management of technical vulnerabilities) and 8.29 (security testing in development and acceptance) expect you to identify and address technical vulnerabilities and to test security. A penetration test is widely accepted by certification bodies as evidence for those controls. We're direct about the wording so you can document it correctly in your ISMS rather than claiming a mandate that isn't printed in the standard.
Will this report work as evidence for my ISO 27001 auditor?
Our reports use an evidence-oriented format that documents scope, the assets tested, findings, and the date of testing, plus a signed Compliance Attestation Letter. Certification body auditors want to see that technical vulnerability management and security testing actually happened against a defined scope, and that findings feed your risk treatment process. The deliverable is built to slot directly into your Statement of Applicability and ISMS evidence. The sample report above is the exact format you'll receive.
How long does an ISO 27001 pentest take?
For an organization with a typical external attack surface, the testing window is one to three business days of active testing, plus reporting. Most customers have a final report in hand within two weeks of purchase. If a Stage 2 certification audit or surveillance audit is close, choose the ASAP option in the order form and we'll start almost immediately.
What's "in scope" for an ISO 27001 external pentest?
Anything you list with a public IPv4 or IPv6 address — web apps, APIs, cloud endpoints, mail, DNS, and your firewalls, VPNs, and remote-access gateways. Align the scope with the systems inside your ISMS boundary. We strongly recommend including perimeter and remote-access devices — over the past two years we've seen a sharp uptick in attackers reaching into networks through exactly those devices, and we frequently find critical issues there.
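Before submitting a scope list, it is worth checking that every entry is an internet-routable IP literal and that duplicates and over-size blocks don't inflate the asset count. The following is an added example written for this page, not Pentest Express's own tooling: it parses a constructed scope list, rejects entries that can never be reached from the internet (RFC 1918, loopback, link-local, CGNAT, ULA, multicast), rejects hostnames that haven't been resolved yet, refuses CIDR blocks larger than the 256-asset ceiling mentioned above, and returns the de-duplicated billable addresses. The sample addresses are documentation ranges chosen for illustration, and the non-routable list is maintained by hand so that those documentation ranges count as public, as they would in a real scope.

```python
import ipaddress

# Address ranges that can never be reached from the public internet.
# Kept as an explicit list rather than relying on ipaddress.is_global, because
# is_global also excludes the documentation ranges (203.0.113.0/24, 2001:db8::/32)
# used in the constructed sample below.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

MAX_ASSETS = 256  # above this the page says to contact the vendor

# Constructed sample scope list (not a real customer scope). Trailing
# '#' comments are allowed and ignored by the parser.
SAMPLE_SCOPE = """
# constructed sample, not a real customer scope
203.0.113.10          # production web app
203.0.113.0/30        # VPN concentrator block
203.0.113.10          # duplicate entry; counted once
10.0.0.5              # internal address accidentally pasted in
192.168.1.0/24        # lab network, not reachable from the internet
2001:db8::1           # IPv6 mail host
app.example.com       # hostname; must be resolved to an IP first
198.51.100.0/22       # 1024 addresses, too large to bill per asset
"""


def classify_scope(scope_text):
    """Parse a newline-separated scope list into billable and rejected entries.

    Returns a dict with:
      billable   - sorted, de-duplicated public addresses that count as assets
      rejected   - (entry, reason) pairs for lines that should not be submitted
      over_limit - True when more than MAX_ASSETS billable addresses result
    """
    billable = set()
    rejected = []
    for raw in scope_text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            # strict=False accepts host bits set in a CIDR (e.g. 203.0.113.10/30)
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not an IP literal or CIDR; resolve hostnames first"))
            continue
        if net.num_addresses > MAX_ASSETS:
            rejected.append((entry, f"block has {net.num_addresses} addresses; "
                                    "list assets individually or contact the vendor"))
            continue
        # overlaps() returns False across IPv4/IPv6, so mixed checks are safe.
        if any(net.overlaps(blocked) for blocked in NON_ROUTABLE):
            rejected.append((entry, "not internet-routable; outside an external pentest scope"))
            continue
        billable.update(net)  # every address in the block becomes one asset

    ordered = sorted(billable, key=lambda a: (a.version, int(a)))
    return {
        "billable": [str(a) for a in ordered],
        "rejected": rejected,
        "over_limit": len(ordered) > MAX_ASSETS,
    }


if __name__ == "__main__":
    result = classify_scope(SAMPLE_SCOPE)
    print(f"{len(result['billable'])} billable assets:")
    for addr in result["billable"]:
        print("  ", addr)
    print("rejected entries:")
    for entry, reason in result["rejected"]:
        print(f"   {entry}: {reason}")
    if result["over_limit"]:
        print(f"more than {MAX_ASSETS} assets; contact the vendor for pricing")
```

The billable count this produces is the number you carry into the pricing table; the rejected list is what to fix before checkout, since internal addresses waste scope slots and unresolved hostnames cannot be tested as listed.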
Why are you cheaper than a boutique pentest firm?
Most external network pentests are repeatable, well-defined work. They benefit from a senior tester following a rigorous process. They do not benefit from a sales process, a custom SOW, or a tiered platform. We removed the sales overhead, published the pricing, and pass the savings on. The testing itself is the same quality you'd get at a boutique — just without the procurement drag.
Do I need to schedule a call with sales?
No. You select your scope from the published pricing table, complete checkout, and we begin. If you have a question that's actually blocking the order, email hello@pentestexpress.com — but most teams move straight from pricing to purchase.
Can our procurement team approve this without a custom SOW?
Yes — that's the design. Pricing is fixed and published. The standard authorization and rules-of-engagement are in our Terms of Service. For most organizations this is short enough that procurement clears it in days, not weeks.
What if I need a retest after remediation?
We retest everything from scratch, not just the listed findings. New issues that surfaced since the original engagement get reported too. Free retest within 14 days of report delivery. From day 15 through day 60, retest is 25% of the original test price. After 60 days, a full re-engagement is recommended because the environment has typically drifted enough that a fresh test is the honest answer.
What happens if you find something critical?
We notify your designated emergency contact immediately and pause testing if appropriate. We don't bury critical findings until the final report — you'll know about anything urgent in real time, with enough detail to start remediation while testing continues.
Operated by senior practitioners

Pentest Express is built and operated by a senior practitioner team.

Founded by Trey Blalock — 15+ years of penetration testing experience, 12 active certifications, and engagements across Fortune 500 companies and federal agencies including the DIA, FBI, and NSA. Speaker at DefCon and MITRE ATT&CKcon. Two DHS CISA keynotes.

The brand carries the quality reputation, not any individual tester. Every report is held to the same standard, on every engagement, regardless of who performs it.

Get started

Ready to start your ISO 27001 pentest?

Self-serve checkout. No call, no quote, no waiting. Most teams go from this page to active testing in a few business days.