NYDFS Part 500. Built for the annual certification

The NYDFS 500.05 pentest your examiner will accept.

Audit-grade external penetration testing built for covered entities under 23 NYCRR Part 500. Section 500.05 requires penetration testing at least annually, scoped to your risk assessment. We test everything an attacker can reach from the internet (web apps, APIs, portals, mail, DNS, and your remote-access perimeter) using real exploitation, not just scanners. Honest published pricing. Buy online in minutes. No sales calls or quotes required.

Examiner-ready format · Dated testing evidence · Full in-scope coverage · Honest published pricing
Built for NYDFS Part 500. Also aligned to PCI DSS, SOC 2, ISO 27001, HIPAA, and CMMC.
15+ years of penetration testing experience
500+ clients served across major industry sectors
12 active professional certifications held
Fortune 500 client track record
Why covered entities end up here

The annual certification is coming due. Your risk assessment says you need a pentest. The clock started.

You're a covered entity: a bank, insurer, lender, or licensed financial services firm under New York DFS supervision. Section 500.05 requires penetration testing at least annually, scoped to your risk assessment, and under Section 500.17 your CISO and your highest-ranking executive have to be able to stand behind the annual certification of compliance. You don't need a security platform. You don't need a six-week scoping engagement with a consultancy. You need a real external pentest, in a format an examiner accepts, with a clear date on it.

That's what this page is for. Honest pricing. Audit-grade testing. A report that documents scope, coverage, and findings cleanly enough that it holds up when an examiner asks to see your testing evidence — because vague, scanner-only output is exactly what turns a routine exam into a finding.

What audit-grade means

Five commitments that separate a real pentest from a quick-find scan.

"Audit-grade" is a category, not a slogan. It means the report holds up to your examiner's review, your board's risk reporting, and your insurance underwriter — not because we say so, but because of what we commit to do on every engagement.

Retest from scratch

When you remediate, we retest everything from scratch, not just the listed findings. New issues that surfaced since the original test get reported too. The report is accurate as of the date issued — which matters when that date has to line up with your annual certification.

Full in-scope coverage

If you list it, we test it. Every service on every in-scope asset, including non-standard ports. We don't sample, we don't skip, we don't stop early because the scanner finished.

Multi-protocol depth

VPNs, firewalls, DNS, mail, APIs, proprietary protocols. We test what's actually exposed across the financial-services perimeter, not just what scanners recognize as a web server.

Honest pricing

Published list pricing by the number of assets you want tested. No quote, no negotiation, no sales-rep discount theater. If we're running behind on capacity, we tell you before you pay, not after.

Self-serve, no calls

Answer a few quick questions, purchase, and receive your report. No scoping call, no sales rep, no procurement-cycle drag.

Coverage, not quick wins

Bug-bounty and PtaaS testing chases quick wins. An examiner doesn't grade you on quick wins; they grade you on whether your defined scope was actually tested.

The cheap pentest options inside compliance platform marketplaces optimize for time-to-first-finding. They are excellent at surfacing the obvious. They are not designed to comprehensively test what's exposed across your scope. A NYDFS examiner — and your own CISO signing the annual certification — needs to know the defined scope was tested, not sampled.

Quick-find testing

Bug-bounty and PtaaS researchers race for the first finding. Coverage of the rest of your scope isn't the goal of the system, and it isn't what gets reported.

Scanner-only testing

Automated tools find what they recognize. Anything beyond a web server — VPNs, firewalls, DNS, mail, APIs, proprietary protocols — is mostly missed.

Audit-grade testing

Every service on every in-scope asset, including non-standard ports and non-web protocols. If you list it, we test it. The report is fully accurate as of the date issued, with the scope and date documented for your exam file.

Honest pricing

Published rates. No quotes. No sales calls.

Many smaller covered entities have a compact external attack surface — one or two portals, a mail and DNS footprint, and a remote-access perimeter. The first bracket covers the typical small case. The full table is below.

How pricing works: The first asset covers the essential work every engagement requires — scoping, setup, validation, and reporting. Pricing scales with your environment from there. Count each public-facing host, IP, or cloud endpoint you want tested — they don't have to be contiguous or in the same network. If you have more than 256 assets, contact us.
Hosts, IPs, or cloud endpoints to test    Price      Price per asset (range)
2–4                                       $7,995     $1,999 – $3,997
5–8                                       $10,995    $1,374 – $2,199
9–16                                      $15,995    $1,000 – $1,777
17–32                                     $25,995    $812 – $1,529
33–64                                     $36,995    $578 – $1,121
65–128                                    $52,995    $414 – $815
129–256                                   $72,995    $285 – $566

Manual validation is included on every engagement: every finding is confirmed by a tester before it goes in the report, so you don't receive unverified scanner output. Fixed pricing is designed for fast procurement. The time your team saves not managing a sales process has real value and gets you to a remediated state faster.

See it before you buy

The exact deliverable your examiner will see.

Download a full sample report. No email required, no pressure, no follow-up calls. The format is the format. If it's going to hold up in your next exam, you'll know in five minutes.

NYDFS FAQ

What covered entities ask before they buy.

Does NYDFS Part 500 require a penetration test?
Section 500.05 requires covered entities to conduct penetration testing of their information systems at least annually, by a qualified internal or external party, with the scope driven by the risk assessment. Under the Second Amendment to Part 500 (adopted November 2023), that testing must cover the information systems from both inside and outside their boundaries, and the earlier continuous-monitoring alternative to annual penetration testing no longer applies. Part 500 doesn't hand you a checklist of what to test; your own risk assessment decides the scope. An external attack surface pentest covers the internet-facing portion of that obligation and gives you dated evidence to put in front of your examiner; testing from inside the boundary is a separate exercise.
Will this report satisfy a NYDFS examiner?
Our reports use an evidence-oriented format that documents scope, the assets tested, findings, and the date of testing, plus a signed Compliance Attestation Letter confirming the engagement. Examiners — and your CISO, who has to stand behind the annual certification — are looking for proof that testing actually happened against a defined scope and that findings were tracked to remediation. That's exactly what the deliverable is built to show. The sample report above is the exact format you'll receive.
How long does a NYDFS pentest take?
For a covered entity with a typical external attack surface, the testing window is one to three business days of active testing, plus reporting. Most customers have a final report in hand within two weeks of purchase. If your annual certification deadline is close, choose the ASAP option in the order form and we'll start almost immediately.
What's "in scope" for a NYDFS external pentest?
Anything you list with a public IPv4 or IPv6 address — web apps, customer and partner portals, APIs, mail, DNS, and especially your firewalls, VPNs, and remote-access gateways. Because Part 500 scope is risk-assessment-driven, you decide what goes in. We strongly recommend including perimeter and remote-access devices — over the past two years we've seen a sharp uptick in attackers reaching into financial-services networks through exactly those devices, and we frequently find critical issues there.
Why are you cheaper than a boutique or Big 4 pentest?
Most external network pentests are repeatable, well-defined work. They benefit from a senior tester following a rigorous process. They do not benefit from a sales process, a custom SOW, or a tiered platform. We removed the sales overhead, published the pricing, and pass the savings on. The testing itself is the same quality you'd get from a premium firm — just without the procurement drag and the consulting-rate markup.
Do I need to schedule a call with sales?
No. You select your scope from the published pricing table, complete checkout, and we begin. If you have a question that's actually blocking the order, email hello@pentestexpress.com — but most teams move straight from pricing to purchase.
Can our procurement and vendor-management teams approve this without a custom SOW?
Yes — that's the design. Pricing is fixed and published. The standard authorization and rules-of-engagement are in our Terms of Service. For most covered entities this is short enough that vendor management and procurement can clear it without a multi-week negotiation cycle.
What if I need a retest after remediation?
We retest everything from scratch, not just the listed findings. New issues that surfaced since the original engagement get reported too. Free retest within 14 days of report delivery. From day 15 through day 60, retest is 25% of the original test price. After 60 days, a full re-engagement is recommended because the environment has typically drifted enough that a fresh test is the honest answer.
What happens if you find something critical?
We notify your designated emergency contact immediately and pause testing if appropriate. We don't bury critical findings until the final report — you'll know about anything urgent in real time, with enough detail to start remediation while testing continues. For a regulated financial institution, that early warning matters.
Operated by senior practitioners

Pentest Express is built and operated by a senior practitioner team.

Founded by Trey Blalock — 15+ years of penetration testing experience, 12 active certifications, and engagements across Fortune 500 companies and federal agencies including the DIA, FBI, and NSA. Speaker at DefCon and MITRE ATT&CKcon. Two DHS CISA keynotes.

The brand carries the quality reputation, not any individual tester. Every report is held to the same standard, on every engagement, regardless of who performs it.

Read Trey's full background →
Get started

Ready to start your NYDFS pentest?

Self-serve checkout. No call, no quote, no waiting. Most teams go from this page to active testing in a few business days.