PCI-DSS Requirement 11.4. The external half, started today

Get the external half of PCI 11.4 moving — now.

PCI-DSS Requirement 11.4 calls for both external and internal penetration testing of the cardholder data environment. The external pentest is the part you can start today — self-serve, no scoping call, no quote. We test everything an attacker can reach across your CDE perimeter — payment pages, APIs, web apps, and remote-access gateways — using real exploitation, not just scanners. Buy online in minutes. Need the internal portion too? We can help — it just needs a few scoping questions first.

External 11.4 testing, self-serve. QSA-ready format. Full in-scope coverage. Honest published pricing.
Built for PCI-DSS 11.4 (External). Also aligned to SOC 2, ISO 27001, NYDFS, HIPAA, and CMMC.
15+ years of penetration testing experience
500+ clients served across major industry sectors
12 active professional certifications held
Fortune 500 client track record
Why PCI teams end up here

Your assessment window is open. Requirement 11.4 needs external and internal pentests. The external one shouldn't be what holds you up.

You're a merchant or service provider working an annual PCI-DSS assessment. Requirement 11.4 expects penetration testing of the cardholder data environment — external and internal. The internal test takes coordination: segmentation details, internal access, scoping questions that genuinely need a conversation. The external test doesn't. It's well-defined, repeatable work, and there's no good reason for it to sit in a procurement queue for six weeks while the assessment clock runs.

That's the point of this page. Start the external pentest today, self-serve, at honest published pricing — and take that piece of 11.4 off your critical path. We don't cover all of 11.4 out of the box, and we won't pretend to. When you're ready for the internal portion, contact us and we'll work through the scoping with you.

What audit-grade means

Five commitments that separate a real pentest from a quick-find scan.

"Audit-grade" is a category, not a slogan. It means the report holds up to your QSA's review, your acquirer's scrutiny, and your insurance underwriter — not because we say so, but because of what we commit to do on every engagement.

Retest from scratch

When you remediate, we retest everything from scratch, not just the listed findings. New issues that surfaced since the original test get reported too. The report is accurate as of the date issued, not just for the findings of record.

Full in-scope coverage

If you list it, we test it. Every service on every in-scope asset across the external CDE perimeter, including non-standard ports. We don't sample, we don't skip, we don't stop early because the scanner finished.

Multi-protocol depth

VPNs, firewalls, DNS, mail, APIs, proprietary protocols. We test what's actually exposed across the CDE perimeter, not just what scanners recognize as a web server.

Honest pricing

Published list pricing by the number of assets you want tested. No quote, no negotiation, no sales-rep discount theater. If we're running behind on capacity, we tell you before you pay, not after.

Self-serve external test

Answer a few quick questions, purchase, and receive your external report. No scoping call for the external pentest. The internal portion of 11.4 needs a short conversation first — that's the one exception.

Coverage, not quick wins

Bug-bounty and PtaaS testing chases quick wins. A QSA grades the external portion of 11.4 on whether your CDE perimeter was actually tested.

The cheap pentest options inside compliance platform marketplaces optimize for time-to-first-finding. They are excellent at surfacing the obvious. They are not designed to comprehensively test what's exposed across your scope. For PCI, a QSA reviewing your external testing wants to see the defined CDE perimeter tested in full — not a sample, and not scanner output relabeled as a pentest.

Quick-find testing

Bug-bounty and PtaaS researchers race for the first finding. Coverage of the rest of your scope isn't the goal of the system, and it isn't what gets reported.

Scanner-only testing

Automated tools find what they recognize. Anything beyond a web server — VPNs, firewalls, DNS, mail, APIs, proprietary protocols — is mostly missed. A vulnerability scan is not a penetration test, and your QSA knows it.

Audit-grade testing

Every service on every in-scope asset across the external CDE perimeter, including non-standard ports and non-web protocols. If you list it, we test it. The report is fully accurate as of the date issued.

Honest pricing

Published rates. No quotes. No sales calls.

PCI cardholder data environments tend to be larger than a typical startup footprint — multiple payment endpoints, APIs, a segmented perimeter, and supporting infrastructure. The mid-range brackets are common here. The full table is below.

How pricing works: The first asset covers the essential work every engagement requires — scoping, setup, validation, and reporting. Pricing scales with your environment from there. Count each public-facing host, IP, or cloud endpoint in or connected to your CDE that you want tested — they don't have to be contiguous or in the same network. If you have more than 256 assets, contact us. This pricing covers the external pentest; the internal portion of Requirement 11.4 is scoped separately.
Hosts, IPs, or cloud endpoints to test | Price   | Price per asset
1                                      | $4,995  | $4,995
2–4                                    | $7,995  | $1,999 – $3,997
5–8                                    | $10,995 | $1,374 – $2,199
17–32                                  | $25,995 | $812 – $1,529
33–64                                  | $36,995 | $578 – $1,121
65–128                                 | $52,995 | $414 – $815
129–256                                | $72,995 | $285 – $566

Manual validation included on every engagement. No false-positive reports. Fixed pricing designed for fast procurement. The time your team saves not managing a sales process has real value and gets you to a remediated state faster.

See it before you buy

The exact deliverable your QSA will see.

Download a full sample report. No email required, no pressure, no follow-up calls. The format is the format. If it's going to hold up against your QSA's review of the external testing portion of 11.4, you'll know in five minutes.

PCI-DSS FAQ

What PCI teams ask before they buy.

Does Pentest Express cover all of PCI-DSS Requirement 11.4?
No, and we won't pretend otherwise. PCI-DSS Requirement 11.4 calls for both external and internal penetration testing of the cardholder data environment. Pentest Express performs the external attack surface pentest — that's the half you can start today, self-serve, with no scoping call. For the internal portion, contact us: we can help, but internal testing of a CDE needs more scoping questions answered first, so it isn't a self-serve purchase. Buying the external test here moves a real piece of 11.4 forward; it does not, on its own, satisfy all of 11.4.
Will my QSA accept this report?
Our reports use an evidence-oriented format that documents scope, the assets tested, findings, and the date of testing, plus a signed Compliance Attestation Letter. QSAs reviewing the external testing portion of Requirement 11.4 want to see that the in-scope external attack surface was actually tested against a defined scope and that findings were tracked. That's what the deliverable is built to show. The sample report above is the exact format you'll receive.
How long does a PCI external pentest take?
For a typical external cardholder data environment, the testing window is one to three business days of active testing, plus reporting. Most customers have a final report in hand within two weeks of purchase. PCI environments are often larger than a typical startup footprint, so timelines scale with the number of in-scope assets. If your assessment deadline is close, choose the ASAP option in the order form and we'll start almost immediately.
What's "in scope" for a PCI external pentest?
Anything you list with a public IPv4 or IPv6 address that is part of, or connected to, the cardholder data environment — payment pages, APIs, web apps, mail, DNS, and especially your firewalls, VPNs, and remote-access gateways. The segmentation boundary and the systems exposed across it matter for PCI, so include the perimeter devices. If you list it, we test it.
Can you help with the internal pentest portion of 11.4?
Yes — but not as a self-serve purchase. Internal penetration testing of a cardholder data environment depends on segmentation details, internal access arrangements, and scoping questions that genuinely need a conversation before anyone quotes or schedules it. Email hello@pentestexpress.com and we'll work through the internal scoping with you. Start the external test here in the meantime so it isn't sitting on your critical path.
Do I need to schedule a call with sales?
Not for the external pentest. You select your scope from the published pricing table, complete checkout, and we begin. The internal portion of Requirement 11.4 does require a conversation first — email hello@pentestexpress.com for that. There's still no sales rep and no quote dance; just the scoping questions internal CDE testing actually requires.
Can our procurement team approve this without a custom SOW?
Yes — that's the design for the external pentest. Pricing is fixed and published. The standard authorization and rules-of-engagement are in our Terms of Service. For most merchants and service providers this is short enough that procurement clears it in days, not weeks.
What if I need a retest after remediation?
We retest everything from scratch, not just the listed findings. New issues that surfaced since the original engagement get reported too. Free retest within 14 days of report delivery. From day 15 through day 60, retest is 25% of the original test price. After 60 days, a full re-engagement is recommended because the environment has typically drifted enough that a fresh test is the honest answer.
What happens if you find something critical?
We notify your designated emergency contact immediately and pause testing if appropriate. We don't bury critical findings until the final report — you'll know about anything urgent in real time, with enough detail to start remediation while testing continues. When cardholder data is in the picture, that early warning matters.
Operated by senior practitioners

Pentest Express is built and operated by a senior practitioner team.

Founded by Trey Blalock — 15+ years of penetration testing experience, 12 active certifications, and engagements across Fortune 500 companies and federal agencies including the DIA, FBI, and NSA. Speaker at DefCon and MITRE ATT&CKcon. Two DHS CISA keynotes.

The brand carries the quality reputation, not any individual tester. Every report is held to the same standard, on every engagement, regardless of who performs it.

Read Trey's full background →
Get started

Ready to start your PCI external pentest?

Self-serve checkout for the external test. No call, no quote, no waiting. Need the internal portion of 11.4 too? Email us and we'll scope it with you.