Penetration testing engagements for regulated industries.

Every engagement is led by a senior Watch Owl Labs operator and accelerated by Hoot, our self-hosted AI security agent. Every finding is reviewed and validated by the operator before it reaches you — and every report is audit-ready. Transparent pricing below.

[ PRINCIPLE ]

The agent finds. The operator decides.

Audit pentests, mapped to your framework.

When a compliance framework requires a penetration test, the report has to map to the controls your auditor checks. These engagements are built around that.

ENG.PCI · v.2026.04
5–10 days

PCI DSS Annual Pentest

Satisfy PCI DSS v4.0.1 Requirement 11.4.

  • External + internal penetration testing of the CDE
  • Segmentation testing to validate scope boundaries
  • Findings mapped to PCI DSS v4.0.1 Requirement 11.4
  • Executive summary + technical report your QSA will accept
  • Retests included for HIGH and CRITICAL findings

Best for / Fintech, payment processors, and e-commerce undergoing a PCI DSS assessment or post-significant-change testing.

Frameworks / PCI DSS v4.0.1 · Requirement 11.4

From$15,000Details
ENG.SOC2 · v.2026.04
5–10 days

SOC 2 Pentest Evidence

Penetration test evidence for your SOC 2 Type II.

  • Application, API, and cloud penetration testing
  • Findings mapped to TSC CC4.1, CC6.1, CC7.1, CC7.2
  • Evidence package formatted for your SOC 2 auditor
  • Executive summary for non-technical reviewers
  • Retests included for HIGH and CRITICAL findings

Best for / B2B SaaS, fintech, and healthtech selling into enterprise and working through a SOC 2 Type II audit.

Frameworks / SOC 2 · TSC CC4.1, CC6.1, CC7.1

From$15,000Details
ENG.HIPAA · v.2026.04
5–10 days

HIPAA Security Assessment

Pentest aligned to the HIPAA Security Rule.

  • Application, API, and infrastructure penetration testing
  • PHI exfiltration and access-control testing
  • Findings referenced to HIPAA Security Rule 164.312
  • BAA signed before any engagement involving PHI
  • Retests included for HIGH and CRITICAL findings

Best for / Covered entities, business associates, and healthtech preparing for a HIPAA assessment or customer security review.

Frameworks / HIPAA Security Rule · 164.312

From$15,000Details
ENG.AI · v.2026.04
5–7 days

AI Red Teaming

Adversarial testing for LLM and agent products.

  • Prompt injection (direct + indirect) and jailbreak testing
  • RAG poisoning and data-exfiltration testing
  • Agent abuse: tool confused-deputy, sandbox escape
  • Model API authorization, billing, and rate-limit testing
  • Findings mapped to OWASP LLM Top 10 + NIST AI RMF

Best for / LLM-powered SaaS, RAG products, and autonomous agents — pre-launch or after a major model or prompt change.

Frameworks / OWASP LLM Top 10 · NIST AI RMF

From$15,000Details

Pentests for the moment that forced the search.

Sometimes the driver isn't a framework — it's an investor, an enterprise prospect, or a launch deadline. These engagements are scoped and priced for that.

ENG.FUND · v.2026.04
5 days

Pre-Fundraise Pentest

Pentest evidence for investor due diligence.

  • Application + API penetration testing
  • Attack chain analysis with working HTTP proof
  • Investor-ready executive summary
  • Prioritized remediation roadmap
  • One retest round after remediation

Best for / Startups raising a round where investors are asking about security posture and want recent pentest evidence.

Frameworks / OWASP Top 10 · PTES

From$10,000Book call
ENG.DEAL · v.2026.04
5 days

Pre-Enterprise Deal Pentest

Clear the security questionnaire blocking your deal.

  • Application + API penetration testing
  • Evidence formatted to attach to security questionnaires
  • Attestation letter for your prospect's security team
  • Prioritized remediation guidance
  • One retest round after remediation

Best for / Teams whose enterprise prospect just asked for a recent third-party pentest before signing.

Frameworks / OWASP Top 10 · SOC 2 TSC

From$10,000Book call
ENG.SCORE · v.2026.04
1 week

Compliance Scorecard

Pre-audit gap analysis before you commit to a full test.

  • Targeted assessment against your chosen framework
  • Gap analysis mapped to specific controls
  • Prioritized remediation list
  • Readiness verdict before you book the full engagement

Best for / Teams who want to know what a full audit pentest would surface — before they schedule it.

Frameworks / PCI DSS · SOC 2 · HIPAA · OWASP

From$8,000Book call
ENG.FULL · v.2026.04
10 days

Full Engagement

Comprehensive multi-vector penetration test.

  • Web, API, mobile, cloud, and AI/LLM testing
  • Full attack chain analysis with HTTP proof
  • Compliance mapping across all relevant frameworks
  • Executive + technical reporting
  • Retests included for HIGH and CRITICAL findings

Best for / Teams facing multiple compliance frameworks at once, or with a broad attack surface to cover in a single engagement.

Frameworks / PCI DSS · SOC 2 · HIPAA · OWASP LLM Top 10

From$25,000Book call

Beyond a single engagement.

For teams with ongoing release pressure and recurring compliance needs — an embedded partner, or our self-hosted AI agent running in your own infrastructure.

ENG.RETAIN · v.2026.04
Ongoing

Monthly Retainer

Continuous security partner, embedded with your team.

  • Dedicated senior operator as embedded partner
  • Quarterly assessments + on-demand testing
  • Slack-based access to senior operators
  • Audit support and evidence prep
  • Unlimited retests within contract scope

Best for / Series A+ fintech, healthtech, or AI teams with ongoing release pressure and recurring compliance needs.

Frameworks / All frameworks · continuous

From$6,500/moBook call
HOOT.LIC · v.2026.04
Annual

Hoot — Annual License

Run our AI security agent yourself.

Self-hosted continuous pentesting on your own infrastructure. The same platform our operators run on every engagement — operator-paced, your data never leaves your network.

Custom pricingSee Hoot

Transparent starting prices.

Final scope is set on a 30-minute call. These are starting points so you can budget before you talk to us.

Engagement TypeStartingDurationBest For
Compliance Scorecard$8,0001 weekPre-audit gap analysis
Pre-Fundraise Pentest$10,0005 daysInvestor due diligence
PCI DSS Annual Pentest$15,0005–10 daysPCI Requirement 11.4
SOC 2 Pentest Evidence$15,0005–10 daysSOC 2 Type II audit support
HIPAA Security Assessment$15,0005–10 daysHIPAA Security Rule alignment
AI Red Teaming$15,0005–7 daysLLM, RAG, agent product security
Full Engagement$25,00010 daysComprehensive multi-vector test
Monthly Retainer$6,500/moOngoingContinuous coverage

All engagements include audit-ready reports with working HTTP proof for every finding, compliance control mapping, and retests for HIGH and CRITICAL findings.

[ YC FOUNDERS ]Y Combinator company? Take 10% off any engagement.
See the founder program

Questions before you book.

The things teams ask us most often before a scoping call.

01How is this different from Cobalt or Bishop Fox?+

Same caliber of findings, delivered faster and priced for earlier-stage teams. Every engagement is led by a senior operator and accelerated by Hoot, our self-hosted AI agent — so one operator covers the ground of a larger team. You get audit-ready reports in days, not the multi-week queue and enterprise pricing of legacy firms.

02Do you sign BAAs for healthcare engagements?+

Yes. For any engagement that touches PHI, we sign a Business Associate Agreement before testing begins. Our HIPAA Security Assessment is built around BAA-ready scoping.

03Can I see a sample report before booking?+

Yes. Our sample report is a real, anonymized engagement — five critical findings and a full anonymous-to-superadmin attack chain. Read it at /sample-report. It shows exactly what your auditor would receive.

04What if my audit deadline is in 2 weeks?+

Tell us on the scoping call. Most fixed-scope engagements run 5–10 business days end-to-end, and we keep limited capacity open for deadline-driven work. If we can't hit your date, we'll say so up front.

05Do you work with YC and early-stage startups?+

Yes. Our Pre-Fundraise and Pre-Deal engagements are priced for startups that need real pentest evidence for investors or enterprise buyers without an enterprise budget.

06How does AI red teaming differ from standard pentesting?+

Standard pentesting targets your application and infrastructure. AI red teaming targets the model layer — prompt injection, RAG poisoning, agent tool abuse, and model API authorization — mapped to the OWASP LLM Top 10 and NIST AI RMF. If you ship an LLM, RAG, or agent product, you need both.

07What stays self-hosted vs. on your infrastructure?+

Hoot, our AI agent, can run entirely inside your network — your data never leaves your infrastructure. For a delivered engagement, we agree on scope and access on the scoping call and document the boundary in the report.

08Do you offer retests after remediation?+

Yes. Every fixed-scope engagement includes retests for HIGH and CRITICAL findings. Retainer clients get unlimited retests within contract scope.

09What's included in your audit-ready reports?+

Executive summary for non-technical reviewers, detailed findings with working HTTP proof, attack chain analysis, root cause, prioritized remediation, compliance control mapping, methodology disclosure (PTES, OWASP, NIST SP 800-115), and retest documentation.

10How do you handle scope changes mid-engagement?+

We flag scope changes as soon as we hit them and agree on the adjustment with you before proceeding. No surprise findings outside the agreed boundary, no surprise invoices.

[ ENGAGE ]

Not sure which engagement fits?

Book a 30-minute scoping call. Tell us what triggered the search — an audit, a deal, a raise, a launch — and we'll tell you exactly what you need and what it costs.

Book a 30-min scoping call