# How to pass Series A security due diligence (before it catches you off guard)

> Source: <https://faultlinesec.com>
> Published: 2026-06-15 10:23:47+00:00

# We find what scanners miss

Penetration testing for startups and SaaS companies. Thorough, actionable, and priced for teams that ship fast.

## Security testing shouldn’t be this broken.

### Enterprise firms charge €15,000+

You get a junior tester following a checklist, an account manager who can’t answer technical questions, and a 200-page PDF six weeks later. Half the findings are informational padding.

### Automated scans miss what matters

Nessus and Qualys find missing headers and outdated libraries. They don’t find broken authorization, business logic flaws, or the config file that leaks your database password.

### Bug bounties are unpredictable

No guaranteed coverage, no compliance-ready report, no timeline. You might get a critical finding in a week or hear nothing for six months. And you still need a pentest report for SOC 2.

### AI tools miss your business logic

An LLM can spot a textbook XSS. It can’t chain a broken access control with your multi-tenant data model to prove a customer-data leak, and no auditor will accept "we asked an AI" as a SOC 2 or ISO 27001 pentest report.

There’s a better way. Faultline Security gives you manual, expert-level testing with a clear scope, fixed price, and a report your auditors will accept.

## Clear scope. Fixed price. No surprises.

Methodology: PTES + OWASP WSTG · CVSS 3.1 scoring · CWE references

### Essentials

Single application or API

From €3,000

- 1 web application or API (up to 50 endpoints)
- Gray-box testing: We test with valid user credentials, simulating a real insider or compromised account. Follows OWASP WSTG, a 90+ test case methodology and the industry standard for thorough web security testing.
- OWASP Top 10 & API Top 10 coverage: The most critical web and API security risks as defined by the Open Web Application Security Project, the global authority on application security.
- Subdomain & virtual host enumeration: We discover all publicly reachable entry points to your infrastructure: subdomains, hidden portals, and services you may not know are exposed.
- Authentication & session management testing
- Security header & configuration review: We check HTTP security headers (CSP, HSTS, CORS, X-Frame-Options) and server configuration to prevent clickjacking, data leaks, and protocol downgrade attacks.
- Business logic testing: We test your application’s workflows for flaws, such as skipping payment steps or accessing other users’ data. The Growth tier adds a full deep-dive into complex business rules.
- CVSS-scored findings with proof-of-concept: Every finding is rated on a 0–10 severity scale (industry standard) and includes a working proof-of-concept: the exact steps to reproduce the issue.
- Attack narrative with exploitation chains: A step-by-step story showing how individual vulnerabilities can be chained together for real-world impact. This is what separates our reports from scanner output.
- Remediation guidance per finding
- PDF report with executive summary
- Letter of attestation: A one-page document confirming a pentest was performed. Shareable with auditors, customers, and partners without an NDA. Commonly needed for SOC 2, ISO 27001, and enterprise sales.
- Findings walkthrough & Q&A

Timeline: 3–5 business days

[Get started](/scope)

### Growth

Multi-surface web + API

From €5,000

- Everything in Essentials, plus:
- Up to 3 applications or API surfaces
- Cross-application trust boundary testing: We test how your applications trust each other. Can a user from App A escalate access via App B? Are shared tokens, SSO, or APIs exploitable across surfaces?
- Business logic deep-dive: Goes beyond standard checks. We model your entire user journey and business rules to find flaws like payment bypasses, reward abuse, and multi-tenancy leaks.
- Inter-service API & authorization testing: We test the APIs your services use to talk to each other. Are internal endpoints authenticated? Can a compromised service access data it shouldn’t?

Timeline: 5–8 business days

[Get started](/scope)

### Comprehensive

Full external infrastructure

From €7,000

- Everything in Growth, plus:
- External perimeter (up to 20 IPs/hosts)
- Service-level assessment (SSH, SMB…): We test every network service running on your servers: remote access, file shares, name resolution, and more, for misconfigurations and known vulnerabilities.
- Cloud config review (AWS, GCP, Azure)
- Internal service exposure analysis: We identify services meant to be internal-only that are actually reachable from the outside: databases, admin panels, debug endpoints, and monitoring dashboards.
- Full retest after remediation included

Timeline: 7–10 business days

[Get started](/scope)

### Add-ons (available for both service lines)

## From scoping form to actionable report in under two weeks.

### Scoping form

free · 2 min

Fill out a short form with your application details, tech stack, and what you need the test for. You get a fixed-price proposal within 24 hours. No call required.

### Kickoff & credential handoff

same day as signed SOW

You provide test credentials and access. We confirm scope, set up our testing environment, and define the rules of engagement.

### Testing

3–10 business days

We test manually, following the PTES framework and OWASP WSTG methodology. Every finding gets a real proof-of-concept. Critical findings are reported immediately.

### Report delivery

within 2 days of testing

Executive summary, technical findings with severity ratings and remediation guidance per finding, and a full attack narrative.

### Report walkthrough & Q&A

async

We send a detailed walkthrough of every finding with remediation guidance. Your team asks questions on their schedule. We respond within one business day. Live call available on request.

### Retest

optional · 1–2 days

After remediation, we verify the fixes work. You get an updated report confirming closure. Ready for your auditor.

## What makes us different.

### We talk during the test, not just after

Critical findings are reported the moment we confirm them. Not buried in a PDF you receive two weeks later. You can start fixing while we’re still testing.

### Every finding has a proof-of-concept

We don’t report theoretical vulnerabilities. Every finding includes the exact request, exact response, and step-by-step reproduction instructions.

### Built for modern stacks

APIs, containers, serverless, multi-tenant SaaS: we understand the architecture your team actually builds on. We speak developer, not just compliance.

### Fixed price, fast turnaround

You know the cost before we start: no hourly billing, no scope creep charges, binding proposal from a 2-minute scoping form. Most engagements complete within one to two weeks.

### Reports your auditors will accept

PTES framework, CVSS 3.1 scoring, CWE references, remediation guidance. Satisfies SOC 2 Type II, ISO 27001, and GDPR requirements out of the box.

### AI-augmented, human-verified

We use AI for recon, payload generation, and report drafting. That’s how we deliver senior-quality testing at startup-friendly prices. But every finding is validated and signed by a human tester who stands behind the report.

## See what you get.

Below is a redacted excerpt from a real engagement report. Every finding follows this structure: severity rating, technical evidence, business impact, and specific remediation steps.

**Finding: Broken Object-Level Authorization on Store Resources**

| Field | Value |
| --- | --- |
| Severity | Medium |
| CVSS 3.1 | 5.3 |
| CWE | CWE-639: Authorization Bypass Through User-Controlled Key |
| Asset | https://api.██████.██/stores/:id |

Description

Any authenticated user can read store metadata for arbitrary stores by substituting numeric IDs in the URL path. The API does not verify that the requesting user owns the target store.

Evidence

```
GET /stores/36480
Authorization: Bearer <JWT>
→ HTTP 200 -- store belonging to a different tenant
```

Remediation

- Add authorization middleware that verifies tenant ownership before returning data.
- Replace sequential numeric IDs with UUIDs.
- Add integration tests for cross-tenant access denial.
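The three remediation steps above, worked through as an added example that is not taken from the Faultline report or any client code base. It models the finding in plain Python with no web framework: a store lookup that trusts the path ID alone (the vulnerable pattern), the same lookup behind an ownership-checking middleware, a UUID identifier helper, and the cross-tenant denial check the report asks for as an integration test. The tenants, users, store records and the `find_store` / `get_store_*` function names are constructed for the illustration; only the store ID 36480 comes from the evidence block.

```python
"""Added example (not from the page or any client code): BOLA on /stores/:id,
vulnerable handler beside the tenant-ownership-checked handler."""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Store:
    id: str
    tenant_id: str
    name: str


@dataclass(frozen=True)
class User:
    id: str
    tenant_id: str


# Constructed sample data: two tenants, one store each, using the sequential
# numeric IDs the finding describes (36480 is the ID from the evidence block).
TENANT_A = "tenant-a"
TENANT_B = "tenant-b"
STORES = {
    "36480": Store("36480", TENANT_A, "Alpha Outfitters"),
    "36481": Store("36481", TENANT_B, "Beta Bakery"),
}


class NotFound(Exception):
    """Maps to HTTP 404."""


def find_store(store_id: str) -> Store:
    """Data-layer lookup by primary key; knows nothing about tenants."""
    store = STORES.get(store_id)
    if store is None:
        raise NotFound(store_id)
    return store


def get_store_vulnerable(user: User, store_id: str) -> Store:
    """The pattern in the finding: the caller is authenticated (we hold a
    User), but the handler returns whatever object the path ID points at."""
    return find_store(store_id)


def require_tenant_ownership(handler):
    """Remediation step 1, authorization middleware: run the handler, then
    refuse to return the object unless the caller's tenant owns it. Answering
    404 rather than 403 avoids confirming that another tenant's ID exists."""
    def wrapped(user: User, store_id: str) -> Store:
        store = handler(user, store_id)
        if store.tenant_id != user.tenant_id:
            raise NotFound(store_id)
        return store
    return wrapped


@require_tenant_ownership
def get_store_hardened(user: User, store_id: str) -> Store:
    return find_store(store_id)


def mint_store_id() -> str:
    """Remediation step 2: unguessable identifiers. This raises the cost of
    enumeration but is not a substitute for the ownership check above."""
    return str(uuid.uuid4())


def cross_tenant_access_denied() -> bool:
    """Remediation step 3, as an integration-style check: a tenant-A user
    requesting tenant-B's store must be refused by the hardened handler."""
    other_tenant_user = User("u-a-1", TENANT_A)
    try:
        get_store_hardened(other_tenant_user, "36481")
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    a_user = User("u-a-1", TENANT_A)
    # The vulnerable handler hands tenant B's record to a tenant A user.
    print("vulnerable handler returned:", get_store_vulnerable(a_user, "36481").name)
    print("hardened handler denies cross-tenant read:", cross_tenant_access_denied())
```

The ownership check sits in a wrapper rather than inside each handler so it cannot be forgotten on the next endpoint that takes an object ID; `cross_tenant_access_denied` is the shape of test that keeps it from regressing.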

Every finding in your report follows this exact structure. No vague descriptions. No missing evidence. No “fix your code” without explaining how.

## What our clients say.

## Questions we hear a lot.

### Will testing break my production environment?

### Do I need to give you access to source code?

### What compliance frameworks does your report satisfy?

### Can’t AI just do a pentest?

### How long does it take?

### What happens if you find something critical during testing?

### Do you offer retesting after we fix the findings?

### Can you test our mobile app too?

### Why do your prices say “From” instead of a fixed number?

### Where are you based?

### Do you test AI / LLM features in our app?

### What frameworks do you use for AI red teaming?

Stay informed

## Keep up with Faultline.

New services, security research, and the occasional offer. Delivered when there’s something worth saying.

## Ready to find out what’s exposed?

Fill out a 2-minute scoping form and get a fixed-price proposal within 24 hours. No call required, no commitment, no sales pitch.

[Start your assessment](/scope)

Prefer email? Reach us at [hello@faultlinesec.com](mailto:hello@faultlinesec.com)
