Four attack surfaces — web, API, mobile APK, source repository — driven by AI agents that reason about authorisation, exploit with proof, and ship remediation code. Every scan is gated by Domain Control Verification and a signed Rules of Engagement document. Flat per-scan pricing through Polar.sh as Merchant of Record.
Eleven free lookups, no card, no sign-up. DNS, security headers, TLS, email auth, DNSSEC, propagation, WHOIS, cookies, HSTS, tech stack.
Buy one tier; spend it on whichever engine fits the engagement. Web, API, mobile, and source code are live today. Network and Cloud Misconfig follow over the next sprints. Each engine runs a sequenced AI pipeline that reasons about authorisation, attempts real exploitation, and produces a reproducible proof-of-concept with remediation code in your stack's language.
13-agent OWASP-aligned flow: recon → parallel vuln analysis → conditional exploitation with PoC → post-exploitation → branded report. Average $99 / 35 min on Cloudflare-protected SaaS.
6-agent pipeline. apktool + jadx decompile, permission audit, certificate pinning bypass, deep-link / intent surface, OWASP MASVS mapping. Reservation $50 per APK.
7-agent whole-repo audit. Hardcoded secrets, dependency CVEs, IaC drift, auth/authz patterns, branch-protection gaps, action-runner abuse. Reservation $30 per repo.
7-agent OpenAPI 3.x + GraphQL specialised flow. BOLA / IDOR fuzzing, mass-assignment, JWT confusion, rate-limit holes, NoSQL operator injection. OWASP API Top 10 (2023) mapping. Reservation $49 per API.
Authorised IPv4 scanning for hosts you operate. Service fingerprinting, CVE matching, SSH banner audit, TLS hardness check, SMB enumeration, anonymous-access checks. Same DCV + RoE gates as the other engines.
AWS / Azure / GCP read-only audit through a customer-controlled IAM role. Public buckets, over-permissive IAM, function env leaks, KMS rotation gaps, security-group misconfiguration. CIS Benchmarks evidence pack.
CLAUDE.md red-line: an AI pentest tool that doesn't gate execution is a legal hazard. AssurePort enforces two hard gates and a credit pre-authorisation before a single byte hits the target.
Three methods: a TXT record at _assureport.<domain>, a <meta name="assureport-verification"> tag on the site root, or a file at /.well-known/assureport-challenge.txt. Any one of them passes. Verification checks run from any node in the EU edge.
Upload a signed PDF. An AI validator extracts the signing party, in-scope targets, validity window, and out-of-scope clause. Below the confidence threshold the dispatch is blocked with the missing-elements report.
Every scan reserves the tier price up-front in an append-only ledger. No reservation, no scan. Failed scans release the full reservation automatically — you are charged only on successful completion.
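The two hard gates above, as an added illustration that is not AssurePort's own code: a DCV check that tries the three methods the page lists (TXT at `_assureport.<domain>`, the `assureport-verification` meta tag, the `.well-known` challenge file) and a dispatch gate that answers HTTP 412 Precondition Failed when either DCV or the RoE approval is missing, as the FAQ states. The token value, the `dns_txt`/`http_get` callables and the fixtures are constructed so it runs offline.

```python
import hmac
import re
from typing import Callable, Optional

# Hypothetical helper (not AssurePort's code). DNS and HTTP are injected as
# callables so the gate logic can be exercised offline against fixtures.
META_RE = re.compile(
    r'<meta\s+name=["\']assureport-verification["\']\s+content=["\']([^"\']+)["\']',
    re.IGNORECASE,
)

def _eq(a: str, b: str) -> bool:
    # Constant-time comparison; encode first because compare_digest on str is ASCII-only.
    return hmac.compare_digest(a.encode(), b.encode())

def verify_domain_control(domain: str, expected_token: str,
                          dns_txt: Callable[[str], list],
                          http_get: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the first DCV method that proves control of `domain`, else None."""
    # Method 1: TXT on a dedicated label, so the customer never edits apex records.
    for rr in dns_txt(f"_assureport.{domain}"):
        if _eq(rr.strip(), expected_token):
            return "dns-txt"
    # Method 2: meta tag on the site root.
    m = META_RE.search(http_get(f"https://{domain}/") or "")
    if m and _eq(m.group(1), expected_token):
        return "meta-tag"
    # Method 3: well-known challenge file whose body is the bare token.
    body = http_get(f"https://{domain}/.well-known/assureport-challenge.txt")
    if body is not None and _eq(body.strip(), expected_token):
        return "well-known"
    return None

def gate_scan(domain, expected_token, dns_txt, http_get, roe_approved: bool):
    """Both gates must pass before dispatch; otherwise 412, per the page."""
    method = verify_domain_control(domain, expected_token, dns_txt, http_get)
    if method is None:
        return 412, "Precondition Failed: domain control not verified"
    if not roe_approved:
        return 412, "Precondition Failed: Rules of Engagement not approved"
    return 202, f"dispatched (DCV via {method})"

# Constructed fixtures standing in for real DNS answers and HTTP bodies.
TOKEN = "ap-demo-3f2a9c"
FIXTURE_DNS = {"_assureport.example.com": ["v=spf1 -all", TOKEN]}
FIXTURE_HTTP = {
    "https://other.example/": '<meta name="assureport-verification" content="wrong">',
    "https://files.example/.well-known/assureport-challenge.txt": TOKEN + "\n",
}
def fake_dns(name): return FIXTURE_DNS.get(name, [])
def fake_http(url): return FIXTURE_HTTP.get(url)
```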
Each web pentest is a fixed price — no token guessing, no per-character surcharges. Pro and Business tiers give you a monthly bucket at a steep discount versus the one-time Starter rate. Failed scans refund automatically; the credit ledger is append-only and exportable.
1 web pentest — try the product, no recurring billing.
6 web pentests / month — weekly cadence, ~50% off Starter rate.
15 web pentests / month — agencies + MSSPs.
Reserve $99 per web scan, billed only on successful completion. Failed scans refund automatically. All plans through Polar.sh — VAT collected and remitted in 47 countries (no extra charge for you).
Still unsure? Email hello@assureport.com — we read every message.
Real pentests. Each web scan runs a sequenced pipeline of AI agents that reason about authorisation logic, attempt real exploitation with controlled proof-of-concept payloads, and produce reproducible evidence. Output includes CVSS 3.1 scores, OWASP Top 10 mapping, CWE identifiers, and remediation code samples in the target stack's language. Findings without a working proof of concept are downgraded to unconfirmed rather than published as High severity.
All data stays in the European Union. Compute, storage, vector indexes, and AI inference all route through EU regions. There is no US data leg in the architecture. We meet GDPR Article 32 technical and organisational measures by default and sign a DPA at sign-up — see /docs.html#gdpr.
Pricing is flat per scan. Web pentest: $99 (Starter), $49.83 effective in Pro ($299/month ÷ 6 scans), or $53.27 effective in Business ($799/month ÷ 15 scans). GitHub SAST: $30 per repo. Mobile APK: $50 per app. Reservations are charged on success only — failed scans refund automatically. Overage scans at $69 (Pro) / $59 (Business) per scan.
No scan starts without proof you control the target (Domain Control Verification — DNS TXT, HTTP file, or meta tag) and a signed RoE PDF that an AI validator approves. This protects you from accidental scope creep and protects the platform from the legal exposure of unauthorised testing. Both gates return HTTP 412 Precondition Failed if missing.
Yes. Business tier includes a white-label subdomain (your-name.assureport.com), branded PDF report template, sub-tenant management for end-client accounts, an auditor read-only portal, and custom DPA / SLA terms. Write to hello@assureport.com for enterprise terms above the Business tier.
Polar.sh is our Merchant of Record: they own the checkout, collect and remit VAT in 47 jurisdictions, issue compliant invoices, and handle disputes. Your card and billing data never touch our infrastructure — that is a hard PCI-DSS scope reduction. GDPR DPA is signed at sign-up by default.
Every scan produces a print-ready PDF + Markdown auto-emailed to the operator. Both are also stored in your tenant's R2 bucket and downloadable from the console. Findings include reproducible PoC commands and remediation code in the language of the target stack.
Eleven lookups you can run from /tools.html with no login: DNS, reverse DNS, security headers (A+→F), TLS certificate transparency, tech stack, email auth posture (SPF / DMARC / DKIM), DNSSEC, DNS propagation across 5 resolvers, WHOIS via RDAP, cookie security audit, and HSTS preload status. Rate-limited at 30 calls per hour per IP. Free forever.
Yes. EU data residency, append-only audit log, encrypted secrets at rest, magic-link + TOTP auth, immutable reservation ledger, signed DPA. We meet GDPR Article 32 technical and organisational measures by default, maintain DORA ICT third-party register entries, and follow NIS2 vulnerability-handling timelines. Write to legal@assureport.com for the current DPA template.
See the full FAQ, the wiki, or send us anything via the feedback form — we read every message.
No credit card to sign up. We create your tenant on the first magic-link click. Try the free intel toolkit instantly, or purchase a $99 Starter scan whenever you are ready.