Frequently asked questions

The questions buyers, security leads, and developers ask us most often. Missing your question? Send it via /feedback.html — we add new entries here every week.

How is AssurePort different from a regex-based dynamic scanner?

AssurePort runs sequenced AI agents that reason about authorisation logic, not just payload shape. Each finding is gated by a real exploitation attempt — if we cannot produce reproducible evidence, the finding is downgraded.

Regex scanners catch the XSS and SQL injection classes — and they earn their keep. AssurePort additionally catches BOLA, paywall bypass, mass assignment, multi-step authentication flaws, and similar logic bugs that dominate breach disclosures in 2026.

Where is my data stored?

Everything customer-bound lives in the European Union. Account records, scan artefacts, report PDFs, billing transactions, vector indexes, and AI inference all route through EU regions. There is no US data leg in the architecture and no cross-border transfer path for customer data.

How much does it cost?

Starter is $99 one-time and includes one web pentest. Pro is $299/month for six pentests, rollover up to twelve, with five team seats. Business is $799/month for fifteen pentests with white-label and twenty-five team seats.

Overage is $69 per scan on Pro, $59 per scan on Business. Pricing is flat per scan — no per-credit math, no surprise multipliers.

Do I need a credit card to sign up?

No. Sign-up is magic-link email only. Your tenant is created on first click. You only enter card details if and when you buy a scan or subscribe.

Can I scan any website?

No — only assets you can prove you control. Every target must pass Domain Control Verification (DNS TXT, HTTP file, or meta tag) and you must upload a signed Rules of Engagement document. Both gates are hard-coded — no tier or override lifts them. This protects you from accidental scope creep and protects the platform from unauthorised-access liability.
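The three DCV proofs named above, written out as an added example (not AssurePort's own code): each check is a pure function over data the verifier has already fetched, so it runs offline and can be unit-tested. The DNS label `_assureport-challenge`, the file path `/.well-known/assureport-challenge.txt`, the meta tag name `assureport-verification` and the token length are assumptions; the sample records and HTML are constructed.

```python
"""Domain Control Verification (DCV) checks: DNS TXT, HTTP file, HTML meta tag.

Added example, not the platform's own implementation. The label, path and
meta name below are assumptions chosen for illustration.
"""
import hmac
import re
import secrets

CHALLENGE_LABEL = "_assureport-challenge"                   # assumed DNS label
CHALLENGE_PATH = "/.well-known/assureport-challenge.txt"    # assumed HTTP path
META_NAME = "assureport-verification"                       # assumed meta name


def issue_token() -> str:
    """Fresh unguessable challenge: 192 bits of entropy, URL-safe."""
    return secrets.token_urlsafe(24)


def challenge_record_name(domain: str) -> str:
    """Owner name whose TXT records the verifier queries."""
    return f"{CHALLENGE_LABEL}.{domain.rstrip('.')}"


def _matches(candidate: str, expected: str) -> bool:
    # Constant-time compare; also False on length mismatch.
    return hmac.compare_digest(candidate.strip().encode(), expected.encode())


def verify_dns_txt(txt_records: list[str], expected: str) -> bool:
    """txt_records: the TXT values returned for challenge_record_name(domain).
    Any one exact match proves control; unrelated records (SPF etc.) are ignored."""
    return any(_matches(r.strip('"'), expected) for r in txt_records)


def verify_http_file(status: int, body: str, expected: str) -> bool:
    """status/body: the response for https://<domain>CHALLENGE_PATH.
    The fetch must not follow redirects to another host, otherwise a domain
    that merely redirects to the attacker's server would pass. Requires a 200
    and a body consisting of exactly the token (one non-empty line)."""
    if status != 200:
        return False
    lines = [line for line in body.splitlines() if line.strip()]
    return len(lines) == 1 and _matches(lines[0], expected)


_META_TAG = re.compile(
    r'<meta\s+[^>]*name\s*=\s*["\']' + re.escape(META_NAME) + r'["\'][^>]*>', re.I)
_CONTENT = re.compile(r'content\s*=\s*["\']([^"\']*)["\']', re.I)


def verify_meta_tag(html: str, expected: str) -> bool:
    """Only tags inside <head> count: content an attacker can inject into the
    page body (a comment, a profile field) must not be able to pass DCV."""
    head = re.search(r"<head[^>]*>(.*?)</head>", html, re.I | re.S)
    if not head:
        return False
    for tag in _META_TAG.finditer(head.group(1)):
        content = _CONTENT.search(tag.group(0))
        if content and _matches(content.group(1), expected):
            return True
    return False


def demo() -> dict:
    """Constructed inputs for each method; returns the verdicts."""
    token = "kQ3x9vP1nZ8aL2mR7sT4uW6y"        # constructed, normally issue_token()
    txt = ['"kQ3x9vP1nZ8aL2mR7sT4uW6y"', "v=spf1 -all"]
    html = ('<html><head><meta content="kQ3x9vP1nZ8aL2mR7sT4uW6y" '
            f'name="{META_NAME}"></head><body></body></html>')
    return {
        "dns": verify_dns_txt(txt, token),
        "http": verify_http_file(200, token + "\n", token),
        "meta": verify_meta_tag(html, token),
    }
```

In production the TXT lookup should go to an authoritative resolver with DNSSEC validation where available, and a passed check should be recorded with a timestamp so the "DCV expired" failure reason mentioned later on this page can be enforced.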

Is AssurePort GDPR compliant?

Yes. EU data residency is enforced at the platform level. We sign a DPA with every customer, the audit log is append-only, two-factor authentication is available to every account, and our breach notification SLA is 72 hours. The current DPA template is bilateral — email legal@assureport.com with your legal entity name and we countersign within one business day.

How long does a scan take?

Web Pentest scans typically complete in 30–45 minutes. API, Mobile APK, and GitHub SAST scans finish in 10–25 minutes. Progress streams to the console live and the PDF report is auto-emailed when the pipeline finishes.

What output do I get?

A markdown findings list and a branded PDF report. Every High and Critical finding includes a CVSS v3.1 score, an OWASP Top 10 mapping (or OWASP API Top 10 2023 / OWASP MASVS for mobile), a reproduction command, and remediation code in the target stack's language.

Do you support MSSPs and consultancies?

Yes. The Business tier ($799/month) unlocks white-label subdomains, branded PDF report templates, sub-tenant management for end-client accounts, an auditor read-only portal, and custom DPA and SLA terms.

What happens if a scan fails?

The reservation is released automatically — you are not charged. Failed scans appear in the audit log with the failure reason. You can re-dispatch the scan once the underlying issue is resolved (DCV expired, target unreachable, etc.).

Can I export findings to my issue tracker?

JSON and markdown export is available today through the public API. Native Jira, Linear, and GitHub Issue exporters are on the v1.3 roadmap.

Why magic-link sign-in instead of passwords?

Password attacks are the leading cause of account takeover in 2026: reused credentials, phishing, password spraying. Magic links remove the password attack surface: every session starts with a proof-of-email-control click, which makes your mailbox the trust anchor for the account, and a TOTP code can be required as a second factor.
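What makes a magic link safe to rely on is the token handling, which the answer above leaves implicit. The following is an added example, not AssurePort's implementation, showing the three properties a practitioner should check for: the link token is unguessable, only its hash is stored server-side (a leaked database cannot mint sessions), and it is single-use and short-lived. The 10-minute lifetime and the in-memory store are assumptions; the clock is injectable so the expiry path can be exercised without sleeping.

```python
"""Single-use, short-lived magic-link tokens.

Added example, not the platform's own code. TOKEN_TTL and the in-memory
store are assumptions; a real deployment would back this with a database.
"""
import hashlib
import secrets
import time

TOKEN_TTL = 600  # seconds; assumed lifetime of an unclicked link


class MagicLinkStore:
    def __init__(self, now=time.time):
        self._now = now
        # sha256(token) -> (email, expires_at). The raw token never lands here.
        self._pending: dict[str, tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Mint a token for the link emailed to `email`; return the raw token."""
        token = secrets.token_urlsafe(32)  # 256 bits: brute force is infeasible
        self._pending[self._digest(token)] = (email.lower(), self._now() + TOKEN_TTL)
        return token

    def redeem(self, token: str):
        """Exchange a clicked token for the verified email, or None.
        The entry is removed on the first attempt, valid or expired, so a link
        can never be replayed (e.g. from a forwarded email or a mail scanner
        that pre-fetched it)."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email

    def purge_expired(self) -> int:
        """Housekeeping: drop expired entries; returns how many were removed."""
        now = self._now()
        stale = [d for d, (_, exp) in self._pending.items() if now > exp]
        for d in stale:
            del self._pending[d]
        return len(stale)


def demo() -> dict:
    """Constructed walk-through with a fake clock; returns the observed outcomes."""
    clock = [1_000.0]
    store = MagicLinkStore(now=lambda: clock[0])
    token = store.issue("Alice@Example.com")
    first = store.redeem(token)      # "alice@example.com"
    replay = store.redeem(token)     # None: already consumed
    late = store.issue("bob@example.com")
    clock[0] += TOKEN_TTL + 1
    expired = store.redeem(late)     # None: past TTL
    return {"first": first, "replay": replay, "expired": expired}
```

Because the token carries 256 bits of entropy and is looked up by hash, a dictionary lookup is sufficient here; the constant-time comparison that matters for low-entropy secrets (TOTP codes) is not the bottleneck. The second factor the answer mentions would be checked after `redeem` succeeds and before a session cookie is issued.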

Do you train AI models on customer data?

No. Scan artefacts and customer data are never used to train or fine-tune AI models. Inference calls go to Anthropic with the standard non-training data clause. We will sign a separate confirmation of this in your DPA on request.

What if I find a vulnerability in AssurePort itself?

Report to abuse@assureport.com or via /.well-known/security.txt. We triage within 24 hours, communicate remediation timelines, and publish accepted findings — including from our own self-pentest — in the public changelog.

Who is behind AssurePort?

A small founding team focused on EU-edge security tooling. We operate AssurePort as a self-funded product — no venture capital, no exit-driven pressure to over-promise. Contact us at hello@assureport.com.

Didn't find your question?

Send us anything — feedback, feature requests, bug reports. We read every message and reply within one business day.
