Frequently asked questions
The questions buyers, security leads, and developers ask us most often. Missing your question? Send it via /feedback.html — we add new entries here every week.
Is AI penetration testing actually reliable?
Yes, when it is built correctly. AssurePort's agents operate inside a deterministic test harness that enforces scope, prevents destructive actions and verifies every finding with a reproducible proof-of-concept. If we cannot reproduce it deterministically, we don't classify it as critical.
Will my code or data be used to train AI models?
No. All inputs — source code, scan results, screenshots, URLs — are processed in tenant-isolated containers and are never used to train AssurePort's models or any third-party model. This is contractually guaranteed in our Data Processing Addendum (DPA).
How is AssurePort different from a vulnerability scanner like Nessus or Burp Suite?
Scanners tell you what might be vulnerable. AssurePort proves what is exploitable on your specific configuration and ships a reproducible proof-of-concept with every critical finding. AssurePort covers six attack surfaces in one platform (web, API, mobile, GitHub, network, cloud) instead of one surface per tool.
Does AssurePort replace human penetration testers?
No. AssurePort handles the volume — the 95% of findings any competent pentester would identify given enough hours. Human pentesters focus on the 5% that requires creative attack chains. Most customers run AssurePort continuously and a human-led red team annually.
What compliance frameworks does AssurePort support?
Reports map directly to control evidence for ISO 27001 (Annex A.12.6.1), NIS2 (Article 21), DORA (Article 24), GDPR (Article 32) and the EU AI Act (Article 10 data governance). SOC 2 Type II and PCI-DSS mappings are on the roadmap for 2026.
How is AssurePort different from a regex-based dynamic scanner?
AssurePort runs sequenced AI agents that reason about authorisation logic, not just payload shape. Each finding is gated by a real exploitation attempt — if we cannot produce reproducible evidence, the finding is downgraded.
Regex scanners catch the XSS and SQL injection classes — and they earn their keep. AssurePort additionally catches BOLA, paywall bypass, mass assignment, multi-step authentication flaws, and similar logic bugs that dominate breach disclosures in 2026.
Where is my data stored?
Exclusively in the European Union. We use Cloudflare Workers (EU edge regions), Fly.io (Frankfurt), Cloudflare R2 (EU jurisdiction) for storage, and Resend (EU) for email. Anthropic AI inference is routed to the EU endpoint. No data crosses the EU border.
How much does AssurePort cost?
Pricing starts at $99 one-time for a single web scan (Starter tier), or $299/month for Pro (6 scans with rollover). Most teams land between $299 and $799 monthly depending on scope and frequency.
Starter is $99 one-time — one full Web Pentest scan, no subscription. Pro is $299/month — 6 scans with rollover cap of 12. Business is $799/month — 15 scans with rollover cap of 30. Top-up packs (Small/Medium/Large) refill your wallet anytime, no subscription required.
Failed scans release the reservation in full. No overage fees, no surprise multipliers. See full pricing at assureport.com/pricing.
Do I need a credit card to sign up?
No. Sign-up is magic-link email only. Your tenant is created on first click. You only enter card details if and when you buy a scan or subscribe.
Can I scan any website?
No — only assets you can prove you control. Every target must pass Domain Control Verification (DNS TXT, HTTP file, or meta tag) and you must upload a signed Rules of Engagement document. Both gates are hard-coded — no tier or override lifts them. This protects you from accidental scope creep and protects the platform from unauthorised-access liability.
Is AssurePort GDPR compliant?
Yes. EU data residency is enforced at the platform level. We sign a DPA with every customer, the audit log is append-only, two-factor authentication is available to every account, and our breach notification SLA is 72 hours. The current DPA template is bilateral — email legal@assureport.com with your legal entity name and we countersign within one business day.
How long does a scan take?
Web Pentest scans typically complete in 30–45 minutes. API, Mobile APK, and GitHub SAST scans finish in 10–25 minutes. Progress streams to the console live and the PDF report is auto-emailed when the pipeline finishes.
What output do I get?
A markdown findings list and a branded PDF report. Every High and Critical finding includes a CVSS v3.1 score, an OWASP Top 10 mapping (or OWASP API Top 10 2023 / OWASP MASVS for mobile), a reproduction command, and remediation code in the target stack's language.
Do you support MSSPs, consultancies, or white-label partner programs?
Not currently. AssurePort is direct-to-customer only — self-service signup, self-service billing, no reseller program. We deliberately keep the operational surface tight to protect tenant isolation and reduce attack surface. If you are an MSSP and want to use AssurePort internally for your own engagements, you can sign up like any other team.
What happens if a scan fails?
The reservation is released automatically — you are not charged. Failed scans appear in the audit log with the failure reason. You can re-dispatch the scan once the underlying issue is resolved (DCV expired, target unreachable, etc.).
Can I export findings to my issue tracker?
JSON and markdown export is available today through the public API. Native Jira, Linear, and GitHub Issue exporters are on the v1.3 roadmap.
Why magic-link sign-in instead of passwords?
Passwords are the leading cause of account takeover in 2026 — reused credentials, phishing, password spraying. Magic links remove that attack surface entirely: every session starts with a proof-of-email-control click, and a TOTP code can be required as a second factor.
Do you train AI models on customer data?
No. All inputs — source code, scan results, screenshots, URLs — are processed in tenant-isolated containers and are never used to train AssurePort's models or any third-party model. This is contractually guaranteed in our Data Processing Addendum (DPA). Inference calls go to Anthropic under their standard non-training clause.
What if I find a vulnerability in AssurePort itself?
Report to abuse@assureport.com or via /.well-known/security.txt. We triage within 24 hours, communicate remediation timelines, and publish accepted findings — including from our own self-pentest — after fixes ship.
Who is behind AssurePort?
A small founding team focused on EU-edge security tooling. We operate AssurePort as a self-funded product — no venture capital, no exit-driven pressure to over-promise. Contact us at hello@assureport.com.
Didn't find your question?
Send us anything — feedback, feature requests, bug reports. We read every message and reply within one business day.