Positioning · honest by design

Is AssurePort the right fit for your team?

We will not put up a side-by-side spreadsheet against named competitors — that is dishonest marketing dressed as comparison, and your procurement team can do real benchmarks faster than we can. Instead, here is what we are great at today, where we are still investing, and the questions every security team should ask before picking any AI-driven pentest platform.

What AssurePort does best, today

We optimised for three things on purpose. If those three match your priorities, the rest of the platform follows.

Who we are a good fit for — and who we are not

Likely a fit

  • Founders or security leads at startups (5–200 engineers) who need continuous coverage but cannot keep a pentest agency on retainer.
  • EU-headquartered teams that need provable data residency for GDPR / DORA / NIS2 / sector-specific audits.
  • MSSPs and consultancies who want a white-label engine to multiply their delivery capacity (Business tier).
  • Engineering teams that want pentest output directly tied to remediation code, not just CVE numbers.

Probably not yet

  • Manual red-team engagements with deeply human-driven attack chains (we cover automatable surface, not full adversary emulation).
  • Internal-network or air-gapped infrastructure scanning (Network engine arrives Q2).
  • Cloud-posture audits across AWS / Azure / GCP IAM (Cloud Misconfig engine arrives Q3).
  • Teams that need a US data centre by contract — we are EU-only by design and will stay that way.

Questions you should ask any AI pentest vendor

If you take nothing else from this page, take this checklist. The same questions break our future competitors and us — that is the point of an honest spec sheet.

  1. Where does scan data physically live, and where does the LLM call land?
     Different jurisdictions can mean different compliance burdens. Ask for region-level proof of both your data store and your model inference path.
  2. What proof do you require before I can scan a target?
     Drive-by scanning is illegal in every meaningful jurisdiction — CFAA in the United States, the Computer Misuse Act in the United Kingdom, GDPR Article 32 in the European Union, and equivalent statutes elsewhere. A defensible platform gates every scan behind real Domain Control Verification, signed Rules of Engagement, and an immutable audit trail.
  3. Is the platform multi-tenant by design, or single-tenant marketed as SaaS?
     Ask for the cross-tenant guard test results. If they cannot show you a passing RLS / authorization fuzzing test, the platform is one bug away from a data-sharing incident.
  4. How are AI hallucinations gated before they reach my report?
     An AI pentester that invents findings is worse than no pentester. Look for proof-of-concept requirements, "unconfirmed" status flags, and a second-pass validator on every finding.
  5. Does the report include reproducible PoC commands and remediation code?
     A finding without reproduction is a guess. A finding without remediation is a ticket. Both should be in the same artefact.
  6. What is your incident response SLA and disclosure timeline?
     Vendors who run AI agents on your behalf become part of your supply chain. Their breach is your breach. Ask for the policy in writing.
  7. Can I export every finding into my issue tracker?
     If results stay locked inside the vendor portal, they will not get fixed. Look for Jira / Linear / GitHub Issue exports and a stable CSV / JSON API.
  8. Is pricing usage-aligned and predictable?
     Per-scan flat pricing is auditable. Per-credit pricing with mysterious "actual cost" multipliers is not. Ask for a sample invoice for a successful scan and a failed scan.

What we publish about ourselves (the part most vendors hide)

Decide on your own evidence

Run our free tools, read the wiki, request a magic link, scan a domain you control. We would rather you walk in informed than have us tell you who we beat.