Free vs Paid Security Audits: When You Need What

Free audits surface obvious risk. Paid audits find the bugs an attacker would actually use. A practical guide to choosing the right one for your stage.

We offer both. We get asked the difference often enough that it deserves a written answer.

A free audit and a paid audit are not the same product at different price points. They're answering different questions. Picking the wrong one wastes money or — worse — gives you false confidence.

What a free audit gets you

A free audit is a fast outside read on the obvious risk. We take the URL of your app, run a couple of hours of analysis, and give you back a 1-page report with the three highest-risk findings ranked by severity.

What's in scope:

  • Public surface area only (no logged-in flows, no internal endpoints)
  • Automated tooling output, manually triaged so you don't get noise
  • Headers, TLS config, exposed endpoints, leaked secrets in JS bundles, dependency CVEs, obvious misconfigurations
  • A quick read on auth flow if it's reachable from the marketing site
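The header and JS-bundle items in that list, as an added example that is not the firm's own tooling or report format: the script below triages constructed inputs (a weak and a hardened set of response headers, plus a JS bundle excerpt holding a placeholder in AWS key format) and returns the three highest-risk findings ranked by severity, the way the 1-page report does. The header names, secret patterns and severity labels are assumptions of this example, not the firm's rubric.

```python
"""Added example, not the firm's scanner: a minimal external-only "tripwire"
that triages response headers and a public JS bundle, then returns the three
highest-risk findings ranked by severity. Inputs are constructed inline and
the severity labels are illustrative."""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Finding:
    severity: str
    title: str
    detail: str


# Constructed: what an unauthenticated request to a weakly configured app might return.
WEAK_HEADERS = {
    "Server": "nginx/1.18.0",
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/",
}

# Constructed: the same app after the obvious header fixes.
HARDENED_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

# Constructed JS bundle excerpt; the key is a placeholder in AWS key format, not a real credential.
SAMPLE_BUNDLE = """
const api = "https://api.example.test";
const AWS_KEY = "AKIAEXAMPLEPLACEHOLD";
fetch(api + "/v1/me", { headers: { "x-key": AWS_KEY } });
"""

# Assumed, illustrative subset of the patterns a bundle scan would look for.
SECRET_PATTERNS = [
    ("AWS access key ID in JS bundle", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "Critical"),
    ("Private key material in JS bundle",
     re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), "Critical"),
    ("Hard-coded API key/secret/token in JS bundle",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"][A-Za-z0-9_\-]{20,}['\"]"),
     "High"),
]


def check_headers(headers):
    """Flag missing hardening headers, weak session cookie flags and version disclosure."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append(Finding("Medium", "Missing HSTS",
                                "No Strict-Transport-Security; HTTPS is not enforced for returning visitors."))
    if "content-security-policy" not in h:
        findings.append(Finding("Medium", "Missing Content-Security-Policy",
                                "No CSP; injected script would run unrestricted."))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(Finding("Low", "Missing X-Content-Type-Options: nosniff",
                                "Browsers may MIME-sniff responses."))
    cookie = h.get("set-cookie", "").lower()
    if cookie and not ("secure" in cookie and "httponly" in cookie):
        findings.append(Finding("High", "Session cookie lacks Secure/HttpOnly",
                                "Cookie can travel over plain HTTP or be read by injected script."))
    if re.search(r"\d", h.get("server", "")):
        findings.append(Finding("Low", "Server version disclosed",
                                f"Server header reveals version: {h['server']}"))
    return findings


def scan_bundle(js_source):
    """Flag strings in a public JS bundle that look like leaked secrets."""
    return [Finding(sev, title, f"matched {pat.pattern!r}")
            for title, pat, sev in SECRET_PATTERNS if pat.search(js_source)]


def top_findings(headers, js_source, n=3):
    """Rank every finding by severity and keep the top n, like the 1-page report."""
    findings = check_headers(headers) + scan_bundle(js_source)
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])  # stable sort: ties keep check order
    return findings[:n]


def render_report(findings):
    """One line per finding, highest severity first."""
    return "\n".join(f"[{f.severity}] {f.title}: {f.detail}" for f in findings)


if __name__ == "__main__":
    print("Weak config, top 3:\n" + render_report(top_findings(WEAK_HEADERS, SAMPLE_BUNDLE)))
    print("\nHardened config findings:", check_headers(HARDENED_HEADERS))
```

On the weak input the top three are the placeholder AWS key (Critical), the session cookie without Secure/HttpOnly (High) and the missing HSTS header (Medium); the hardened header set produces no findings. Everything here is visible from outside without a login, which is exactly why a clean result says nothing about the authenticated surface.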

What's out of scope:

  • Anything behind a login
  • Custom business logic vulnerabilities
  • Source code review
  • Anything we'd need to write a custom exploit for

The free audit is a *tripwire*. It catches the kind of finding you should fix before doing anything else. It is not, and is not pretending to be, a substitute for a real engagement.

Get a free one when: you're pre-Series A, you've never had any security review, you're about to launch, or you just want a sanity check before a customer asks for your security posture.

What a paid audit gets you

A paid engagement (we run them in 2-week or 6-week shapes) is qualitatively different. We get a credentialed account, optionally read-only source access, and we look for the bugs an attacker would actually use.

What's in scope:

  • Authenticated user flows, including admin
  • Custom business logic — payments, multi-tenancy isolation, RBAC, file uploads
  • Source-assisted code review of the highest-risk surface area
  • Threat modeling for the flows you care about
  • Reproducer scripts for every finding so your team can verify the fix
  • A re-test pass after you fix things

A paid audit usually surfaces 12-20 findings, ranked by severity, with remediation guidance for each. About 80% of our paid engagements find at least one Critical-severity finding that wasn't visible from the outside.

Get a paid one when: you have customers paying you real money, you're going through a security review for a deal, you're about to handle PII or payments, you're approaching SOC 2, or you just had a near-miss and want certainty.

The math

A free audit costs you nothing and 15 minutes of your time. The expected value is positive even if we find nothing — you get a clean second opinion.

A paid audit costs $8k-$40k depending on scope. The expected value depends on what you'd lose to a breach. A typical SaaS breach (data exfil, public disclosure, customer churn) runs into the hundreds of thousands when you count incident response, legal, and the deals that fall through. The math works out for almost any company past product-market fit.

What doesn't work: skipping straight from the free audit to "we're fine." If a free audit finds nothing, that doesn't mean nothing exists. It means nothing was visible from the outside in two hours. The interesting bugs are usually behind the login.

A quick rubric

| Situation | What to do |
| --- | --- |
| Pre-launch, no security review ever | Free audit, then ship |
| First paying customers, B2C | Free audit now, paid engagement at $1M ARR |
| First paying customers, B2B with PII | Paid engagement, scope it tight (2 weeks) |
| Pursuing SOC 2 / ISO 27001 | Paid engagement, full scope (6 weeks) |
| Just had a security incident | Paid engagement immediately, then a retainer |
| Re-checking after a previous audit | Paid re-test pass (cheap, 1 week) |

The honest version

We offer the free audit because it's how we meet companies. About one in four free audits we deliver leads to a paid engagement. That's a sustainable funnel for us, and you get a useful artifact regardless.

If the free audit is enough for your stage, take it and don't hire us. We'd rather you come back when you actually need the paid version than oversell you something today.

To request a free one: /free-audit. Three fields, no credit card.