Service 03
Automated Pentesting
& Vulnerability Scanning
Continuous authorized testing — external attack surface, authenticated app scans, and cloud misconfig checks with hash-chained authorization records.
Continuous authorized testing combines external attack surface discovery, application testing, and cloud misconfiguration validation inside NorthSec AI. Every run references signed rules of engagement with a hash-chained audit history — production-impacting techniques require explicit addenda. Engineering receives reproduction steps and retest validation on your cadence, not an annual PDF alone.
- <24h: criticals triaged
- 12+: scans / month
- 100%: auth vault
[ WHO IT IS FOR ]
Security and engineering leaders at SaaS, fintech, and infrastructure companies who ship weekly and cannot wait quarters for retest closure.
[ OPERATING CADENCE ]
RoE and scope locked before first scan, monthly scan cycles with on-demand runs for releases, retest within 48–72 hours of fix merge for criticals.
Problems this service line solves.
Why teams add this line to the retainer instead of stretching a generic MSSP or point tool.
- Findings without owners or CWE context engineering trusts
- Scans that run out of scope during fast infrastructure change
- Pentest and CSPM priorities that contradict each other
- Auditors asking for proof of authorization before crediting testing
What's included in the retainer.
Concrete outputs — not vague 'assessment' language.
- Attack surface mapping: Domains, APIs, and cloud assets in scope.
- Scheduled scans: Black-box and grey-box cycles with change detection.
- Signed authorizations: E-sign RoE before any offensive action.
- Remediation tickets: Findings pushed to Jira with CWE/CVSS context.
- Retest validation: Automatic closure when fixes verify clean.
- Executive summary: Risk-ranked narrative for leadership, not raw CSV dumps.
How it works in five steps.
Discovery through operate — same cadence across all nine service lines.
1. Authorize: Legal RoE + technical scope locked in vault.
2. Discover: Enumerate assets and entry points.
3. Exploit-safe test: Validate impact without destructive payloads.
4. Report: Reproduce steps, evidence, and fix guidance.
5. Retest: Continuous validation on deploy pipelines.
[ 03.3 // PLATFORM ]
NorthSec AI advantage.
Every scan references authorization IDs — auditors see who approved what, when, and from which IP range.
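The hash-chained authorization records mentioned in the service overview and the authorization-ID check described above can be illustrated with a small model. The following is an added example, not NorthSec AI's own code: it assumes a hypothetical record layout (an `authorization` record for the signed RoE, `scan` records that cite its `auth_id`, and an `addendum` record that grants destructive testing), uses constructed sample data, and shows two things the text promises: that a scan is only accepted when its targets fall inside a signed scope (and destructive profiles only with an addendum), and that editing any past record, such as widening the scope after the fact, breaks the chain and is detected.

```python
"""Hash-chained authorization records: illustrative model with constructed data."""
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # sentinel prev_hash for the first record (assumption)


def _canonical(body: dict) -> str:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def append_record(chain: list, record: dict) -> str:
    """Append a record; each entry commits to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS_HASH
    body = dict(record, prev_hash=prev)
    digest = hashlib.sha256(_canonical(body).encode()).hexdigest()
    chain.append(dict(body, hash=digest))
    return digest


def verify_chain(chain: list):
    """Return (True, n) when all n links verify, else (False, index of first bad entry)."""
    prev = GENESIS_HASH
    for idx, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev_hash") != prev:
            return False, idx
        if hashlib.sha256(_canonical(body).encode()).hexdigest() != entry["hash"]:
            return False, idx
        prev = entry["hash"]
    return True, len(chain)


def check_scan(chain: list, scan: dict) -> str:
    """Decide whether a scan request is covered by a signed RoE in the chain.

    Returns "ok" or a reason string. Record types 'authorization' and
    'addendum' are hypothetical names chosen for this example.
    """
    ok, _ = verify_chain(chain)
    if not ok:
        return "audit chain fails verification"
    auth = next((e for e in chain if e.get("type") == "authorization"
                 and e.get("auth_id") == scan["auth_id"]), None)
    if auth is None:
        return f"no authorization record for {scan['auth_id']}"
    out_of_scope = [t for t in scan["targets"] if t not in auth["scope"]]
    if out_of_scope:
        return f"targets outside signed scope: {out_of_scope}"
    if scan.get("profile") == "destructive":
        addenda = [e for e in chain if e.get("type") == "addendum"
                   and e.get("auth_id") == scan["auth_id"]
                   and e.get("permits_destructive")]
        if not addenda:
            return "destructive profile requires an explicit addendum"
    return "ok"


def build_demo_chain() -> list:
    """Constructed sample records (example.com hosts, placeholder IDs); not real data."""
    chain = []
    append_record(chain, {
        "type": "authorization", "auth_id": "ROE-EXAMPLE-001",
        "approved_by": "ciso@example.com", "approved_at": "2024-01-15T09:00:00Z",
        "approver_ip_range": "203.0.113.0/24",
        "scope": ["app.example.com", "api.example.com"],
    })
    append_record(chain, {
        "type": "scan", "auth_id": "ROE-EXAMPLE-001", "profile": "safe",
        "targets": ["api.example.com"], "started_at": "2024-01-16T02:00:00Z",
    })
    return chain


def tampered_copy(chain: list) -> list:
    """Simulate someone widening the signed scope after the fact."""
    forged = copy.deepcopy(chain)
    forged[0]["scope"].append("db.example.com")
    return forged


if __name__ == "__main__":
    demo = build_demo_chain()
    print("chain valid:", verify_chain(demo))
    print(check_scan(demo, {"auth_id": "ROE-EXAMPLE-001", "profile": "safe",
                            "targets": ["db.example.com"]}))
    print("forged chain:", verify_chain(tampered_copy(demo)))
```

Because each entry's hash covers the previous hash, an auditor holding only the latest digest can confirm that every authorization, scan and addendum before it is exactly what was recorded at the time; the chain by itself does not prove who wrote the records, which is why the page pairs it with signed RoEs.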
Control mapping built in.
Sample mappings — full library expands per tenant frameworks.
| Control | Framework |
|---|---|
| CC4.1 Monitoring | SOC 2 |
| A.8 Asset management | ISO 27001 |
| PCI 11.3 | PCI DSS |
[ 03.5 // TIERS ]
Included by tier
| Tier | This service |
|---|---|
| foundation · $3,500/mo | ▲ |
| growth · $5,000/mo | ☑ |
| scale · $8,000/mo | ☑ |
| enterprise · $12,000/mo | ☑ |
☑ included · ▲ add-on · ☒ not in tier
Customer outcome
89% faster retest
B2B SaaS replaced quarterly PDF pentests with continuous NNSEC cycles.
SaaS · anonymized
FAQ
No — we default to safe validation; destructive tests require an explicit addendum.