Pentest scope tuned to the conversation your industry is already having.
A SaaS team is answering a security questionnaire. A fintech is answering PCI. A healthcare team is answering HIPAA. The technical work overlaps — the scope, the threats we model first, and the report framing are different. We tune to your industry on the scoping call.
Where we have the deepest pattern recognition.
SaaS & B2B software
Customer security questionnaires, multi-tenant isolation, SOC 2.
- SOC 2 / ISO 27001
- Customer security reviews
- SSO and tenant isolation
Fintech & financial services
PCI DSS, regulator pressure, transaction integrity, business-logic abuse.
- PCI DSS v4.0
- NYDFS / FFIEC
- Transaction logic
Healthcare & HealthTech
HIPAA, ePHI flows, BAA-aligned scope, technical safeguards.
- HIPAA / HITECH
- BAA security expectations
- ePHI segmentation
AI / Machine learning
Prompt injection, RAG leakage, tool-use safety, AI Act readiness.
- Customer red-team requests
- NIST AI RMF / EU AI Act
- Tool-use risk
E-commerce & retail
Account takeover, promo abuse, payment-flow integrity.
- PCI DSS
- Account takeover
- Promo and cart logic
Government & public sector
FedRAMP, StateRAMP, FISMA, NIST 800-53 control coverage.
- FedRAMP / StateRAMP
- FISMA / 800-53
- ATO blockers
Three things that change with your industry.
- Surface depth: Where we focus the most testing time. A SaaS multi-tenant boundary, a fintech transaction flow, a healthcare ePHI path — each gets disproportionate attention.
- Threat modeling: Which adversaries and abuse cases we model first. Account takeover for retail, regulator-grade evidence for healthcare.
- Report framing: Which controls we map to and which language the report uses. SOC 2 Common Criteria, PCI DSS requirements, HIPAA safeguards, NIST 800-53 controls.
Industries — common questions
Do you only work with these industries?
No. These are where we have the deepest pattern recognition, but we work across industries. The shape of an engagement is the same — a senior tester, a report your team will read, and a retest of reported findings after fixes.
Why does industry context matter for a pentest?
Because the pressures are different. A SaaS team is testing for a customer questionnaire. A fintech is testing for PCI and transaction integrity. A healthcare team is testing for HIPAA and ePHI flows. The technical work overlaps, but the scope, the report framing, and the controls we map to are tuned to what your business has to answer.
How does industry scope change the engagement?
Three things change: which surfaces get the most depth, which threats we model first, and how the report is framed for auditors and customers. Pricing and timeline depend more on scope size than on industry.
We are in an industry you don't list — can you still help?
Yes. The scoping call is the same. We will ask what regulators, customers, or boards are pressuring you, and tune the engagement to that. You will know within thirty minutes whether we are a good fit.
Not sure which scope your industry calls for?
Tell us what regulator or customer is pressuring you. The scoping call ends with a recommendation tuned to that.