SERVICE ON DEMAND · PENTEST

Pentest on Demand

A formal and targeted penetration test against your external surface — for when there is a specific date and reason: an audit, a certification, due diligence, or a launch. With a difference that defines the outcome: the scope is built on what is actually exposed.

WHAT IS

When a one-time test is the right tool

Not every testing need is continuous. There are times when what is needed is a formal evaluation with a defined beginning, middle, and end: an audit that requires independent evidence, an ISO 27001 or PCI DSS certification, due diligence for M&A, a client or regulator requirement, or the day before launching a new environment.

The One-Time Pentest delivers exactly this—a proactive, non-destructive offensive test conducted within an agreed-upon scope with a formal report at the end. The difference lies in how the scope is defined. A one-time pentest only validates what its scope covers: testing the same known list leaves out precisely what was not registered. CSURFACE first maps the real external surface—shadow IT, subsidiaries, and digital supply chain—and directs the test where the actual exposure is. The attacker follows the path of least resistance; the test must reflect this reality.

BENEFITS

A proper one-time pentest

Scope of actual exposure

The test is directed at the real external surface — including shadow IT, subsidiaries, and supply chain — not just a static list.

Real exploitability

Active tests confirm what is actually exploitable. The report describes real risk, not CVSS theory.

Formal report

Executive summary and technical detail with evidence — ready for audit, certification, or board review.

Retesting of corrections

A round of retesting after remediation confirms the closure of addressed findings.

Non-destructive

Tests designed to confirm risk without causing downtime. Sensitive actions only with explicit authorization.

Compliance evidence

Package of evidence ready for ISO 27001, PCI DSS, BACEN, and LGPD — in the format that regulators expect.

WHAT YOU GET

Deliverables

  • External surface sizing — before the test, to ensure the scope covers what is actually exposed.
  • Punctual offensive test — active and non-destructive, conducted over the agreed-upon scope.
  • Formal report — executive summary and technical findings, each with proof of exploitability.
  • Risk classification and remediation plan — prioritized recommendations based on real risk.
  • A round of post-correction re-test — confirmation of closure of addressed findings.
  • Evidence package — ready-to-use material for audit, certification, or due diligence.

FOR WHO

The On-demand Pentest makes sense if you…

Need an independent test for an audit, a certification (ISO 27001, PCI DSS) or a regulatory requirement with a deadline.

Are going through M&A due diligence and need a point-in-time and formal security assessment.

Are launching a product, a brand or a new environment and want an invasion test before going live.

EXPOSURE IS A PROCESS

A one-time test photographs a day

The following week, a deployment publishes a new route and a dependency gains a CVE. If your need is to ensure that the surface remains tested over time — not just on a single day —, then Continuous Pentest is the way forward.

Learn about Continuous Pentest →

WITHOUT OBLIGATION

Receive your free quote + sizing

Provide your initial domains. CSURFACE performs a free attack surface sizing without cost and sends along a quote for the Pentest on Demand within up to 72 business hours.

One domain per line. Use the domains you already know as a starting point.

If you leave this unchecked (recommended), the CSURFACE platform uses the provided domains as a starting point and automatically discovers other assets and external domains of your company, including related brands and subsidiaries, incorporating them into the sizing. Check this option if you want to limit the analysis strictly to the list informed.