The Pentest Findings Commitment
We find a high-severity vulnerability — or you don't pay.
Your first pentest with CAASLABS, internet-reachable web and API only. If we surface a CVSS v3.1 ≥ 7.0 finding, you pay the engagement fee. If we don't, we waive the fee entirely and deliver a written Hardening Report at no cost. Once your first engagement is done — with us or anyone else — this commitment doesn't come back.
How it works
Two outcomes. Both documented.
We find something.
At least one finding scoring CVSS v3.1 ≥ 7.0, with full reproduction steps, exploitation evidence, and remediation guidance. A 60-day verification retest is included to confirm the fix actually closes the finding.
We don't. You get a Hardening Report.
No invoice, no partial charge. We deliver a written Attack Surface Hardening Report mapped to OWASP and MITRE ATT&CK — what we tried, why each attack path failed, and residual risks worth monitoring. Board-ready, auditor-ready, at no cost.
Every engagement is run by senior practitioners holding:
- OSCP+
- CKS
- AZ-500
- AWS Security Specialty

No junior delegation, ever.
Scope boundaries, scoring mechanics, retest timelines, and every other procedural detail are defined in the Statement of Work we sign together before the engagement begins. We walk through it on the diagnostic call — no surprises on either side.
Pentest Findings Commitment — version 1.0, effective 9 April 2026.
Ready to put us to the test?
Every engagement is senior-led, which means limited slots per quarter. Book a 30-minute diagnostic call and we'll confirm your scope qualifies, walk through the SOW, and lock in your commitment slot.