Two ways to check — one that matters most.
The Automated audit shows what a stranger on the internet can reach. The Fully Managed audit shows what a logged-in user can reach — an employee, a customer, a competitor who signed up — which is where the serious leaks happen.
Fully Managed Security Audit
A cybersecurity expert tests your entire system by hand — including the private, logged-in access where the worst leaks hide — then walks your technical team through every finding and exactly how to fix it.
- Everything in the Automated audit, plus the full end-to-end test — including private, logged-in access
- The deep “who can see what” testing that catches one logged-in user reaching another’s private records
- Fully manual, expert-overseen testing of the cybersecurity issues
- Step-by-step remediation guidance so your developers know exactly how to close each gap
- A debrief with your technical team to walk through every finding together
- Full compliance mapping and an executive summary for your board or carrier
Typically two to four weeks. Backed by our money-back guarantee below, and your Automated fee (if you ran one) credits toward this.
Automated Security Audit
A fast, expert-reviewed check of everything a stranger can reach before anyone logs in — your public pages, sign-up flows, and public APIs — with a one-hour session with a cybersecurity expert to walk you through what we found.
- Testing of everything a stranger can reach without logging in — public pages, sign-up and registration flows, public APIs, and pre-login backend endpoints
- A check of what outsiders can already see about your systems, and whether scammers could impersonate your company’s email
- Every issue rated by how serious it is, in plain English
- A one-hour consult with a cybersecurity expert to walk you through the findings
- A dated summary of exactly what was — and was not — tested
- Results in about a week
- Testing of what a logged-in user can reach — that’s where the 70,000-record leaks live, and it’s only in the Fully Managed audit
- Step-by-step remediation guidance to hand your developers
- A debrief with your technical team
Results in about a week. This audit stops at your login screen — it can’t tell you whether a logged-in user can reach data they shouldn’t. Your fee counts toward the Fully Managed audit if you upgrade within 12 months.
A security firm you can actually vet.
For a job this sensitive, who does the work matters as much as what they find. Here’s exactly who you’re handing the keys to.
You get the founders — not a junior
Both founders do the testing themselves, from your first call to your final report. Your account is never handed to a junior or a subcontractor.
Authorized and insured
Every engagement is authorized in writing, and we carry professional liability insurance — so bringing us in protects you, it doesn’t expose you.
We sign a BAA
Giving a security firm access to systems full of health and personal data is a real decision. We’re glad to sign a Business Associate Agreement before any testing begins.
Your data stays in the US
All test-login access and any client data stays in the United States, under strict controls — and we prove problems without ever pulling a real client’s record.
What each package includes.
The difference isn’t how hard we work — it’s how far in we test. Only the Fully Managed audit goes past the login screen, where the serious leaks live.
| Automated — $19,950 | Fully Managed — $59,950 | |
|---|---|---|
| Tests what a logged-in user can reach (the “who can see what” testing) | ||
| Tests what a stranger can reach (public pages, sign-up flows, public APIs) | ||
| One-hour consult with a cybersecurity expert | ||
| Fully manual, expert-overseen testing of the cybersecurity issues | ||
| Step-by-step remediation guidance | ||
| Debrief with your technical team | ||
| Compliance mapping (HIPAA, SOC 2, and more) | Public-surface snapshot | Full mapping + exec summary |
| Typical turnaround | ~1 week | 2–4 weeks |
| 80% money-back guarantee | ||
| Fee credits toward the full audit on upgrade | Credit applied |
Put the price in perspective.
Enter how many people’s records your software holds. Using industry-average breach costs, here’s a rough sense of what’s at stake — right next to the audit that helps prevent it.
Estimated exposure if breached
$3.8M – $5.0M
Roughly 63× the cost of the full audit that helps prevent it.
A rough, conservative estimate anchored to IBM’s 2025 Cost of a Data Breach figure of about $160 per record (all-in: response, notification, and lost business). Per-record costs fall for very large breaches, so this is most accurate up to ~100,000 records. For comparison, real legal settlements alone for breaches this size have run six to seven figures — a ~39,000-record health breach recently settled for $1.1M.
You only pay in full if we find something.
We put our own fee on the line that your logged-in access has gaps. Run the Fully Managed audit and if we find nothing worth fixing, you get 80% of your money back — the other 20% covers the expert time it took to prove it. In this industry, a clean result is the exception.
Applies to the Fully Managed audit only. “Something worth fixing” means any confirmed way for someone to reach private information they shouldn’t, or any confirmed issue rated Medium or higher — agreed in writing before we begin.
A short, safe kickoff.
Most audits take two to four weeks from start to final report, depending on the size of your system.
- A couple of test logins we can use — so we never touch real client information
- A quick okay in writing that we’re allowed to test your system
- Optional: a look at how your software is built, which lets us dig even deeper
Frequently asked.
What’s the difference between the Automated and Fully Managed audit?
The Automated audit checks what a stranger on the internet can reach before anyone logs in — your public pages, sign-up flows, and public APIs — with an expert to walk you through the results. The Fully Managed audit adds a cybersecurity expert testing your whole system by hand, including the private, logged-in access where the worst leaks hide, plus step-by-step fixes and a debrief with your team.
How does the money-back guarantee work?
It applies to the Fully Managed audit: if we test the full system and find nothing worth fixing, you get 80% of your fee back — the other 20% covers the expert time it took to prove it. If we do find issues, you pay in full and get the roadmap to close them. What counts as an “issue” is agreed in writing before we start.
Which package should I choose?
If you handle regulated client data — Social Security numbers, health details, bank info — choose the Fully Managed audit; it’s the only one that tests what a logged-in user can reach, which is where the serious breaches happen. The Automated audit is a smart, affordable first look, and its fee counts toward the full audit if you upgrade.
Will your testing put our clients’ data at risk?
No. We prove a problem exists without ever opening a real person’s record, and we never change or delete anything in your live system. Protecting your clients’ information is the whole point — we won’t put it at risk to test it.
Why do we need this if we’ve never had a problem?
Most of these weaknesses are invisible until someone finds them — and by the time a client or regulator notices, the damage is already done. An audit finds them while they’re still quiet, private, and inexpensive to fix.
Our software is from a vendor — is it even our responsibility?
Yes — and it catches a lot of teams off guard. If a breach happens in software you license, it’s still your clients’ data, your reportable breach, and your standing with the carriers on the line; the vendor rarely carries that for you. We test what your agreement allows — usually your own accounts and settings — and help you get authorization to check the rest. Where a vendor’s core system is off-limits, we tell you plainly what we could and couldn’t test.
How long does it take?
The Automated audit takes about a week. The Fully Managed audit typically takes two to four weeks from start to final report, depending on the size of your system.
Do you need to understand how our software was built?
Not up front. We start from the outside with no inside knowledge — the same position an intruder would be in — and figure it out as we go. If you can share how it’s built, we can dig even deeper.
Is this the same as being HIPAA or SOC 2 certified?
No. Our audit shows how well your security lines up with those rules and gives you a big head start, but it isn’t the official certification itself — it works alongside it.
Will you sign an NDA?
Yes. We’re glad to work under your confidentiality agreement and agree on the ground rules before any testing begins.
Not sure which one you need?
Book a short call and we’ll help you scope the right audit for your business — in plain English.