Fixed-price engagements. No hourly billing.
Every Valtik engagement is quoted flat-rate after a short scoping call. You know the cost before signing, the scope before kickoff, and the deliverables before the first finding lands. Fixed-price protects both sides; it stops scope creep from one direction and padded hours from the other.
Free Security Check
Passive external scan of a single public domain. Zero commitment.
- HTTPS and TLS configuration review
- Security header analysis
- Exposed admin and debug endpoint detection
- Public surface enumeration
- Plain-English findings report emailed in 48 hours
Basic Audit
Single-platform or single-site deep dive with active exploitation.
- One platform or one site in scope
- BaaS and cloud misconfigurations (Supabase, Firebase, Convex, Clerk, Auth0)
- Authentication, session, and identity review
- OWASP Top 10 and OWASP API Top 10 coverage
- Exploit-validated written report
- 60-minute debrief call
Platform Audit
Extended engagement across a full working stack.
- Web application plus API surface
- Cloud identity review (IAM, OIDC, service accounts, secrets)
- CI/CD pipeline audit (GitHub Actions, GitLab CI, deploy keys)
- Exploit chains documented end-to-end
- Full report with remediation guidance
- 90-minute debrief and 30-day retest included
Full Stack Audit
Comprehensive multi-phase audit across the entire environment.
- Web, API, cloud, Kubernetes, identity, CI/CD, secrets management
- Multi-phase testing with weekly written status updates
- Compliance-framework mapping (SOC 2, HIPAA, PCI DSS, CMMC, NIST CSF)
- Full report plus executive summary
- Mid-engagement and close-out debriefs
- 90-day retest window included
Prices above are fixed-rate and include reporting, a debrief call, and the retest window shown. Travel for on-site work is quoted separately when requested.
Framework-specific work is scoped individually
Compliance engagements depend on the environment: control count, system boundary, data types in scope, evidence maturity, and auditor requirements. The ranges below reflect recent Valtik engagements.
PCI DSS 4.0 Penetration Testing
Annual internal and external testing to satisfy PCI DSS 4.0 Requirement 11.4. Scope depends on CDE size and segmentation boundaries. Typical range $12K to $40K.
SOC 2 Readiness
Pre-audit readiness across Trust Services Criteria. The technical security work Vanta, Drata, and Secureframe cannot automate. Typical range $15K to $50K.
HIPAA Security Assessment
HIPAA Security Rule risk analysis, penetration test, and readiness package for Covered Entities and Business Associates. Typical range $8K to $35K.
CMMC 2.0 Level 2 Readiness
110 NIST SP 800-171 controls assessed for CMMC 2.0 Level 2 readiness. C3PAO pre-audit preparation for DoD contractors. Typical range $30K to $150K.
AI Security Audit
OWASP LLM Top 10 testing for chatbots, RAG products, and agentic AI. Prompt injection, tool-chain abuse, vector store security. Typical range $8.5K to $60K.
vCISO Retainer
Monthly virtual CISO retainer. Security program oversight, roadmap, vendor and audit liaison. Typical range $3K to $12K per month depending on program maturity.
What is included in every engagement
Regardless of tier, every Valtik engagement ships with the same core deliverables. The difference between tiers is scope depth, not report quality.
Exploit-validated findings
Every finding in the report has been exploited in a controlled environment. No theoretical bugs, no scanner screenshots passed off as manual testing.
Remediation guidance
Each finding includes specific remediation steps, code-level examples where applicable, and references to authoritative guidance.
Retest window
Remediated findings are retested at no additional cost. Retest windows vary by tier (30 or 90 days) and are written into the statement of work.
Debrief call
A live walkthrough of the report with time for technical questions. Senior-led, no junior handoff, no project manager translating.
Compliance mapping
Findings are mapped to the relevant compliance requirement where applicable. PCI DSS 4.0, HIPAA Security Rule, SOC 2 Trust Services Criteria, CMMC practices, and NIST CSF.
Written communication
Critical findings are reported continuously during the engagement, not saved for the final report. You can start remediation before testing closes.
Common questions
Why fixed-price?
Hourly billing rewards slow reporting, padded hours, and scope creep. Fixed-price means the cost is locked before kickoff, and the engagement ends when the scope is complete. If something takes longer than estimated, that is a Valtik problem, not a client invoice surprise.
What's NOT included?
Valtik is a security testing and advisory firm. It is not an MSSP, so no 24x7 SOC, EDR management, or SIEM triage. It is not a C3PAO, so it performs CMMC readiness and hands off to a C3PAO for certification. It is not an ASV, so PCI DSS 4.0 Requirement 11.3.2 external ASV scanning is contracted with a PCI-approved scanning vendor. Valtik also does not write full ISMS policy libraries from scratch.
Can we retest after remediation?
Yes. Platform Audit includes a 30-day retest window. Full Stack Audit includes 90 days. Compliance and custom engagements have a retest clause written into the statement of work. Retested findings receive a status update in the final report, which is useful for auditors reviewing remediation evidence.
Do you offer payment plans?
Standard terms are 50 percent at kickoff, 50 percent on final report delivery. Multi-month compliance engagements can be split into milestone billing. Retainers are billed monthly. Longer payment plans are available for startups and non-profits on request.
What if we need something custom?
Request a quote. Custom engagements are common. Examples include mobile application testing, IoT and firmware review, incident response tabletop exercises, merger and acquisition technical due diligence, and post-breach forensic support. Scoping is free and usually takes one 30-minute call.
Start with a free check
Request a free external security check. Passive scan of a single public domain, plain-English findings report in your inbox within 48 hours. No obligation, no sales pitch, no upsell.
