Questions, answered straight

The stuff people ask us before they sign anything — scope, reports, PCI, what happens if a test breaks production.

The stuff people ask us before they sign anything.

FAQ

Most-asked questions, answered straight.

If your question isn’t here, drop us a note — usually a same-day reply.

Are you a QSA or an ASV?

No, and we’ll be the first to say it. We do the testing and the readiness work; for the signed PCI report or anything legal, you’ll need a QSA and a lawyer. We’re happy to recommend a couple we trust.

Do you only work with payment companies?

It’s where we spend most of our time, but the testing itself works for any SaaS or fintech or ecommerce stack. If you’re unsure, ask — we’ll tell you if we’re a fit.

What do you need from us to put together a quote?

URLs and API docs if you have them, the rough size of the app (number of roles, endpoints, etc.), any deadline that’s driving this, and someone on your side we can call with questions. That’s usually enough.

Will the testing knock production over?

Very rare, and usually only if you ask us to push hard on something specific. We agree on a test window upfront, keep an escalation contact on speed dial, and ease off the moment something looks weird.

What’s actually in the report?

A summary your exec can read, then the technical writeup: every finding with reproduction steps, screenshots, the request that triggered it, severity, and a suggested fix. If we retest, the retest results get appended.

Want us to take a look?

A short call is usually enough to figure out the right shape of work.

Get in touch