Opsio - Cloud and AI Solutions
Penetration Testing Services

Free Penetration Testing Services

Qualified US companies get a full cloud + web-app penetration test at no cost — a real engagement, not a scanner dump. 30-minute scoping call, 5 business days to report, delivered by senior engineers with OSCP, CEH, and AWS Security certifications.

Who qualifies

Established US companies with 50+ employees running production workloads on AWS, Azure, or GCP. We prioritise SaaS, fintech, and healthcare organisations with an upcoming SOC 2, HIPAA, or PCI DSS audit. We run one free engagement per company per calendar year.

Day 1-3

1. Apply & scoping call

Submit the application. We review within 2 business days and schedule a 30-minute scoping call where we confirm eligibility, discuss scope, and sign a mutual NDA plus Letter of Authorisation (LoA).

Day 4-7

2. Penetration test

Our team runs the agreed scope against your cloud environment: IAM review, S3/Blob exposure scan, public-service enumeration, OWASP Top 10 on one public web app, and external perimeter test. All testing is authorised in writing.

Day 8-10

3. Report & debrief

You receive a PDF report mapped to OWASP, CIS Benchmarks, and your compliance framework (SOC 2 / HIPAA / PCI), followed by a 45-minute debrief call with a senior engineer. Remediation is paid and optional — the pentest itself is genuinely free.

What's included

  • AWS or Azure cloud configuration review (IAM, S3/Blob, KMS, security groups)
  • External perimeter scan of public-facing services
  • OWASP Top 10 scan of one web application (up to 20 pages)
  • Exposed-secrets check (GitHub, public endpoints)
  • CIS Benchmark gap analysis
  • PDF report mapped to SOC 2 / HIPAA / PCI DSS controls
  • 45-min debrief with a senior engineer (OSCP / CEH / AWS Security)

What's not included

  • Social engineering or physical security testing
  • On-premise infrastructure (cloud workloads only)
  • Mobile app binary analysis
  • Full-scope red-team engagement
  • Remediation (offered separately on a paid basis after the free pentest)
  • Compliance certification (we provide evidence artefacts, not the audit itself)

Report aligned to your compliance framework

SOC 2 Type II

CC6.1, CC6.6, CC7.2 controls — pentest evidence accepted by all major US auditors.

HIPAA Security Rule

Aligned with §164.308(a)(8) Evaluation standard; covers ePHI-touching workloads.

PCI DSS 4.0

Requirement 11.4.1-3 internal and external penetration testing.

ISO/IEC 27001:2022

A.8.29 Security testing during development and acceptance.

FedRAMP Moderate

CA-8 Penetration Testing (supplementary, for federal-adjacent work).

NIST 800-53 rev 5

CA-8, RA-5 control family evidence.

Who runs the test

  • AWS Advanced Consulting Partner
  • Microsoft Solutions Partner (Azure)
  • ISO 27001:2022 certified
  • SOC 2 Type II
  • OSCP-certified lead engineers
  • CEH on every engagement
  • AWS Security Specialty

Apply for your free penetration test

We review applications within 2 business days and respond by email. No sales call until after our scoping conversation.

Frequently asked questions

Is this really free — what's the catch?

Genuinely free. The pentest is our way of demonstrating capability to qualified prospects. We invest 40-60 engineer-hours per engagement on the expectation that some customers will engage us for paid remediation or ongoing managed services. Roughly 35% of free pentest recipients convert to a paid engagement within 12 months; the rest simply get the report and move on. No hidden fees, no invoice.

Why do you require an application instead of just a form?

Because a 40-60 hour engagement run by senior engineers has real cost. We filter for companies that would benefit and that we could plausibly serve — typically 50+ employees running production cloud workloads with an active compliance or security concern. Approving and running one bad-fit engagement means we could not run another company's free pentest that quarter.

Is this authorised testing?

Yes, always. After the scoping call we sign a mutual NDA and a Letter of Authorisation (LoA) that documents scope, timing, targets, and permitted techniques. Your legal team receives the LoA before any testing begins. We do not test anything not explicitly listed. This matters because unauthorised testing is illegal under the US Computer Fraud and Abuse Act (CFAA) — we do not cut corners here.

How long does the full process take?

About 10 business days end-to-end. Days 1-3: application review and scoping call. Days 4-7: active testing. Days 8-10: report writing and debrief call. We can compress this for time-sensitive audit deadlines; tell us during the scoping call.

Will the report be accepted by my SOC 2 / HIPAA / PCI auditor?

Generally yes. Our reports are mapped to the specific control requirements each framework expects (e.g., SOC 2 CC6.1/CC6.6/CC7.2, PCI 11.4.1-3). We have had reports accepted by Big 4 and mid-size audit firms on behalf of SOC 2 and PCI customers. Your auditor may still request additional evidence or specific scoping — we will adjust if so.

What if you find something critical?

We notify you within 4 business hours if we find anything we consider actively exploitable or a breach in progress. The written report is delivered at the end of the engagement, but critical findings get same-day disclosure. Remediation is offered on a paid basis; you are under no obligation to engage us for it.

Do you do this for startups under 50 employees?

Rarely. We occasionally make exceptions for high-growth Series B companies with an imminent SOC 2 audit, but the baseline expectation is 50+ employees. If you are earlier-stage, we recommend an automated scan first (we can point you at free tools) and engaging us later when the production surface area justifies a human pentest.

Who owns the findings and report?

You do. The report is your property; we retain an anonymised copy in our internal case library for process improvement. We do not publish or share findings. The NDA covers both directions.