Opsio - Cloud and AI Solutions

Free Penetration Testing Services

Qualified US companies get a full cloud + web-app penetration test at no cost — a real engagement, not a scanner dump. 30-minute scoping call, 5 business days to report, delivered by senior engineers with OSCP, CEH, and AWS Security certifications.

Who qualifies

Established US companies with 50+ employees running production workloads on AWS, Azure, or GCP. We prioritise SaaS, fintech, and healthcare organisations with an upcoming SOC 2, HIPAA, or PCI DSS audit, and we run one free engagement per company per calendar year. The following do NOT qualify: pre-revenue startups under 50 employees, agencies applying on behalf of a client, organisations without production cloud workloads, anyone seeking a recurring or multi-application pentest programme (that is the paid penetration testing service), and requests for red-team, social engineering, or on-premise scope. If you fall outside the free criteria but still need a pentest, our paid service handles the broader scope — apply or message us and we will route you to the right team.

Day 1-3

1. Apply & scoping call

Submit the application. We review within 2 business days and schedule a 30-minute scoping call where we confirm eligibility, discuss scope, and sign a mutual NDA plus Letter of Authorisation (LoA).

Day 4-7

2. Penetration test

Our team runs the agreed scope against your cloud environment: IAM review, S3/Blob exposure scan, public-service enumeration, OWASP Top 10 on one public web app, and external perimeter test. All testing is authorised in writing.

Day 8-10

3. Report & debrief

You receive a PDF report mapped to OWASP, CIS Benchmarks, and your compliance framework (SOC 2 / HIPAA / PCI). 45-minute debrief call with a senior engineer. Remediation is paid and optional — the pentest itself is genuinely free.

What's included

  • AWS or Azure cloud configuration review (IAM, S3/Blob, KMS, security groups)
  • External perimeter scan of public-facing services
  • OWASP Top 10 scan of one web application (up to 20 pages)
  • Exposed-secrets check (GitHub, public endpoints)
  • CIS Benchmark gap analysis
  • PDF report mapped to SOC 2 / HIPAA / PCI DSS controls
  • 45-min debrief with a senior engineer (OSCP / CEH / AWS Security)

What's not included

  • Social engineering or physical security testing
  • On-premise infrastructure (cloud workloads only)
  • Mobile app binary analysis
  • Full-scope red-team engagement
  • Internal network or Active Directory pentest (paid service only — see /penetration-vulnerability-testing-service/)
  • Multi-application or recurring annual pentest programme (handed off to the paid penetration testing service)
  • Remediation work to fix the findings (offered separately on a paid basis after the free pentest)
  • Retest after remediation (paid service deliverable, not included here)
  • Compliance certification itself (we provide evidence artefacts; an accredited auditor performs the audit)

Report aligned to your compliance framework

SOC 2 Type II

CC6.1, CC6.6, CC7.2 controls — pentest evidence accepted by all major US auditors.

HIPAA Security Rule

Aligned with §164.308(a)(8) Evaluation standard; covers ePHI-touching workloads.

PCI DSS 4.0

Requirement 11.4.1-3 internal and external penetration testing.

ISO/IEC 27001:2022

A.8.29 Security testing during development and acceptance.

FedRAMP Moderate

CA-8 Penetration Testing (supplementary, for federal-adjacent work).

NIST 800-53 rev 5

CA-8, RA-5 control family evidence.

Who runs the test

  • AWS Advanced Consulting Partner
  • Microsoft Solutions Partner (Azure)
  • ISO 27001:2022 certified
  • SOC 2 Type II
  • OSCP-certified lead engineers
  • CEH on every engagement
  • AWS Security Specialty

Apply for your free penetration test

We review applications within 2 business days and respond by email. No sales call until after our scoping conversation.

Frequently asked questions

What's the difference between this free pentest and your paid penetration testing service?

Scope and depth. The free engagement is a focused 40-60 engineer-hour assessment with a fixed scope: one AWS or Azure cloud configuration review, one external perimeter scan, OWASP Top 10 on one public web application (up to 20 pages), an exposed-secrets check, and a CIS Benchmark gap analysis — delivered in 10 business days with a single PDF report mapped to SOC 2, HIPAA, and PCI. Our paid penetration testing service at /penetration-vulnerability-testing-service/ covers larger or more sensitive scopes: multi-application web/API testing, internal network and Active Directory pentests, segmented PCI cardholder-data environments, red-team engagements, mobile binary analysis, retesting after remediation, and engagements requiring NDA-bound onsite work. If you need anything beyond the included list, or you want a recurring annual pentest programme, the paid service is the right path. Many customers run the free pentest first to get familiar with us, then commission the paid engagement for broader scope or a follow-up retest.

Is this really free — what's the catch?

Genuinely free. The pentest is our way of demonstrating capability to qualified prospects. We invest 40-60 engineer-hours per engagement on the expectation that some customers will engage us for paid remediation or ongoing managed services. Roughly 35% of free pentest recipients convert to a paid engagement (remediation, managed cloud security, or our paid penetration testing service) within 12 months; the rest simply get the report and move on. No hidden fees, no invoice for the free pentest itself.

Why do you require an application instead of just a form?

Because a 40-60 hour engagement run by senior engineers has real cost. We filter for companies that would benefit and that we could plausibly serve — typically 50+ employees running production cloud workloads with an active compliance or security concern. Approving and running one bad-fit engagement means we could not run another company's free pentest that quarter.

Is this authorised testing?

Yes, always. After the scoping call we sign a mutual NDA and a Letter of Authorisation (LoA) that documents scope, timing, targets, and permitted techniques. Your legal team receives the LoA before any testing begins. We do not test anything not explicitly listed. This matters because unauthorised testing is illegal under the US Computer Fraud and Abuse Act (CFAA) — we do not cut corners here.

How long does the full process take?

About 10 business days end-to-end. Days 1-3: application review and scoping call. Days 4-7: active testing. Days 8-10: report writing and debrief call. We can compress this for time-sensitive audit deadlines; tell us during the scoping call.

Will the report be accepted by my SOC 2 / HIPAA / PCI auditor?

Generally yes. Our reports are mapped to the specific control requirements each framework expects (e.g., SOC 2 CC6.1/CC6.6/CC7.2, PCI 11.4.1-3). We have had reports accepted by Big 4 and mid-size audit firms on behalf of SOC 2 and PCI customers. Your auditor may still request additional evidence or specific scoping — we will adjust if so.

What if you find something critical?

We notify you within 4 business hours if we find anything we consider actively exploitable or a breach in progress. The written report is delivered at the end of the engagement, but critical findings get same-day disclosure. Remediation is offered on a paid basis; you are under no obligation to engage us for it.

Do you do this for startups under 50 employees?

Rarely. We occasionally make exceptions for high-growth Series B companies with an imminent SOC 2 audit, but the baseline expectation is 50+ employees. If you are earlier-stage, we recommend an automated scan first (we can point you at free tools) and engaging us later when the production surface area justifies a human pentest.

Who owns the findings and report?

You do. The report is your property; we retain an anonymised copy in our internal case library for process improvement. We do not publish or share findings. The NDA covers both directions.