Frequently Asked Questions
Pentesting, compliance, and how we work
Plain answers to the questions we get most. If yours is not here, the free security check is the fastest way to get specifics about your environment.
What is a penetration test?
A penetration test is an authorized, scoped attack simulation against your systems. A qualified operator attempts to exploit vulnerabilities the way a real attacker would, rather than only scanning for them. The output is a report documenting every finding, the proof of exploitation, the business impact, and specific remediation steps. Penetration testing is distinct from vulnerability scanning (automated, signature- and CVE-based) and security auditing (policy and process review).
What is the difference between a penetration test and a vulnerability scan?
A vulnerability scan is automated: it fingerprints exposed services and versions and matches them against known CVEs, without attempting exploitation. A penetration test is manual, attempts to actually exploit the findings, and chains individual issues into realistic attack paths. Compliance frameworks like PCI DSS 4.0 require both: quarterly internal and external vulnerability scans satisfy Requirement 11.3, and penetration tests satisfy Requirement 11.4.
How long does a penetration test take?
Timelines depend on scope. A website security check takes 48 hours. A platform-specific audit takes 5-7 days. A full-stack audit takes 10-14 days. Compliance-driven engagements (PCI DSS 4.0, HIPAA, SOC 2, CMMC) run 2-12 weeks depending on organization size and control maturity.
How much does a penetration test cost?
Valtik Studios offers three standard tiers: $500 website security check, $1,500 platform audit, $3,500 full-stack audit. Compliance engagements (PCI DSS 4.0, HIPAA, SOC 2, CMMC) are quoted individually based on scope, typically $8,000-$75,000 for small-to-mid engagements and scaling up for enterprise. We provide fixed-price quotes after a scoping call. No hourly billing surprises.
Do I need a penetration test for PCI DSS compliance?
Yes. PCI DSS 4.0 Requirement 11.4 mandates both internal and external penetration testing at least once every 12 months and after any significant change to the cardholder data environment (Requirements 11.4.2 and 11.4.3). If segmentation is used to isolate the cardholder data environment, the segmentation controls must be tested at least every 12 months and after any change to them (11.4.5); service providers must test segmentation at least every six months (11.4.6). See our PCI DSS 4.0 Penetration Testing page for the full breakdown.
Does HIPAA require penetration testing?
The current HIPAA Security Rule requires a periodic technical and non-technical evaluation of security controls (45 CFR 164.308(a)(8)) but does not explicitly mandate penetration testing. The proposed Security Rule update, released by HHS in December 2024 and published in the Federal Register in January 2025, would explicitly require penetration testing at least every 12 months and vulnerability scanning at least every six months for Covered Entities and Business Associates. Most organizations that have been through an OCR audit treat pentesting as a de facto requirement, because it is the most direct evidence that the required risk analysis and evaluation were actually performed.
What is SOC 2 readiness and why does it matter?
SOC 2 readiness is the pre-audit work that prepares your company for the formal SOC 2 audit conducted by a CPA firm. A proper readiness assessment identifies gaps, implements controls, collects evidence, and produces a remediation roadmap so the actual audit becomes a confirmation instead of a discovery process. B2B SaaS companies selling to enterprise typically need SOC 2 Type II to pass procurement.
What is CMMC 2.0 and who needs it?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 program rule (32 CFR Part 170) was published October 15, 2024 and took effect December 16, 2024. Any company in the Defense Industrial Base handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) needs CMMC certification at the level specified in its contract. Level 1 covers FCI only (the 15 basic safeguarding practices from FAR 52.204-21, annual self-assessment). Level 2 covers CUI (the 110 practices of NIST SP 800-171 Rev. 2, assessed every three years by a C3PAO, or by self-assessment where the contract allows it). Level 3 covers CUI in higher-threat programs (Level 2 plus selected NIST SP 800-172 practices, government-led assessment by DIBCAC).
Do you work with small businesses or only enterprise?
We work across the spectrum. Our $500 website security check is designed for small businesses. Our compliance engagements scale from small practice ($8-18K HIPAA assessments) to enterprise ($75K+ SOC 2, CMMC, PCI DSS). Many of our clients are 10-250 employee companies in Connecticut and Dallas-Fort Worth. We also work with enterprise clients nationwide.
Is Valtik Studios a Connecticut firm?
Yes. Valtik Studios is a Connecticut LLC. We work with clients across Connecticut (Hartford, New Haven, Stamford, Bridgeport, Waterbury, Greenwich) and nationwide, including strong presence in Dallas-Fort Worth. On-site work is available anywhere in Connecticut and throughout the DFW metroplex.
How do you handle the engagement?
Every engagement is led by a senior consultant from kickoff to report. There is no junior hand-off, no offshore report writing, no project management intermediary between you and the operator finding your bugs. We stay small on purpose. It keeps quality high and communication direct.
What deliverables do we get?
Every engagement produces: (1) an executive summary suitable for board review, (2) a detailed findings report with proof-of-exploit for every finding plus CVSS and CWE mapping, (3) a remediation roadmap prioritized by risk, (4) compliance-specific attestation if applicable (QSA letter, HIPAA documentation, SOC 2 evidence package). Retest of remediated findings is included within 90 days at no additional cost.
What methodology do you follow?
We align to NIST SP 800-115, the OWASP Web Security Testing Guide v4.2, the OWASP API Security Top 10, PTES, and MITRE ATT&CK. Compliance engagements explicitly map findings to the requirements of the framework (PCI DSS 4.0, HIPAA Security Rule, SOC 2 Trust Services Criteria, CMMC 2.0 practices, NYDFS 23 NYCRR 500). Our methodology is documented and we can provide it as part of engagement scoping.
Do you offer retesting?
Yes. Retest of remediated findings is included in every engagement within 90 days of initial report delivery. We verify that remediation is effective and update the report with remediation status. Beyond 90 days or for findings that require multiple retests, we bill at an hourly rate.
How do I start?
Start with our free website security check. We scan your public-facing systems and email a plain-English findings report within 48 hours. No sales pitch, no obligation. If you want to move forward with a full engagement, we schedule a scoping call and quote a fixed price.
Do you do emergency incident response?
Yes. We handle post-incident assessments, root cause analysis, and remediation verification. For active incidents requiring immediate response (ransomware in progress, active exfiltration), we work alongside your incident response retainer firm or law firm. Our engagement typically begins after the immediate containment and focuses on forensics, remediation validation, and regulator-ready documentation.
What is the difference between internal and external pentesting?
External pentesting simulates an unauthenticated attacker from the internet attacking your external-facing systems. Internal pentesting simulates a malicious insider or a compromised workstation and tests what an attacker can do after they are already inside the network. Compliance frameworks like PCI DSS 4.0 require both. Enterprise security programs should run both annually.
Can you help us implement remediations?
We can, but we typically advise clients to engage us for testing and a separate team or firm for remediation. Keeping the people who find the bugs separate from the people who fix them is industry best practice, and it keeps the retest independent. We do offer remediation advisory on an hourly basis and can recommend remediation-focused firms if your team lacks capacity.
Do you sign NDAs before discussing engagements?
Yes. We sign mutual NDAs before any detailed scoping discussion. For engaged clients, we maintain documented ROE (Rules of Engagement), signed permission letters, and scope-of-work documents. Testing only begins after all authorization is in place.
What about bug bounty programs?
We advise on bug bounty program launches and manage triage for private programs. Bug bounties are complementary to pentesting, not a replacement. Pentests are scheduled, scoped, and thorough. Bug bounties are opportunistic and find bugs pentests miss. Mature security programs run both. See our bug bounty program building blog post for the full breakdown.
Question not answered?
The free website security check is the fastest way to get specific answers about your environment. We scan your public surface and send a plain-English findings report within 48 hours. No sales pitch.