PentX runs real, exploit-proven pentests in hours. You deliver the report under your own brand, own the client relationship, and keep up to 90% of every engagement. No pentester to hire. No subcontractor taking your margin. Optional CREST-certified human co-sign when an auditor or insurer asks for it.
Cyber insurance questionnaires, ISO 27001 and SOC 2 audits, PCI-DSS 4.0, NIS2, and vendor security reviews are all pushing your SMB clients toward annual pentesting. When they ask and you say “we don’t do that,” a security boutique gets the project, and a seat at the table with your client.
You sell the project, a boutique does the work, keeps most of the margin, and becomes visible to your client. You carry the risk; they earn the credibility.
A senior pentester costs six figures, takes months to find, and becomes a single point of failure for scoping, testing, reporting, and retests.
Scanners create tickets, not proof. Insurers, auditors, and boards want a defensible pentest report with validated exploitation, not a CSV of maybes.
Every pentest you can’t deliver invites a security provider into your account. Today it’s the pentest. Next quarter it’s your managed services contract.
PentX closes all four gaps at once: you keep the engagement, the margin, the report, and the relationship, without hiring anyone.
You stay the trusted advisor in front of the client. PentX is the delivery engine behind the curtain.
Add the approved assets: domains, web apps, IP ranges, internal targets, or cloud environments. Scope is enforced at the network layer, so the test physically cannot exceed what you authorize.
Reconnaissance, exploitation, validation, and evidence collection run autonomously across the approved attack surface. No babysitting required.
Every confirmed vulnerability ships with reproducible proof: exploit chain, payloads, request/response captures, screenshots, impact, and remediation steps.
Export the report with your logo, your colors, your language. Optional: a CREST-certified senior engineer reviews and co-signs before it reaches the client.
After remediation, run the included retest and hand over proof the issues are fixed. That’s your natural opening for next year’s engagement.
The delivery cost is €250 per pentest on 10-pack pricing. Everything above that is yours.
Most MSPs charge €1,500–€5,000 per engagement depending on scope and market.
Delivery cost assumes 10-pack rate (€250/pentest). Excludes your internal time and follow-on remediation revenue, which is usually 2–3× the pentest itself.
A pentest deliverable built for four audiences at once: the client’s technical team, their executives, their insurer, and their auditor.
Every finding in the report is exploit-proven. If it couldn’t be validated, it doesn’t go in. Your name is on the cover. That’s the standard.
Every MSP founder has the same six doubts before reselling pentesting. Here they are, answered straight.
```
$ pentx validate --finding WEB-04 --target portal.client-scope.com
[>] injecting payload: ' UNION SELECT current_user,version()--
[>] response: HTTP 200 · 1,402 bytes · PostgreSQL 14.11 · user: app_admin
[>] evidence captured: request.txt · response.txt · screenshot.png
[✓] EXPLOIT VALIDATED · severity: critical · added to report with remediation steps
scope-guard: 1 of 1 targets authorized · rate-limit on · kill switch armed · audit log: on
```
This is what “exploit-proven” means: if it can’t be reproduced, it doesn’t reach your client.
A US Northeast IT company serving financial-sector clients went from 8–12 outsourced pentests a year to 125 engagements in 5 months, cut cost per engagement by 70%, and turned PCI-DSS 4.0 and SOC 2 evidence into an on-demand service.
CTDefense reduced report production from 25 hours of manual writing to 4 hours of senior review, freeing senior engineers for remediation and client-facing advisory without reducing report defensibility.
Forward Defense submitted PentX-powered reports to Big Four auditors for 12 months with 100% acceptance and zero revisions. MSP-grade delivery, auditor-ready evidence.

| Option | What happens | What it costs you |
|---|---|---|
| Say “we don’t do that” | Client buys from a security boutique | The project, the margin, and a competitor inside your account |
| Hire a pentester | You build internal capacity | Six-figure fixed cost, months of hiring, one-person bottleneck, retention risk |
| Subcontract to a boutique | Someone else delivers your project | Most of the margin, slower delivery, your client meets your subcontractor |
| Resell a scanner | You get raw technical findings | Your team still validates, prioritizes, and writes the report. And clients can tell the difference |
| Deliver with PentX | Exploit-proven pentest under your brand, in hours | From €250 per engagement. You keep up to 90% and the client never leaves your orbit |
PentX gives you the economics of software, the credibility of exploit-proven testing, and the commercial control of a white-label service.
Every paid pentest includes one retest. Scope is confirmed before launch, so you always know your delivery cost before you quote a client.
MSPs rarely fail at pentesting for lack of demand. They fail for lack of an offer. The MSP Launch Kit closes that gap on day one.
No. Scanners list what might be vulnerable. PentX delivers a pentest-style engagement: it exploits, validates, and documents what is actually vulnerable, with reproducible evidence, business impact, remediation guidance, and a client-ready report. Nothing reaches the report without proof.
Not unless you tell them. On the Partner tier the entire client experience is white-labeled: your logo, your colors, your report template, your positioning. You own the relationship, the pricing, and the delivery.
The authorized scope is enforced at the network layer, so the test cannot touch assets you have not approved. Rate-limiting, kill switches, and full audit logs are built into the delivery model, and exploitation is performed with production-safe techniques.
PentX-powered reports have been accepted by Big Four auditors with zero revisions over 12 months. For insurer, auditor, or enterprise review you can add a named CREST-certified senior engineer who reviews and co-signs the report before delivery.
Yes. Your team defines the client scope and reviews the output; PentX handles reconnaissance, exploitation, validation, evidence, and reporting. The Partner launch kit includes the sales deck, proposal template, pricing calculator, and objection battlecard, plus an onboarding session and a review of your first client quote.
One credit covers one approved engagement scope (an external, web, internal, or cloud pentest for one client) plus one retest of the same scope after remediation. Scope is confirmed before launch, so you know your delivery cost before you quote. Large multi-environment scopes may need more credits, but you'll know before the engagement starts.
A clean report is still the deliverable your client is paying for: defensible evidence for insurers, auditors, and boards that their environment was tested against real exploitation. In practice, most environments produce actionable findings, which become your remediation and managed-security pipeline.
With 10-pack pricing your delivery cost can be €250 per pentest. You set your own client price, typically €1,500–€5,000, and keep the margin. Then the findings drive follow-on revenue: remediation projects, retests, compliance support, managed security upgrades, and vCISO services.
Yes. PentX reports support cyber insurance reviews, ISO 27001, SOC 2, PCI-DSS 4.0, and vendor security reviews. For higher-assurance situations, add the CREST-certified engineer co-sign.
A typical external engagement completes in hours once scope is approved. New partners usually go from signup to their first client-ready quote within days, not months.
PentX operates under ISO 27001 and GDPR. Engagement data is scoped to your account, evidence is collected only from assets you authorized, and full audit logs document every action taken during the test.
Each pentest includes one retest of the same scope. Rerun the test after remediation, verify the fixes, and hand the client proof, which is also your opening for next year's engagement.
Open a free account, run the first pentest on your own environment, and judge the report yourself. If it wouldn’t convince you, don’t sell it. If it would, you just found your highest-margin service line.