How we deliver.

Productized security audits. Public pricing. Credentialed engineers. Signed reports. 15-day SLA on Pen Test Essential, 30-day on Complete. No procurement treadmill.

  • 20+ Pen Tests Delivered
  • 57 Reports
  • 19 of 20 Audits Surface High-Severity Findings

Deliverables

What lands in your inbox.

Every Cloud Upload audit produces concrete artifacts — not consulting deliverables you have to chase. Free Scan ships in minutes. Paid audits ship the same week. Pen Tests ship in 15 days (Essential) or 30 days (Complete) from scope-lock.

Signed PDF Report

40–80 page report on Pen Tests, executive summary plus full findings on $499 audits, summary PDF on Free Scans. Pen Test reports are signed by the credentialed engineer who performed the testing. Auditors and customers can verify authorship.

  • Executive summary
  • Findings inventory by severity
  • Evidence per finding (screenshots, payloads, request/response)
  • CVSS 3.1 scoring at $499+ tiers
  • Remediation guidance per finding
  • Signed by named tester (Pen Test + Manual Cloud Audit)

Live Results Page

Web-based version of your report. Never expires. Flagged as stale after 90 days with a re-scan prompt — but the data stays accessible. You can return any time, share with your team, or pass to auditors via the link.

  • Browsable findings
  • Severity filtering
  • Evidence inline
  • Shareable URL with access controls
  • Re-scan prompt after 90 days
  • GDPR-deletion endpoint for full removal on request

Compliance Tagging — Manual Cloud Audit only

Manual Cloud Audit can scope explicit compliance framework cross-references when your evidence package needs them. Automated tiers (Free Scan, $499 Full Report) ship with CIS AWS Foundations Benchmark v1.5 mapping per finding.

  • CIS AWS Foundations Benchmark v1.5 — automated tiers + Manual
  • SOC 2 Trust Services Criteria — Manual only, when scoped
  • HIPAA Security Rule — Manual only, when scoped
  • PCI DSS — Manual only, when scoped
  • ISO 27001:2022 Annex A — Manual only, when scoped

Retest Included

60-day retest included on all Pen Tests. Fix the findings, ping us, we verify. The retest report is a separate signed PDF — same format, marked “retest” — that auditors and customers accept as evidence the findings were closed.

  • 60-day window from initial report delivery
  • Same scope as initial engagement
  • Updated severity scoring per finding
  • Closure verification per finding
  • Separate signed PDF marked “retest”

No “consulting hours” billed against vague deliverables. No “draft report” PDFs that get revised after stakeholder calls. The artifact inventory is the contract.

Process

No procurement treadmill.

Productized delivery means the engagement is a product, not a project. Stripe checkout, no discovery calls, no kickoff sequence, no contract redlining cycle. Scope is locked before checkout — no scope creep, no surprise change orders.

  • Speed to delivery

    Free Scan: under 3 minutes (Web) or 10–15 minutes (Cloud) from form submission. $499 Full Audit Report: under 20 minutes from Stripe checkout. Pen Test: 15-day SLA from scope-lock for Essential, 30-day for Complete. Manual Cloud Audit: scoped per engagement, typical 2-week turnaround. Implementation: scoped per engagement.

  • Scope contract

    Scope-lock at checkout. Manual tiers (Pen Test, Manual Cloud Audit) lock scope through a 5-minute scoping form before Stripe. What’s in scope is what we test — no scope creep mid-engagement, no surprise additions billed at end-of-engagement. Out-of-scope discoveries are flagged in the report but not tested without a separate scoping conversation.

  • Communication during the engagement

    Default: status update at scope-lock confirmation, status update mid-engagement, delivery email with signed PDF + live results page link. If we surface anything urgent during testing — exposed credentials, active exploitation paths — we contact you immediately, not at delivery.

  • NDA + data handling

    Standard mutual NDA available before scoping; we sign yours or ours. Free + paid scans never see authenticated data — public surface only. Cloud audits use a read-only AWS role you deploy via CloudFormation; we read configuration metadata only, never customer data. All scan artifacts retained in your account; you can request deletion via privacy@cloudupload.tech and our automated GDPR endpoint at any time.

If a process step doesn’t fit your situation, talk to us. The product is fixed; the working relationship is human.

Team

Credentialed engineers, named on the report.

Pen Tests and Manual Cloud Audits are performed by senior engineers with industry-standard credentials. Each report names the engineer who performed the testing — auditors and customers can verify the work was done by a named, certified person. Automated audits ($0, $499) run in our pipeline, but the methodology and rule set were authored by the same engineers.

In 19 of 20 recent audits, we surfaced at least one high-severity security issue.

Not luck. Methodology designed to surface issues automation misses — chained vulnerability paths, business-logic abuse, IAM privilege escalation, encryption gaps, FinOps blind spots.

Credentials

  • CISSP Associate — ISC²
  • CCSP — ISC²
  • CEH — EC-Council
  • eMAPT — INE Security
  • eWPT — INE Security
  • GCP Professional Cloud Architect
  • AWS Solutions Architect Associate
  • AWS Cloud Practitioner
  • OWASP

Frameworks Aligned

  • OWASP Web Security Testing Guide
  • OWASP Mobile MASVS
  • OWASP API Security Top 10
  • CIS Benchmarks
  • CIS AWS Foundations
  • AWS Well-Architected Security Pillar
  • NIST 800-53


Common questions

Quick answers.

Cloud Upload’s SLA is 15 days from scope-lock to signed PDF delivery for Essential, 30 days for Complete. Scope-lock happens immediately after Stripe checkout for Essential ($3,499) and Complete ($5,499) tiers. The window includes testing, validation, and report drafting by the credentialed engineer assigned to your engagement. Custom-tier engagements (internal network, red team, recurring) are scoped per engagement, typically 2–4 weeks.

Cloud Upload audits and pen tests align with industry-standard frameworks: OWASP Web Security Testing Guide (web app testing), OWASP Mobile MASVS (mobile app testing), OWASP API Security Top 10 (API testing), CIS Benchmarks (configuration baselines), CIS AWS Foundations Benchmark (AWS specific), AWS Well-Architected Security Pillar (cloud architecture review), and NIST 800-53 (compliance baseline). Cloud Audit reports ship with CIS AWS Foundations Benchmark v1.5 mapping per finding; pen test reports use OWASP methodology mapping. Manual Cloud Audit can scope additional framework cross-references when requested.

Yes. Cloud Upload’s engineering team holds CISSP Associate (ISC²), CCSP (ISC²), CEH (EC-Council), eMAPT and eWPT (INE Security), GCP Professional Cloud Architect, AWS Solutions Architect Associate, AWS Cloud Practitioner, plus active engagement with OWASP. Each Pen Test and Manual Cloud Audit report names the credentialed engineer who performed the testing — auditors and customers can verify the work.

A 40–80 page signed PDF (length depends on scope and findings count) including: executive summary (1 page, written for non-technical readers), scope and methodology (2–3 pages), findings inventory grouped by severity (10–60 pages depending on findings), evidence per finding (screenshots, payloads, request/response samples), CVSS 4.0 scoring per finding, remediation guidance per finding. Reports are signed by the engineer who performed testing.

Traditional pen tests start with a discovery call, scope through email or kickoff meeting, contract redlining, NET 30 invoicing, and weeks of pre-engagement procurement. The actual testing is a fraction of the timeline. Productized pen testing reverses this: scope through a structured form (5 minutes), pay via Stripe (immediate), test (15-day SLA for Essential, 30-day for Complete), receive signed report (delivery). Same testing methodology and engineer credentials — just without the procurement treadmill. Better fit for SaaS startups and engineering-led security buyers; less fit for buyers who specifically need a discovery-call relationship.

Yes. Pen Test and Manual Cloud Audit reports are signed PDFs — the credentialed engineer who performed the testing is named, and the report includes their certifications. Auditors and customer security teams accept signed PDFs as evidence of independent testing. The live results page version of your report has shareable URLs with access controls so you can share with auditors or enterprise customer security review teams without re-emailing PDFs.

Five steps: (1) Scope through 5-minute structured form — asset, scope, compliance need, authorization. (2) Stripe checkout — instant scope-lock confirmation. (3) Testing window — 15 days for Essential, 30 days for Complete from scope-lock; status update mid-engagement; immediate contact if anything urgent surfaces. (4) Delivery — signed PDF + live results page email. (5) 60-day retest window — fix findings, ping us, we verify and issue a retest report. No discovery call, no kickoff meeting, no NET 30, no procurement.
