Stop guessing.
Scope with confidence.

Penetration test scoping is still guesswork — the same engagement gets quoted with 40–100% different effort. TrustScope turns it into a transparent, deterministic man-day estimate that buyers, vendors and auditors can all rely on. One method, verifiable by anyone — the way CVSS scores severity, TrustScope scopes effort.

No login needed.

The same test, three different prices

Send one penetration test to three vendors and you'll get three very different numbers — sometimes triple each other. Not because anyone's cheating, but because scoping is guesswork, and everyone guesses differently. The cheapest quote usually wins. It's also usually the one that quietly skips things.

And 'we ran a pentest' isn't the same as running it properly. NIS2 and DORA require testing but don't define how thorough it must be — so a one-day box-tick can pass on paper while leaving you exposed. The thing nobody measures is effort: the time a test actually needs to do its job.

How it works

  1. Describe what you want tested

     A few short questions about the system, its size, the access the tester gets, and any compliance needs. Couple of minutes.

  2. Get a man-day estimate

     TrustScope calculates how many days the test should take — fixed rules, real-world data. Same answers always give the same number.

  3. See what's behind it

     The estimate is broken down line by line, so you know exactly why it's that number — not a total you take on faith.

  4. Know what to prepare

     From the scope, TrustScope lists exactly what the tester will need from you — access, test accounts, documentation — no more, no less, based on what's actually in scope. So the engagement starts without delays.

Engagement · ACME-772-B
Banking portal — Web + API

Verified breakdown: 19.4 MD

Technical testing                                                    13.5 MD
  Baseline — Web app + API, grey-box, ~8 endpoints                    7.0 MD
  RBAC matrix (3 roles + tenant isolation)                           +2.5 MD
  Financial transaction workflows (race conditions)                  +2.5 MD
  GraphQL surface — manual depth & introspection                     +1.5 MD
Compliance evidence                                                   3.0 MD
  PCI-DSS / DORA evidence mapping                                     3.0 MD
Other                                                                 2.9 MD
  Project management + executive & technical reporting + QA review    2.9 MD
Total                                                                19.4 MD

Every man-day is itemised and explainable — the same number, whoever runs it.

Grounded in real work, not guesswork

Every estimate runs on fixed rules — no AI guessing the number — calibrated against the recorded effort of real penetration tests, following recognized methodologies like OWASP or OSSTMM.

800+ reference engagements
10 pentest categories
8 compliance frameworks
12 complexity signals

One method, three audiences

Buyers

Know what a fair test should cost, and defend it internally.

Vendors

Scope fast and transparently, and win on clarity instead of lowballing.

Auditors

A defensible, repeatable basis they can rely on when reviewing NIS2, DORA and ISO 27001 testing.

Scope your next engagement in 90 seconds.

No setup. No login required.

Run an estimate