About TrustScope
TrustScope turns penetration test scoping from guesswork into a transparent, deterministic calculation — one that buyers, vendors, and auditors can all rely on. The same way CVSS gives everyone a shared way to score severity, TrustScope gives the industry a shared way to scope effort: open, verifiable, and not tilted toward either side of the deal.
The problem we solve
Pentest scoping is still set by intuition. Ask two reputable vendors to quote the same engagement and you'll often see the man-day estimates differ by 40–100%. Buyers have no objective way to tell who's right, so they tend to pick the cheapest offer — which is frequently the one that's under-scoped, leaving real risk untested. Vendors, meanwhile, spend hours scoping by feel and then have to defend a number the client can't see inside. TrustScope opens up that grey zone: it shows what an estimate is made of, and why.
A neutral standard, not a sales tool
TrustScope doesn't take a side. The engine produces the same number whoever runs it, whether a buyer checking whether a quote is fair, a vendor scoping an offer, or an auditor planning required testing. That neutrality is the whole point: a buyer can trust the estimate isn't inflated for the vendor's benefit, and a vendor can use it as a fast, defensible basis they're happy to show the client. A shared reference only works if everyone can rely on it equally.
How it works
- You describe the engagement. A guided questionnaire walks you through the target systems, depth of testing, environment, access level, and any compliance context (NIS2, DORA, ISO 27001).
- The engine calculates the scope. The estimate runs on fixed, documented rules — not AI guesswork. The same inputs always produce the same result, and every rule is laid out in the Methodology section so you can check the logic line by line.
- You see what the number is made of. The output isn't just a total. It's broken down across the three dimensions of effort the engine models (technical, compliance, and reporting) so everyone understands exactly where the man-days come from.
- You generate a structured brief. From the scope, TrustScope produces the prerequisites you need to provide — access, test accounts, documentation — and a clear brief you can send to one or more vendors for comparable quotes.
Because the calculation is deterministic and documented, two people entering the same engagement get the same answer, and anyone can re-run it to check, which is what makes an estimate something you can actually defend.
Grounded in methodology, calibrated on real work
TrustScope combines two layers, and the distinction matters:
- Methodology — what gets tested. Application scopes (web, API, mobile) follow the OWASP testing guides; infrastructure scopes (external, internal) follow OSSTMM. These define the coverage each engagement type is expected to achieve.
- Calibration — how long it takes. The man-day baselines and modifiers are derived from the recorded effort of 800+ real penetration testing projects across industries and regions. The numbers reflect time testers actually spent — not theory, and not one team's habits.
The methodology defines completeness; the data defines effort. Together they make an estimate both defensible (anchored to recognized standards) and realistic (matched to what testing actually takes).
What the man-day number actually means
There is no single "correct" duration for a penetration test, and TrustScope doesn't pretend otherwise. The estimate represents the reasonable effort needed to test a system to a professional standard, following the methodologies above, so that realistic, exploitable weaknesses are found before a likely attacker finds them, within a timeframe the engagement can actually afford.
It is deliberately not an upper bound. A tester given unlimited time could always go further: deep research, novel exploit development, and edge cases that stop being time-efficient and stop being standard practice. And a real attacker with strong motivation to break a specific system may spend far more time than any ethical engagement ever would. TrustScope estimates the standard, methodology-driven effort that converges on effective coverage in a sensible timeframe: not the theoretical maximum, and not the bare minimum a vendor might quote to win on price.
That's the point: a defensible reference for what good, standard testing costs in time — something buyers, vendors, and auditors can agree is reasonable. It's the difference between doing a pentest and doing it properly — between a result you can stand behind and a box ticked on paper.
Who it's for
- Buyers (CISOs, security and compliance teams) — to know what a fair man-day count looks like and defend it internally, instead of guessing whether a quote is reasonable.
- Vendors (pentest teams, MSSPs) — to scope offers quickly and transparently, and win on clarity rather than lowballing.
- Auditors and regulators (working against NIS2, DORA, or ISO 27001) — for a defensible, repeatable basis to plan and justify required testing.
Your data
Your inputs are used only to produce your estimate. They are not shared with vendors unless you choose to send them, and they are never used to train any model. The engine itself is calibrated against completed real-world projects to keep estimates accurate: grounded in actual engagements, not marketing claims.
Where we're going
A penetration test shouldn't be a black box where the price is guessed. Every estimate should have a clear methodology, be explainable, and be comparable across vendors. Our long-term goal is to make TrustScope the shared standard for pentest scoping — calibrated on real projects and trusted equally by every side — so that "scoped with TrustScope" means the same thing to a buyer, a vendor, and an auditor. Not a single dictated number, but a transparent baseline everyone can start from and adjust with documented reasoning.
Contact
Questions, feedback, calibration data, or a consultation request? Write to david@trustscope.io.