Pricing
Pricing that scales with your evidence cadence.
Free for one verified target. Move to Starter or Growth as your scan frequency grows. Add a Verified report when you need a human-reviewed deliverable.
90-second product demo - coming this week
While we finish the screencast, take the same tour in 60 seconds via the sample report - same data, paginated across the four auditor-ready PDFs.
See a sample PDFStart any paid plan with a 14-day free trial — no charge until it ends. Cancel any time before day 14 and you owe nothing.
A card is collected at checkout so the plan continues automatically after the trial. Manage or cancel from the billing portal.
Free
Kick the tires on a single verified target.
- 1 verified target
- 1 scan / month
- DNS, TLS, security headers
- No PDF export
Starter
Basic automated checks for solo founders.
Billed annually · save 20%
Starts with a 14-day free trial
Start free trial- 3 verified targets (web, API, repo)
- 10 scans / month
- Weekly evidence snapshots
- Executive + Developer PDF reports
- Compliance evidence rows (ISO / SOC2 / OWASP)
- Retest workflow
Growth
Full multi-surface coverage: web, API, repo, mobile, cloud, K8s.
Billed annually · save 20%
Starts with a 14-day free trial
Start free trial- 15 verified targets (any surface)
- 100 scans / month
- Mobile binary scan (APK / IPA)
- Cloud audit (AWS / Azure / GCP via Prowler)
- Kubernetes manifests (Kubescape NSA)
- Advanced API testing (BOLA / BFLA / mass-assignment)
- Repo scan: osv-scanner + gitleaks + Trivy + Semgrep
- All 4 PDF reports (Executive / Developer / Compliance / Trend)
- KEV + EPSS prioritization
Agency
Repeatable multi-client coverage with branded reports.
Billed annually · save 20%
Starts with a 14-day free trial
Start free trial- 50 verified targets across 25 client workspaces
- 15 team members
- Branded PDF reports (Executive / Developer / Compliance / Trend)
- Per-client Compliance dashboard
- Multi-client dashboard with cross-workspace rollup
Enterprise
Custom limits, SSO, regulated environments.
- Custom targets and scan volume
- SSO / SAML
- Advanced RBAC + audit logs
- Internal scanner agent
- Priority support
Web3 / smart contract scanning
Layered on Growth or Agency. Token contracts, public wallet exposure, sanctions signals, liquidity risk, honeypot detection.
- EVM (7 chains): Ethereum, Polygon, BSC, Arbitrum, Optimism, Base, Avalanche
- Sui Move (Beta) - 19 static detectors + UpgradeCap owner classification
- Solana (Beta) - verified-build + upgrade authority + Anchor IDL + SPL authority
- Slither + Mythril + Echidna analysis (EVM)
- Honeypot + fee-on-transfer detection
- Owner classification (EOA / Safe / Timelock)
- OFAC SDN compliance lookup
- Web3 risk score on every target
Invasive testing (active attack payloads)
Layered on Growth or Agency. The active checks that send real attack payloads - safely, only on targets you explicitly authorize (staging recommended).
- Active web scanner (OWASP ZAP): SQLi / XSS / CSRF / SSRF / path traversal / cmd injection / SSTI
- OpenAPI contract fuzz (Schemathesis): generated POST / PUT / DELETE
- Mass-assignment probe: privileged-field PATCH (confirmed CWE-915)
- Host-header injection: password-reset + cache-poisoning primitive
- Two-gate safety: add-on + explicit per-target authorization
- Per-tool opt-out, staging-first, no DoS / brute-force
Verified Security Report - currently unavailable. Automated evidence reports remain available across Starter, Growth, and Agency.
All plans require verified target ownership for full scans. NANOTESTING is not a certified penetration test or a compliance attestation.
Questions
Straight answers about what NANOTESTING does and doesn't do.
If you don't see your question, contact the team. We try to be specific about scope so you can evaluate fit.
Stop sending screenshots. Start sending reports.
Create an account, verify your target, and run a safe automated assessment in minutes.