SaaS Penetration Testing | SOC 2 Type 2 Audit-Ready | Swarm
9 / 10 OWASP API Top 10 · full coverage (improper inventory: partial)

SaaS-native pen testing. Multi-tenant by default.

Cross-tenant isolation tested on every ID parameter. Identity-provider coverage across Clerk, Auth0, Okta, Stytch, Cognito, Firebase, and Supabase. The full audit trail your SOC 2 Type 2 auditor reads before they open the report.

SaaS engagement · scope: multi-tenant
01
Multi-tenant isolation
Every ID parameter probed for cross-tenant access
02
Identity-provider coverage
Clerk · Auth0 · Okta · Stytch · Cognito · Firebase · Supabase
03
OWASP API Top 10
BOLA, BFLA, mass assignment, business-flow abuse
04
SOC 2 Type 2
CC4, CC7 mapped. Auditor-ready evidence artifact.
05
Auditor role
Read-only Clerk role. No engineering credentials.
06
PTaaS cadence
Recurring per release. 30-day free retest.
Sealed deliverable: report + audit trail. SOC 2 Type 2 ready.
SWARMSEC.AI · BUILT FOR SAAS ENGINEERING · SOC 2 · ISO 27001 · OWASP API
30+ specialists · <1hr to first finding · $4,995 flat, one number · 30d free retest

The engagement

One swarm. Four phases.

01

Recon

Map every endpoint, every framework, every footgun. Manual scanners run a fixed signature set. The swarm runs against your actual surface.

02

Triage

Specialists own classes of attack. Auth flaws. Access control. Injection. Logic. Each agent probes its vector and cites the request that proved it.

03

Exploit

Verified PoC for every Critical and High. Multi-step chains are first-class. The chain analyst composes findings into one exploit path.

04

Report

Markdown narrative. Full audit trail. JSON for tooling. Your auditor reads the action that matches the verdict.

The differentiator

Receipts on every finding.

Every tool call. Every request. Every grep. Every submit. Every verify. Streams to the dashboard live and ships with the report. Your SOC 2 reviewer doesn't have to take our word for it. They open action 1,847 and read what we did.

audit trail · engagement 0a9b3 · actions 142–150 · 1,847 actions · 312KB

0142  14:11:08  [recon]          http_request    GET /api/internal/health                            200
0143  14:11:09  [recon]          http_request    GET /api/internal/users?role=admin                  200
0144  14:11:10  [auth]           submit_finding  token-leak in /api/internal/users                   high
0145  14:11:32  [broken-access]  source_grep     authorize\(.*role                                   7 hits
0146  14:11:48  [broken-access]  http_request    POST /api/role/upgrade                              403
0147  14:12:14  [broken-access]  http_request    POST /api/role/upgrade -H X-Forwarded-User: admin   200
0148  14:12:15  [broken-access]  submit_finding  privilege bypass via X-Forwarded-User               critical
0149  14:12:32  [chain]          submit_finding  CHAIN-2 IDOR + role bypass = full takeover          critical
0150  14:13:08  [reviewer]       verify          CHAIN-2 reproducible against live target            sealed

Continued through engagement completion. Sealed and signed.

Legend: 200 = successful response or benign result · high = verified high-severity finding · critical = verified critical finding or chain

The price

One number. Read the receipts.

No per-target pricing. No per-finding pricing. No "starts from". One engagement, one fee, one audit trail.

$4,995
Flat per engagement
01
30+ specialists
chain_analyst · idor · prompt_injection · broken_access · +26 more
02
Verified PoC
Every Critical and High, reproducible
03
Audit trail
Every action logged, evidence-grade
04
Signed report
Cryptographically attested. Auditor-deliverable. Prospect-ready.
05
30-day retest
Free verification once you fix
06
SOC 2 evidence
Auditor-ready, no extra prep
Start engagement. Free preview before you pay anything.

Questions

What buyers ask. Receipts attached.

The questions every engineering and security lead asks before they fund an engagement. Read the answers here, before the kickoff call.

01 What is SaaS penetration testing?

SaaS penetration testing focuses on the attack surfaces specific to multi-tenant web applications: cross-tenant isolation, identity provider integration, API security boundary, and the audit deliverable that satisfies SOC 2 Type 2 reviewers.

02 How does Swarm test multi-tenant isolation?

Multi-tenant specialists probe every ID parameter for cross-account access, validate org-scoping on every API call, and test session-token reuse across tenants. Findings include the IDOR-class bugs traditional pentests miss because they sample rather than enumerate.

03 Which identity providers does Swarm cover?

Clerk, Auth0, Okta, Stytch, Cognito, Firebase, Supabase Auth, and custom IDPs. Specialists describe the mechanic first; stack-specific paths and library names appear as illustrative anchors. JWT-alg bugs, missing org-scope checks, and session-fixation paths are covered across providers.

04 Can my auditor see the audit trail?

Yes. The full audit trail is downloadable from the dashboard and is the canonical evidence artifact for your SOC 2 review. A dedicated read-only Auditor Clerk role gives your external compliance professional dashboard access without engineering credentials.

05 Does Swarm cover the OWASP API Top 10?

Full coverage on 9 of 10 categories: BOLA, broken authentication, object property-level auth, resource consumption, BFLA, sensitive business flow abuse, SSRF, security misconfiguration, unsafe API consumption. Improper Inventory is partial. See /owasp-coverage for the per-category breakdown.

06 What is BOLA and how is it tested?

BOLA (Broken Object-Level Authorization) is the API equivalent of IDOR. Every ID parameter in your API is tested for cross-account access. Swarm enumerates ID-bearing endpoints from the OpenAPI spec and dashboard inspection, then probes each with a second tenant's credentials.
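One way to model the check described in 02 and 06 (every ID parameter exercised with another tenant's credentials, org-scoping verified on each lookup), written here as an added example and not Swarm's own code: the in-memory document store, the two tenant sessions and the handler names are constructed for illustration, and the same enumeration doubles as a per-release regression test.

```python
"""Cross-tenant (BOLA/IDOR) isolation check: vulnerable lookup beside the
org-scoped fix, plus the enumerate-every-ID regression check."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample data: two orgs, each owning one document.
DOCUMENTS = {
    "doc_1": {"org": "org_a", "body": "Q3 forecast (org_a)"},
    "doc_2": {"org": "org_b", "body": "Payroll export (org_b)"},
}


@dataclass(frozen=True)
class Session:
    user: str
    org: str  # org claim the identity provider placed in the session token


def get_document_vulnerable(session: Session, doc_id: str) -> Optional[dict]:
    """BOLA: the caller is authenticated, but object ownership is never checked."""
    return DOCUMENTS.get(doc_id)


def get_document_scoped(session: Session, doc_id: str) -> Optional[dict]:
    """Hardened: the lookup is filtered by the caller's org, so a foreign ID
    resolves to 'not found' instead of another tenant's data."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["org"] != session.org:
        return None
    return doc


def cross_tenant_leaks(handler: Callable[[Session, str], Optional[dict]],
                       sessions: List[Session],
                       object_ids: List[str]) -> List[Tuple[str, str]]:
    """Try every (session, id) pair and report reads that returned an object
    owned by a different org. An empty list means isolation held."""
    leaks = []
    for s in sessions:
        for oid in object_ids:
            doc = handler(s, oid)
            if doc is not None and doc["org"] != s.org:
                leaks.append((s.user, oid))
    return leaks


SESSIONS = [Session("alice", "org_a"), Session("bob", "org_b")]

if __name__ == "__main__":
    print(cross_tenant_leaks(get_document_vulnerable, SESSIONS, list(DOCUMENTS)))
    print(cross_tenant_leaks(get_document_scoped, SESSIONS, list(DOCUMENTS)))
```

Returning "not found" rather than "forbidden" for a foreign ID also avoids confirming that the object exists.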

07 Does Swarm satisfy SOC 2 Type 2 pen-testing requirements?

A Swarm engagement is designed to satisfy SOC 2 Type 2 Trust Services Criteria CC4 (Monitoring) and CC7 (System Operations). The full audit trail is your evidence artifact; the structured report is your finding documentation. See /compliance for the full mapping.

08 Is Swarm a PTaaS (penetration testing as a service)?

Yes. Swarm is offered as PTaaS: recurring engagements triggered per release cycle, with a shared findings history and a free retest within 30 days of remediation baked in. This replaces the traditional human retainer for teams running continuous-deployment pipelines.

09 How long does a SaaS pen test take?

The free attack-surface preview returns in a few minutes. The full engagement run completes the same day. Compare against the two-to-four-week timeline of a human firm pen test.

Read the receipts.
ENTER YOUR DOMAIN. SWARM MAPS YOUR ATTACK SURFACE IN JUST A FEW MINUTES. No card. Free preview.