Third-party pen testing
without the $20,000 invoice.

Automated penetration testing built on OWASP ZAP, with compliance-oriented reports formatted for your auditors and clients, at roughly a tenth of the cost of a traditional engagement.

What You Get

Full-Scan DAST

OWASP ZAP full scan: a traditional spider plus the AJAX spider for JavaScript-driven pages, followed by active scan rules that send attack payloads to every input they discover. It finds the injection-class and configuration weaknesses a DAST can reach from outside, including reflected and stored XSS, SQL injection, path traversal, open redirects and missing security headers, and it is the same tooling pen testers use for the automated phase of an engagement.

Authenticated Testing

We test behind your login pages using securely stored credentials you provide, because that is where the highest-impact vulnerabilities usually live. Authenticated scans surface what unauthenticated scanners never see. One practical caveat: active scan rules submit forms and follow links, so they can create, modify or delete any data the account can reach. Use a dedicated, low-privilege test account, and point the scan at a staging environment where one exists.

Compliance-Ready Reports

Professional PDF reports with CVSS scores, CWE references, affected URLs and remediation guidance, formatted for auditors, clients, and compliance programs such as SOC 2 and PCI DSS.

Continuous Monitoring

Track remediation progress over time with historical scan data and trend charts. Prove your security posture is improving — to your team, your clients, and your auditors.

Verified Scope Control

Before the first scan runs you prove control of the target domain by email, and scanning is then confined to that host. That mirrors the written authorization and scope definition every professional penetration test starts from: active scanning of systems you do not own or have permission to test is unlawful in most jurisdictions. You only scan what you own.

External DAST

No agents to install, no code changes required. We attack your application from the outside, as a real attacker would: pure black-box testing, zero friction. Two practical consequences follow. Only what is reachable over HTTP(S) is tested, and a WAF or rate limiter in front of the application will mask findings by dropping the scanner's requests, so allow the scanner through before the first scan.

How It Works

1

Register Your Target

Enter your application URL and an email address at the same domain. Together they define the authorized test scope.

2

Verify Domain Ownership

Click the link in your verification email to confirm authorization — a required step in any professional pen test engagement.

3

Activate Your Subscription

$500/year per site. Testing begins automatically: a weekly full scan (spider, AJAX spider and active scan) and a daily baseline scan, which spiders the site and runs passive checks only and is therefore safe to run against production, both start immediately.

4

Review Findings & Export Reports

Triage vulnerabilities on your dashboard, track remediation progress, and download compliance-ready PDF reports on demand.
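The registration and verification steps above amount to two checks: the verification address must belong to the target's domain, and once the emailed token has been used, only URLs on that host may ever be scanned. The Python below is an added illustration of both checks, not Smoke Test's own code; the class and function names, the one-hour token expiry, and the rule that scope is the exact registered host (sibling subdomains need their own registration) are assumptions of this example.

```python
"""Domain-ownership verification and scope enforcement for a DAST target.

Added example, not Smoke Test's own code. Names, the token length and the
one-hour expiry are assumptions; scope is the exact verified host.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

TOKEN_TTL_SECONDS = 3600  # assumed: verification links are valid for one hour


def target_host(url: str) -> str:
    """Return the normalised hostname of an http(s) URL; reject anything else.

    urlsplit() discards userinfo, so 'https://app.example.com@evil.net/'
    yields 'evil.net', not the look-alike an attacker put in front of the '@'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"target must be an http(s) URL with a host: {url!r}")
    return parts.hostname.lower().rstrip(".")


def email_matches_target(email: str, target_url: str) -> bool:
    """Accept admin@example.com or admin@app.example.com for app.example.com.

    Rejects unrelated and look-alike domains (admin@example.com.evil.net,
    admin@notexample.com) and bare top-level domains (admin@com), which would
    otherwise match every host. A production check would also consult the
    public-suffix list so that admin@co.uk cannot verify anything under co.uk.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "." not in domain:
        return False
    domain = domain.lower().rstrip(".")
    host = target_host(target_url)
    return host == domain or host.endswith("." + domain)


@dataclass
class Pending:
    target_url: str
    email: str
    issued_at: float


class Registry:
    """Tracks pending verifications and the hosts that have been verified."""

    def __init__(self) -> None:
        self._pending: dict[str, Pending] = {}
        self.verified_hosts: set[str] = set()

    def register(self, target_url: str, email: str, now: Optional[float] = None) -> str:
        """Validate the pair and issue a single-use token to email to the owner."""
        if not email_matches_target(email, target_url):
            raise ValueError("verification address must be at the target's domain")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        issued = now if now is not None else time.time()
        self._pending[token] = Pending(target_url, email, issued)
        return token  # emailed as a link in practice; returned here for the demo

    def verify(self, token: str, now: Optional[float] = None) -> bool:
        """Consume the token; succeed only if it is known and unexpired."""
        now = now if now is not None else time.time()
        pending = self._pending.pop(token, None)  # pop: each token works once
        if pending is None or now - pending.issued_at > TOKEN_TTL_SECONDS:
            return False
        self.verified_hosts.add(target_host(pending.target_url))
        return True

    def in_scope(self, url: str) -> bool:
        """True only for URLs on a verified host, matched exactly.

        Links the spider finds on other hosts, including sibling subdomains
        and look-alikes such as app.example.com.evil.net, are never attacked,
        and non-http(s) links (mailto:, javascript:) are out of scope outright.
        """
        try:
            return target_host(url) in self.verified_hosts
        except ValueError:
            return False


if __name__ == "__main__":
    reg = Registry()
    tok = reg.register("https://app.example.com/login", "security@example.com")
    print("verified:", reg.verify(tok))
    for candidate in ("https://app.example.com/search?q=1",
                      "https://app.example.com.evil.net/",
                      "https://evil.net/?next=app.example.com"):
        print(candidate, "->", "in scope" if reg.in_scope(candidate) else "out of scope")
```

The three candidate URLs at the end are the cases naive substring matching gets wrong: only the first is in scope.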

Fix It Once. We Verify It Automatically.

With a traditional pen test, you get a report, fix the issues, and then pay thousands more to schedule a rescan to prove remediation. That cycle can take months.

Smoke Test runs every week. When you fix a vulnerability, the next scan picks up the change automatically: no rescan request, no additional cost, no waiting. The dashboard records the date each finding stopped reproducing, giving you an audit trail of remediation. One caveat a practitioner should keep in mind: a finding that no longer reproduces is not necessarily fixed. A new WAF rule, a renamed parameter, or a failed login that kept the spider out of the affected page will make it vanish too, so match each auto-closed finding to the change you actually shipped.

Your clients and auditors don't want a point-in-time snapshot from six months ago. They want proof that your security posture is current. That's what continuous automated pen testing delivers.
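Automatic verification of a fix comes down to keying findings consistently across scans and recording the first scan in which each one stopped appearing. The Python below is an added example of that bookkeeping, not Smoke Test's dashboard code; the three weekly reports are constructed in the shape of ZAP's JSON report (site[].alerts[].instances[]) with illustrative dates and URLs, and the rule that a finding counts as resolved only after two consecutive absences is a design choice of this example.

```python
"""Track findings across scans and record when each one stops reproducing.

Added example, not Smoke Test's own code. Sample reports are constructed in
the shape of ZAP's JSON report; dates, plugin IDs and URLs are illustrative.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

RISK_NAME = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


@dataclass(frozen=True)
class FindingKey:
    """Identity of a finding across scans: plugin, method, path, parameter name.

    The query string is dropped on purpose: ZAP records the request it sent and
    parameter values differ per scan, so keeping them would turn every scan into
    one "new" finding plus one "resolved" finding for the same weakness.
    """
    pluginid: str
    method: str
    path: str
    param: str


def extract_findings(report: dict) -> dict:
    """Flatten a ZAP-shaped report into {FindingKey: summary}."""
    found = {}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                key = FindingKey(str(alert["pluginid"]), inst.get("method", "GET").upper(),
                                 urlsplit(inst["uri"]).path or "/", inst.get("param", ""))
                found[key] = {"name": alert["alert"],
                              "risk": RISK_NAME.get(str(alert.get("riskcode", "0")), "Informational"),
                              "cwe": str(alert.get("cweid", "-1"))}
    return found


def update_history(history: dict, report: dict, scan_date: str,
                   absent_scans_to_resolve: int = 2) -> dict:
    """Fold one scan into the running history (mutated in place and returned).

    A finding is resolved only after absent_scans_to_resolve consecutive scans
    without it; resolved_on is the date of the first scan that missed it. One
    scan where the login failed or the spider never reached the page therefore
    closes nothing, and a finding that returns after resolution is flagged.
    """
    seen = extract_findings(report)
    for key, summary in seen.items():
        entry = history.get(key)
        if entry is None:
            history[key] = {**summary, "first_seen": scan_date, "last_seen": scan_date,
                            "missed": 0, "first_missed": None, "resolved_on": None,
                            "reopened": False}
            continue
        if entry["resolved_on"] is not None:
            entry["reopened"] = True
        entry.update(last_seen=scan_date, missed=0, first_missed=None,
                     resolved_on=None, risk=summary["risk"])
    for key, entry in history.items():
        if key in seen or entry["resolved_on"] is not None:
            continue
        entry["missed"] += 1
        if entry["missed"] == 1:
            entry["first_missed"] = scan_date
        if entry["missed"] >= absent_scans_to_resolve:
            entry["resolved_on"] = entry["first_missed"]
    return history


def open_findings(history: dict) -> list:
    """Unresolved findings, highest risk first, as a dashboard would list them."""
    return sorted(((k, e) for k, e in history.items() if e["resolved_on"] is None),
                  key=lambda ke: (-RISK_ORDER[ke[1]["risk"]], ke[0].path, ke[0].param))


# Constructed sample data: the shape ZAP writes, trimmed to the fields used here.
def make_alert(pluginid, name, riskcode, cweid, uri, param, method="GET") -> dict:
    return {"pluginid": pluginid, "alert": name, "riskcode": riskcode, "cweid": cweid,
            "instances": [{"uri": uri, "method": method, "param": param}]}


def make_report(*alerts) -> dict:
    return {"@version": "2.14.0",
            "site": [{"@name": "https://app.example.com", "alerts": list(alerts)}]}


XSS = ("40012", "Cross Site Scripting (Reflected)", "3", "79")
SQLI = ("40018", "SQL Injection", "3", "89")
XCTO = ("10021", "X-Content-Type-Options Header Missing", "1", "693")
CSP = ("10038", "Content Security Policy (CSP) Header Not Set", "2", "693")

WEEKLY_SCANS = [  # (scan date, report): the login SQLi and the header are fixed after week 1
    ("2024-01-01", make_report(make_alert(*XSS, "https://app.example.com/search?q=ZAP", "q"),
                               make_alert(*SQLI, "https://app.example.com/login", "username", "POST"),
                               make_alert(*XCTO, "https://app.example.com/", ""))),
    ("2024-01-08", make_report(make_alert(*XSS, "https://app.example.com/search?q=abc", "q"))),
    ("2024-01-15", make_report(make_alert(*XSS, "https://app.example.com/search?q=%27", "q"),
                               make_alert(*CSP, "https://app.example.com/", ""))),
]


def run_weekly_scans(scans=WEEKLY_SCANS) -> dict:
    """Replay the sample scans in order and return the resulting history."""
    history: dict = {}
    for scan_date, report in scans:
        update_history(history, report, scan_date)
    return history


if __name__ == "__main__":
    for key, entry in run_weekly_scans().items():
        state = f"resolved {entry['resolved_on']}" if entry["resolved_on"] else "open"
        print(f"{entry['risk']:<13} {entry['name']:<45} {key.method} {key.path} [{key.param}] {state}")
```

Replaying the three sample weeks leaves the reflected XSS open, closes the SQL injection and the missing header with a resolution date of the second scan (the first scan that missed them, confirmed by the third), and opens the CSP finding that first appeared in week three. Raising absent_scans_to_resolve trades a slower close for more protection against a scan that simply failed to reach the page.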

Simple Pricing

Traditional penetration tests cost $5,000–$50,000 per engagement. Smoke Test delivers the same OWASP ZAP tooling and professional reports for $500 a year, a tenth of the cheapest engagement.

Per Site
$500/year
  • Weekly full scan (OWASP ZAP spider, AJAX spider and active scan)
  • Daily baseline regression scans (passive checks only)
  • Authenticated testing behind login
  • Compliance-ready PDF reports (CVSS, CWE)
  • Continuous monitoring dashboard
  • OWASP Top 10 coverage for the categories a black-box scanner can test (injection, XSS, security misconfiguration); design, logging and supply-chain categories are out of reach of any DAST
  • Email alerts for new findings
Start Your First Scan

FAQ

Will this satisfy our compliance requirements?

Our reports are built around what auditors ask for: CVSS scores, CWE references, affected URLs, evidence, and remediation guidance. Whether an automated scan satisfies a given control is ultimately your auditor's call, so check before relying on it. SOC 2 has no control that names penetration testing; auditors usually ask for vulnerability management evidence, and these reports fit that request. PCI DSS treats vulnerability scanning (Requirement 11.3 in v4.0) and penetration testing (Requirement 11.4) as separate requirements, expects penetration testing to go beyond automated scanning, and requires external scans from an Approved Scanning Vendor, so confirm with your QSA how the reports will be used.

Is this a real penetration test?

It is an automated one. Smoke Test runs ZAP's full scan, with the AJAX spider and active scan rules, not a passive vulnerability scan: it sends attack payloads to the inputs it discovers and probes for exploitable conditions such as SQL and command injection, cross-site scripting, path traversal and security misconfiguration, the way a tester's tooling does in the automated phase of an engagement. What it does not do is the manual phase: business-logic abuse, authorization flaws between accounts, and multi-step attack chains still need a human tester.

How does this compare to a manual pen test?

Manual pen tests offer deeper creative analysis for complex logic flaws, but cost $5,000–$50,000 per engagement and happen once or twice a year. Worse, when you fix something, you have to pay for a rescan to prove remediation. Smoke Test provides continuous automated coverage using the same core tooling — when you fix a vulnerability, the next weekly scan verifies it automatically. No rescan fees, no scheduling delays. You always have a current, reportable result.

Who runs the scans?

Scans are fully automated on OWASP ZAP, the open-source scanner security teams and pen testers use worldwide. No human is in the loop, so results are available as soon as a scan completes. Because nobody triages them for you, expect some false positives: ZAP attaches a confidence level to every alert, and you triage findings yourself on the dashboard.

Can we use these reports for client audits?

Yes. Reports are professional-grade PDFs that include vulnerability details, CVSS severity scores, CWE classifications, affected endpoints, and remediation recommendations. Designed to be handed directly to clients, auditors, or compliance reviewers.

Can I cancel anytime?

Yes. Manage your subscription through the Stripe customer portal. No contracts, no lock-in.

Built by Security Professionals

We've spent 20+ years working with security-conscious clients — organizations where a data breach isn't just a bad day, it's an existential event. In that time, one problem came up again and again: clients needed a third-party penetration test to satisfy a compliance requirement or close a deal, but the quotes from pen test firms were absurd.

Smoke Test exists because we got tired of telling clients their only option was a $15,000 engagement. We built the tool we wished existed — professional, OWASP-compliant, automated, and priced for the real world. Not a startup experiment. A tool born from two decades of real-world security work.