OSCP-certified testers. Manual CDE penetration testing that satisfies Requirements 11.4.1 through 11.4.5. QSA-ready reports with segmentation validation — starting at $2,000.
External CDE Penetration Testing
We attack every internet-facing system in scope of your cardholder data environment — web apps, APIs, payment gateways, admin portals — from an attacker’s perspective. Satisfies 11.4.2.
Internal CDE Penetration Testing
We simulate a breached endpoint inside your CDE and test lateral movement, privilege escalation, and segmentation controls. Requirements 11.4.2 and 11.4.3 both satisfied in one engagement.
Segmentation Testing
We validate that your out-of-scope networks can’t reach the CDE. Required annually for merchants, every six months for service providers under Requirement 11.4.5.
QSA-Ready Report in 5 Days
Findings mapped to specific 11.4 sub-requirements. CVSS scores, reproduction steps, and remediation guidance formatted exactly how your Qualified Security Assessor expects. Free retest included.
Fixed Price from $2,000
No hourly billing. No surprise scope changes. Fixed quote within 24 hours of your scoping call. The price you’re quoted is the price you pay.
OSCP-Certified Testers
Every tester holds OSCP or equivalent (CREST, CEH). Credentials your QSA will recognize on sight. We document our methodology to satisfy Requirement 11.4.1.
Every sub-requirement covered in a single engagement. Your QSA gets everything they need.
Manual testing of every attack surface your QSA will evaluate under Requirements 11.4.2 and 11.4.3.
CARDHOLDER DATA ENVIRONMENT
We test every system that stores, processes, or transmits cardholder data — and every system connected to one. Payment flows, tokenization endpoints, admin interfaces, and the network segments between them.
NETWORK SEGMENTATION
Requirement 11.4.5 requires you to prove your out-of-scope networks can’t reach the CDE. We test from both sides and produce evidence your QSA can validate without additional testing.
READY FOR YOUR PCI DSS PENTEST?
Tell us about your CDE and audit timeline. Get a fixed scope and quote from a certified pentester — not a sales rep — within 1 business day.
Does PCI DSS v4.0 require a penetration test?
Yes. Requirement 11.4 is explicit: you need manual penetration testing of your CDE — internal and external — at least annually and after any significant change. An ASV scan doesn’t satisfy Requirement 11.4. Neither does a vulnerability assessment.
What’s the difference between an ASV scan and a PCI pentest?
An ASV scan satisfies Requirement 11.3.2. A penetration test satisfies Requirement 11.4. They are separate requirements with different methodologies. v4.0 makes this distinction more explicit than v3.2.1.
How often does PCI DSS require a penetration test?
At a minimum, annually for both internal and external testing, plus after every significant change. Service providers must also perform segmentation testing every six months under 11.4.5.
Does the tester need specific PCI qualifications?
The tester must be organizationally independent and qualified. Our testers hold OSCP, CREST, and CEH — credentials your QSA will recognize on sight. We document our methodology to satisfy Requirement 11.4.1.
How much does a PCI DSS penetration test cost?
Starting from $2,000. Fixed price scoped to your CDE size and complexity. Get a quote within 24 hours — no hourly billing, no surprise overruns.