ImmuniWeb On-Demand

There is no hard limit on the number of URLs or domains per package. All targets should, however, belong to the same business application. For example, an e-commerce platform may span multiple subdomains, APIs, or third-party web services—these can be covered by a single package. Testing a different system, like e-banking, would require a separate package.

At the start of project creation, you can configure specific requirements for testing and reporting. Options include authenticated testing (e.g. 2FA/SSO), excluding specific vulnerabilities or areas, or prioritizing cloud pivoting or container escaping. All reports include PCI DSS and GDPR sections by default.

Each package tier includes more human analyst time and testing resources. The larger your scope, the larger the package you'll need to ensure full coverage of your application’s vulnerabilities and threat vectors. Contact us for a custom quote based on your scope.

Yes, we test applications and APIs hosted in AWS, Azure, GCP, and other public clouds. We detect OWASP Top 10 and SANS Top 25 vulnerabilities, cloud misconfigurations, and attempt privilege escalation and pivoting via IAM policies, IMDS flaws, and more.

ImmuniWeb collaborates with external law firms that can issue a legally recognized letter of compliance upon completion of your penetration test.

By default, your data resides on ImmuniWeb’s servers in Switzerland and Canada (GDPR-compliant). On request, your data can be stored in another jurisdiction for an additional cost. You can request secure data deletion at any time. No public cloud services are used.

Yes, we offer advantageous pricing for government, academic, and non-profit organizations. Please contact our sales team to see if your organization qualifies.