Deal-rescue guide

A customer asked for a pentest report. Don’t lose the deal.

You're mid-deal, the contract is close, and procurement sends a security questionnaire asking for your latest penetration test report. You don't have one. Here's exactly what they're really asking for — and the fastest honest way to answer it.

What should you do when a customer asks for a penetration test report? Don’t panic, and don’t buy a $10,000 engagement in a panic either. First, read what the questionnaire actually requires — usually recency, independence, and a scope that covers the product they’ll use. Then get a scoped manual audit fast: Bug Circuit runs a free critical-bug check first, and a $49 one-time manual audit delivers a written report plus a letter-style attestation you can hand to their security team. Finally, answer the questionnaire honestly — reviewers reject vague answers far more often than they reject small vendors.

What security questionnaires actually ask for

Security questionnaires look intimidating, but the penetration-testing questions almost always reduce to four checks. Before you spend anything, read the exact wording and confirm which of these your customer requires:

  • Recency — a report from the last 6–12 months, or since your last major release. A three-year-old PDF won’t pass.
  • Independence — testing performed by a third party, not your own developers. “Our team reviews the code” is not an answer to this question.
  • Relevant scope — the testing must cover the product they will actually use, not a marketing site or an old version.
  • Remediation evidence — what you did about the findings. A report full of open criticals is worse than no report; a report showing findings fixed and re-tested is the strongest answer you can give.

Notice what’s usually not required for SMB and mid-market reviews: a specific accreditation, a six-figure engagement, or a 40-page methodology appendix. Reviewers want evidence that a competent, independent human tested the thing they’re about to buy — recently.

The $10k trap: why the traditional route kills deal momentum

The reflex move is to Google “penetration testing company” and request quotes. Here’s what that costs you: traditional pentests average around $18,000, with common ranges of $5,000–$20,000, and even the “small business” floor at established firms sits around $3,500–$4,000. Worse than the price is the timeline — discovery calls, scoping documents, and a start date 2–6 weeks out. Deals die in that gap. Your champion moves on, procurement escalates, a competitor with a report in hand wins.

Traditional pentest route vs a productized audit when a deal is blocked
Traditional pentest firmBug Circuit
Price$5,000–$20,000+ (avg ~$18,000)$49 one-time; $299 with fixes + cover
Time to start2–6 weeks of scoping calls firstStarts after checkout and domain verification
Sales processDiscovery call → proposal → negotiationNone — published pricing, buy it today
DeliverableFormal report (eventually)Written report + attestation letter
Deal impactMomentum lost while you waitAnswer the questionnaire this week

To be clear about the honest trade-off: a $49 audit is a productized, small-site scope — not a multi-week enterprise engagement, and we never pretend otherwise. But when the requirement is “recent independent manual testing of the product,” a tightly scoped manual audit answers it, and the price difference is the difference between deciding today and losing a quarter.

What Bug Circuit delivers for exactly this situation

  • A full written report — every finding with severity, evidence, plain-English impact and exact fixes. Written to be shared with enterprise customers, not just read internally.
  • A letter-style attestation — a one-page statement of who tested, what was in scope, when, and the methodology, so you can satisfy the questionnaire without exposing your full vulnerability details.
  • An honest scope statement — the report says precisely what was and wasn’t tested. No inflated language, because a security reviewer will see through it and it’s your credibility on the line.
  • Manual testing by a human engineer — the access-control, auth-flow and business-logic testing that questionnaires are really probing for, and that scanners can’t do.
  • Legal, authorized testing — domain-ownership verification and a recorded Authorization to Test before anything active runs. Reviewers care about this; so do we.

And the caveat, stated upfront rather than buried: if your customer’s questionnaire demands a CREST-style accredited engagement or a formal compliance-framework audit, our productized audit doesn’t meet that requirement — we’ll tell you before you pay, and there’s a 14-day money-back guarantee before the audit begins in any case.

Three questionnaire answers you can adapt

Reviewers reward specific, honest answers. Here are three templates to adapt once you have a report in hand — replace the bracketed parts with your details.

1. “Have you had a third-party penetration test?”

“Yes. [Product] was manually security-tested by an independent third party, Bug Circuit, in [month, year]. Testing covered [the production web application, including authentication, access control and business logic]. A written report and an attestation letter are available on request under NDA.”

2. “Describe your remediation process for findings.”

“All high and critical findings from our most recent audit have been remediated and re-tested by the testing provider. Lower-severity findings are tracked in our backlog with target dates. The report includes per-finding remediation status.”

3. If they require an accredited engagement you don’t have

“Our most recent testing was a scoped manual web-application security audit by an independent provider, not a CREST-accredited engagement. We’re happy to share the report and attestation, and to discuss whether that satisfies your policy or whether an accredited engagement is required at our current stage.” — Honesty here costs you nothing; getting caught overstating it costs you the customer.

After the report: fix, re-test, and answer stronger

The strongest questionnaire answer isn’t “we were tested” — it’s “we were tested, we fixed what was found, and the fixes were verified.” That’s what the Signal plan ($299) exists for: the full manual audit, then we fix the high and critical issues with you, re-test them, and keep security cover on the site for 3 months while your deal closes and you keep shipping. If you’d rather handle fixes with your own team, the $49 Circuit report gives your developers exact remediation steps for every finding — and you can see both options on the pricing page.

Common questions

Do I need a penetration test to close enterprise deals?
Very often, yes. Most enterprise procurement includes a vendor security review, and independent security testing evidence is one of the most common hard requirements. Some reviewers accept a recent third-party security audit report; others specifically ask for a penetration test. Read the exact wording — the difference matters, and answering it honestly matters more.
What is a letter of attestation for a penetration test?
A short document from the testing provider — separate from the full report — stating who performed the testing, what was in scope, when it was done, the methodology, and a summary of results. It exists so you can give a customer proof of testing without handing over your full vulnerability details. Bug Circuit provides a letter-style attestation with every paid audit.
How recent must a penetration test report be?
Most questionnaires accept a report from the last 12 months; stricter ones ask for the last 6, or for testing after any major release. If your only report is older than that, or predates a big change to the product, expect the reviewer to ask for a fresh one. A new scoped audit is usually faster than negotiating an exception.
Can I send an automated scan report instead of a pentest report?
You can, but experienced reviewers recognize scanner output immediately, and many questionnaires explicitly ask whether testing was manual. Automated scanners cannot find business-logic, access-control or authentication-flow flaws, and sub-$1,500 “pentests” from big firms are usually rebranded automated scans. If the questionnaire asks for a penetration test and you send a scan, you risk the answer being rejected late in the deal — the worst possible time.
Is a $49 audit enough to satisfy a security questionnaire?
For many SMB and mid-market reviews that ask for evidence of recent independent manual security testing — yes, a scoped manual audit with a written report and attestation letter is exactly what they are asking for. If the questionnaire demands an accredited engagement (CREST or similar), a specific compliance framework, or an enterprise-scale scope, a $49 productized audit does not meet that bar, and we will tell you so before you pay rather than after.

Keep reading

Blocked by a questionnaire right now?

Run the free passive check on your domain first — no login, no impact on your site — then get the full manual audit and attestation from $49.

Passive recon only. No login, and no impact on your site. Deeper testing needs domain verification.

Ready for the full manual audit? See transparent pricing →