A customer asked for a pentest report. Don’t lose the deal.
You're mid-deal, the contract is close, and procurement sends a security questionnaire asking for your latest penetration test report. You don't have one. Here's exactly what they're really asking for — and the fastest honest way to answer it.
What security questionnaires actually ask for
Security questionnaires look intimidating, but the penetration-testing questions almost always reduce to four checks. Before you spend anything, read the exact wording and confirm which of these your customer requires:
- Recency — a report from the last 6–12 months, or since your last major release. A three-year-old PDF won’t pass.
- Independence — testing performed by a third party, not your own developers. “Our team reviews the code” is not an answer to this question.
- Relevant scope — the testing must cover the product they will actually use, not a marketing site or an old version.
- Remediation evidence — what you did about the findings. A report full of open criticals is worse than no report; a report showing findings fixed and re-tested is the strongest answer you can give.
Notice what’s usually not required for SMB and mid-market reviews: a specific accreditation, a six-figure engagement, or a 40-page methodology appendix. Reviewers want evidence that a competent, independent human tested the thing they’re about to buy — recently.
The $10k trap: why the traditional route kills deal momentum
The reflex move is to Google “penetration testing company” and request quotes. Here’s what that costs you: traditional pentests average around $18,000, with common ranges of $5,000–$20,000, and even the “small business” floor at established firms sits around $3,500–$4,000. Worse than the price is the timeline — discovery calls, scoping documents, and a start date 2–6 weeks out. Deals die in that gap. Your champion moves on, procurement escalates, a competitor with a report in hand wins.
| Traditional pentest firm | Bug Circuit | |
|---|---|---|
| Price | $5,000–$20,000+ (avg ~$18,000) | $49 one-time; $299 with fixes + cover |
| Time to start | 2–6 weeks of scoping calls first | Starts after checkout and domain verification |
| Sales process | Discovery call → proposal → negotiation | None — published pricing, buy it today |
| Deliverable | Formal report (eventually) | Written report + attestation letter |
| Deal impact | Momentum lost while you wait | Answer the questionnaire this week |
To be clear about the honest trade-off: a $49 audit is a productized, small-site scope — not a multi-week enterprise engagement, and we never pretend otherwise. But when the requirement is “recent independent manual testing of the product,” a tightly scoped manual audit answers it, and the price difference is the difference between deciding today and losing a quarter.
What Bug Circuit delivers for exactly this situation
- A full written report — every finding with severity, evidence, plain-English impact and exact fixes. Written to be shared with enterprise customers, not just read internally.
- A letter-style attestation — a one-page statement of who tested, what was in scope, when, and the methodology, so you can satisfy the questionnaire without exposing your full vulnerability details.
- An honest scope statement — the report says precisely what was and wasn’t tested. No inflated language, because a security reviewer will see through it and it’s your credibility on the line.
- Manual testing by a human engineer — the access-control, auth-flow and business-logic testing that questionnaires are really probing for, and that scanners can’t do.
- Legal, authorized testing — domain-ownership verification and a recorded Authorization to Test before anything active runs. Reviewers care about this; so do we.
And the caveat, stated upfront rather than buried: if your customer’s questionnaire demands a CREST-style accredited engagement or a formal compliance-framework audit, our productized audit doesn’t meet that requirement — we’ll tell you before you pay, and there’s a 14-day money-back guarantee before the audit begins in any case.
Three questionnaire answers you can adapt
Reviewers reward specific, honest answers. Here are three templates to adapt once you have a report in hand — replace the bracketed parts with your details.
1. “Have you had a third-party penetration test?”
“Yes. [Product] was manually security-tested by an independent third party, Bug Circuit, in [month, year]. Testing covered [the production web application, including authentication, access control and business logic]. A written report and an attestation letter are available on request under NDA.”
2. “Describe your remediation process for findings.”
“All high and critical findings from our most recent audit have been remediated and re-tested by the testing provider. Lower-severity findings are tracked in our backlog with target dates. The report includes per-finding remediation status.”
3. If they require an accredited engagement you don’t have
“Our most recent testing was a scoped manual web-application security audit by an independent provider, not a CREST-accredited engagement. We’re happy to share the report and attestation, and to discuss whether that satisfies your policy or whether an accredited engagement is required at our current stage.” — Honesty here costs you nothing; getting caught overstating it costs you the customer.
After the report: fix, re-test, and answer stronger
The strongest questionnaire answer isn’t “we were tested” — it’s “we were tested, we fixed what was found, and the fixes were verified.” That’s what the Signal plan ($299) exists for: the full manual audit, then we fix the high and critical issues with you, re-test them, and keep security cover on the site for 3 months while your deal closes and you keep shipping. If you’d rather handle fixes with your own team, the $49 Circuit report gives your developers exact remediation steps for every finding — and you can see both options on the pricing page.
Common questions
Do I need a penetration test to close enterprise deals?
What is a letter of attestation for a penetration test?
How recent must a penetration test report be?
Can I send an automated scan report instead of a pentest report?
Is a $49 audit enough to satisfy a security questionnaire?
Keep reading
Blocked by a questionnaire right now?
Run the free passive check on your domain first — no login, no impact on your site — then get the full manual audit and attestation from $49.