Transparent pricing — no sales calls

Real penetration testing, priced for small sites.

The industry average penetration test costs thousands and starts with a discovery call. We publish our prices, scope the work for small websites, and a human still does the testing.

How much does a website security audit cost? Traditional penetration tests run $5,000–$20,000+ because they are scoped for enterprises. Bug Circuit productizes the same manual testing for small websites: a free critical-bug check, a $49 one-time full manual audit, or $299 for the audit plus fixes and 3 months of security cover. Every price includes a written report and a 14-day money-back guarantee before testing begins.
Pulse

Is your site exposed? Find out.

$0free
  • 1 domain
  • Manual critical-bug check by our team
  • A straight yes or no answer
  • Standard queue · no report, no card
Scan free
  • Covers one domain that you have verified you own.
  • A member of our team reviews it by hand — there is no automated scanner.
  • You get a single answer: does your site have any critical bugs, yes or no.
  • Free checks sit in our standard queue and are not prioritised.
  • No written report and no severity breakdown are included.
  • No card is needed, and you can upgrade any time to see the detail.
Circuit

A deep audit, done by hand.

$49one-time
  • 1 domain
  • A person audits your whole site
  • Full written report of every bug we find
  • Premium support + a real contact
Get Circuit

Upgrade to Signal within 3 days and we credit everything you paid — you only cover the difference.

  • Covers one domain that you have verified you own.
  • A security engineer manually audits your whole site, by hand.
  • You receive a full written report of every vulnerability we find.
  • Each finding comes with its severity, the evidence, and a clear fix.
  • This is a one-time engagement with no ongoing monitoring.
  • Includes premium support and a named person from our team as your contact.
Most popular
Signal

We find it, we fix it, we watch it.

$2993 months

Extend in 3-month blocks. +$36 per extra 3 months.

  • 1 domain
  • Full manual audit + report
  • We fix every high and critical for you
  • Security cover as you ship updates
  • Premium support + a real contact
Get Signal
  • Covers one domain that you have verified you own.
  • The same full manual audit and written report as Circuit.
  • We fix every high and critical issue for you, not just report it.
  • Includes 3 months of security cover so we watch your app as you ship updates.
  • Extend the cover in 3-month blocks whenever you need longer.
  • Includes premium support and a named person from our team as your contact.

How that compares to a traditional pentest

Traditional penetration test vs Bug Circuit
Traditional pentest firmBug Circuit Circuit — $49Bug Circuit Signal — $299
Price$5,000 – $20,000+$49 one-time$299 / 3 months
TestingManual (senior consultants)Manual (senior tester, productized scope)Manual + re-tests after fixes
ScopeCustom, negotiated over callsSmall-site web attack surfaceSmall-site scope + fix support
Time to start2–6 weeks of scopingStarts after checkoutStarts after checkout
ReportFormal PDFFull written reportFull report + fix verification
Best forEnterprises, formal complianceSmall sites, WordPress, indie SaaSBusinesses that want it fixed, not just found

The honest caveat: a $49 audit is not a 3-week enterprise engagement, and we never pretend it is. It is focused manual testing of the attack surface a small website actually exposes — which is exactly what most small businesses need and can afford. If your scope is bigger, we’ll say so before taking your money.

Every paid plan includes

  • Manual testing by a human — logic flaws, access control, and auth issues automated scanners miss.
  • A written report you can share — severity, evidence, plain-English impact, and exact fix steps.
  • Authorized, legal testing — domain ownership verification and a recorded Authorization to Test first.
  • 14-day money-back guarantee — full refund before your audit begins, no questions asked.
  • Real support — talk to the people who actually tested your site, not a ticket queue.

Common questions

Why is Bug Circuit $49 when a penetration test normally costs $5,000+?
Traditional pentest pricing carries enterprise overhead: scoping calls, project managers, compliance paperwork, and consultancy day rates. We productized the work instead — a tight, well-defined scope for small websites, one senior tester working a repeatable methodology, and zero sales process. You get real manual testing on the attack surface a small site actually has. If your application is very large or you need a formal compliance-grade engagement, we’ll tell you honestly that you need a bigger scope.
Is this a real manual test or an automated scan?
A human security engineer tests your site by hand — logic flaws, access control, authentication weaknesses, the things scanners can’t reason about. We use tools where they help, but every finding is verified and written up by a person. Here’s exactly what the difference is.
Is there a money-back guarantee?
Yes. You can request a full refund within 14 days of payment, any reason, as long as your manual audit hasn’t begun. The full terms are in our refund policy.
What do I actually receive?
A written report of every vulnerability found — severity, evidence, impact in plain English, and exact remediation steps. On Signal, we also fix the high and critical issues with you and keep monitoring for 3 months. The report is suitable to share with customers who ask for proof of security testing.
Do you test any website?
Only domains you prove you own. Verification (email, DNS, file, or meta-tag) plus a recorded Authorization to Test happens before any active testing — that keeps everything legal and above-board.
What if you find nothing serious?
Then the report says so — and that clean report is the deliverable: documented evidence a human tested your site and what was checked. Most sites we test have at least a handful of fixable issues.

Keep reading

Not sure yet? Start with the free check

Run the free passive scan and see your exposure first — no login, no charge, no impact on your site.

Passive recon only. No login, and no impact on your site. Deeper testing needs domain verification.

Ready for the full manual audit? See transparent pricing →