Independent security assessments.
Professional security checks on your systems — structured, scoped, and delivered with a clear report on exactly what to fix and how. Faster and more accessible than a traditional firm, without compromising on rigour.
Formal signed report included — suitable as documented evidence of security due diligence.
This illustrates the scale of real-time global cyber threats — the same threat landscape your systems are exposed to every day. An assessment identifies your exposure before someone else does.
Direct. Structured. No agency overhead.
A credible independent security assessment without the overhead, timelines, or invoices of a traditional firm — regardless of your size.
Compliance & due diligence
Preparing for Cyber Essentials, ISO 27001, investor due diligence, or a client security requirement. An independent assessment gives you a documented, credible starting point.
Pre-launch review
External assessment of your web app, API, or infrastructure before it goes live or is opened to customers. Catches what internal review misses.
Looking for a direct, no-overhead engagement
Whether budget is the constraint or you simply want a direct engagement without account managers and agency overhead — SynthBreach offers fixed pricing, clear scope, and a single point of contact throughout. Including local professional services and financial firms in the Channel Islands.
You need it done but don't know where to start
Security can feel opaque. Submit the form with a description of what you have — the right scope and tier will be confirmed before any commitment.
No agency. No overhead.
SynthBreach runs independent security assessments for businesses that want real coverage without the overhead, timelines, or price tag of a traditional agency engagement.
AI-assisted tooling combined with manual validation. Every finding is verified before it reaches you. Honest reporting — no inflated severity, no upsell, no markup.
Currently accepting first engagements at founding rate.
Pricing reflects that. The output quality does not.
How an engagement works
Five steps. The first and last are yours — everything in between is handled for you.
Fill in the scope form
Describe your website, app, or system and what you want checked. No technical knowledge needed — plain English is fine. Scope and fixed price confirmed before anything is agreed.
Sign the authorisation agreement
A short document sent to you by email confirming you own or have permission to test the systems listed. Sign and return it — takes two minutes. Required before any work begins, no exceptions. Protects both parties.
50% pro-forma invoice
Once scope and authorisation are confirmed, a pro-forma invoice is issued for 50% of the agreed fee. Assessment begins on receipt.
We run the checks
Structured security assessment runs against your agreed scope using professional tooling. All findings reviewed by a human before they go anywhere near your report.
Receive report, pay balance
Your report is ready. Final 50% invoice issued on delivery. Report delivered by email in Word format (.docx) on receipt of cleared payment.
Important notice — SynthBreach provides limited-scope security assessments and does not guarantee the absence of vulnerabilities. Services are provided without warranties of any kind, express or implied. Testing is conducted only within agreed written scope with explicit authorisation from the verified system owner. All client information is treated as strictly confidential and will not be disclosed to third parties without written consent, except where required by law. Findings represent the state of assessed systems at the time of testing only.
What gets checked
Not sure which applies? That's fine — most people aren't. Describe what your business has online in the contact form and the right scope will be confirmed before any commitment.
External Network Assessment
What this means for your business: unprotected or misconfigured systems facing the internet are the most common starting point for attacks. This assessment tells you exactly what's exposed and what needs addressing.
Automated discovery and assessment of internet-facing infrastructure. Identifies open ports, running services, software versions, and misconfigurations that could be leveraged by an attacker. Suitable for any business with an online presence or internet-facing servers.
Web Application Assessment
What this means for your business: a compromised web app can expose customer data, damage your reputation, and create legal liability. This assessment identifies the issues most likely to be targeted before they're found by someone else.
Structured assessment against the OWASP Top 10 — the industry's definitive list of the most critical web application vulnerabilities. Covers authentication issues, input validation flaws, access control weaknesses, and insecure configurations. Suitable for any website, portal, or customer-facing application.
API Security Assessment
What this means for your business: if your product or platform uses an API, it's a potential entry point. Poorly secured APIs have been behind some of the most significant data breaches in recent years — this assessment checks yours.
Assessment of REST and GraphQL API endpoints covering authorisation failures, excessive data exposure, authentication weaknesses, and rate limiting issues. APIs are one of the most common entry points in modern data breaches — and one of the most frequently overlooked.
Attack Surface & OSINT Review
What this means for your business: before attacking, criminals research their target using publicly available information. This assessment shows you what they'd find — leaked credentials, forgotten systems, exposed data — so you can act first.
Passive reconnaissance of your external footprint using open-source intelligence techniques. Identifies exposed subdomains, leaked credentials, publicly indexed sensitive data, forgotten or shadow systems, and information that could be used to target your business. No access to your systems required — purely external and non-intrusive.
Cloud Configuration Review
What this means for your business: misconfigured cloud storage and permissions have caused some of the most publicised data breaches in recent years. This review checks your cloud environment is set up securely, not just set up.
Review of cloud environment configuration across AWS, GCP, and Azure. Identifies publicly exposed storage buckets, overly permissive access controls, insecure service configurations, and common misconfigurations that have led to some of the largest data breaches in recent years.
Database & Injection Testing
What this means for your business: your database likely holds your most sensitive information — customer records, payment data, login credentials. SQL injection is one of the oldest and most exploited attack techniques. This assessment tests whether yours is protected.
Automated detection and validation of SQL injection vulnerabilities and database exposure issues. Covers input fields, login forms, search functions, and any interface that interacts with a database. SQL injection remains one of the most exploited vulnerabilities in web applications.
Human-reviewed findings
Every result is checked before it goes into your report. No raw tool output, no unconfirmed results — only verified findings make it through.
Written report delivered by email
A single clear report in Word format (.docx), delivered directly to your inbox. Covers every finding with severity ratings, evidence, and step-by-step remediation guidance.
Severity-rated findings
Every issue is rated using the CVSS industry standard — so you know what's critical, what's moderate, and what order to tackle things in.
Compliance-ready format
Findings referenced against recognised industry standards where applicable — useful if you need to present the report to a regulator, insurer, or investor.
Out of scope
Physical security testing, social engineering, red team exercises, 24/7 monitoring, and internal network assessments are not currently offered. If your requirement falls outside the above services, get in touch and it will be confirmed before any commitment.
The direct alternative to agency engagements.
Traditional security firms are structured around enterprise procurement — lengthy queues, account managers, and minimum contract values that don't suit every engagement. SynthBreach offers a direct alternative: fixed pricing, clear scope, and faster turnaround, for any business that needs a credible independent assessment.
Price
Agency engagements typically start at £5,000–£20,000+. SynthBreach starts at £249. That's not a discount — it reflects the actual cost structure. No offices, no account managers, no overhead to recover.
Security requirements at every stage
Whether you're pre-launch, scaling, or established — investors ask, compliance frameworks require it, and the cost of a breach at any stage far outweighs the cost of an assessment. There's no minimum size for taking security seriously.
Direct accountability
Every engagement is reviewed before delivery. No account managers, no handoffs. You deal directly with whoever ran the test.
Tested by the same kind of system that's attacking you
Attackers are already using AI to scan faster, identify weaknesses at scale, and automate what used to take days. A traditional manual review can miss what an AI-assisted approach catches. SynthBreach uses the same category of tooling on your systems before someone with worse intentions does.
| Factor | SynthBreach | Typical Agency |
|---|---|---|
| Starting cost | From £249 | £5,000–£20,000+ |
| Time to start | Within 24h of sign-off | 1–4 week queue |
| Report delivery | Same week as sign-off | 1–3 weeks after |
| Who runs it | Direct contact throughout | Varies by allocation |
| Minimum contract | None | Often required |
| Pricing transparency | Fixed, listed publicly | Quote-based |
| Engagement model | Any size — direct, no minimums | Enterprise procurement |
The tradeoff is real. Less experience than a senior consultant at an established firm. More accessible, more direct, and a fraction of the cost.
Common questions
Plain answers to the most common questions — no technical knowledge needed to understand them.
Ready to proceed?
Describe your target. Get a scope and price within hours.
No commitment until scope and price are agreed. If the request isn't right for this service, that's confirmed before you pay anything.
Fixed rates. No surprises.
Per engagement. No retainer. Report delivered within the same week of scope sign-off and payment. These are founding rates — they will increase as the service matures. Current pricing is locked in at the point of engagement.
50% payment required before assessment begins. Final report delivered upon receipt of remaining balance. Results are never released before payment is cleared.
One target. Suitable for a single website, web app, API, or network endpoint.
- ✓ 1 target (web app, network, or API)
- ✓ Structured assessment, OWASP-aligned methodology
- ✓ Human-reviewed findings
- ✓ CVSS-rated report with evidence and remediation steps
- ✓ Delivered by email (.docx)
- — Retest (available as add-on)
Up to three targets. Same methodology and report format as Starter — more coverage for businesses with multiple systems.
- ✓ Up to 3 targets (web app, network, API, or cloud)
- ✓ Structured assessment, OWASP-aligned methodology
- ✓ Human-reviewed findings
- ✓ CVSS-rated report with evidence and remediation steps
- ✓ Delivered by email (.docx)
- — Retest (available as add-on)
More complex scope. Discussed first — capability confirmed before any commitment.
- ✓ Multiple targets, complex environments
- ✓ Full report suite
- ✓ Compliance evidence package
- — Declined if beyond current capability
All engagements require a signed authorisation agreement before work begins. Testing does not start without verified written permission from the system owner. Founding rates are subject to increase — current pricing is locked in at the time of engagement.
Request an assessment.
Describe your target and what you want tested. If the scope isn't right for this service, that gets confirmed before you commit to anything.