Clear scope · No agency overhead · Results within the week

Independent
security
assessments.

AI-assisted tooling. Human-reviewed findings. Every engagement scoped, priced, and delivered faster than a traditional firm — without the invoice to match.

Request an assessment How it works

£249 starting price

UK & CI serving

Faster than agencies

threat-monitor // global activity

live

who this is for

Built for the gap
agencies ignore.

If you need a credible external security review without a five-figure invoice, this is for you.

Compliance & due diligence

Preparing for Cyber Essentials, ISO 27001, investor due diligence, or a client security requirement. An independent assessment gives you a documented, credible starting point.

Pre-launch review

External assessment of your web app, API, or infrastructure before it goes live or is opened to customers. Catches what internal review misses.

Priced out of traditional firms

Agency engagements start at £5,000–£20,000+. If that's not in budget but security matters, this exists for that gap — including local professional services and financial firms in the Channel Islands.

You need it done but don't know where to start

Security can feel opaque. Submit the form with a description of what you have — the right scope and tier will be confirmed before any commitment.

about

No agency.
No overhead.

SynthBreach runs independent security assessments for startups, small businesses, and technical teams who want real coverage without a five-figure agency quote.

AI-assisted tooling combined with manual validation. Every finding is verified before it reaches you. Honest reporting — no inflated severity, no upsell, no markup.

Currently accepting first engagements at founding rate.
Pricing reflects that. The output quality does not.

How this works

✓Pricing reflects the actual cost structure — no offices, no account managers, no overhead to recover.

✓Every finding is reviewed and verified before it reaches your report. No raw tool output, no unconfirmed results.

✓If a scope falls outside reliable delivery capability, that's confirmed before any payment is taken.

✓No work starts without a signed authorisation agreement. No exceptions.

✓Severity ratings are accurate. Nothing is inflated to make the report look more impressive.

!Point-in-time assessment only. Testing once does not equal ongoing security.

process

How an engagement works

Four steps. You handle two of them.

01 — SCOPE

You define the target

Submit the request form with your target, test type, and confirmation you own or have written permission to test the systems. Scope and price are confirmed before any work begins.

02 — DISCOVERY

Automated reconnaissance

Structured discovery runs across your defined scope — mapping services, endpoints, authentication flows, and configuration issues that form the basis for testing.

03 — VALIDATION

Controlled proof-of-concept validation

Findings from discovery are validated with controlled, scoped techniques. The goal is confirming real risk — not demonstrating capability. All activity stays within the agreed scope boundary.

04 — REPORT

You receive your report

Findings with CVSS scores, evidence, and clear remediation steps. Delivered to your secure Firebase dashboard. Report turnaround is faster than a traditional agency engagement.

!Important notice — SynthBreach provides limited-scope security assessments and does not guarantee the absence of vulnerabilities. Services are provided without warranties of any kind, express or implied. Testing is conducted only within agreed written scope with explicit authorisation from the verified system owner. All client information is treated as strictly confidential and will not be disclosed to third parties without written consent, except where required by law. Findings represent the state of assessed systems at the time of testing only. Full terms ↗

services

What I assess

Unsure which applies? Describe your setup in the contact form.

Network

External Network Test

Reconnaissance and testing of internet-facing infrastructure. Open ports, exposed services, outdated software, and misconfiguration. Suitable for any externally accessible server or service.

Web Application

Web App Test

Structured testing against OWASP Top 10. SQL injection, XSS, broken authentication, IDOR, session management, and business logic issues.

API

API Security Review

REST and GraphQL testing. Broken object-level authorisation, excessive data exposure, rate limit bypasses, authentication weaknesses, and mass assignment.

Recon · Good first step

OSINT & Surface Mapping

Passive discovery of your external footprint. Subdomains, exposed credentials, leaked data, and shadow IT — what an attacker sees before they start. A natural starting point if you're unsure of your exposure.

Cloud

Cloud Configuration Review

Misconfigured storage, overpermissioned IAM, exposed metadata services, and insecure serverless functions. AWS, GCP, Azure.

included in every engagement

▸

Human-reviewed findings

Every result is checked before it goes into your report. No false positives that weren't caught, no automated output passed off as analysis.

▸

Dual-format report

Technical detail with CVSS scores and remediation steps for engineers. A plain summary for non-technical stakeholders. Both in every report, no extras.

▸

Secure findings dashboard

Results hosted on Firebase. Private link, access controlled. Share with your team without handing over a static PDF.

▸

Framework mapping

Findings mapped to MITRE ATT&CK and OWASP Top 10 where applicable. Useful for compliance conversations and understanding risk in context.

Out of scope

Physical security testing, social engineering, red team exercises, 24/7 monitoring, and internal network assessments are not currently offered. If your requirement falls outside the above services, get in touch and it will be confirmed before any commitment.

why synthbreach

Built for teams that agencies ignore.

Traditional security firms are priced and structured for enterprise procurement. SynthBreach fills the gap — startups, small businesses, and technical teams who need a credible independent assessment at a sensible price.

Price

Agency engagements typically start at £5,000–£20,000+. SynthBreach starts at £249. That's not a discount — it reflects the actual cost structure. No offices, no account managers, no overhead to recover.

Supporting early-stage companies

Startups have real security requirements — investors ask, compliance frameworks require it, and breaches at your stage can be fatal. Serious testing shouldn't have to wait until Series B.

Direct accountability

Every engagement is reviewed before delivery. No account managers, no handoffs. You deal directly with whoever ran the test.

Tested by the same kind of system that's attacking you

Attackers are already using AI to scan faster, identify weaknesses at scale, and automate what used to take days. A traditional manual review can miss what an AI-assisted approach catches. SynthBreach uses the same category of tooling on your systems before someone with worse intentions does.

vs traditional firm

Factor	SynthBreach	Typical Agency
Starting cost	From £249	£5,000–£20,000+
Time to start	Within 24h of sign-off	1–4 week queue
Report delivery	Same week as sign-off	1–3 weeks after
Who runs it	Same person throughout	Varies by allocation
Minimum contract	None	Often required
Pricing transparency	Fixed, listed publicly	Quote-based
Target client size	Startups, SMBs, small businesses	Enterprise-focused

The tradeoff is real. Less experience than a senior consultant at an established firm. More accessible, more direct, and a fraction of the cost.

faq

Common questions

The things most people ask before committing to a test.

What counts as one target? ▶

One target means one distinct asset — a single domain (e.g. app.company.com), one IP range, one API, or one cloud account. Subdomains count separately. If you're unsure, describe your setup in the form and it'll be clarified before any payment.

What do you need from me to start? ▶

Your target URL or IP range, a brief description of the system, confirmation you own or have permission to test it, and a signed authorisation agreement. Credentials are only required if we've agreed an authenticated test.

What format is the report? ▶

Every engagement produces two documents: a technical report with CVSS-scored findings, evidence, affected endpoints, and remediation guidance — and a plain-English executive summary covering overall risk and priority actions. Both delivered via a secure Firebase dashboard. PDF export available.

Is retest included? ▶

Retest is included in the Growth tier. For Starter, retest can be added for a reduced flat fee — confirm your fixes are actually fixed. Mention it when requesting and it'll be quoted as a single line item.

Can I use the report for compliance? ▶

Yes. Findings include timestamps, methodology, and CVSS scores — the standard fields most frameworks ask for. Growth tier includes MITRE ATT&CK and OWASP Top 10 mapping. A Data Processing Agreement is available on request.

How long does the test take? ▶

The assessment itself runs over one to two working days. The final report is delivered within the same week as scope sign-off and payment — typically sooner. Custom scopes may take longer; this is confirmed before any work begins.

ready to proceed?

Describe your target.
Get a scope and price within hours.

No commitment until scope and price are agreed. If the request isn't right for this service, that's confirmed before you pay anything.

Request an assessment View pricing

pricing

Fixed rates. No surprises.

Per engagement. No retainer. Report delivered within the same week of scope sign-off and payment. These are founding rates — they will increase as the service matures.

50% payment required before assessment begins. Final report delivered upon receipt of remaining balance. Results are never released before payment is cleared.

Starter

One target. Suitable for a single web app, API, or network endpoint. Honest output, no padding.

£249/engagement

1 target · same-week delivery · 50% upfront

✓1 target (web app, network, or API)
✓Structured assessment, OWASP-aligned methodology
✓Human-reviewed findings
✓Technical report with CVSS scores and PoC
✓Firebase findings dashboard
—Executive summary
—Retest verification
—Priority scheduling

Request this

BEST VALUE

Small Business

Growth

Up to three targets across multiple surfaces. Scope agreed before work starts.

£399/engagement

Up to 3 targets · same-week delivery · 50% upfront

✓Up to 3 targets
✓Web app, network, API, and cloud coverage
✓Human-reviewed findings
✓Technical report + executive summary
✓Firebase real-time findings dashboard
✓MITRE ATT&CK + OWASP mapping
✓Retest verification included
✓Compliance evidence export

Request this

Larger Scope

Custom

More complex scope. Discussed first — capability confirmed before any commitment.

Let's discuss

Scoped before any commitment

✓Multiple targets, complex environments
✓Full report suite
✓Compliance evidence package
✓DPA available
—Declined if beyond current capability

Get in touch

All engagements require a signed authorisation agreement before work begins. Testing does not start without verified written permission from the system owner. Founding rates subject to increase.

contact

Request a test.

Describe your target and what you want tested. If the scope isn't right for this service, that gets confirmed before you commit to anything.

✓Response same day in most cases

✓Fixed price and scope confirmed before any work begins

✓Signed authorisation required — no exceptions

→hello@synthbreach.gg

// engagement request

Name *

Email *

Company / Project

Test type *

Target *

Budget range

Additional context

I confirm I own or have explicit written authorisation to test the systems listed above. *

Used only to respond to this request. Not shared with anyone. Privacy Policy.

Independentsecurityassessments.

Built for the gapagencies ignore.

No agency.No overhead.