Pricing

Practical, scope-based pricing

VEXA does not treat security like a one-size-fits-all product. Pricing depends on scope, complexity and timelines – but we keep the model simple and transparent so you can plan budgets without surprises.

How we think about pricing

The exact numbers are agreed together after a short discussion, but most VEXA engagements follow one of these patterns.

Fixed-scope assessment

A clear, one-time engagement with a well-defined target (for example, a single SaaS application, API surface or Kubernetes cluster) and agreed timelines.

Best when you know what needs testing and have specific internal or external deadlines to meet.

Phase-based engagement

A slightly larger scope broken into phases (for example, app first, then cloud review or AI features), so that your team can fix important issues between phases instead of being overwhelmed at the end.

Training & workshop programs

Pricing for training is usually based on duration (1–3 days) and audience size. Colleges and community programs may be eligible for special pricing, especially for focused, hands-on batches.

Typical pricing bands

The ranges below are examples only. Final pricing depends on actual scope, technology stack, integrations and urgency. For accurate numbers, please share a short description of your context via the security or training forms.

SaaS / web & API pentest

Scope: main web application and key API endpoints.
Includes manual testing, basic recon and business logic checks.
Output: detailed report with prioritised findings and remediation ideas.

Pricing is usually quoted per engagement once we understand size, auth models and integrations.

Cloud & Kubernetes review

Scope: selected AWS/Azure accounts, key workloads and clusters.
Focus on IAM, network paths, workload isolation and logging.
Output: risk-focused summary and phased hardening plan.

Pricing depends on number of environments, clusters and how much depth you need in each area.

Red team / adversarial simulation

Scope: agreed objectives and constraints, realistic attack paths.
Mix of technical and social techniques (within legal boundaries).
Output: narrative report with timeline, impact and recommendations.

These are highly customised and priced after a detailed scoping call.

Training & workshops

Scope: 1–3 day programs or shorter focused sessions.
Audience: students, early professionals or internal engineering teams.
Output: sessions, materials and optional post-session guidance.

Pricing depends on duration, audience size and whether labs are provided by VEXA or the host.

What we do not do

To keep expectations clear, a few things VEXA does not offer as a primary service:

Race-to-the-bottom “checkbox” pentests with unrealistic timelines.
Guaranteed vulnerability counts or “bug bounty style” competitions.
Using aggressive scare tactics to upsell unnecessary work.

If you mainly need a specific compliance checkbox, we can still discuss how to balance that with practical value.

Next step: the easiest way to get real numbers is to share a short description of your context. Companies can use the security assessment form, and colleges or students can use the training enquiry form.