Your AppExchange Listing Is a Revenue Gate. Clear It in 48 Hours.
Salesforce AppExchange, Atlassian Marketplace, ServiceNow Store, and Microsoft AppSource all require a security review before you can list. We deliver the audit-ready pentest report you need, aligned to what each marketplace actually checks, starting at $1,500 with results in 48 hours.
Most ISVs Hit the Security Review Gate Too Late
You're Already in the Queue
The Salesforce AppExchange review takes 6 to 9 weeks. By the time most ISVs realize a pentest report is required, they're already delaying a deal that was waiting on the listing.
Traditional Pentests Are Built for Enterprises
Legacy firms quote $15,000 to $25,000 and a 4 to 6 week timeline. That is not a viable option for a seed-stage ISV with one enterprise deal on the line and a 9-week review window already ticking.
This Is Not a One-Time Requirement
Salesforce runs periodic re-reviews when new vulnerability patterns emerge. Atlassian requires a CREST-accredited pentest annually, per app. Build this into your security budget now.
From Kickoff to Pentest Report in 48 Hours
Scope in 30 Minutes
Tell us your stack, your target marketplace, and your timeline. We configure the engagement and confirm scope on a quick call or async via email.
AI Agents Test in 48 Hours
Our AI agents execute autonomous exploitation across your web app, API, and infrastructure. Every finding is validated by a senior US-based ethical hacker before it goes in the report.
Audit-Ready Report, Delivered
You receive a pentest report formatted to the requirements of your target marketplace: DAST output compatible with Salesforce submission, CREST-aligned findings for Atlassian, and a full executive summary for your security team.
Every Major SaaS Marketplace Security Review, Covered
Mandatory for All Managed Packages
Every paid and free managed package on AppExchange requires a security review before listing. Salesforce uses Checkmarx for static analysis and OWASP ZAP or Burp Suite for dynamic testing. Roughly 50% of first submissions fail. The review costs $999 per attempt and takes 6 to 9 weeks.
Mandatory Annual Pentest Per App
All cloud apps on Atlassian Marketplace require a penetration test from a CREST-accredited firm or through the Bugcrowd managed program. Requirements are updated every April with enforcement by end of October. Each app requires its own test.
NowScan Plus External Pentest Evidence
ServiceNow requires partners to submit NowScan automated scan output. External pentest evidence significantly accelerates approval, particularly for applications handling sensitive enterprise data. Enterprise ISVs with high ACV customers should treat this as mandatory.
Security Questionnaire and SDL Review
Microsoft AppSource requires a security questionnaire and Software Development Lifecycle review. Publishers handling sensitive data or targeting government customers face additional requirements. Pentest evidence is expected for higher compliance tiers.
Pentest Pricing Built for ISVs, Not Enterprises
One-off reports for a single submission. Annual plans for recurring marketplace re-reviews.
One-Time Engagement
Autonomous AI exploitation with no human validation layer. Best for free AppExchange apps, early submissions, and teams on tight budgets.
- DAST output formatted for Salesforce submission
- Web app and API coverage
- Audit-ready findings report
AI agents plus senior human validation. Required for paid AppExchange listings, Atlassian cloud apps, and any engagement where a CREST-aligned report is needed.
- Everything in AI-Only
- Senior US-based ethical hacker validation
- CREST-aligned methodology
- Business logic and chained vulnerability testing
- Free remediation retest included
Fully manual engagement for complex managed packages, ServiceNow enterprise listings, and teams requiring a comprehensive red team report.
- Everything in Hybrid
- Dedicated senior tester team
- Full attack chain documentation
- Remediation consulting included
Annual Compliance Plans
For ISVs on multiple marketplaces or subject to periodic re-reviews. Covers your annual pentest requirement across Salesforce, Atlassian, and ServiceNow.
Annual pentest coverage for a single marketplace. Ideal for early-stage ISVs needing to meet Salesforce periodic re-review or Atlassian annual renewal.
Annual pentest coverage for up to two marketplaces. Includes quarterly check-in with your StealthNet account manager and priority scheduling.
Full annual security coverage across all major marketplaces. Includes unlimited re-tests, continuous vulnerability monitoring, and a dedicated senior security advisor.
Get a Pentest Quote
Tell us about your listing and we will respond with a scoped quote within one business day.
48-hour delivery. Senior US-based testers. Reports formatted for every major marketplace submission.
No commitment required. We scope every engagement before sending a proposal.
- CREST-aligned: Methodology accepted by Atlassian
- DAST-ready output: Formatted for Salesforce submission
- 48-hour delivery: From kickoff to audit-ready report