A client I had been doing cloud architecture for came to me a while ago with a challenge I keep seeing:
Their biggest customer was pressing them on security. Questionnaires, evidence, a pentest report. At the same time, their WAF was lighting up with attackers actively probing for a way in.
The squeeze was real. On one side, a deal that depended on producing security artifacts they didn't have. On the other side, evidence in their logs that the threat wasn't theoretical.
But they're a tiny team. No security lead. No $15,000 budget for a traditional pentest.
So they asked me: "Can you help?"
What I've been building
I've been building the answer for the last few months. An agentic black-box pentesting tool that runs a real test, scoped against the OWASP Top 10. Agents perform recon, exploitation attempts, validation, and produce an audit-ready report.
The thing that distinguishes this from a vulnerability scanner is that the agents attempt the exploit, observe the response, and decide whether the attempt actually worked. A scanner says "this endpoint might be vulnerable to SQL injection." The agent says "I tried injecting a payload, the server returned a different response than the control, and here's the evidence." Every reported finding is replayed and confirmed before it makes the report. False positives at this price point are unacceptable. The whole pitch is "certainty for teams that don't have a security person to triage."
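The control-versus-payload comparison and the replay step described above, sketched as an added example. This is not the tool's own code: the mock targets, the volatile-token regex and the `validate_finding` function are all constructed here to illustrate the decision logic, and the three mock endpoints stand in for a real HTTP target.

```python
"""Differential exploit validation with replay confirmation (illustrative).

A finding is reported only when (1) the control request agrees with itself,
(2) the payload produces a response that differs from the control once
volatile tokens and reflected input are stripped, and (3) that same difference
reproduces on every replay. Anything else is inconclusive, not a finding.
"""
import re
from itertools import count
from typing import Callable, Dict, List, Tuple

Response = Dict[str, object]          # {"status": int, "body": str}
Target = Callable[[str], Response]    # stand-in for "send request, get response"

# Tokens that legitimately change between identical requests (timestamps,
# request ids). Left in place they make every response look "different".
VOLATILE = re.compile(r"\b(ts|req)=[0-9a-f]+", re.IGNORECASE)


def normalize(resp: Response, sent_input: str) -> Tuple[int, str]:
    """Reduce a response to the parts the payload could plausibly have changed."""
    body = str(resp["body"])
    if sent_input:
        # Echoed input differs trivially between control and payload; mask it.
        body = body.replace(sent_input, "<input>")
    body = VOLATILE.sub(r"\1=<volatile>", body)
    return (int(resp["status"]), body)


# ---- constructed mock targets (no network) ---------------------------------
_clock = count(1000)   # fake timestamp source so every response carries a new ts=
_flip = count()        # drives the flaky target


def vulnerable_search(q: str) -> Response:
    """Constructed: concatenates q into a query, so a single quote breaks it."""
    ts = next(_clock)
    if "'" in q:
        return {"status": 500, "body": f"DB error: unterminated string ts={ts}"}
    return {"status": 200, "body": f"2 results for {q} ts={ts}"}


def hardened_search(q: str) -> Response:
    """Constructed: parameterized query, quotes are just data; input is echoed."""
    ts = next(_clock)
    return {"status": 200, "body": f"0 results for {q} ts={ts}"}


def flaky_search(q: str) -> Response:
    """Constructed: alternates 200/503 regardless of input (pure noise)."""
    ts = next(_clock)
    if next(_flip) % 2:
        return {"status": 503, "body": f"upstream timeout ts={ts}"}
    return {"status": 200, "body": f"1 result for {q} ts={ts}"}


# ---- the validation step ---------------------------------------------------
def validate_finding(target: Target, control_input: str, payload_input: str,
                     replays: int = 3) -> dict:
    """Return {"confirmed": bool, "reason": str, "evidence": ...}."""
    # 1. Baseline stability: if the control disagrees with itself, any later
    #    difference could be noise rather than the payload.
    c1 = normalize(target(control_input), control_input)
    c2 = normalize(target(control_input), control_input)
    if c1 != c2:
        return {"confirmed": False,
                "reason": "control unstable; endpoint too noisy to judge",
                "evidence": [c1, c2]}
    # 2. The attempt: does the payload change the response at all?
    first = normalize(target(payload_input), payload_input)
    if first == c1:
        return {"confirmed": False,
                "reason": "payload indistinguishable from control",
                "evidence": [c1, first]}
    # 3. Replay: the difference must reproduce identically every time.
    seen: List[Tuple[int, str]] = [first]
    for _ in range(replays):
        again = normalize(target(payload_input), payload_input)
        seen.append(again)
        if again != first:
            return {"confirmed": False,
                    "reason": "difference did not reproduce on replay",
                    "evidence": [c1] + seen}
    return {"confirmed": True,
            "reason": f"payload response differed from control and reproduced {replays}x",
            "evidence": {"control": c1, "payload": first}}


if __name__ == "__main__":
    for name, t in [("vulnerable", vulnerable_search),
                    ("hardened", hardened_search),
                    ("flaky", flaky_search)]:
        print(name, validate_finding(t, "shoe", "shoe'"))
```

The hardened target echoes the probe and stamps every response, which is exactly the shape of input a naive "responses differ, therefore vulnerable" check misreads; masking reflected input and volatile tokens, then demanding a stable control and a reproducible difference, is what turns a single differing response into evidence rather than a guess.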
On the price
The $500 test isn't a watered-down $15,000 test. It's a deliberately scoped one. Web application, OWASP Top 10, focused on the kinds of issues that show up in security questionnaires and real attacks. It's not a six-week red-team engagement, and it doesn't pretend to be.
$500 is the entry point, not the only option. As the product matures and customers' needs grow, deeper tiers will sit above it. Not because I think pentesting should be cheap. Because I think a small dev team getting squeezed by their enterprise customer shouldn't have to choose between "do nothing" and "spend a month's runway."
There's a real gap between "free vulnerability scanner that produces a 200-page PDF nobody reads" and "$15,000 manual engagement that takes two months and arrives after the deal has already gone cold." That gap is what I'm trying to fill.
Where the MVP is
The MVP is running against that first customer now. It's finding real things. It's also doing some embarrassing things I have to fix. Both are useful.
The wins matter because they prove the foundations work. The first scan surfaced an exposed admin endpoint left over from a refactor six months ago. Nobody had touched it. The team's reaction, "how did we miss that for six months?", is the reaction I keep seeing, and it's a reasonable summary of why this category of tool exists.
The embarrassing things matter more right now, honestly. They're how I know what to build next. False positives the agent flagged with high confidence. Framework signatures the recon layer doesn't recognize yet. Edge cases in how validation handles authenticated state. None of these are surprises in the abstract. Every security tool has them, but each one is a real gap I'd rather find now, with a customer who knows what we're doing, than later, with a customer who doesn't.
What this build log is
I'm going to post one of these every week while I build this out. The good weeks and the bad ones. What the tool found. What customers said. What I got wrong about pricing, positioning, etc.
A short version goes up on LinkedIn each Tuesday. The longer version with the technical detail will live here.
What I'll share: technical decisions and why I made them, things the tool found (anonymized), customer feedback, pricing experiments, mistakes, dead ends. What I won't share: anything identifying about specific customers, anything that gives attackers a how-to, anything that would compromise an active engagement.
What I'd love to hear
If you're running a small dev team and your biggest customer just asked for a pentest report, I'd genuinely like to hear how you're handling it. What's stopping you. What you've tried. What didn't work.
If that's you, book a 15-minute call or reply to this on LinkedIn. No pitch. I'm trying to learn.
Week 2 next Tuesday.