Clear, transparent pricing trusted by 700+ businesses
Offensive DAST vulnerability scanner that scans behind login for 10,000+ test cases like OWASP Top 10, ports, CVEs & more
$69/m
Here's how the target is defined
Simply put, a domain with all its site tree URLs is a target. Target can be the URL of a web application, IP, website, API etc.
If your website makes API calls to different domains (eg: api.example.com), you can add them as an extra host during setup without having to purchase another target for it, and all calls to api.examples.com from example.com will be scanned.
.svg)
- 3 monthly vulnerability scans with 10,000+ tests (OWASP, SANS, CVEs)
- Run authenticated scans for full coverage
- 1 Integration (CI/CD, Slack, Jira etc.)
- AI powered conversational vulnerability fixing assistance
$199/m
Here's how the target is defined
Simply put, a domain with all its site tree URLs is a target. Target can be the URL of a web application, IP, website, API etc.
If your website makes API calls to different domains (eg: api.example.com), you can add them as an extra host during setup without having to purchase another target for it, and all calls to api.examples.com from example.com will be scanned.
- Unlimited vulnerability scans with 10,000+ tests (OWASP, SANS, CVEs)
- Run authenticated scans for full coverage
- Unlimited integrations
- AI-powered conversational vulnerability fixing assistance
- Four expert Vetted Scans to ensure zero false positives (on annual billing)
- Compliance view for SOC2, ISO27001, PCI-DSS, HIPAA etc.
$499/m
Target
You get 5 target slots, with the ability to change targets in those slots with a 30-day cooling period. Example: Scan 5 targets, after 30 days scan 5 new targets.
Target Explained: Simply put, a domain with all its site tree URLs is a target. Target can be the URL of a web application, website, API etc. If your website makes API calls to different domains (eg: api.example.com), you can add them as an extra host during setup without having to purchase another target for it, and all calls to api.examples.com from example.com will be scanned.
- Unlimited vulnerability scans with 10,000+ tests (OWASP, SANS, CVEs)
- Run authenticated scans for full coverage
- AI-powered conversational vulnerability fixing assistance
- Flexibly change URLs from 5 target pool (30 day cooling period)
- Four expert Vetted Scans to ensure zero false positives
- Compliance view for SOC2, ISO27001, PCI-DSS, HIPAA etc.
- Account Manager
$699/yr
Here's how the target is defined
Simply put, a domain with all its site tree URLs is a target. Target can be the URL of a web application, IP, website, API etc.
If your website makes API calls to different domains (eg: api.example.com), you can add them as an extra host during setup without having to purchase another target for it, and all calls to api.examples.com from example.com will be scanned.
- 3 monthly vulnerability scans with 10,000+ tests (OWASP, SANS, CVEs)
- Run authenticated scans for full coverage
- 1 Integration (CI/CD, Slack, Jira etc.)
- AI powered conversational vulnerability fixing assistance
$1999/yr
Here's how the target is defined
Simply put, a domain with all its site tree URLs is a target. Target can be the URL of a web application, IP, website, API etc.
If your website makes API calls to different domains (eg: api.example.com), you can add them as an extra host during setup without having to purchase another target for it, and all calls to api.examples.com from example.com will be scanned.
- Unlimited vulnerability scans with 10,000+ tests (OWASP, SANS, CVEs)
- Run authenticated scans for full coverage
- Unlimited integrations
- AI-powered conversational vulnerability fixing assistance
- Four expert Vetted Scans to ensure zero false positives (on annual billing)
- Compliance view for SOC2, ISO27001, PCI-DSS, HIPAA etc.
$4999/yr
Target
You get 5 target slots, with the ability to change targets in those slots with a 30-day cooling period. Example: Scan 5 targets, after 30 days scan 5 new targets.
Target Explained: Simply put, a domain with all its site tree URLs is a target. Target can be the URL of a web application, website, API etc. If your website makes API calls to different domains (eg: api.example.com), you can add them as an extra host during setup without having to purchase another target for it, and all calls to api.examples.com from example.com will be scanned.
- Unlimited vulnerability scans with 10,000+ tests (OWASP, SANS, CVEs)
- Run authenticated scans for full coverage
- AI-powered conversational vulnerability fixing assistance
- Flexibly change URLs from 5 target pool (30 day cooling period)
- Four expert Vetted Scans to ensure zero false positives
- Compliance view for SOC2, ISO27001, PCI-DSS, HIPAA etc.
- Account Manager
Compare plans & FIND the right one for you
Hacker style pentest by certified pentesters made agile & dev friendly with PTaaS platform. Meet & exceed SOC2, ISO, HIPAA needs
$1,999/yr
Unlimited vulnerability scans with 3000+ tests (OWASP, SANS etc.)
Unlimited integrations with CI/CD tools, Slack, Jira & more
Four expert vetted scan results to ensure zero false positives when billed yearly
Compliance reporting for SOC2, ISO27001, PCI-DSS, HIPAA etc.
P.S. This is a compliance view for vulnerabilities reported by our automated scanner (& pentest too if your plan includes that) and shouldn’t be confused with the Pentest/VAPT required as a part of various compliances. If trying to achieve compliance, then you should look at our Pentest Plan which includes a Pentest report required by various auditors.
Everything in the Scanner plan
$5999/yr
1 Target
Here's how the target is defined for a Pentest/VAPT:
- If you have a SaaS app, the entire app with all its APIs and underlying cloud is 1 target.
- If you have a mobile app, one Android app is considered as one target and one iOS app is considered another target. If they share code base, we offer a tailored discounted pricing.
- In case of networks, cloud, IPs and APIs - multiple clouds, IPs, APIs etc. can be clubbed into one target. Please schedule a call for tailored pricing.
$199/mo
If your website makes API calls to different domains, you can add them as an extra host without having to purchase another domain.
Let's say you have a customer dashboard at https://app.example.com/ and an admin dashboard at https://admin.example.com/ with different login pages, then you will need 2 targets.
Click the 🛈 icon to know more.
- Pentest (VAPT) by security experts in OWASP, SANS, PTES etc. standards
- Cloud configuration review (AWS/GCP/Azure)
- Pentest of APIs consumed within Target
- 2 Re-scans to verify fixes
- Pentest report for SOC2, ISO27001, HIPAA etc. compliances
- Publicly verifiable pentest certificate
- Unlimited DAST vulnerability scans with 10,000+ tests (DAST 'scanner' plan)
- Named account manager
- Shared Slack channel
$9999/yr
2 Targets
- If you have a SaaS app, the entire app with all its APIs and underlying cloud is 1 target.
- If you have a mobile app, one Android app is considered as one target and one iOS app is considered another target. If they share code base, we offer a tailored discounted pricing.
- In case of networks, cloud, IPs and APIs - multiple clouds, IPs, APIs etc. can be clubbed into one target. Please schedule a call for tailored pricing.
- Pentest (VAPT) by security experts
in OWASP, SANS, PTES etc. standards - Cloud configuration review (AWS/GCP/Azure)
- Pentest of APIs consumed within Target
- 2 Re-scans to verify fixes
- Pentest report for SOC2, ISO27001, HIPAA etc. compliances
- Publicly verifiable pentest certificate
- Unlimited DAST vulnerability scans with 10,000+ tests (DAST 'scanner' plan)
- Named account manager
- Shared Slack channel
- Custom SLA & payment options
Contact us for custom plan
- Pentest (VAPT) by security experts in OWASP, SANS, PTES etc. standards
- Cloud configuration review (AWS/GCP/Azure)
- Pentest of APIs consumed within Target
- Pentest report for SOC2, ISO27001, HIPAA etc. compliances
- Pentest report for SOC2, ISO27001, HIPAA etc. compliances
- Publicly verifiable pentest certificate
- Unlimited DAST vulnerability scans with 10,000+ tests (DAST 'scanner' plan)
- Named account manager
- Shared Slack channel
- Custom SLA & payment options
$999/yr
If your website makes API calls to different domains, you can add them as an extra host without having to purchase another domain.
Let's say you have a customer dashboard at https://app.example.com/ and an admin dashboard at https://admin.example.com/ with different login pages, then you will need 2 targets.
Know More
Weekly vulnerability scans with 3000+ tests (OWASP, SANS etc.)
Essential features like pentest dashboard, PDF reports and scan behind login
Compare plans & fiND the right one for you
Continuously discover & scan every API in your infrastructure for broken access control, authorization flaws, OWASP Top 10 & more
$199/m
$199/mo
If your website makes API calls to different domains, you can add them as an extra host without having to purchase another domain.
Let's say you have a customer dashboard at https://app.example.com/ and an admin dashboard at https://admin.example.com/ with different login pages, then you will need 2 targets.
Click the 🛈 icon to know more.
- Scan 100 API Enpoints/m
- API Observability
- API DAST Scanning (X Test Cases)
- Authenticated API Scanning
- 1 Integration (Jira/Slack/CI/CD)
- 1 Integration (Jira/Slack/CI/CD)
- OWASP Top 10 Coverage
- 3 Users
- Account Manager
- Scan upto 200 API Endpoints
- API Observability
- API DAST Scanning (X Test Cases)
- Authenticated API Scanning
- API Inventory
- Unlimited integrations (CI/CD, Jira, Slack)
- OWASP Top 10 Coverage
- 10 Users
- Scan for 300+ API Enpoints/month
- API Observability
- API DAST Scanning (X Test Cases)
- Authenticated API Scanning
- API Inventory
- Unlimited integrations (CI/CD, Jira, Slack)
- 15 Users
- Named Account Manager
$399/yr
$199/mo
If your website makes API calls to different domains, you can add them as an extra host without having to purchase another domain.
Let's say you have a customer dashboard at https://app.example.com/ and an admin dashboard at https://admin.example.com/ with different login pages, then you will need 2 targets.
Click the 🛈 icon to know more.
- Scan 100 API Enpoints/m
- API Observability
- API DAST Scanning (X Test Cases)
- Authenticated API Scanning
- 1 Integration (Jira/Slack/CI/CD)
- 1 Integration (Jira/Slack/CI/CD)
- OWASP Top 10 Coverage
- 3 Users
- Account Manager
- Scan upto 200 API Endpoints
- API Observability
- API DAST Scanning (X Test Cases)
- Authenticated API Scanning
- API Inventory
- Unlimited integrations (CI/CD, Jira, Slack)
- OWASP Top 10 Coverage
- 10 Users
- Scan for 300+ API Enpoints/month
- API Observability
- API DAST Scanning (X Test Cases)
- Authenticated API Scanning
- API Inventory
- Unlimited integrations (CI/CD, Jira, Slack)
- 15 Users
- Named Account Manager
Compare plans & FIND the right one for you
Inventory Integrations
(CI/CD, Jira, Slack)
We've got tailored options for those who deal with a diverse infrastructure
For Partners
Think your customers would love Astra too? Let's join forces.
- Compliance platforms
- Insurance providers
- MSSPs
- Auditors
For Enterprises
Need something more tailored? Our enterprise plan has got you covered.
- Pricing that fits your multi-target needs
- Custom SLAs and contracts
- Flexible deployment options
- Named account manager
Loved by leading security conscious companies around the world
.avif)
.webp)
"Astra identified several moderate and high severity issues that our team never thought existed. We are working in the Mental Health space and data privacy and security are extremely critical to us. That being said, I am thankful for their service."
“A key standout during our Astra Pentest was the solid support via Slack, making communication easy and efficient. The platform itself is user-friendly, and the Jira integration greatly streamlined issue resolution for our team, seamlessly fitting into our existing workflow”
"Astra's exceptional manual penetration testing and efficient automated tools have provided invaluable insights into our application's security, making them our trusted partner for comprehensive and reliable security measures"
Trusted by 700+
Engineering Teams
.webp)
FAQs
Frequently asked questions
How do you define a target for DAST Scanner?
Do you offer discounts on multi-year commitments or bundled services?
Does Pentest (PTaaS) cover specific compliance requirements (e.g., SOC 2, PCI, ISO 27001)?
What is the timeline for manual and automated testing, including rescans?
How do you define a target for Pentest (PTaaS)?
- If you have a SaaS app, the entire app with all its APIs and underlying cloud is 1 target.
- If you have a mobile app, one Android app is considered as one target and one iOS app is considered another target. If they share code base, we offer a tailored pricing starting from $2200/app depending on the scope
- In case of networks, cloud, IPs and APIs - multiple clouds, IPs, APIs etc. can be clubbed into one target. Please schedule a call for tailored pricing.
What is covered in automated vs manual pentesting/VAPT?
How can I validate the fixed vulnerabilities?
Do you work with our developer in patching the vulnerabilities?
Find & fix every vulnerability with Astra
Astra's continuous pentest platform: PTaaS for expert led pentesting, DAST Scanner for continuous vulnerability detection & API Security Platform for API observability &
vulnerability scanning - all working together to secure your applications.
2 Million+
Vulnerabilities Uncovered
3,000+
Pentests Completed
4.6/5
on G2
