ImmuniWeb® Continuous

Reducing complexity and costs

ImmuniWeb® Continuous leverages our award-winning AI and Machine Learning technology to rapidly detect new or
updated code and to augment and accelerate web penetration testing. Our continuous web security monitoring is
enhanced with just-in-time web penetration testing and 24/7 access to our security analysts.

Continuous Penetration Testing Made Simple

Zero False-Positive SLA

Money-Back Guarantee for
a single false-positive

24/7 Just-in-Time Testing

Once your code is changed, our
experts will promptly test it

In-Depth Testing

Business logic testing, SANS Top 25,
PCI DSS & OWASP coverage

Actionable Reporting

Tailored remediation guidelines
and 24/7 support

DevSecOps Tailored

One-click WAF virtual patching,
SDLC & CI/CD integration

How It Works

  1. Pick a web application or API
  2. Customize testing, pay and start
  3. Get verified security alerts 24/7

Multirole Dashboard for DevSecOps

Developers Environment

Integrations: Jira, HP, Bugzilla, Splunk, Mantis, DefectDojo

Web Application Firewalls

Continuous Penetration Testing For Any Need

Internal & External Web Apps

Virtual Appliance technology for
internal applications testing

APIs and Web Services

Comprehensive coverage of API &
Web Services (REST/SOAP)

Open Source Security

Software Composition Analysis (SCA)
tests for 20,000+ known CVE-IDs

Black & White Box

Authenticated (including 2FA/MFA)
or Black Box testing

Attack Simulation

Threat-aware testing scenarios and
attack vectors upon request

  • OWASP Testing Guide
  • NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
  • PCI DSS Information Supplement: Penetration Testing Guidance
  • FedRAMP Penetration Test Guidance
  • ISACA’s How to Audit GDPR
  • Common Vulnerabilities and Exposures (CVE) Compatible
  • Common Weakness Enumeration (CWE) Compatible
  • Common Vulnerability Scoring System (CVSSv3)
  • Injection Flaws
  • Buffer Overflows
  • Cross-Site Scripting (XSS)
  • Insecure Cryptographic Storage
  • Improper Access Control
  • Insecure Communications
  • Cross-Site Request Forgery (CSRF)
  • Improper Error Handling
  • Broken Authentication and Session Management
  • Many other "High" Risk Vulnerabilities

ImmuniWeb Continuous Packages and Pricing

Express
Small dynamic website

The Express package is best suited for uncomplicated websites, for example a presentational website with some dynamic functionality. It also suits auditing a small part of a larger web application. Business websites running WordPress or Drupal with a few third-party plugins are a good match for this package.

SMB
Small e-commerce website

The SMB package is best suited for medium-sized websites and small e-commerce applications with several APIs. It also suits auditing a small part of a larger web application. Websites running standardized e-commerce systems such as Magento are a good match for this package.

Corporate
Midsized CRM, ERP or HRM

The Corporate package is best suited for business applications with several user roles, diverse dynamic functionality and APIs. Medium-sized e-banking or payment processing systems also fit this package well.

Corporate Pro
Multirole critical application

The Corporate Pro package is best suited for large, business-critical applications that require sophisticated business logic testing under multiple user roles and interaction with different APIs. Multifunctional e-banking or complicated CRM systems fit this package well, as do applications based on web solutions from SAP, Oracle or Microsoft.
Continuous Penetration Testing Tailored for Your Needs
  1. 24/7 Testing
    • Rapid Detection of New / Updated Code
    • Continuous Penetration Testing:
      • SANS Top 25 Full Coverage
      • OWASP Top 10 Full Coverage
      • PCI DSS 6.5.1-6.5.11 Full Coverage
      • AI to Augment Human Testing and Analysis
      • Machine Learning to Accelerate Testing
      • Authenticated Testing (2FA / SSO)
      • REST/SOAP API Testing
    • Full Customization of Testing
  2. Reporting
    • Zero False-Positive SLA
    • Threat-Aware Risk Scoring
    • Tailored Remediation Guidelines
    • Web Interface, PDF and XML Formats
    • PCI DSS and GDPR Compliances
    • CVE, CWE and CVSSv3 Scores
  3. Remediation
    • Unlimited Patch Verifications
    • Vulnerability Notifications (SMS / Email)
    • 24/7 Access to Our Security Analysts
    • DevSecOps & CI/CD Tools Integration
    • One-Click Virtual Patching via WAF
    • Multirole Dashboard
$995 / month
$1,495 / month
$3,495 / month
$5,495 / month
Accepted payment methods: VISA, MasterCard, American Express, Maestro, Visa Electron, PayPal, bank transfer

Testimonials and Customer References

Frequently Asked Questions

  • Q
    How are the penetration testing packages different?
    The main difference is the amount of human time spent on a project to detect the most sophisticated, non-trivial and novel security vulnerabilities. All other technical and reporting capabilities and features are the same.
  • Q
    How many URLs can be grouped within one package?
    We recommend grouping different URLs in one package only if they belong to the same business application. For example, your ERP or e-banking system may be spread across several (sub)domains and have APIs on different URLs; all of them can be grouped into one package at the first step of project creation. Conversely, it would be inappropriate to group your CRM and an unrelated Partner Portal in one package.
  • Q
    Can I test my internal web applications and APIs?
    Yes, we will provide you with ImmuniWeb Virtual Appliance (VA) for this purpose. Being a Virtual Machine (VM) image composed of open source software only, the VM is always under your full control (root access). The VM will securely route ImmuniWeb testing traffic to your internal web applications and APIs. It usually takes just a few minutes to deploy the VM internally. We recommend deploying the VM in an isolated VLAN with access only to the applications to be tested.
  • Q
    What is your rapid detection of new and updated code?
    Rapid detection of new or updated code is based on our award-winning machine learning and AI technology. It continuously and safely crawls your web applications, and as soon as a change is detected, our security analysts will rapidly intervene to manually test the change for sophisticated vulnerabilities on top of intelligently automated and accelerated 24/7 vulnerability scanning.
  • Q
    What is your instant vulnerability notifications feature?
    You can customize notifications about newly detected security vulnerabilities by email, SMS or phone. You can configure the notifications by vulnerability risk levels to dispatch the notifications across your team in a timely and agile manner.
  • Q
    Can I choose a specific timeframe for penetration testing?
    Yes, if necessary, you can request a specific timeframe for your project. Please, indicate the preferred testing period in “Special Requirements” field during the first step of project creation. By default, all projects start at 9:00 AM CET of the scheduled day.
  • Q
    How easily can I customize my penetration testing package?
    When creating a project, just specify in plain English any special requirements for testing and remediation, from scope and methodology to reporting. For example, you may ask us to spend additional time on sophisticated 2FA bypass techniques, to omit low-risk XSS from the report, or to provide in-depth remediation guidelines for PHP developers, and we will do so.
  • Q
    How does your remediation work?
    We provide actionable remediation guidelines for each of the detected vulnerabilities. Moreover, you have unlimited access to our security analysts should you have any further questions about remediation. Furthermore, we offer one-click virtual patching via WAF by F5, Imperva, Fortinet, Barracuda, Qualys and DenyAll.
  • Q
    What is your zero false-positive contractual SLA?
    It is a binding contractual clause for every project with no exception. The clause clearly stipulates that for one single false positive in your report you will get back the entire amount paid for one week of subscription.
  • Q
    What is your threat-aware risk scoring?
    All exploitable and confirmed vulnerabilities receive a CVSSv3 Base score. Moreover, we assess and indicate such important criteria as public availability of an exploit, ongoing exploitation campaigns in the wild, and the availability of a vendor-supplied fix for the vulnerability. Issues that cannot be exploited or confirmed (e.g. a security flaw presumably affecting your Admin area to which we do not have access) are listed separately as security warnings without a CVSSv3 score.
  • Q
    Which formats of report do you provide?
    In addition to our DevSecOps-enabled, multi-role dashboard, you can download a report in PDF and XML formats. We offer one-click integration with the most popular developer, CI/CD and DevSecOps tools, such as Jira or Mantis. Likewise, you can securely access your report data via our API.
  • Q
    What is your 24/7 access to security analysts (SOC)?
    All ImmuniWeb customers get unlimited access to our security analysts via ImmuniWeb Portal. You can ask questions about exploitation, remediation or any other project-related topics.
  • Q
    Where is penetration testing data stored?
    All penetration testing data is securely stored in our ISO 27001 infrastructure in Canada and Switzerland (both recognized by the European Commission as countries providing an adequate level of data protection for the purpose of GDPR). Upon your request all data can be securely deleted at any moment.
  • Q
    What is the added-value of your Machine Learning and AI?
    Our award-winning Machine Learning technology, based on Artificial Neural Networks (ANN), considerably reduces the testing time. Unlike the automated scanners that penetration testers use for basic testing, our proprietary technology delivers a higher quality of testing while sending fewer HTTP requests. Our AI technology, based on various Deep Learning algorithms, is used for intelligent automation of the testing process, ensuring that all possible attack vectors and exploitation techniques are properly tested. As a result, what a traditional penetration test delivers in a week, our team of penetration testers will likely deliver in a couple of days or even faster.
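As an added illustration of the change-detection idea in the FAQ answer on rapid detection of new and updated code (this is example code written for this page, not ImmuniWeb's crawler or technology), the snippet below fingerprints each crawled page after stripping per-request noise such as CSRF tokens, nonces, session IDs and timestamps, then reports which URLs were added, removed or changed between two crawls. Without that normalisation every fetch of a page carrying a fresh CSRF token would look like new code. The noise patterns and the two sample crawls are constructed for the example.

```python
"""Content-change detection between two crawls of a web application.

Added example for this page, not ImmuniWeb's code. Pages are hashed after
removing values that legitimately differ on every request, so that only a
real change in the served content (new form fields, new endpoints, removed
pages) is reported.
"""
import hashlib
import re

# Constructed noise patterns: values that change per request but do not
# indicate a change in the application's code. Extend for your own stack.
_NOISE = [
    re.compile(r'name="(?:csrf|_token|authenticity_token)"\s+value="[^"]*"', re.I),
    re.compile(r'nonce="[^"]*"', re.I),
    re.compile(r"\b(?:sid|PHPSESSID|JSESSIONID)=[A-Za-z0-9]+"),
    re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?"),
    re.compile(r"<!--.*?-->", re.S),
]
_WS = re.compile(r"\s+")


def fingerprint(body: str) -> str:
    """SHA-256 of the response body with per-request noise and whitespace removed."""
    text = body
    for pattern in _NOISE:
        text = pattern.sub("", text)
    text = _WS.sub(" ", text).strip()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def diff_crawl(baseline: dict, current: dict) -> dict:
    """Compare two crawls ({url: body}) and return added, removed and changed URLs."""
    old_fp = {url: fingerprint(body) for url, body in baseline.items()}
    new_fp = {url: fingerprint(body) for url, body in current.items()}
    common = set(old_fp) & set(new_fp)
    return {
        "added": sorted(set(new_fp) - set(old_fp)),
        "removed": sorted(set(old_fp) - set(new_fp)),
        "changed": sorted(url for url in common if old_fp[url] != new_fp[url]),
    }


# Constructed sample crawls. The login form gained an OTP field (a real change),
# the about page only has a new generation timestamp (noise), one page was
# removed and a new API endpoint appeared.
BASELINE_CRAWL = {
    "/login": '<form><input type="hidden" name="csrf" value="abc123">'
              '<input name="user"><input name="pass" type="password"></form>',
    "/about": "<h1>About</h1><p>Generated 2024-01-01 10:00:00</p>",
    "/old": "<p>legacy page</p>",
}
NEW_CRAWL = {
    "/login": '<form><input type="hidden" name="csrf" value="zzz999">'
              '<input name="user"><input name="pass" type="password">'
              '<input name="otp"></form>',
    "/about": "<h1>About</h1><p>Generated 2024-02-01 11:30:00</p>",
    "/api/v2/export": '{"rows": []}',
}

if __name__ == "__main__":
    for kind, urls in diff_crawl(BASELINE_CRAWL, NEW_CRAWL).items():
        print(kind, urls)
```

In practice the baseline would be persisted between crawl runs and the "changed" and "added" lists would be what triggers a re-test of the affected paths; the important design choice is the normalisation step, since an over-broad noise pattern hides real changes while a missing one floods the queue with false alerts.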
