We audit like hackers think, not like scanners run.
Diginno helps SaaS, e-commerce, and SMB teams with real web apps/APIs find meaningful risk before customers, partners, or attackers do. Clear scope. Clear report. Clear remediation roadmap.
- ✓We only test within written authorization and agreed scope.
- ✓AI accelerates recon and report drafting; important findings are manually verified.
- ✓No public case study or PoC is published without system-owner approval.
Target segments
Fundraising SaaS teams
Mid-size e-commerce
API-heavy SMBs
> When should you audit?
No dedicated security team
Founders or generalist IT teams are left guessing whether their web app is exposing real customer or business data.
Investor or enterprise partner asks for security posture
You need a clear report that can be discussed with investors, partners, and your technical team.
Automated scanners do not explain real risk
A long list of warnings does not tell you what to fix first, what is noise, or what can become an attack chain.
> How is this different from a scanner?
AI-augmented, not AI-replaced
Diginno uses AI to speed up recon, read JavaScript bundles, group endpoints, spot suspicious patterns, and draft reports. Final judgment remains human-owned.
Faster recon: fingerprinting, headers, public CVEs, endpoint maps.
Clearer reports: executive summary, risk matrix, remediation roadmap.
Safer delivery: no out-of-scope exploitation, no AI-only critical finding.
> Pilot packages with clear scope
Security Scan
VND 7.5M - 12.5M
$300-$500 · 2-3 days
Re-passive + automated scan for 1 domain
Web Audit
VND 20M - 60M
$800-$2,500 · 5-10 days
Scan + manual black-box audit for 1 web app
Audit + Fix
VND 60M - 125M
$2,500-$5,000 · 10-20 days
Audit + fix top CRITICAL/HIGH + retest
Retainer: monthly re-scan from VND 5M/month.
> A clear process, not a black box
Scope & 1-page SOW
Agree on domains, apps, APIs, test accounts, technical limits, and timeline.
Recon & mapping
Fingerprint the stack, map endpoints, review JS bundles, public exposure, and security headers.
Manual verification
Test within signed scope, verify important findings, and reduce false positives.
Report & debrief
Deliver the report, explain attack chains, prioritize fixes, and offer retesting.
> What you receive
Want to see how our report differs from scanner output?
The sample report shows how Diginno communicates risk in founder language and engineering roadmap format, not as a raw vulnerability dump.
Responsible disclosure
If you find a vulnerability in a Diginno-owned system, please report it responsibly. We appreciate good-faith reporting within safe boundaries.
security@diginno.netIn scope
- ✓ Diginno-owned domains and systems
- ✓ Non-destructive, reproducible issues
- ✓ Reports with enough detail for safe reproduction
Out of scope
- ! DDoS or stress testing
- ! Spam, social engineering, phishing
- ! Destructive testing or data exfiltration
- ! Public disclosure without written consent
Our commercial services follow the same principle: no unauthorized testing, no fear-based selling, no scope creep.
> Frequently asked questions
Does Diginno test without authorization?
No. Active testing only starts after written scope confirmation. Before that, we only discuss or perform a public-information security screen with client approval.
How many domains or apps are included?
Pilot pricing assumes 1 domain or 1 main web app. Extra subdomains, partner APIs, or admin portals are scoped in the SOW.
Can Diginno fix vulnerabilities after the audit?
Yes. Audit + Fix includes remediation for agreed top CRITICAL/HIGH issues and retesting after fixes.
Can the report be shared with investors or enterprise partners?
Yes. The report includes an executive summary, risk matrix, and remediation roadmap. If formal compliance or certification is required, we will clearly state what is outside Diginno scope.
Want to know what your web app is exposing?
Start with a 15-minute security screen: small scope, no deep probing, no scare tactics, just the next risks worth checking.
Leads from this form are saved to contact_submissions with source=security_service_page and forwarded through the existing automation webhook.