Vulnerability scanning & assessment — transparent pricing
A vulnerability scan tells you what an attacker can see and reach before they act on it. Brocent runs external, internal, authenticated and web-application scans, then hands you a prioritised, remediation-ready report your auditors and cyber-insurer will accept — not a raw tool dump. Buy it as a one-time assessment or as a managed, always-on service.
Three ways to scope a scan
Every tier includes a human-written executive summary, a prioritised technical findings report (CVSS-scored) and a remediation call. No black-box scores.
Essential
Up to ~20 assets
External perimeter scan for lean teams and first-time buyers.
One-time assessment
From US$1,200
Managed (recurring)
From US$150 / mo
- External / internet-facing asset discovery
- Unauthenticated network + port scan
- CVSS-scored, prioritised findings report
- Executive summary + remediation call
- Re-scan to confirm fixes (one-time: 1 included)
- Managed: monthly scan + emerging-threat alerts
Professional
Up to ~100 assets
External + internal + authenticated + web-app — the audit-grade tier.
One-time assessment
US$3,500–6,000
Managed (recurring)
US$400–700 / mo
- Everything in Essential
- Internal network & authenticated scanning
- Web-application / API scan (OWASP Top 10)
- Cloud posture check (Azure / AWS / M365)
- Unlimited re-scans + prioritised remediation roadmap
- Managed: continuous scanning + quarterly review
Enterprise / Compliance
Unlimited assets · multi-site
Full-scope programme aligned to PCI-DSS, ISO 27001 and China MLPS (等保).
One-time assessment
US$8,000–15,000
Managed (recurring)
From US$1,200 / mo
- Everything in Professional
- Multi-site / multi-entity coverage
- Compliance mapping: PCI-DSS, ISO 27001, MLPS 等保
- Executive + board-ready technical reporting
- Dedicated security engineer + named contact
- Managed: continuous VM programme + monthly review
All prices in USD, indicative starting points, tax exclusive. Invoiced in HKD, SGD, CNY, JPY or EUR on request. Regional pricing (APAC / EU-UK / Middle East) available — final quote depends on scope, asset count and location.
How Brocent compares to the market
Global self-serve tools charge per asset and leave you to run, read and remediate them. Brocent delivers the outcome — a report and a fix plan — often below the cost of the tool licence alone.
| Vendor / tool | What you get | Typical price |
|---|---|---|
| Tenable Nessus Pro | Scanner licence (self-run) | US$4,790 / yr |
| Qualys VMDR | Per-asset platform (self-run) | ~US$199–250 / asset / yr |
| Rapid7 InsightVM | Per-asset platform (self-run) | ~US$23 / asset / yr (512 min) |
| Intruder.io | SaaS scanner subscription | ~US$99–240 / mo |
| Consultancy pen-test | One-time manual engagement | US$5,000–20,000 |
| Brocent Essential | Managed scan + report + fix plan | From US$150 / mo |
Third-party list prices as of July 2026; vendor pricing changes and enterprise tiers are quote-only. Brocent runs industry-standard engines under the hood — you pay for the assessment, prioritisation and remediation, not another licence to manage.
Vulnerability scanning — pricing questions
Is a scan the same as a penetration test?
No. A vulnerability scan is automated, broad and repeatable — it finds known weaknesses across many assets. A penetration test adds manual exploitation to prove impact. Scans start from US$1,200; full manual pen-tests are scoped separately (from US$3,500). Many clients scan monthly and pen-test annually.
How is the one-time price decided?
By scope: number of live assets / IPs, whether internal and authenticated scanning is included, and how many web apps or cloud accounts are in range. The tiers above are indicative starting points — send us an asset count and we'll return a fixed quote within one business day.
What do I actually receive?
A human-written executive summary, a CVSS-scored technical findings report ranked by real-world risk, and a remediation call. Managed tiers add a tracked remediation roadmap and re-scan confirmation. We never hand over a raw tool export and call it a report.
Do you cover PCI, ISO 27001 or China 等保?
Yes. The Enterprise / Compliance tier maps findings to PCI-DSS, ISO 27001 and China's MLPS (等保) so the report drops straight into your audit evidence. We support quarterly external scans where PCI or CE+ requires them.
Which regions do you serve?
Hong Kong, China, Japan, Singapore and across APAC as standard, with EU/UK and Middle East delivery on request. Pricing is USD headline; we invoice locally and adjust for regional scope.
Get your vulnerability scan scoped
Send us an asset count and your compliance target — we'll return a fixed-fee quote and a sample report within one business day. No obligation.