Your last penetration test cost €12,000 and produced a 94-page PDF. Somewhere on page 37, there’s a finding about a missing X-Frame-Options header. The procurement team at your largest prospect glanced at the executive summary, asked “what’s your security grade?”, and moved on to the next vendor.
This happens constantly. SaaS vendors invest in pentests — which they should — but misunderstand what enterprise buyers actually use to make decisions. The pentest proves depth. The security grade drives the shortlist.
How Enterprise Procurement Actually Works
A typical enterprise vendor evaluation follows three gates:
Gate 1: Initial screening (30 seconds). The procurement analyst scans your security documentation. Do you have a security page? A grade? A recent scan? If yes, you pass to Gate 2. If not, you’re filtered out before anyone reads your pentest report.
Gate 2: Questionnaire review (2-4 hours). The security team sends a DDQ or SIG questionnaire. Your answers need evidence — scan reports, compliance mappings, policy documents. A security evidence package determines how quickly you clear this gate.
Gate 3: Deep dive (1-2 weeks). Only 2-3 finalists reach this stage. Here’s where the pentest report matters — the security team reads it cover to cover, checks remediation timelines, and assesses your vulnerability management maturity.
The security grade gets you through Gate 1. The pentest report earns trust at Gate 3. Skip either one and you lose — but skipping the grade means you never reach Gate 3.
What a Security Grade Communicates
An A-F letter grade does something a pentest report cannot: it gives a non-technical stakeholder an instant, comparable signal.
| Audience | What they need | Pentest | Grade |
|---|---|---|---|
| CISO | Technical depth, remediation status | ✅ Primary tool | ✅ Summary metric |
| Procurement analyst | Go/no-go signal for shortlisting | ❌ Too long to parse | ✅ Instant signal |
| VP of Engineering | Risk assessment for board reporting | ⚠️ Needs translation | ✅ Board-ready metric |
| Legal/Compliance | Regulatory evidence | ⚠️ Needs NIS2/ISO mapping | ✅ If compliance-mapped |
| CEO/CFO | “Are we exposed?” | ❌ Won’t read 94 pages | ✅ One-glance answer |
SaaSFort’s grading formula is transparent: (passed_checks / 60) × 100 — A+ (95+), A (90+), B (75-89), C (60-74), D (45-59), F (below 45). No black box. No proprietary algorithm that changes quarterly. A prospect can verify the grade by running the same scan themselves.
When You Still Need a Pentest
A security grade measures your external posture — what’s visible from outside. A pentest goes deeper: authenticated testing, business logic flaws, privilege escalation, API abuse scenarios. These are different tools for different questions.
You need a pentest when:
- An enterprise contract requires it (common in financial services and healthcare)
- You’re storing sensitive data (PII, PHI, financial records)
- Your application has complex business logic that automated scanners can’t evaluate
- You haven’t had one in the past 12 months and your application has changed significantly
You don’t need a pentest when:
- You’re responding to an initial vendor screening (a grade is sufficient)
- You’re proving basic security hygiene to a mid-market buyer
- You need continuous evidence rather than a point-in-time snapshot
- Your budget is €500/month and a pentest costs €12,000-€25,000 annually
Most SaaS companies under 100 employees need one pentest per year and continuous automated scanning in between. The pentest establishes depth. The ongoing grade demonstrates consistency. Both matter — at different stages and for different audiences.
For a detailed comparison of pentesting vs automated scanning, see our pentest alternative guide. We also make the full case for why external scanning is now a SaaS baseline in its own right, not just a supplement to pentesting.
The NIS2 Dimension: Continuous Evidence
NIS2 Article 21 doesn’t require a pentest. It requires “appropriate and proportionate technical and organizational measures” — with emphasis on continuous risk management, not annual snapshots.
BSI auditors want to see:
- Baseline evidence — your initial security posture (run a free scan for this)
- Continuous monitoring — regular scans showing posture over time (CI/CD integration automates this)
- Compliance mapping — findings linked to Art. 21(2) measures (NIS2 PDF export covers this)
- Improvement trajectory — documented remediation from your initial baseline to current state
A pentest from 14 months ago doesn’t satisfy “continuous.” A weekly automated scan with timestamped reports does. For German SMBs navigating NIS2 compliance, our 10-step checklist shows how automated scanning fits into the broader compliance framework.
Under §38 BSIG, German CEOs are personally liable for cybersecurity oversight. A security grade gives them a metric they can track and report to the board without needing to interpret a pentest PDF.
Building Your Evidence Stack
The strongest vendor security package combines both approaches:
| Layer | Tool | Update frequency | Cost |
|---|---|---|---|
| External security grade | SaaSFort (€9-29/mo) | Weekly to per-deploy | €108-348/year |
| NIS2 compliance PDF | SaaSFort NIS2 export | Per scan | Free (public endpoint) |
| Penetration test | Third-party firm | Annual | €12,000-25,000/year |
| Compliance framework | ISO 27001 or BSI Grundschutz++ | Continuous | €25,000-80,000 (first year) |
| DDQ response package | Security evidence package | Quarterly updates | Internal effort |
The security grade runs continuously at low cost. The pentest validates depth once a year. The compliance framework provides the governance wrapper. Together, they cover every gate in the procurement process.
FAQ
Can a security grade replace a penetration test?
No, and it shouldn’t try. A grade measures external posture across 60 automated checks. A pentest covers authenticated testing, business logic, and attack scenarios that automated scanners can’t evaluate. They answer different questions. Use the grade for initial screening and continuous evidence. Use the pentest for annual deep assessment.
What security grade do enterprise buyers expect?
Grade B (75+) is the typical minimum for enterprise shortlisting. Grade A (90+) puts you ahead of most competitors. Grade C triggers “remediation required” conversations. Grade D or F usually means immediate disqualification. For NIS2 compliance, the grade maps directly to your Article 21(2) control coverage.
How much does a penetration test cost vs automated scanning?
Annual pentest: €12,000-25,000. Automated scanning with NIS2 compliance mapping: €108-348/year. Most SMBs need both — the pentest validates depth annually, and the automated grade provides the continuous evidence NIS2 requires.
Do competitors like Detectify or Intruder offer security grades?
Detectify provides severity scoring but not an A-F grade. Intruder uses vulnerability counts. Neither maps to NIS2 controls. For detailed comparisons: SaaSFort vs Detectify, SaaSFort vs Intruder, SaaSFort vs HostedScan.
How does SaaSFort calculate the security grade?
The formula is transparent: weighted ratio of passed checks across 60 tests. Critical findings carry 10 points, high findings 7, medium 4, low 2, passes 5. Score = (earned weight / total weight) × 100. A+ requires 95+, A requires 90+. No hidden algorithm. Any auditor can verify the calculation.
Get your security grade in under 60 seconds. Free scan — 60 checks, A-F grade, NIS2 mapping. No signup required for your first scan. For the complete evidence stack, download our SaaS Security Playbook 2026.
Ready to put this into practice?
Run a free OWASP scan on your domain. First results in under 10 seconds — no signup required.