Is Barrion a penetration test?

Barrion has two scanning modes. The plans on this page run passive, automated scans that never send payloads or attempt logins, safe for production. For active, agent-driven testing with proof-of-exploit (SQLi, XSS, IDOR, SSRF, business logic), see AI pentesting, which is scoped per engagement.

Does Barrion scan behind a login or authenticated areas?

No. Barrion only scans pages reachable without credentials: public-facing URLs and their linked pages up to the plan's crawl limit. It cannot test dashboards, account settings, or any URL requiring a session. This makes it safe to run in production.

What compliance frameworks can I use Barrion reports for?

Paid plan exports are designed as audit evidence for SOC 2 (CC6.x security controls), PCI DSS (Requirements 6 and 12), and ISO 27001. Reports include a timestamped security score, severity-categorized findings, and remediation status.

How is the Barrion security score calculated?

Each security check carries a weighted score based on its CVSS-derived severity. The overall score (0 to 100) is the ratio of achieved score to maximum possible. Scores are tracked across every scan so you can see whether your security posture is improving, stable, or declining over time.

Can I cancel my Barrion subscription at any time?

Yes. You can cancel directly in the dashboard, no emails or support tickets needed. Paid plans also include a 14-day refund window from your first charge.

Pricing

Plans that fit how you ship.

Name: Barrion
Availability: InStock
Author: Barrion

Free first scan, no signup. Paid plans add advanced security checks, continuous monitoring, alerts and audit-ready reports. AI pentesting is scoped per engagement.

Free

$0/mo

No credit card required.

Get started

18 core security checks
Passive, read-only scans
Step-by-step remediation
Security score history
PDF report export
3 pages, 5 scans/day

Essential

$39/mo

7 days free, then $39/mo.

Start free trial

Everything in Free, plus:
+17 advanced checks
Continuous monitoring (1 domain)
Email alerts
GitHub + codebase scanning
SOC 2 / ISO 27001 / PCI reports
20 pages, 50 scans/day
Priority support

Business

$179/mo

7 days free, then $179/mo.

Start free trial

Everything in Essential, plus:
Daily monitoring (10 domains)
Slack & Teams alerts
20 GitHub repos
AI-enhanced codebase scanning
CI/CD scan on commit/PR
200 pages, 500 scans/day
Dedicated support

Enterprise

Custom

For larger teams & estates.

Everything in Business, plus:
AI pentesting engagements
Deeper security coverage
Greater scale & volume
Advanced integrations
Tailored to your needs

Compare plans side-by-side

Need deeper testing?

Real penetration testing, on demand.

On-demand active engagement that probes for SQL injection, IDOR, SSRF, broken access control, and business-logic abuse, with reproducible proof-of-exploit. Scoped per engagement, separate from the monitoring plans above.

See AI Pentesting

Compare plans

Side-by-side, feature by feature.

Feature	Free	Essential	Business
Security checks	18	35+	35+
Standard remediation guidance	✓	✓	✓
Security knowledge base	✓	✓	✓
Security score trend history	✓	✓	✓
AI Stack Guidance	3/month	Unlimited*	Unlimited*
Manual scans per day	5	50	500
Pages per scan (crawling)	3	20	200
GitHub Repo Connections	0	1	20
Code Scan	–	Rule-based	Rule-based + AI-Enhanced
AI Remediation PRs	–	5/month	Unlimited*
CI/CD Triggers	–	–	✓
Report export	PDF summary	Board-ready & audit-ready PDF	Board-ready & audit-ready PDF + CSV
Continuous monitoring	–	1 domain + subdomains, weekly scanning	10 domains + subdomains, daily scanning
Vulnerability alerts	–	Email	Email, Slack, Teams
Support	Basic	Standard	Priority

FAQ

Frequently asked.

What is Barrion and how does it enhance website security?

Barrion is a security testing and monitoring platform for engineering teams, and it works in three ways. Passive scanning keeps a continuous, read-only watch over your live web apps and APIs. Codebase scanning connects to GitHub and checks your code for hard-coded secrets, insecure patterns and vulnerable dependencies. AI pentesting goes on the offensive, running agent-driven attacks that prove which vulnerabilities are genuinely exploitable. Every finding comes with a step-by-step fix you can ship right away.

How safe is Barrion to use for security testing?

Passive scanning and codebase scanning are completely safe to run, including against production. Passive scans only read your live app, so we never submit forms, brute-force endpoints or touch anything that changes state, and codebase scanning just reads your repository. AI pentesting is more aggressive by design, since its job is to confirm real exploits, so it runs rate-limited and non-destructive, and you agree the scope with us before it starts.

What types of security issues does Barrion identify?

It depends on the surface. On your live apps, Barrion catches misconfigurations across TLS and HTTPS, security headers, cookie flags, CORS policy, DNS records, email authentication (SPF, DKIM, DMARC), network exposure and the usual web hygiene gaps. In your codebase it finds secrets committed to the repo, insecure code patterns and vulnerable dependencies. AI pentesting surfaces the exploitable stuff, like SQL injection, cross-site scripting and broken access control, each one backed by proof it can actually be exploited.

What specific security checks does Barrion perform?

For live apps it checks TLS and HTTPS configuration, HTTP security headers, cookie flags, CORS policy, DNS and email authentication records, network exposure and common web hygiene issues. In your codebase it looks for hard-coded secrets, insecure patterns and vulnerable dependencies. AI pentesting takes it further by actively chaining requests to confirm exploitable flaws. Whatever the source, findings are ranked by severity and come with clear, step-by-step remediation.

What is Barrion's smart crawling?

Smart crawling automatically discovers the pages and endpoints of your app so scans cover the surface that matters, without you manually listing every URL.

How often does Barrion perform security scans?

You can run a scan manually whenever you want. Continuous monitoring of your live apps runs on its own (weekly and up on Essential, daily on Business), codebase scans can fire on every commit or pull request, and we alert you the moment something new shows up.

Is Barrion suitable for security testing of all business sizes?

Yes. Live-app monitoring, codebase scanning through GitHub and AI pentesting all work just as well for a solo developer as for a startup, a scale-up or an enterprise security team, without adding headcount.

How does Barrion handle data security and privacy during security testing?

Live-app and codebase scans are read-only by default, and we never store or expose sensitive data from your application. AI pentests are rate-limited and non-destructive, built to confirm whether something is exploitable without altering your data or affecting availability.

What if I'm not satisfied with Barrion's security testing service?

Paid plans start with a free trial, and you can cancel anytime. If something isn't right, contact us and we'll make it work for your team.

How does Barrion help with SOC 2, ISO 27001, NIS2, and other compliance frameworks?

Barrion produces audit-ready PDF and CSV reports suitable for SOC 2, ISO 27001, PCI DSS and NIS2, ready to share with auditors, customers and your board.

Anything else? Email contact@barrion.io.