VaultDevLabs
Scope Lock Review

Request Security Snapshot scope approval

Lock the scope for an authorised no-login review of your public website, API or webhook surface. We confirm ownership, boundaries and fit before any testing begins.

Not sure whether the target fits? Ask a scope question

Credited against Snapshot if approved
No scan starts automatically
Approved target required
Not a pentest

Scope Lock Review

£99

Credited if approved

Target

Approved URL/domain/API

Scope type

No-login V2

Testing

Not started

Next step

Human scope review

Credit

£99 applied if approved

No automatic scan

Authorisation checked first

Snapshot package recommended

No automatic scanning

Authorised targets only

Human scope approval

Credited if approved

Authorised scope only

Human-reviewed findings

No-login V2 by default

Retest proof available

Scope paths

Which surface needs approval?

Website Security SnapshotGeneral public web exposure.WooCommerce + Stripe Security ReviewCheckout, webhooks and store exposure.Public API Security ReviewOpenAPI, GraphQL, CORS and route exposure.

What Scope Lock includes

A human gate before the review starts

Scope Lock is not an auto-scan. It confirms whether the proposed target and boundaries are suitable for a Security Snapshot before testing is scheduled.

Confirm target/domain/API fit

We check whether the submitted website, API, webhook path or WooCommerce surface fits the no-login Security Snapshot scope.

Review authorisation details

You provide the approved target and ownership/control context before any review work is accepted.

Confirm no-login V2 boundaries

Default scope stays public and non-destructive. Logged-in role testing needs a separate written V3 approval.

Recommend the right package

We confirm whether Launch Snapshot, Standard Snapshot, retest or a separate path is the best commercial fit.

Credit the £99 if approved

The Scope Lock Review is credited against your Security Snapshot when the target is approved and you continue.

What happens next

Clear approval before any testing

The commercial path stays buyer-friendly without creating unsafe expectations. Scope, permission and fit are confirmed first.

1

Pay £99 and send target details

Checkout opens the request. You send the approved URL, domain, API or webhook surface plus the worry you want checked.

2

VaultDev confirms fit

We check authorisation, boundaries, package fit and whether no-login V2 is the right review path.

3

You get the safe next step

If approved, the £99 is credited when you continue. If not, you get a clear reason before testing begins.

Guardrails

Safe by design, bounded by approval

Scope Lock exists so Security Snapshot starts from written boundaries, not assumptions.

No automatic scanning

Authorised targets only

No login required by default

No credential attacks

No destructive testing

No data exfiltration

No refunds, order edits or payment mutation

V3 credentialed testing requires separate written approval

What we need from you

Enough detail to confirm fit

The support path is intentionally plain. Send the target, ownership context and what you are worried about; we will confirm the next safe commercial step.

Name and business email

Company or site name

Approved URL, domain, API or webhook path

What you are worried about

Whether you own or control the target

Whether this is WooCommerce, Stripe/webhook, SaaS/API or other

Preferred package if you already know it

Package guide

Scope Lock points you at the right package

Prices are shown before VAT handling is confirmed in checkout copy. Final scope is agreed before review work starts.

Launch Snapshot

£495

Know obvious public exposure fast for one approved website, store or API.

Standard Snapshot

£895

Evidence pack for fixes and handoff, with route hints/OpenAPI/static review where provided.

Snapshot + Retest

£1,250

Standard review plus focused fix verification and before/after proof summary.

Retest only

£195

Available where there is an agreed finding and a scoped fix-verification target.

FAQ

Scope, payment and safety questions

Is this a pentest?

No. Scope Lock and Security Snapshot are authorised external security review steps. They are not a CREST/CHECK pentest, Cyber Essentials assessment, PCI ASV scan, legal opinion or certification.

Do you need login details?

No for the default V2 review. Scope Lock confirms whether the public no-login surface is appropriate. Credentialed role testing needs a separate written V3 approval and test accounts.

Does a scan run automatically?

No. Nothing runs automatically after the request. VaultDev confirms the target, authorisation, boundaries and fit before any testing begins.

What if my target is not approved?

You get a clear reason. Common reasons include unclear authorisation, unsupported scope, high-impact testing requirements or a request that belongs in a separate engagement.

Is the £99 credited?

Yes. The Scope Lock Review is credited against Security Snapshot if the target is approved and you continue with the recommended package.

Can you help fix issues after?

Yes. Fix work is scoped separately after findings are clear. Retest proof can verify agreed changes once they are deployed.

Authorised scope only

Confirm the target before the Security Snapshot starts.

No automatic scanning. No destructive testing. No credential attacks. Scope, ownership and fit are checked first.