Dimension scores are derived from public data and fields and weighted into the composite score. For reference only.
ElevenDown positions itself as a next-generation offensive security and Penetration Testing as a Service (PTaaS) platform, providing continuous security testing for SaaS, APIs, cloud infrastructure, and AI/LLM applications. It is not a single-purpose scanner; instead, it emphasizes manual validation by certified researchers, exploit-chain construction, remediation guidance, and retesting certification.
Its coverage is broad: web applications, APIs, networks, cloud infrastructure, Android, code review, threat modeling, AI/LLM/AI agent security, and digital brand protection. API testing covers REST, GraphQL, gRPC, and WebSocket; cloud assessments cover AWS, GCP, and Azure, including IAM, storage, Kubernetes, containers, and IaC. The AI security component covers emerging risks such as the OWASP LLM Top 10, prompt injection, RAG poisoning, agent tool abuse, jailbreaks, and resource exhaustion. The workflow includes asset discovery, deep analysis, exploitation testing, guided remediation, retesting, and certification. Reports include developer-friendly remediation advice, prioritization, and a walkthrough call.
The website lists the Growth tier from USD 499 per project, including Web + API + Network testing, a full logic assessment, and one free retest. The first project is free, with payment only after satisfaction; enterprise plans are customized based on scope. On the compliance side, the team’s certifications include OSCP, CEH, CISSP, GPEN, AWS Security Specialist, and CCNA Security. The reports are said to support SOC 2, PCI-DSS, HIPAA, and ISO 27001 requirements, with signed attestation letters and a clean pentest certificate available.
The main strengths are comprehensive coverage, manual testing that is more valuable than purely automated scanning, and direct access to testers via Slack, Teams, and email. Critical vulnerabilities are reported immediately through encrypted channels, making the service suitable for fast-moving teams. The free first project and starting price of USD 499 also lower the entry risk. The drawbacks are that the website does not disclose the company’s country, legal entity, data residency, payment methods, its own security certifications, or Chinese-language support. Enterprise pricing is not transparent, and details about the continuous monitoring platform are also relatively limited.
ElevenDown is best suited for startups, growing SaaS companies, API-heavy businesses, cloud-native teams, and companies building AI/LLM products. Typical use cases include pre-launch testing, compliance-driven penetration testing, code review, and architectural threat modeling. The website does not specify access from China, payment, or invoicing details, so it is advisable to confirm network accessibility, support for international credit cards or wire transfers, NDA terms, and cross-border data provisions in advance. If local delivery and Chinese compliance support are required, it may be worth comparing domestic providers such as 奇安信, 绿盟科技, 安恒信息, 启明星辰, and 知道创宇.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site, elevendown.com.
elevendown.com is a United States pentest provider. TG4G tracks its product information, an overall rating of 7.0/10, and a China-accessibility score of Workable.