We’re an Ethical Hacking and Pentesting company offering services to identify cybersecurity vulnerabilities. In the following table, we outline what differentiates us from our competitors:

Table 1. Comparative table


Fluid Attacks

Others' tools


Our combination of technology and human expertise ensures that all of our reported findings are vulnerabilities – 0% false positives (lies).

They report about 35% false positives.*


Thanks to our combination of technology and human expertise, we have a 0% false negatives (omissions).

They may reach a rate of 80% false negatives.*

All in one

We provide comprehensive testing through a single solution, including the following techniques: SAST, DAST, IAST, SCA, Pentesting, DevSecOps, fuzzing, manual code review, reversing (if the source is not given), false positive elimination, exploitation with public, private, and custom exploits, user enumeration, password guessing and cracking, and trojan infection.

Their standard solutions do not include all techniques. It is common that some have to be acquired separately.


We validate the following standards: OWASP, GDPR, NERC, NIST, PCI DSS, HIPAA, ISO27002, CWE, CVE, EPR, BSIMM9, COMMON CRITERIA, as well as company-specific requirements.

They validate only some of the standards mentioned.

Fast & automatic

Our scans take minutes for deterministic vulnerabilities and hours or days for the most critical vulnerabilities.

Generally, their scans take minutes or hours.


Our standard service includes consulting and clarification by hackers (via Integrates) so that users understand vulnerabilities.

Usually, companies provide support to the users of the tools as an additional and expensive service.

Break the build

We break the build without false positives.

They break the build with false positives.


Hybrid (automated tools + hands-on expert review).


By combining vulnerabilities A and B, we discover a new, higher impact vulnerability C, which may compromise more registers.

They do not achieve that correlation.

Safe mode

We can operate in safe mode, avoiding being detected by the SOCs or affecting service availability in productive environments.

They can operate in safe mode but in a limited way, only for some checks.

Type of evidence

Some of our most relevant evidence is (1) portions of code, (2) images of the attack with explanatory annotations, (3) animated GIFs of the attack, (4) executive reports in PDF, (5) technical reports in XLS and PDF, and (6) graphics and metrics illustrating the system’s security status.

Some of their most relevant evidence is portions of code and executive reports.


We can do exploitation as long as we have (1) an available environment and (2) the appropriate authorization.

There is no exploitation because they are not capable of doing DAST.


Through Integrates, the entire security testing process is centrally managed, the vulnerability remediation process is controlled, permanent support is provided to the development teams, and executive indicators for organizational management are delivered in a simple way and in real time.

In some companies, the tools are fragmented and do not have a single centralized management process.

Zero-day vulnerabilities

Our hackers are skilled at finding zero-day vulnerabilities.

They fail to find these vulnerabilities.


Our cost is variable and proportional to the number of developers building and modifying the code.

They tend to have a fixed cost, which is independent of the development team’s size.

* Data from a 3-year experiment run by Fluid Attacks on 6 commercial tools and 6 open source tools.

Do you want more information about our services? Do not hesitate to contact us.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy