/moments · Pre-IPO

Pre-IPO Pentest: S-1, B3, NYSE, Nasdaq

Exhaustive pentest for companies in the pre-listing phase. Feeds the cybersecurity risk chapter of the prospectus. SEC SK 1.05, B3 IAN, NYSE/Nasdaq cyber disclosure.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

The coordinating bank, the IPO law firm and the PCAOB-registered auditor open the cyber risk pack roughly four months into the IPO process. A company without a serial pentest record over the previous 24 months becomes a prospectus finding and a pricing-discount trigger. The SEC requires disclosure of a material incident within 4 business days of the materiality determination (Form 8-K Item 1.05, "SK 1.05"). Without readiness, the IPO is delayed or loses traction.

Context and regulation

SEC SK 1.05 (8-K cyber disclosure) · CVM Res. 80/2022 (B3) · Sarbanes-Oxley (SOX 404) · ISO 27001:2022 · SOC 2 Type II

/attack-surface

Pre-IPO

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01

Exhaustive attack-surface pentest

All critical surfaces — web, API, mobile, cloud, AD, infra. No gap that turns into a prospectus finding.

02

ATT&CK-mapped Red Team

Adversarial simulation with goal: "compromise a system material to the investment thesis".

03

Third-party risk audit

Critical vendors, SaaS, outsourced services — reverse cyber due diligence.

04

Cyber risk chapter

Support to draft the cybersecurity risk chapter in prospectus / F-1 / IAN, aligned with SK 1.05.

05

Incident response C-level tabletop

Validation of the incident disclosure runbook: the SEC's 4-business-day window plus BACEN and ANPD notification obligations, each with its own clock. Crisis-ready team after IPO.

06

Objective evidence for PCAOB

Technical report + remediation plan + documented retest, accepted by independent auditors.

07

Post-listing: continuous pentest

Monthly retainer cadence to maintain disclosure compliance after IPO.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Engagements with Brazilian companies in listing phase on B3 and NYSE. Team has run cyber due diligence pre-IPO in fintech and healthtech.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.


Douglas Lopes

Founder · CEO · intrus.io

/crivo · integrity program

87%

of pentester candidates fail our Crivo screening

Do you know who's getting access to your environment?

NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background, psychometric profile and integrity testing.

  • In-depth criminal, fiscal and professional verification
  • Psychometric assessment and risk profile
  • Practical integrity testing with controlled scenarios
  • Fixed team — non-rotating, no 'stranger every engagement'

/faq

FAQ — Pre-IPO

When should pre-IPO pentest start?

Ideally 6-12 months before the roadshow. In a shorter window (3-6 months) it's possible but scope must be prioritized and remediation effort condensed.

Does the SEC really require incident disclosure in 4 days?

Yes. Form 8-K Item 1.05 (SK 1.05) has been in force since December 2023. Registrants have 4 business days after determining that an incident is material, not 4 days after discovering it; foreign private issuers furnish the equivalent disclosure on Form 6-K. Without a rehearsed runbook, that window is very hard to meet.

How much does it cost?

Pre-IPO exhaustive engagement: BRL 200-600k depending on size and complexity. Includes pentest + Red Team + tabletop + prospectus chapter support. An investment on the order of the pricing discount it prevents.

Do you work with the coordinating bank?

Yes. Often the coordinator (BTG, XP, Itaú BBA, Bradesco BBI, Goldman, JPM) asks for specific evidence. We coordinate deliverables with the bank.

/contact

Confidential pre-IPO meeting

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.