From Big Four to Scytale: Pen Tests That Expose Risks Others Previously Missed
SundaySky, a US-based global video platform serving enterprise customers in regulated industries like healthcare and financial services, maintains SOC 2, HIPAA, and GDPR compliance with Scytale. After years of running pen tests with a Big Four firm, the security team made the switch to Scytale’s penetration testing solution.
Across multiple engagements covering baseline, gray box, and black box scopes, the team has expanded coverage annually, integrated pen test outcomes directly into their GRC program, and surfaced risks no prior test had caught.
Amit Levran
Head of Security
SundaySky
“Our gray box test was a wake-up call. It flagged things we, in all honesty, never tested. From a value perspective, the value is absolutely there – it gives us very good visibility into our environment and things we need to fix.”
Challenges
The team had been running pen tests with a Big Four firm – paying for the logo, but not seeing the insight they expected. “We didn’t feel that we were getting the value to justify the cost of that logo,” Amit explains.
What they actually wanted: a pen test that pushed deeper, surfaced risks they hadn’t already thought to test, and integrated cleanly into their compliance program.
Solution
The team moved to Scytale’s penetration testing solution. Year one was a baseline pen test. Each year since, the scope has expanded as they’ve learned what Scytale can deliver, including gray box, black box, and vulnerability assessment engagements. Pen test results, documentation, and remediation tracking now live inside Scytale’s AI GRC platform, automatically mapping to the compliance controls they fulfill.
Just as critical was the partnership itself: direct access to Scytale’s in-house pen testers – a team Amit describes as “amazing from the top down.”
The most recent gray box engagement surfaced risks the team had never explicitly tested, including security exposure from existing customers, a blind spot most security programs deprioritize.
Highlights
- Deeper pen testing insight
- Pen testing built into Scytale’s AI GRC platform: no additional vendors, no separate processes spread across multiple tools
- Vulnerabilities found and fixed within a month
- Reports R&D acts on directly – no security-to-engineering translation needed
- Every finding doubles as audit prep, mapping automatically to a compliance control
- Coverage expanded annually, from baseline to gray box, black box, and vulnerability assessments
The Result
Today, the team has sharper risk visibility, a stronger security posture, and a GRC program built on pen testing insights that translate directly into action.
“I didn’t need to explain anything to the R&D team. I shared the report, pointed them to page 30, section 2.3 – and it was fixed.”