10 client orgs, one laptop, zero uploaded code.
Salesforce consultancies audit client orgs constantly: pre-engagement discovery, mid-engagement health checks, post-engagement handoffs, compliance evidence packs for regulated clients. The market default for this is CodeScan or Clayton, both per-user-per-month SaaS products that charge your team the same whether you have one client this quarter or ten.
Vulkro flips the economics: one laptop, unlimited Salesforce orgs, fixed annual price, and your client code never leaves the consultant's machine.
The per-engagement math
Suppose your consultancy runs 10 client engagements a year and you have 3 consultants doing Salesforce reviews.
| | CodeScan SaaS | Vulkro Consultancy Pack |
|---|---|---|
| Pricing model | $25 / user / month | $1,499 / year / 10 floating activations |
| Cost for 3 users / year | $900 | $1,499 |
| Cost across 10 client orgs | included | included |
| Per-client incremental cost | $0 | $0 |
| Client code uploaded | yes (SaaS) | no |
| Client NDA implications | "we use a SaaS scanner" | "we run a local CLI" |
| Renewal | automatic | manual |
The Vulkro Pack pays for itself the first time a client asks "is the audit tool a separate data processor?" and the answer is no.
What you get per engagement
- Per-org HTML compliance reports. Run `vulkro portfolio engagement-bundle <parent-dir> -o report.zip` against a directory that contains every client SFDX project you manage. The output is one zip with one HTML report per client org plus an index page summarising NIST 800-53 and SOC 2 pass/fail status per org. Hand the zip directly to the client.
- CRUD/FLS taint findings across class boundaries. Vulkro's Apex engine builds an intra-class and cross-class call graph and resolves enforcement and data-op reach. A method that delegates its FLS check to a private helper is no longer a false positive; a method whose DML lives in a callee class is now caught.
- AppExchange Security Review readiness report. For ISV clients, `vulkro sf-appexchange-report` renders the same 10-section checklist mapping. Bring it to the kickoff for any client planning a managed-package submission.
- All the Salesforce coverage gaps closed in P8.7: Visualforce (`escape="false"` reflected merge fields, dynamic `includeScript`), metadata (profile over-privilege, named credentials, connected app OAuth scopes), Flow (system-context DML, hardcoded IDs), and PII mapping for the standard SObjects (Account, Contact, Lead, Opportunity, Case, User).
- Pro detector packs for client orgs beyond core CRM. Clients on B2C Commerce, Marketing Cloud, Health Cloud, FSC, CRM Analytics, Salesforce Functions, or Heroku Connect are covered by the same one-year team license. Each pack self-gates on activation markers in the project root, so a vanilla Apex / LWC org never pays the walk cost. Per-pack rules: B2C Commerce | Marketing Cloud | Industries Clouds (Health + FSC) | CRM Analytics | SF Functions | Heroku Connect. Plus the PMD-for-Apex / ESLint LWC / RetireJS wrappers as a one-shot sfdx-scanner replacement.
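The two cross-class cases the CRUD/FLS bullet describes, as an added Apex illustration written for this page (it is not Vulkro's code and not taken from the product). Class and method names are invented; each top-level class would live in its own `.cls` file inside the SFDX project being scanned. The first class is the "delegated check" pattern that a per-class scanner reports as a false positive; the second pair is the "DML in a callee" pattern that a per-class scanner misses, shown unchecked and then hardened with the standard `Schema.sObjectType` and `Security.stripInaccessible` checks.

```apex
// Case 1: enforcement delegated to a private helper.
// A scanner that only inspects save() sees an UPDATE with no visible FLS check
// and flags it. A scanner that resolves the helper call sees the check on the
// same path and correctly reports nothing.
public with sharing class ContactEmailService {
    public static void save(Id contactId, String newEmail) {
        requireEmailUpdateable();                       // FLS check lives in the callee
        Contact c = new Contact(Id = contactId, Email = newEmail);
        update c;
    }

    private static void requireEmailUpdateable() {
        if (!Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new System.NoAccessException();
        }
    }
}

// Case 2 (vulnerable): the user-facing entry point contains no DML at all.
// The unchecked INSERT sits in a separate repository class. Looked at one class
// at a time, the controller is harmless and the repository has no obvious
// entry point; only a cross-class call graph ties @AuraEnabled createLead()
// to the INSERT and reports the missing CRUD check.
public with sharing class LeadIntakeController {
    @AuraEnabled
    public static Id createLead(String company, String email) {
        return LeadRepository.insertLead(company, email);   // reachable DML
    }
}

public with sharing class LeadRepository {
    public static Id insertLead(String company, String email) {
        Lead l = new Lead(LastName = company, Company = company, Email = email);
        insert l;                                       // no isCreateable() check on Lead
        return l.Id;
    }
}

// Case 2 (hardened): same call graph, but the repository now gates the DML.
// Object-level create permission is checked explicitly, and
// Security.stripInaccessible drops any field the running user cannot create
// before the INSERT, so the data-op is reached only through enforcement.
public with sharing class LeadRepositoryHardened {
    public static Id insertLead(String company, String email) {
        if (!Schema.sObjectType.Lead.isCreateable()) {
            throw new System.NoAccessException();
        }
        Lead l = new Lead(LastName = company, Company = company, Email = email);
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, new List<Lead>{ l });
        List<Lead> safe = (List<Lead>) decision.getRecords();
        insert safe;
        return safe[0].Id;
    }
}
```

The useful property of the hardened repository is that the check and the DML sit on the same resolved path, so the finding disappears for the right reason rather than because the scanner stopped looking at the class boundary.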
Multi-org without uploading any of it
The Pack ships 10 floating Pro activations sharing one `team_id`. Each activation binds to the laptop on the first `vulkro activate`, then scans any number of client SFDX projects on that laptop through a one-year term. There is no per-org gate inside the engine; the consultant rotates through clients as the engagements land.

`VULKRO_OFFLINE=1` enforces zero network calls at the process boundary if a client contract requires it. The CVE bundle lives in the binary; updates ship through a separate signed download whose timing you control.
Pricing for the consultancy
The Vulkro Consultancy Pack is $1,499 for one year, 10 floating activations. There is no auto-renewal. When the term expires the CLI keeps working at the Free tier on the bound machines; Pro features prompt for renewal. You buy a fresh Pack when you decide to.
The Pack is sold by inquiry while we validate the audience. Email [email protected] with your consultancy name, rough number of client orgs you audit per year, and how many consultants would use the seats. We reply within one business day.
Why offline matters here
Every client engagement starts with an NDA. Many of those NDAs forbid sending client code to "third-party services" or "external data processors." A SaaS code scanner is exactly the kind of processor procurement teams are getting trained to flag.
Vulkro is a single static binary. No telemetry, no upload, no account, no cloud LLM. Your consultant reads the report, fixes the client's code, writes the deliverable, deletes the local checkout. The audit tool was never a data processor.
Compare with the alternatives
- vs CodeScan: the most common direct comparison.
- vs Snyk: if you have clients pushing SaaS scanners on you.
- vs Semgrep: the open-source angle.
Ready to discuss your engagement model?
Email [email protected]
Tell us your consultancy name, roughly how many client orgs you audit in a year, and how many consultants would be using the Pack. We send back a proposal within one business day.