How Pricing Works for a Main Domain and Similar Sub-Domains
Last updated: June 5, 2026
Introduction
If your application runs across a main domain and multiple sub-domains that share the same (or very similar) codebase, you may be wondering how Astra handles pricing and scan coverage. This article explains how scoping and billing work in that scenario, so you can plan your security coverage without surprises.
Who Should Read This
This is relevant for SaaS companies, agencies, or engineering teams where a single application is deployed across a parent domain and customer-specific or region-specific sub-domains that share 90% or more of the same codebase.
How Sub-Domain Pricing Works by Plan
Pentest Plan
If your sub-domains run the same application as your main domain (with 90% or more code overlap), one pentest covers:
A thorough assessment of your primary target domain (e.g., www.domain.com or app.domain.com)
Scanning of sub-domains that are reachable as dependencies from within the main target
A targeted, non-comprehensive review of remaining sub-domains — not a full independent assessment of each one
Example structure:
Because the codebase is largely identical, fixes applied to vulnerabilities found in the main target can typically be replicated across sub-domains. You can also communicate this to customers or partners as confirmation that the shared codebase has been assessed.
Scanner or Expert Plan
Pricing in these plans is per target. Each unique domain or sub-domain you want scanned independently requires its own target purchase.
You can, however, configure extra hosts within a target's scope to include related sub-domains as part of the same scan session, as long as they share the same root domain.
Best Practices
If your sub-domains are customer-facing dashboards running identical code, one pentest on the main domain is usually sufficient for compliance and certification purposes.
Apply security fixes from the main domain scan across all sub-domains that share the same codebase.
For sub-domains with meaningfully different features, user roles, or backend logic, consider adding them as separate targets for more accurate coverage.
When in doubt, discuss your specific structure with the Astra sales team for a tailored scope and pricing recommendation.
Troubleshooting
My sub-domain has unique features not present on the main domain. Will those be tested?
Not comprehensively under a single pentest. If a sub-domain has distinct functionality, it should be set up as a separate target.
Can I list multiple sub-domains on my pentest certificate?
The certificate is issued per target. If you need separate certificates for each sub-domain, each one needs to be set up as its own target.
I'm not sure if my sub-domains qualify as 90% similar. What should I do?
Reach out to your account manager or the sales team. They can review your application structure and recommend the right scoping approach.