ModernPentest

Embedding Attestations

Put a verified-pentest signal on your marketing site, README, or trust page

ModernPentest gives you three embeddable formats so prospects can see, at a glance, that your application has been pentested:

  • Pill badge — a small, marketing-grade signal
  • Attestation card — a richer card with status and severity counts
  • Markdown badge — a static image variant for README files

All three link back to your public attestation page, so a click takes the viewer to the full verifiable document.

Embeds are unlocked on paid plans. See Letters of Attestation for the tier matrix.

Where to find the snippets

Open any published attestation in the dashboard at /dashboard/attestations/[id]. The Embed on your website section at the bottom of the page lets you switch between the three formats and copy the ready-to-paste snippet for each. Each tab also shows a live preview of what the embed will look like, so you can see the difference before choosing.

Only published attestations can be embedded. If your attestation is still in Private mode, the Embed section won't appear — flip visibility to Unlisted or Public first.

Pill badge (220 × 48)

A compact pill with the ModernPentest brand mark, a one- or two-word label, and a green check disc on the right when the attestation is active.

Try it

Switch the controls below to see how the badge renders in each combination of status and framework tag — this is the exact component that ships in the production embed:

  • Surface: white, slate-200 hairline border, fully rounded, soft elevation
  • Typography: Plus Jakarta Sans, semi-bold, 13px
  • Hosts: background-agnostic — the brand mark has its own dark surface so it reads on any host page color

HTML snippet

<iframe src="https://modernpentest.com/embed/trust-badge/<publicId>"
        width="220" height="48" frameborder="0"
        title="Verified by ModernPentest"></iframe>

Replace <publicId> with the value shown on your attestation detail page (or just copy the snippet directly from the dashboard).

Status states

State | Visual
Active | White pill, dark text, green check on the right
Last verified | White pill, muted slate text, no check (expired)
Revoked | White pill, red-toned text, no check

The badge updates automatically — there's nothing to redeploy when an attestation expires or is revoked. The viewer always sees the live status.

Where to put it

The badge is sized for inline placement next to other trust signals. Common spots:

  • Footer — alongside compliance badges (SOC 2, GDPR) and customer logos
  • Hero section — under the headline as a small "Pentested by" credit
  • Pricing page — near the "Enterprise" tier as security validation
  • About page — in the security/compliance section

Attestation card (360 × 240)

A full card showing organization, application, status, outcome, and severity counts (where the redaction profile permits).

Try it

Switch status, outcome, framework, and redaction profile to see how each combination affects the card. The "Open findings" outcome combined with the "Minimal" profile shows the redaction-respecting empty body — a common question we get from customers:

HTML snippet

<iframe src="https://modernpentest.com/embed/attestation-card/<publicId>"
        width="360" height="240" frameborder="0"
        title="ModernPentest Attestation"></iframe>

What appears in the body

The card respects the attestation's redaction profile:

  • Minimal — when there are zero critical/high open, the outcome banner shows "No critical or high outstanding" in green. When there are open findings, the body shows "Detail withheld by issuer." (no counts shown).
  • Standard / Detailed — when there are zero critical/high open, the outcome banner shows the green status. When there are open findings, a 5-column severity grid (C / H / M / L / I) shows the counts.

Status pill colors

State | Pill
Active | Green "Verified" + check
Expired | Amber "Expired"
Revoked | Red "Revoked"
Pending | Slate "Pending" (rare — only during PDF render)

Where to put it

The card carries more visual weight than the badge — give it room to breathe:

  • Trust page — as the primary artifact at the top of /security or /trust
  • Sales decks — screenshot the card for slide decks (the public attestation page is the canonical source — refresh the screenshot quarterly)
  • Customer portal — a logged-in trust signal for high-touch customers
  • Vendor risk responses — embedded in a customer-facing security questionnaire

Markdown badge (for README)

For environments where iframes don't render — most notably GitHub READMEs, PyPI/npm package descriptions, internal wikis — paste a Markdown image link:

[![Pentested by ModernPentest](https://modernpentest.com/embed/trust-badge/<publicId>/badge.svg)](https://modernpentest.com/trust/<your-org-slug>/<publicId>)

This renders the same pill badge as a static SVG, with a click-through to your public attestation page.

The Markdown badge always shows the latest live status. If the attestation is revoked or expires, the badge updates automatically — no need to push a new commit.

Light vs dark host pages

All three embed variants ship with a white surface by default — the goal is to look like a polished marketing chip on any host page. They work best on light or neutral backgrounds (light grey, off-white, very light tinted colors).

For dark host pages, the white pill provides good contrast and is intentional — it pulls the viewer's eye like a sticker on a darker page. If you'd prefer a dark variant, the attestation team is tracking demand — let us know via feedback.

How embeds stay up to date

You don't redeploy or refresh the snippet when an attestation's status changes. The iframe re-fetches the live state from ModernPentest each time the host page loads, so:

  • Revoking an attestation immediately turns every embedded badge to "Revoked"
  • Expiring turns the pill to "Last verified" without you needing to touch your site
  • Renewing with a new attestation requires a new publicId in the snippet (the prior publicId keeps showing the old, now-expired attestation — swap it on your site when you publish the renewal)
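Because a renewal needs a new publicId, an old snippet left on a page keeps showing the expired attestation. The following is an added example, not ModernPentest code: a check for your own site build that scans HTML or Markdown for embed and attestation-page URLs in the shapes shown on this page and reports any that are not https, not served from modernpentest.com, or that carry a publicId other than the current one. The ids `att_NEW` and `att_OLD`, the host `badges.example.net`, and the function name `audit_embeds` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

EXPECTED_HOST = "modernpentest.com"  # host used by every snippet on this page
# Path shapes copied from the page's snippets; the named groups capture the publicId.
PATHS = re.compile(
    r"^/(?:embed/(?:trust-badge|attestation-card)/(?P<embed>[^/]+)(?:/badge\.svg)?"
    r"|trust/[^/]+/(?P<trust>[^/]+))/?$"
)
URLS = re.compile(r"""[a-z][a-z0-9+.-]*://[^\s"'<>()]+""", re.IGNORECASE)

# Constructed sample: att_NEW, att_OLD and badges.example.net are made-up values.
SAMPLE = """
<iframe src="https://modernpentest.com/embed/trust-badge/att_NEW"></iframe>
<iframe src="https://modernpentest.com/embed/attestation-card/att_OLD"></iframe>
<iframe src="http://modernpentest.com/embed/trust-badge/att_NEW"></iframe>
[![Pentested by ModernPentest](https://badges.example.net/embed/trust-badge/att_NEW/badge.svg)](https://modernpentest.com/trust/acme/att_OLD)
"""


def audit_embeds(text, current_id):
    """Return sorted (url, problem) pairs for embed/attestation URLs in text."""
    findings = set()
    for url in URLS.findall(text):
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # not a parseable URL
        match = PATHS.match(parts.path)
        if not match:
            continue  # not an embed or attestation-page URL
        if (parts.hostname or "").lower() != EXPECTED_HOST:
            # A badge path on another host is a copy, not the live embed.
            if match.group("embed"):
                findings.add((url, "unexpected host"))
            continue
        if parts.scheme.lower() != "https":
            findings.add((url, "not https"))
        if (match.group("embed") or match.group("trust")) != current_id:
            findings.add((url, "stale publicId"))
    return sorted(findings)


if __name__ == "__main__":
    for url, problem in audit_embeds(SAMPLE, "att_NEW"):
        print(f"{problem}: {url}")
```

Run it over the rendered pages and README in the same pipeline step that publishes the renewal, passing the new publicId as `current_id`.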

FAQ

Can I host the badge from my own domain?

Not yet. All three formats are served from modernpentest.com/embed/... so the cryptographic chain of trust stays clear: anyone inspecting the page can see the badge is genuinely sourced from ModernPentest. Vanity-domain embeds are on the roadmap.

Can I customize the colors or copy?

Not yet. The visual language is intentionally consistent so prospects can recognize a genuine ModernPentest signal at a glance. Theming is on the roadmap; copy customization is unlikely (consistent text helps verification trust).

Does the embed iframe affect my page load?

The iframe loads asynchronously and is small (~5 KB for the badge HTML, ~3 KB for the SVG variant). It doesn't block your page render. The Convex query that backs it is cached aggressively at the edge.

Will the embed work on a static site / Jekyll / Hugo / Astro?

Yes. All three formats are plain <iframe> or ![]() markdown — no JavaScript runtime is required on your site. The iframe brings its own JS (loaded inside the iframe document) but it's sandboxed.

Can I detect the status programmatically?

For automation use cases — e.g., a CI check that fails if your attestation is revoked — query the public verification endpoint:

curl -s "https://modernpentest.com/api/v1/attestations/verify?publicId=<publicId>"

A future Public API release will include richer programmatic access. See Verification for what the endpoint returns today.
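A CI gate of the kind described above should fail closed, since `curl -s` prints nothing on a network error and an empty body must not count as a pass. The following is an added example, not ModernPentest code. The response shape is not documented on this page, so the JSON field name `status` and the lowercase value `active` are assumptions to replace with what the Verification page specifies.

```python
import json
import sys

# Assumption: the endpoint returns a JSON object whose "status" field holds the
# attestation state as a lowercase string. Neither detail comes from this page.
STATUS_FIELD = "status"
PASSING = {"active"}


def gate(body, field=STATUS_FIELD):
    """Return (ok, reason). Anything that is not clearly active fails the build."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False, "response is not JSON"  # empty body, HTML error page, etc.
    if not isinstance(doc, dict):
        return False, "response is not a JSON object"
    status = doc.get(field)
    if not isinstance(status, str):
        return False, f"no '{field}' string in response"
    status = status.strip().lower()
    if status in PASSING:
        return True, "attestation is active"
    # Expired, revoked, pending and any unknown state all fail.
    return False, f"attestation status is '{status}'"


if __name__ == "__main__":
    # Reads the verify endpoint's response from stdin, e.g. piped from curl -s.
    ok, reason = gate(sys.stdin.read())
    print(reason)
    sys.exit(0 if ok else 1)
```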

Last updated: April 28, 2026
