SQUR vs Horizon3.ai — different segments, overlapping capability

Horizon3.ai is the autonomous-pentesting platform that grew up in the US enterprise market. Nearly 5,000 customers, FedRAMP High, MSSP-channel-first, $186M raised. Their recent NodeZero WebApp Pentest (Early Access) lands them in territory SQUR has owned for EU SMEs since launch. The capability overlap is real; the segment and compliance overlap is small. Here's where each is the right call.

The headline

Each row compares SQUR with Horizon3.ai NodeZero.

  • Primary use case
      SQUR: On-demand web + API pentest report
      Horizon3.ai NodeZero: Continuous network + identity + (new) web app pentesting
  • Target buyer
      SQUR: EU SME / mid-market (20–500 employees)
      Horizon3.ai NodeZero: US enterprise + government (MSSP-channel-first)
  • Entry pricing
      SQUR: €1,995 per pentest, transparent flat fee
      Horizon3.ai NodeZero: Enterprise subscription, sales-led (5-figure annual minimum)
  • Turnaround
      SQUR: 24 hours from start to report
      Horizon3.ai NodeZero: Continuous validation product (per-engagement pentest is a feature, not the main motion)
  • Compliance fit
      SQUR: DORA Article 24, NIS2 Article 21(2)(e), GDPR Article 32
      Horizon3.ai NodeZero: FedRAMP High, NIST CSF, NSA CAPT, DoD STIG
  • Data residency
      SQUR: GCP Brussels (europe-west1), documented per engagement
      Horizon3.ai NodeZero: Not documented as EU-only; FedRAMP High is US-region
  • Channel model
      SQUR: Direct-to-SME self-serve + emerging partner program
      Horizon3.ai NodeZero: MSSP-channel-first; partners serve the majority of customers
  • Scale signal
      SQUR: Tens of customers, expanding
      Horizon3.ai NodeZero: ~5,000 organisations, 100k+ pentests, $186M raised
  • Best for
      SQUR: EU compliance-driven SME pentest with audit-ready report
      Horizon3.ai NodeZero: Mature US enterprise programs with internal SOC + MSSP support

Where Horizon3.ai wins decisively

Horizon3.ai is the more mature autonomous-pentest platform measured by scale, integration depth, and government / enterprise references. Nearly 5,000 customers, $186M raised across six rounds, FedRAMP High authorisation. Recent moves: 137% YoY ARR growth, enterprise segment grew 485% YoY in 2025, Prosperity7 / Saudi Aramco Ventures investment January 2026.

If your situation is:

  • US-headquartered enterprise (1,000+ employees) with a mature security team running continuous validation.
  • FedRAMP High or NIST CSF compliance program. US Federal / DoD contracting context.
  • Network + identity + lateral-movement testing is the primary attack-surface concern, with web app testing as a complementary scope (now available as NodeZero WebApp Pentest, Early Access).
  • You consume through an MSSP partner who already runs NodeZero — partner-channel buying is your norm.
  • EU data residency is not a regulatory requirement for you.

— then Horizon3.ai is the right tool, and likely already in your MSSP's stack. SQUR isn't trying to compete in this market.

Where SQUR wins

SQUR addresses the EU SME compliance-driven pentest market that Horizon3.ai's commercial model doesn't reach. The 20–500-employee European company under DORA Article 24 or NIS2 Article 21(2)(e) scope that needs a credible annual pentest report — at a budget that doesn't require a five-figure annual subscription, on a timeline that fits an audit calendar, with data that stays in the EU.

If your situation is:

  • EU-headquartered, regulated under DORA, NIS2, GDPR, or ISO 27001.
  • 20–500 employees. Lean security function. No dedicated red team budget.
  • Need a pentest report for a specific audit, customer requirement, or compliance cycle — not a continuous validation program.
  • Web applications, APIs, customer portals, partner integrations are your primary attack surface.
  • EU data residency is non-negotiable (regulator-driven, customer-driven, board-driven).
  • Want predictable cost: €1,995 fixed per engagement, no annual minimum, no MSSP intermediary.

— SQUR is purpose-built for this. We're not an enterprise continuous-validation platform; we're a fast, audit-ready EU pentest at SME-accessible pricing.

The overlap zone — NodeZero WebApp Pentest

NodeZero entering web application pentesting (Early Access announced 2026) is the most direct overlap with SQUR's capability. Their announcement positions it as "XSS, SQL injection, broken access control, SSRF — with full attack chain across web apps + identity + infrastructure."

This is genuinely competitive on capability. Where SQUR still wins for EU SMEs:

  • Pricing model. NodeZero WebApp Pentest comes as a subscription add-on inside the broader NodeZero platform; SQUR is €1,995 per engagement, no platform fee.
  • EU data residency. SQUR's report is generated in GCP Brussels; NodeZero's infrastructure footprint is US-anchored.
  • Compliance specificity. SQUR's report ships pre-mapped to DORA Article 24 evidence requirements + NIS2 Article 21(2)(e). NodeZero's compliance language is FedRAMP / NIST CSF first.
  • Direct buying. NodeZero is partner-first; the MSSP layer adds friction for EU SMEs who don't already have an MSSP relationship.

For US enterprises already on NodeZero infrastructure: their WebApp Pentest add-on is the right call. For EU SMEs starting from scratch: SQUR's direct model removes the MSSP intermediary.

The "could we use both?" question

For enterprises that overlap both segments (e.g. a US-headquartered multinational with EU regulated subsidiaries), a two-vendor pattern is sensible:

  • NodeZero quarterly on the US-side infrastructure + identity + network surface. Continuous validation against the broader enterprise estate.
  • SQUR quarterly on the EU-side web + API surface for the regulated subsidiary. EU-resident report directly usable as DORA Article 24 evidence by the national supervisory authority.

This pattern is uncommon today because few enterprises are large enough to need both. As NIS2 + DORA enforcement tighten on EU subsidiaries of US multinationals, expect it to become more common.

Honest gaps in SQUR

  • No FedRAMP authorisation. If your buying process requires FedRAMP High, SQUR doesn't qualify. Horizon3.ai does.
  • No network / infrastructure / identity pentesting. SQUR scope is web + API + authentication + business logic. NodeZero's broader network coverage is genuinely valuable for mature enterprises.
  • Not continuous validation. SQUR is per-engagement. NodeZero is continuous. If your security maturity requires continuous CTEM, NodeZero or similar is the right model.
  • No MSSP channel program at scale. Our Track 2 / Track 3 ambassador program (launched 2026 — see /partners) is the early version of this. NodeZero has thousands of MSSPs in flight.

Decision framework

  1. Geography: US-headquartered or EU-headquartered? — US → NodeZero. EU → SQUR.
  2. Scope: network + identity + web, or web + API only? — Both → NodeZero. Web + API → SQUR.
  3. Cadence: continuous validation program or per-audit engagement? — Continuous → NodeZero. Per-audit → SQUR.
  4. Compliance regime: FedRAMP / NIST or DORA / NIS2? — FedRAMP/NIST → NodeZero. DORA/NIS2 → SQUR.
  5. Channel preference: MSSP-mediated or direct? — MSSP → NodeZero. Direct → SQUR.

Try SQUR's free attack-surface scan

15 checks on your domain in under 60 seconds. No signup. Honest preview of what a €1,995 SQUR pentest would surface. If you're under DORA scope and need a real Article 24 report after that, the paid engagement takes 24 hours.
