Network · Web · API · CI/CD · Code - One Platform

Your Scanner Finds Vulnerabilities. Pentesterra Tells You Which Ones Actually Work.

Verified exploits. Attack chains. Continuous coverage across internal and external perimeter - inside one platform, deployed in minutes.

What your current stack is missing

Your network scanner finds CVEs. Your DAST tool finds web issues. Your pentest vendor delivers a PDF every 6 months.
None of them tell you: which findings are actually exploitable, how they chain together, or what an attacker gets when they do.

Pentesterra execution model differentiation

Pentesterra runs its own scanning engine, maintains its own knowledge base of exploitation scripts, and deploys its own scanner nodes. LLM reasoning powers adaptive verification - not finding generation. DevGuard's local agent collects only metadata; your source code never leaves your machine.

An attacker doesn't see three reports. They see a path.

Your tools each find pieces. None of them see how those pieces connect into an actual attack route. Pentesterra correlates findings from every source into the chain - and tells you which node to fix first.

Without correlation

ASM

Network Scanner

CVE-2025-0282 - Ivanti pre-auth RCE (CISA KEV)

DAST

Web Scanner

Auth bypass on /api/admin endpoint

Pentest

Annual PDF

AD lateral movement possible (manual note)

3 tickets. No priority. No path. No action.

PentestBrain Attack Chain - fully exploited end-to-end

  • Initial Access (exploited): CVE-2025-0282 - Ivanti RCE confirmed. $ whoami → www-data (remote shell obtained)
  • Privilege Escalation (exploited): Auth bypass → admin panel access. Admin JWT captured: eyJhbGci… (session active)
  • Lateral Movement (exploited): AD credential extraction → DC access. NTLM hash: CORP\svc_backup (crackable offline)
  • Impact (reached): Customer DB · Finance system. DB connection string obtained from DC registry
  • Fix priority: Patch CVE-2025-0282 → chain collapses at step 1. Steps 2–4 become unreachable.

Threats your current stack doesn't connect

Each of these attacks happened - or is happening right now. Every tool in your stack might see one piece. None of them show you the chain.

Network → AD → Ransomware - CVE-2025-0282

Ivanti VPN pre-auth RCE → domain compromise in 48h

What happens

Ivanti Connect Secure has a stack overflow exploitable without credentials (CVSS 9.0, CISA KEV, exploited by APT UNC5221 in January 2025). Attacker gets a shell in your DMZ, pivots to internal network, extracts AD credentials, deploys ransomware within 48 hours.

Why your scanner misses the chain

Your network scanner detects CVE-2025-0282 and files it as a ticket. Your AD assessment finds lateral movement paths separately. No tool connects: "this CVE + this AD path = ransomware in 2 days." You triage them independently, CVE gets scheduled for next patch cycle.

How Pentesterra catches it

Continuous scan flags CVE-2025-0282 within days of CISA KEV listing. Attack chain engine correlates it with the discovered AD path in the same scan window. First chain node is marked fix-priority - patch the VPN, the entire chain collapses before it's ever executed.

Auth Bypass → Firewall Admin - CVE-2024-55591

FortiOS auth bypass → super-admin access - 89 days between your pentests

What happens

FortiOS 7.0.0–7.0.16 and FortiProxy allow an unauthenticated attacker to gain super-admin privileges via a crafted Node.js websocket request (CVSS 9.6). Exploited as a zero-day before disclosure on January 14, 2025. Attacker creates admin account, opens firewall rules to internal segments.

Why quarterly pentest misses it

CVE was disclosed January 14, 2025 - after your Q4 assessment. Next pentest is Q2. Your environment was exposed for 89 days while the patch was available and attackers were already exploiting it.

How Pentesterra catches it

Continuous coverage means the CVE is tested within the same week as disclosure. Potential vulnerability calculation handles firewall management interfaces even when they are partially protected. Exposure window: hours, not the next quarter.

Business Logic · IDOR - No CVE, by design

IDOR in payment API - your DAST never touches it

What happens

An authenticated API endpoint /api/orders/{id} uses sequential integer IDs. Any logged-in customer can enumerate all orders by incrementing the ID - accessing payment details and PII of every other user. No error, no log alert, no CVE.

Why DAST misses it

DAST runs unauthenticated or with a single test account. It can't understand that id=1002 belongs to a different user. It sees a 200 OK and moves on. Business logic flaws need context about what "correct behavior" looks like - DAST doesn't have it.

How Pentesterra catches it

Business Process Detection identifies the payment flow (BP-PAY-001). Authenticated web pentest runs with real credentials across two test accounts. IDOR detection validates cross-account object access. Finding is mapped to PCI-DSS compliance gap with financial risk estimate.

Supply Chain · CI/CD - CVE-2025-30066

Compromised GitHub Action exposed CI/CD secrets of 23,000+ repos

What happens

In March 2025, tj-actions/changed-files - a GitHub Action used by 23,000+ repositories - was compromised. Malicious code printed all CI/CD secrets (GITHUB_TOKEN, AWS keys, deployment credentials) to workflow logs. If your AWS credentials were in CI: immediate cloud compromise.

Why network scanners and DAST miss it

Your network scanner doesn't inspect GitHub Actions YAML. Your DAST doesn't scan CI/CD pipeline configs. Your quarterly pentest doesn't include GitHub in scope. The threat lives entirely in the developer's toolchain - outside every traditional security perimeter.

How DevGuard catches it

DevGuard scans GitHub Actions workflow files and cross-references action versions against a continuously updated compromised package and action database. Developer gets a warning before push: "tj-actions/changed-files@v46 is flagged as compromised - pin to safe commit hash or remove." Caught at the developer's machine, before the secret is ever exposed.
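The kind of pre-commit check described above, as an added example written for this page (it is not DevGuard's code). It pulls every remote `uses:` reference out of a workflow file, flags actions on a compromised list, and flags actions referenced by a mutable tag or branch instead of a full commit SHA. The workflow text, the compromised list and the 40-hex commit reference are all constructed sample data; only `tj-actions/changed-files@v46` comes from the page.

```python
import re

# Matches `uses: owner/repo[/sub/path]@ref` lines; `docker://` and local `./path`
# references have no owner/repo@ref form and are skipped on purpose.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?:/[^@\s]+)?@(\S+)", re.M
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed compromised list: action -> refs flagged ("*" = every ref).
# tj-actions/changed-files@v46 is the flagged example on this page; the
# second entry is a made-up placeholder that exercises the wildcard.
COMPROMISED = {
    "tj-actions/changed-files": {"v46"},
    "example-org/placeholder-action": {"*"},
}

# Constructed workflow; the 40-hex ref is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v46
        with:
          files: src/**
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
"""


def parse_uses(workflow_text):
    """Return (action, ref) pairs for every remote action the workflow uses."""
    return [(m.group(1), m.group(2)) for m in USES_RE.finditer(workflow_text)]


def check_workflow(workflow_text, compromised=COMPROMISED):
    """Return warning strings in workflow order; an empty list means clean."""
    warnings = []
    for action, ref in parse_uses(workflow_text):
        bad_refs = compromised.get(action, set())
        if "*" in bad_refs or ref in bad_refs:
            warnings.append(
                f"{action}@{ref} is flagged as compromised - pin to a safe commit hash or remove"
            )
        elif not FULL_SHA_RE.match(ref):
            # A tag or branch can be re-pointed at malicious code after review;
            # a full commit SHA cannot.
            warnings.append(
                f"{action}@{ref} is not pinned to a full commit SHA - mutable tag or branch"
            )
    return warnings


if __name__ == "__main__":
    for line in check_workflow(SAMPLE_WORKFLOW):
        print("WARNING:", line)
```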

"AI pentesting" - what that actually means here

We scan. We run verification. We consult AI where AI is genuinely better than a fixed rule. The scanner is our code - LLM is a tool we reach for, not the engine.

01

Scan driven by playbooks and KB graphs

Scanning is orchestrated by playbooks trained on our continuously updated Knowledge Base - not simple if-else rules. During the scan, enrichment playbooks gather detailed target context and feed it into triage and verification steps in a single pass.

Tools like nmap and nuclei are part of the arsenal - auxiliary utilities inside a proprietary orchestration layer. This lets us manage parallel tasks, distribute scanning across nodes, and control enrichment in ways those tools can't do standalone.

02

Verification: own scripts, KB, nmap/nuclei, Attack Chain

Verification isn't a single method. For each finding we run the most appropriate path: our own non-destructive scripts (separate verify and exploit modes), KB-matched checks, nmap NSE scripts or nuclei templates, Attack Brain Chain for full attack vector simulation - or a generated PoC.

When KB-based logic reaches its limit, we consult LLM. AI is used in specific cases where it genuinely outperforms deterministic rules - it's a consultant in the loop, not the scanner.

03

Attack chains from verified findings

Verified findings from web, network, and DevGuard scans are correlated using a deterministic graph (~145 typed edges). A chain exists only when all connecting nodes have confirmed findings in your environment - no inference, no guesses.

Attack Brain Chain tests full attack vectors end-to-end - the same way a pentester would manually chain findings. Each chain shows progression from initial access to blast radius, with the first node as fix priority.

Where DAST stops. Where we continue.

Most scanners test what's visible without a login. Pentesterra tests what happens when someone is logged in - and deliberately does the wrong thing.

Authenticated testing

Grey-box mode runs with real credentials - session tokens, API keys, or form-based login flows. Auth state is maintained across the entire scan: the scanner doesn't forget who it's logged in as between requests.

  • Form login, OAuth, SSO flows supported
  • Multi-step auth sequences handled
  • Two separate accounts for cross-user access testing

Business logic flaws

IDOR, bypassable workflows, mass assignment, race conditions, unverified state transitions - these aren't CVEs. They're design decisions that let the wrong user reach the wrong resource. No scanner finds them without context.

  • IDOR: can user A access user B's objects?
  • Race condition: two requests, one validation
  • Mass assignment: unintended fields accepted by API
  • Bypassable step: can checkout skip payment verification?

Business process mapping

Pentesterra automatically identifies what business processes are present in the target - payment flows, identity & access, customer data APIs, CI/CD integrations. Each finding is mapped to the process it threatens and the compliance scope it touches.

  • BP-PAY-001 · BP-AUTH-001 · BP-DATA-001
  • Compliance mapping: PCI-DSS, GDPR, HIPAA, SOX
  • Financial risk estimate per affected process

Built for security leaders and technical teams

Different roles need different answers from the same platform.

CISO · VP Security · IT Risk

Security Leadership

  • Board-ready reporting backed by verified evidence - no CVSS guesswork
  • Continuous coverage replaces annual pentest cycles and compliance gaps
  • Full audit trail on every triage override - who buried what and when

Red Teams · DevSecOps · Developers

Offensive & Engineering

  • Exploitation proof attached - PoC from CISA KEV, Metasploit, or ExploitDB
  • Fix what's actually exploitable - not what scores highest on CVSS
  • DevGuard catches secrets and logic flaws before they reach the repo

MSSPs · Security Consultants

Managed Security Providers

  • Isolated scanner nodes and per-scope processing per client
  • White-label PDF reports ready for delivery
  • One control plane across your entire book of business

58% of raw scanner noise suppressed before findings reach your team

Signal, not noise.

Each module - network scan, web/API pentest, DevGuard - has its own built-in FP suppression. Findings move through triage automatically; only verified results enter the remediation queue.

  • Mark any finding as False Positive once - it won't resurface on re-scan until the underlying signal changes
  • Enable auto-verify on a scan profile - verification runs per finding automatically at the end of each scan cycle
  • High-watermark logic: once verified, a finding stays verified even if a later scan misses it
  • Every exclusion is logged with full audit trail - who marked it (FP / Accepted Risk / Won't Fix), when, and with what reason. Any team member can review and revoke. Protects against contractors hiding findings they don't want to fix.

Triage Status Model

Every finding passes through 5 evidence levels - from initial scanner detection to confirmed exploitation, with potential vulnerabilities surfaced and queued for KB-script verification before confirmation. The peak status is never downgraded: once a finding is verified, it stays verified even if a subsequent scan misses it.

  • High-Watermark Logic - The best result never downgrades.
    Even if a rescan returns a lower signal, the peak is retained.
  • Latest-Scan Tracking - Status updates every scan cycle.
    Historical and current perspective on each finding.
  • Analyst Overrides - False Positive, Accepted Risk, or Won't Fix.
    Hidden from future scans, but never silently deleted. Every override records: who added it, when, and why. Any team member can see and revoke exclusions - protecting against findings being quietly buried by an analyst or contractor who doesn't want to remediate.

Full-Spectrum Offensive Coverage

Every offensive security discipline in one triage-first control plane.
Verification is driven by PentestBrain - an adaptive reasoning loop that picks the next tool based on what was found, not a fixed script.

VM

Vulnerability Management

Detection, classification, and structured lifecycle tracking of every identified vulnerability.

ASM

Attack Surface Management

Continuous discovery and mapping of external and internal exposure across your infrastructure.

BAS

Breach & Attack Simulation

Automated testing of defenses through controlled offensive scenarios across the environment.

ANPTT

Controlled Automated Pentest

Real exploitation with evidence capture - proof of compromise, not theoretical risk scoring.

Scanned attack surfaces
External perimeter
  • Public IPs & cloud-facing services
  • Domain & subdomain enumeration
  • SSL/TLS exposure & cert issues
Internal network & AD
  • Subnets, segments & internal services
  • Active Directory enumeration
  • Lateral movement paths
Web & API
  • Black-box & grey-box (authenticated)
  • REST, GraphQL, SOAP
  • Business logic & IDOR
CI/CD & supply chain
  • Vulnerable dependencies (DevGuard)
  • Leaked secrets & hardcoded creds
  • Partial-visibility targets (WAF/CDN)

Every gap between scans is an open window.

Between quarterly pentests, your environment changes - new deployments, new CVEs, new misconfigs. An attacker doesn't wait for your next assessment.

Quarterly pentest

  • Q1 - ~89 days exposed
  • Q2 - ~89 days exposed
  • Q3 - ~89 days exposed
  • Q4 - ~89 days exposed
  • ≈ 356 days/year exposed

Continuous with Pentesterra

  • Any scope · any frequency · targeted CVE scans on demand
  • Exposure window: hours

Run as many scans as you need - internal perimeter, cloud, external, specific vulnerability classes. Compliance scope is a subset. Your full attack surface needs continuous coverage.

Evidence-Based Findings

A potential finding is just a signal. Before it reaches your team, it goes through the most appropriate verification path - and arrives with proof attached.

Potential

Unconfirmed signal from scan - could be WAF-masked, banner-inferred, or heuristic match

Verification method chosen by PentestBrain

  1. Own non-destructive scripts - verify + exploit modes, production-safe
  2. KB-matched checks - knowledge base rule matching per vuln class
  3. nmap NSE / nuclei templates - auxiliary toolchain under orchestration
  4. Attack Brain Chain - full end-to-end attack vector simulation
  5. Generated PoC - targeted proof-of-concept for the specific finding

Verified

  • $ whoami → www-data
  • Admin JWT captured
  • 200 OK · sensitive field exposed
  • NTLM hash: CORP\svc_backup

Evidence attached · enters remediation queue

From Findings to Business Risk

Verified findings are correlated into multi-step attack chains - modelling how a real attacker moves through your environment, what they can reach, and what they can extract. Business processes, logic flaws, and compliance gaps are part of the analysis.

  • Attack Chain Analysis - Findings from web, network, and CI/CD sources are correlated against a deterministic relationship graph (~145 typed edges between vulnerability classes). A chain exists only when all connecting nodes have confirmed findings in your environment - no AI inference, no guesses. The first node in the chain is always the fix priority: patch it, and the chain collapses. Each chain shows progression from initial access to full compromise - with blast radius and what an attacker can extract at every step.
  • Business Process & Logic Impact - Chains are mapped to affected business processes and detected logic vulnerabilities: payment flows, identity & access, API logic, CI/CD pipelines. Each finding is scored by the business function it threatens and the financial risk it carries.
  • Compliance Mapping - Automated mapping to OWASP Top 10, PCI-DSS, GDPR Art. 32/33, NIST 800-53, and ISO 27001. Compliance gaps are derived from actual verified findings - not self-assessments.
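The correlation rule described above under "Attack chains from verified findings" and "Attack Chain Analysis", as an added illustration that is not Pentesterra's engine or graph: a small typed-edge graph between vulnerability classes is constructed here, a chain is reported only when every node on the path has a confirmed (verified or exploited) finding, and the first node is the fix priority. Class names, edge types and asset names are all assumptions modelled on the four-step chain shown earlier on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_class: str
    asset: str
    status: str  # "potential", "verified" or "exploited"


# Constructed typed edges (from_class, to_class, edge_type) modelled on the
# four-step chain on this page; the real graph has ~145 of them.
EDGES = [
    ("pre_auth_rce", "admin_auth_bypass", "foothold_reaches_internal_web"),
    ("admin_auth_bypass", "ad_credential_exposure", "admin_session_reveals_creds"),
    ("ad_credential_exposure", "dc_access", "creds_valid_on_dc"),
    ("dc_access", "sensitive_db_reachable", "dc_holds_connection_strings"),
    ("pre_auth_rce", "ad_credential_exposure", "host_memory_holds_creds"),
]
ENTRY_CLASSES = {"pre_auth_rce"}              # where an external attacker starts
IMPACT_CLASSES = {"sensitive_db_reachable"}   # blast-radius end points
CONFIRMED = {"verified", "exploited"}         # potential-only findings never join a chain

# Constructed findings; asset names are placeholders.
SAMPLE_FINDINGS = [
    Finding("pre_auth_rce", "vpn.example.test", "exploited"),
    Finding("admin_auth_bypass", "intranet.example.test/api/admin", "exploited"),
    Finding("ad_credential_exposure", "svc_backup (placeholder account)", "verified"),
    Finding("dc_access", "dc01.example.test", "verified"),
    Finding("sensitive_db_reachable", "customer-db", "verified"),
    Finding("open_redirect", "www.example.test", "potential"),
]


def confirmed_classes(findings):
    return {f.vuln_class for f in findings if f.status in CONFIRMED}


def find_chains(findings, edges=EDGES):
    """Every entry-to-impact path on which all nodes have a confirmed finding."""
    have = confirmed_classes(findings)
    adj = {}
    for src, dst, _edge_type in edges:
        adj.setdefault(src, []).append(dst)
    chains = []

    def walk(node, path):
        if node in IMPACT_CLASSES:
            chains.append(list(path))
            return
        for nxt in adj.get(node, []):
            if nxt in have and nxt not in path:  # deterministic: no inferred nodes
                walk(nxt, path + [nxt])

    for entry in sorted(ENTRY_CLASSES & have):
        walk(entry, [entry])
    return chains


def fix_priority(chains):
    """First node of each chain: patch it and every step after it is unreachable."""
    return sorted({chain[0] for chain in chains})


def chains_after_fix(findings, fixed_class, edges=EDGES):
    """Re-run correlation as if the finding of `fixed_class` were remediated."""
    return find_chains([f for f in findings if f.vuln_class != fixed_class], edges)
```

Removing the entry-node finding collapses both sample chains, while removing only the auth bypass leaves the shorter path intact, which is why the first node, not the highest-CVSS node, is the fix priority.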

Controlled Architecture. Protected Data.

All data processing happens within Pentesterra's controlled infrastructure. LLM analysis support operates on sanitized payloads, and sensitive fields are redacted before any model processing. Credentials and assessment evidence remain inside the protected processing perimeter.

  • End-to-end encryption across all processing stages
  • Credential vault isolation - secrets never stored alongside scan data
  • No raw secrets are transmitted to third-party models
  • Per-scope processing isolation within controlled infrastructure
  • Distributed scanner isolation - each node operates within its own security boundary
  • Role-based access segmentation across all platform tiers
  • DevGuard thin client - only metadata collected locally, source code never transmitted to the cloud

Pentesterra Core Concepts

The building blocks behind every finding - from detection to decision.

01

DRSE - Dynamic Rule Security Engine

KB-based rule engine that defines automated behavior triggered by scan events: apply a specific scan profile and re-scan a target, send an alert when a certain threat class is detected, or launch an enrichment workflow. Rules are additive - layered on top of standard scan logic without replacing it.

02

Playbooks - Scan & Enrichment Orchestration

KB-trained decision graphs that adapt based on what was found - not if-else rules. Enrichment playbooks run during the scan, feeding context into triage and verification in a single pass.

03

Evidence - Proof Attached to Findings

Every Verified or Exploited finding ships with proof: API response capture, PoC execution log, or session token. Not a severity score - something you can show to a developer and say "here's the shell."

04

Suppression - Smart Override Workflow

Mark a finding as FP, Accepted Risk, or Won't Fix - it disappears from future scans. But the override is never silent: full record stays visible (who, when, reason). Any team member can revoke it. Contractors can't bury findings.
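The triage status model and the override workflow described above (evidence levels, high-watermark retention, latest-scan tracking, and overrides that are logged, visible and revocable), as an added illustration written for this page rather than Pentesterra's implementation. The five level names are assumed; the page names only Potential, Verified and Exploited. The scan sequence in `demo_lifecycle` is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed names for the five evidence levels, lowest to highest; "detected"
# and "queued" are placeholders for the two levels the page does not name.
LEVELS = ["detected", "potential", "queued", "verified", "exploited"]
OVERRIDE_KINDS = {"False Positive", "Accepted Risk", "Won't Fix"}


@dataclass
class Override:
    kind: str
    by: str
    at: str
    reason: str
    revoked_by: Optional[str] = None
    revoked_at: Optional[str] = None


@dataclass
class Finding:
    key: str                  # stable identity across scans, e.g. asset + vuln class
    peak: str = "detected"    # high-watermark: never downgraded
    latest: str = "detected"  # what the most recent scan cycle reported
    history: list = field(default_factory=list)    # (scan_id, level) per cycle
    overrides: list = field(default_factory=list)  # audit trail, never deleted

    def record_scan(self, scan_id, level):
        """Latest-scan tracking plus high-watermark retention."""
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.latest = level
        if LEVELS.index(level) > LEVELS.index(self.peak):
            self.peak = level
        self.history.append((scan_id, level))

    def record_missed(self, scan_id):
        """A rescan that no longer sees the finding lowers `latest` only."""
        self.latest = "missed"
        self.history.append((scan_id, "missed"))

    def suppress(self, kind, by, at, reason):
        """Analyst override; who, when and why are mandatory, so nothing is buried silently."""
        if kind not in OVERRIDE_KINDS:
            raise ValueError(f"unknown override {kind!r}")
        if not reason.strip():
            raise ValueError("an override needs a reason")
        self.overrides.append(Override(kind, by, at, reason))

    def revoke(self, by, at):
        """Any team member can revoke; the override stays in the trail as revoked."""
        for o in self.overrides:
            if o.revoked_by is None:
                o.revoked_by, o.revoked_at = by, at

    def active_override(self):
        return next((o for o in self.overrides if o.revoked_by is None), None)

    def in_remediation_queue(self):
        """Only confirmed (verified or better) findings without an active override."""
        confirmed = LEVELS.index(self.peak) >= LEVELS.index("verified")
        return confirmed and self.active_override() is None

    def audit_trail(self):
        return [(o.kind, o.by, o.at, o.reason, o.revoked_by) for o in self.overrides]


def demo_lifecycle():
    """Constructed walk-through: verified in scan 2, missed in scan 3, peak kept."""
    f = Finding(key="vpn.example.test:CVE-2025-0282")
    f.record_scan("scan-1", "potential")
    f.record_scan("scan-2", "verified")
    f.record_missed("scan-3")
    return f
```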

Platform Architecture

From discovery to validated exploitation - inside one autonomous platform.

Pentesterra - Offensive Security Platform

Core Capabilities: Vulnerability Scanner · Web App Pentesting · Evidence-backed Exploit Triage · AD Lateral Path Mapping · Automated Penetration Tests

Intelligence & Correlation: DRSE Rule Engine · Attack Chain Correlation · Distributed Scanner Network · Credential Vault Isolation · False Positive Suppression

Infrastructure & Reporting: Executive Risk Reports · Compliance Impact Mapping · DevGuard CI Gate · Playbook Automation · Active Threat Intelligence

Agentless. Distributed. Scalable.

No persistent agents on target systems. Pentesterra operates through distributed scanner nodes - deployed externally, internally, or on-premise - coordinated through a central execution control plane. Scale assessment coverage without adding resident software or endpoint footprint.

Zero agent installation · Distributed scanner nodes · Central control plane · Horizontal scaling

Safe to run. Even in staging.

Active scanning doesn't mean uncontrolled scanning. Every operation has explicit boundaries - nothing runs without your consent.

Explicit scope boundaries

Define exactly what gets tested - IP ranges, URL paths, API endpoints, or environment tags. Pentesterra will not reach outside the defined scope. Staging and production run as separate isolated scopes.

Non-destructive by default

All exploit verification uses safe, non-malicious modes - no ransomware simulation, no data destruction. Safe exploitation means proof of exploitability, not damage. Extended toolsets available for GOV under contract.

Rate controls & scheduling

Configure request rate limits and scan windows per node. Run deep assessments during off-hours; lightweight continuous coverage during business hours. No team is disrupted without consent.

Approval gates for exploitation

Automated exploitation can require analyst sign-off before proceeding. Human-in-the-loop mode keeps your team in control of which findings get actively exploited and when.

Workflow built in. Not bolted on.

Findings move through triage, verification, and remediation inside Pentesterra. Where your team already works, verified findings land there automatically.

  • Verified finding: $ whoami → www-data
  • Pentesterra: Triage · RBAC · Remediation
  • Jira ticket: Auto-created with full evidence - steps, severity, asset. Developers fix in the tool they know.
  • REST API: Trigger scans, fetch results, pull reports. Full automation without touching the UI.
  • Built-in RBAC: Analysts, engineers, managers each see what their role permits - enforced at UI and API level.

No rearchitecting required.

Start where you are. No credentials to hand over, no CI/CD integration to wire up, no agent sprawl. Black-box scanning works out of the box - authenticated mode is an option you add when it makes sense.

Developer

DevGuard IDE Plugin

Installs in VS Code, Cursor, or Windsurf as a CLI tool. Run it from the developer's terminal before a commit - or leave it on continuous mode. No CI/CD pipeline change needed to start.

  • Runs locally on the developer's machine
  • Only metadata is sent to the cloud - source code never leaves the workstation
  • Results immediately visible to the security team in the web app
  • Connects to CI/CD later when ready - not a prerequisite
Cloud / SaaS

External scanning - SaaS

Sign up, get a Tier, and scan your cloud-facing assets. No credentials required - black-box is the default. The only prerequisite is a DNS TXT record to verify you own what you're scanning (anti-abuse, takes two minutes).

  • Black-box by default - no accounts, no session tokens needed to start
  • Authenticated mode available as an opt-in for deeper grey-box coverage
  • No scanner VM to deploy - Pentesterra's infrastructure scans from the outside
  • Results in the web app - shareable across your team by role
Internal network

Scanner node - inside your perimeter

A lightweight VM deployed inside your network that connects outbound to the Pentesterra cloud. You control it entirely - nobody else can task it. Switch it on only during scan windows if that's your preference.

  • Outbound-only connection - no inbound ports required
  • Only your team can trigger scans on this node
  • Can be shut down between assessments - data stays in the cloud
  • Covers internal hosts, AD, segmented networks, and staging environments

  • Black-box by default: No accounts, credentials, or privileges to hand over. Scanning starts externally - authenticated grey-box mode is optional, added on your terms.
  • Multi-tenancy: One organization, multiple accounts with isolated scopes. Teams work in parallel without cross-visibility unless explicitly granted.
  • Role-based access: Analysts, engineers, managers, and auditors each see what their role permits - enforced at the UI, data, and API/quota level.
  • Enterprise & GOV: Full on-premise or air-gapped PaaS installation available for regulated environments. Discuss requirements with the team before choosing this path.

From free tier to enterprise - supported at every stage

No feature walls. No "contact sales to unlock basics." The platform is fully accessible from day one.

All tiers
  • Onboarding walkthrough included
  • Full platform access from day one
  • DevGuard free to install and run
  • Documentation and operational guides
Enterprise
  • Priority response on critical findings
  • Expanded support windows
  • Dedicated onboarding for large teams
  • Custom scan profile configuration
Platform evolution
  • KB updated continuously - new threats covered immediately
  • New scan modules ship without breaking existing configs
  • Ecosystem expansion: more languages, more registries
  • No model retraining - playbooks pick up changes instantly

Take Control of Your Attack Surface.

Start with the free tier or talk to us about your environment - network, web, cloud, or on-prem.