Documentation

How Pentu tests your app.

Pentu is a team of AI agents that signs up for your product, uses it like a real customer, and hunts for security and business-logic flaws — then writes a report you actually want to send. This is what it does, and how.

The scan, at a glance

A full scan runs the way a skilled human tester works: understand the product first, then attack it. Recon takes minutes; a full agentic pass takes roughly half an hour.

1. Map the app: A real browser crawls the public site — pages, forms, cookies, and the API calls it makes.
2. Sign up: The agent completes the real signup + onboarding — multi-step wizards, modals, even email verification (it reads its own inbox).
3. Explore logged in: It clicks through the product as a real user and captures the authenticated backend surface.
4. Understand: It figures out what your product actually does, and where the sensitive money/permission/data actions are.
5. Test relentlessly: It explores, forms a hypothesis, tests it, learns, and goes again — with a senior reviewer sending it back for anything it missed.
6. Verify: Every candidate finding is replayed deterministically to confirm it — so the report is real, not guesses.
7. Report: A report you would actually send to your board — with proof, fixes, and everything it verified along the way.

What makes it different

  • It logs in. Most scanners test the login page. Pentu signs up, gets past the wall, and tests the actual product — as two separate accounts, to catch cross-tenant bugs.
  • It proves things. A finding isn't "the field was accepted" — it's "we escalated the account and then performed an admin-only action." Every issue is replayed to confirm it.
  • It shows its work. The report lists every probe it ran — including the attacks your app correctly defeated, and dozens of controls it verified — because that's evidence too.
  • It's a hybrid. The AI is the brain; a real pentester toolbox (nuclei, sqlmap, testssl, a phone-home SSRF collaborator) does the heavy lifting, and the AI decides when to reach for each.