How Pentu tests your app.
Pentu is a team of AI agents that signs up for your product, uses it like a real customer, and hunts for security and business-logic flaws — then writes a report you actually want to send. This is what it does, and how.
The scan, at a glance
A full scan runs the way a skilled human tester works: understand the product first, then attack it. Recon takes minutes; a full agentic pass takes roughly half an hour.
1. Map the app: A real browser crawls the public site — pages, forms, cookies, and the API calls it makes.
2. Sign up: The agent completes the real signup + onboarding — multi-step wizards, modals, even email verification (it reads its own inbox).
3. Explore logged in: It clicks through the product as a real user and captures the authenticated backend surface.
4. Understand: It figures out what your product actually does, and where the sensitive money/permission/data actions are.
5. Test relentlessly: It explores, forms a hypothesis, tests it, learns, and goes again — with a senior reviewer sending it back for anything it missed.
6. Verify: Every candidate finding is replayed deterministically to confirm it — so the report is real, not guesses.
7. Report: A report you would actually send to your board — with proof, fixes, and everything it verified along the way.
Read on
- How a scan works → The full agentic loop, the models behind it, and how it thinks like a human tester.
- What we test → OWASP coverage, business logic, IDOR, strong logout, SSRF, RLS, stored XSS — and how each is proven.
- The toolchain → The AI orchestrates a real pentester toolbox — nuclei, sqlmap, testssl, and a phone-home SSRF collaborator.
- Safe by design → In-scope only, non-destructive, disposable accounts, and a cleanup guide for anything it created.
- Reports & score → The Pentu Score, the report anatomy, PDF/Markdown/email formats, and per-scan AI cost.
- Findings lifecycle → Turn a finding into a task: ignore it, retest it, or let the next scan verify it is fixed.
What makes it different
- It logs in. Most scanners test the login page. Pentu signs up, gets past the wall, and tests the actual product — as two separate accounts, to catch cross-tenant bugs.
- It proves things. A finding isn't "the field was accepted" — it's "we escalated the account and then performed an admin-only action." Every issue is replayed to confirm it.
- It shows its work. The report lists every probe it ran — including the attacks your app correctly defeated, and dozens of controls it verified — because that's evidence too.
- It's a hybrid. The AI is the brain; a real pentester toolbox (nuclei, sqlmap, testssl, a phone-home SSRF collaborator) does the heavy lifting, and the AI decides when to reach for each.