A team of agents that thinks before it tests.
Pentu's edge isn't more scanning. It's understanding. Eight steps, in order — same way a human pentester operates, only automated.
- 01
Reconnaissance
Pentu maps your public attack surface — subdomains, exposed assets, tech fingerprint, certificate transparency logs. The same recon a curious attacker would do, automated.
No login required for this step. You can run it as a free scan to see what the internet already knows about your infrastructure.
- 02
Read & understand
Pentu visits your marketing site, your docs, your pricing page. Extracts the implicit rules: trial length, feature gates, billing model. This becomes the test rubric.
A scanner has no idea what your product is supposed to do. Pentu finds out — so it can later catch when your product behaves differently from what your marketing promises.
- 03
Sign up as real users
Pentu controls real email inboxes. It signs up free-tier, paid-tier, and admin personas. Confirms emails. Completes onboarding. Sets up payment with test cards. Now it has authenticated sessions across privilege levels.
This is what enables multi-persona testing — IDOR across accounts, privilege escalation, cross-tenant isolation. Generic scanners cannot do this. They have no concept of "another user".
- 04
Build a model
Driving Playwright, pentu maps every reachable page across all personas. Intercepts API calls. Identifies business objects (users, projects, teams, billing). Infers the state machine. Stores it as a structured graph.
The model is what makes pentu fundamentally different. Every later test is generated from this graph, not from a fixed checklist.
- 05
Generate tests
For each object × state × permission gate in the model, pentu generates relevant test variants. OWASP categories are still covered — but applied where the model says they matter most. Hundreds of focused tests, not millions of shallow ones.
Example: pentu sees a share-link feature with billing implications and generates 8 targeted tests for it. A scanner would have run one SQLi attempt on the ID parameter.
- 06
Execute in parallel
Specialist agents run each test in narrow, scoped sessions. Many in parallel. No context bloat between tests. Findings are recorded as claims at this stage, not yet published.
Rate-limited to look like real user traffic by default. "Fast mode" for staging environments lets you run hundreds of tests in minutes.
- 07
Verify deterministically
Every claimed finding goes through a verifier loop — a non-LLM runner that reproduces the exact steps. If it can't reproduce the result, the finding is discarded.
This is what keeps false positives low. AI proposes. Deterministic logic verifies.
- 08
Write the report
Pentu synthesizes the report. Executive summary in plain English. Technical detail with reproduction steps and PoC. Remediation in your codebase's actual patterns (if you've connected your repo). Coverage breakdown so you see what was tested.
The report you'd actually send to your board. Or to your auditor. Or paste into Slack to your engineering team.
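As an added illustration of steps 03 through 07, here is a minimal multi-persona IDOR test loop written for this page; it is not Pentu's code. The in-memory target API, the personas alice and bob, the object IDs and the deliberately missing ownership check on "projects" are all constructed. What it shows is the split the page describes: a per-test agent run only produces a claim, and a deterministic replay of the same request either confirms it or throws it away.

```python
"""Added illustration of steps 03 to 07 as described on this page.
Not Pentu's code: the in-memory API, the two personas, the object IDs and the
deliberately missing ownership check on "projects" are all constructed here."""
from dataclasses import dataclass

# Constructed tenant data: two personas, each owning one project and one invoice.
DB = {
    "projects": {101: {"owner": "alice", "name": "alpha"},
                 102: {"owner": "bob", "name": "beta"}},
    "invoices": {201: {"owner": "alice", "total": 10},
                 202: {"owner": "bob", "total": 20}},
}
# Step 03: one authenticated session per persona (constructed tokens).
TOKENS = {"alice": "tok-alice", "bob": "tok-bob"}
SESSIONS = {tok: user for user, tok in TOKENS.items()}


def api_get(resource, obj_id, token):
    """Constructed target API. "invoices" enforces ownership; "projects"
    does not, which is the IDOR this example is meant to surface."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    obj = DB[resource].get(obj_id)
    if obj is None:
        return 404, None
    if resource == "invoices" and obj["owner"] != user:
        return 403, None
    return 200, obj


def build_model(db):
    """Step 04: the only part of the model this test needs is object -> owner.
    A real crawl would derive it from intercepted API calls per persona."""
    return {res: {oid: obj["owner"] for oid, obj in objs.items()}
            for res, objs in db.items()}


@dataclass(frozen=True)
class IdorTest:
    resource: str
    obj_id: int
    owner: str     # persona that owns the object, per the model
    attacker: str  # persona that must not be able to read it


def generate_tests(model, personas):
    """Step 05: one cross-account read test per object x non-owner persona."""
    return [IdorTest(res, oid, owner, p)
            for res, objs in model.items()
            for oid, owner in objs.items()
            for p in personas if p != owner]


def run_test(test, tokens, misread=lambda t: False):
    """Step 06: one scoped agent run. Returns a *claimed* finding or None.
    `misread` simulates an agent that wrongly reports success for a test."""
    status, _ = api_get(test.resource, test.obj_id, tokens[test.attacker])
    if status == 200 or misread(test):
        return {"test": test, "claimed_status": 200}
    return None


def verify(claim, tokens):
    """Step 07: deterministic replay of the exact request, no LLM involved.
    The finding stands only if the non-owner really gets the object back."""
    t = claim["test"]
    status, body = api_get(t.resource, t.obj_id, tokens[t.attacker])
    return status == 200 and body is not None and body["owner"] == t.owner


def pentest(db, tokens, misread=lambda t: False):
    """Runs steps 04-07 end to end; returns (tests, claims, confirmed)."""
    tests = generate_tests(build_model(db), sorted(tokens))
    claims = [c for c in (run_test(t, tokens, misread) for t in tests) if c]
    confirmed = [c for c in claims if verify(c, tokens)]
    return tests, claims, confirmed


if __name__ == "__main__":
    # An agent that misreads the 403 on alice's invoice as a success.
    bad = lambda t: t.resource == "invoices" and t.obj_id == 201
    tests, claims, confirmed = pentest(DB, TOKENS, misread=bad)
    print(f"{len(tests)} tests, {len(claims)} claimed, {len(confirmed)} verified")
    for c in confirmed:
        t = c["test"]
        print(f"IDOR: {t.attacker} read {t.resource}/{t.obj_id} owned by {t.owner}")
```

With the constructed data, four tests are generated, three findings are claimed (two real project IDORs plus one the misreading agent invented), and the replay keeps only the two that actually reproduce. Swap the in-memory `api_get` for real HTTP calls with per-persona cookies and the structure is the same.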
Coverage you can verify.
Every pentu report includes a coverage section showing exactly what was tested — and what wasn't. If we couldn't reach a page because the test account lacked permission, we say so. If a third-party integration blocked us, we say so. No claiming success on what we didn't test.