Pricing

No sales calls.
No annual lock-in.

Self-serve from any tier. 7-day trial on paid plans. Cancel from the dashboard. Save 20% on annual billing.

Free
Public recon, no signup required.
$0/month
Start free scan
  • Monthly external recon scan
  • Subdomain & exposed asset discovery
  • Public security header audit
  • Public Pentu Score (no detail)
  • 1 domain
  • No authenticated testing
  • No business-logic probes
  • No PDF report
Solo
Indie founders, side projects, MVPs.
$29/month
Start 7-day trial
  • Everything in Free
  • Full agentic scan, once monthly
  • Authenticated multi-persona testing
  • Business-logic probes
  • AI surface testing
  • 1 target (production or staging)
  • PDF report + shareable URL
  • Email support
Most popular
Indie
Real revenue, real users, real risk.
$79/month
Start 7-day trial
  • Everything in Solo
  • Bi-weekly scans
  • 3 targets (mix of envs)
  • Slack integration
  • Trend tracking over time
  • Coverage breakdown
  • Critical-finding email alerts
Team
Engineering teams shipping fast.
$199/month
Start 7-day trial
  • Everything in Indie
  • Weekly scans
  • 10 targets
  • GitHub integration (source-aware)
  • Custom test scenarios
  • Compliance evidence export (Vanta, Drata)
  • Priority support
Business
Continuous security, every deploy.
$499/month
Start 7-day trial
  • Everything in Team
  • Continuous scanning (deploy-triggered)
  • Unlimited targets
  • Multi-environment (staging + prod)
  • Public Pentu Score badge + embed
  • Priority queue
  • SLA: response within 24h

Need more? Talk to us about Enterprise — dedicated compute, SSO, custom scenarios, SLAs. From $2k/month.

Questions, answered.

How is pentu different from Snyk, Aikido, or Detectify?

Those tools run a fixed list of attack patterns against your endpoints. They're great at finding generic vulnerabilities — CVEs, dependency issues, obvious XSS. But they don't understand your product. Pentu signs up as real users, maps your app, and tests the business-logic flaws that scanners can't see. We complement those tools; we don't replace them at every layer.

How is pentu different from XBOW, Pentera, or human pentesters?

XBOW and Pentera target enterprise contracts ($50k+/yr). Human pentesters cost $10k-50k per engagement and take weeks. Pentu sits in the gap — agentic depth at SMB SaaS prices. We're not as deep as a top-tier human pentester on the first engagement, but we run every week or every deploy, which catches what an annual pentest misses.

Will pentu break my production?

It can be told not to. By default, pentu rate-limits itself to look like real user traffic, refuses destructive tests without explicit consent, and flags actions that would create persistent state. Most customers point pentu at staging environments for the heavy testing, and use a lighter "production-safe" profile on production. The choice is explicit and configurable.

Can pentu issue SOC 2 or ISO 27001 certificates?

No — those require AICPA-licensed CPA firms (SOC 2) or accredited certification bodies (ISO 27001). Pentu can produce evidence that maps to SOC 2 / ISO 27001 controls, packaged for Vanta or Drata, but the formal audit signoff has to come from a human auditor. We make their job cheaper, not redundant.

What happens to data pentu sees during scans?

Scan compute runs in ephemeral per-customer Google Cloud Run containers, destroyed at scan end. No customer data is used for AI training, ever. Reports are encrypted at rest in R2 with per-account keys. We're EU-hosted by default (Frankfurt) with a US option, and we publish a full data-handling page at /security.

Can I bring my own AI key?

Yes, on Business and Enterprise tiers. Bring your own Anthropic, OpenAI, or Google AI keys and we'll route inference through them. Useful for customers who want strict control over where their data is processed, or who already have enterprise deals with model providers.

What if pentu misses something and we get hacked?

Pentu is a snapshot-in-time check, not a guarantee. Every report explicitly frames it that way. We carry professional liability and cyber insurance, but the customer agreement is clear: we improve your security posture, we don't indemnify your full risk. Pair pentu with a WAF, secure development practices, and (for high-stakes systems) at least one human pentest per year.

Annual discount?

Yes, 20% off all paid tiers when billed annually. Same as the industry standard.