Now in private beta · EU-hosted

Security testing
that actually
understands your product.

A team of AI agents that uses your SaaS like a real user, probes for security and business-logic flaws, and writes a report you would actually send to your board.

✓ Free recon scan ✓ No credit card ✓ Results in 30 min
A glimpse

It uses your product like a person would.

Not a scanner pinging endpoints. An agent that signs up, navigates, fills forms, and reasons about what it sees.

Demo walkthrough (animated on the live page): acme.app/login → "Welcome back, sign in to continue" → "Your projects: 3 active workspaces" (Acme Web, 12 members · Marketing, 4 members · Internal, 2 members) → /proj/42 → GET /api/projects/42 with `authorization: Bearer eyJ…` (user_a) → CRITICAL · IDOR: user_a can read /api/projects/42 belonging to user_b (cross-tenant).

pentu · reasoning trace: mapping public surface… found 14 endpoints, 3 auth flows · signing up user_a · signing up user_b · creating project for user_b · testing tenant boundaries… · probing /api/projects/42 as user_a: 200 OK · cross-tenant read confirmed · writing finding… · scan in progress · 1 critical found
The Problem

Most security tools tell you what is vulnerable.
Pentu tells you what is broken.

Classical scanners run a fixed checklist against every endpoint. They produce noise — long lists of theoretical issues your team cannot triage, drowning out the things that actually matter.

The bugs that hurt are not in OWASP categories. They live between features. Broken access control when team-membership changes. Coupon stacking via the referral system. A signed webhook that nobody verifies. A free user paying for nothing but using everything.

Those bugs require a tester who actually understands your product. Pentu does.

The Pentu Way

Three things every other tool gets wrong.

🔍

Understands before testing

Pentu reads your marketing site, crawls your docs, signs up, maps every page, and builds a model of how your product works. Only then does it start testing — where the model says it matters.

👥

Plays the role of real users

Multiple personas. Real signups via real email inboxes. Real payments with test cards. Cross-tenant probes. Race conditions. Things a generic scanner cannot even attempt — because they require acting, not just scanning.

📑

Reports that read like a pentester wrote them

Not a CVE dump. Real findings, with business impact in your context, reproducible PoCs, and remediation in your codebase's actual patterns. Send it to your board. Send it to your auditor.

Coverage

What pentu actually tests for.

OWASP top categories plus the business-logic flaws that scanners miss. Every test category is open source in our test catalog so you know exactly what we run.

🔐
Authentication
Signup, login, MFA, OAuth, magic links, session handling
🚪
Access control
IDOR, privilege escalation, multi-tenant isolation, role inheritance
💳
Payment flows
Coupons, refunds, trial extension, currency, race conditions
🧠
Business logic
Cross-feature interactions, workflow violations, state-machine flaws
🤖
AI surface
Prompt injection, jailbreaks, system prompt leaks, cost amplification
🔌
API & webhooks
Signature verification, replay tolerance, undocumented endpoints
💉
Injection
SQL, NoSQL, XSS, SSRF, template injection, file upload abuse
🌐
Infrastructure
TLS, headers, subdomain takeover, exposed buckets, leaked secrets
A real finding

Less noise. More signal.

What a pentu finding actually looks like — written for humans, with the exact reproduction steps and a fix in your codebase pattern.

Critical Finding #PNT-2026-0041
verified · 2.3s replay

A free-tier account can read paid-tier customers' projects

Your GET /api/projects/:id endpoint checks that the requester is authenticated, but not that they own the project. As a free-tier user, I read the full contents of a paid customer's project simply by guessing IDs (they're sequential integers).

Steps to reproduce
1. Sign up as Free User A
2. Sign up as Paid User B, create project (gets ID 8472)
3. As User A, GET /api/projects/8473
   → 200 OK, returns User C's project contents
Suggested fix · src/api/projects/get.ts
// before — any authenticated user can read any project
const project = await db.projects.findById(id);
return c.json(project);

// after — verify ownership; a missing project and another tenant's project
// both return the same 404 so the status code does not reveal which IDs exist
const project = await db.projects.findById(id);
if (!project || project.organization_id !== user.organization_id) {
    return c.json({ error: 'Not found' }, 404);
}
return c.json(project);
Business impact: complete customer data breach · Estimated fix: 10 min · OWASP A01: Broken Access Control
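To make the finding above concrete, here is an added, self-contained TypeScript model of the GET /api/projects/:id handler in its vulnerable and hardened forms. It is example code written for this page, not Pentu's or any customer's code: the database is replaced by an in-memory array with constructed projects and users, and the Hono-style `c.json(...)` call is replaced by a plain `{ status, body }` object so it runs without a web framework. It also goes one step beyond the page by including a small regression check that a CI gate could run against a handler to detect any cross-tenant 200.

```typescript
// Added example (not Pentu's code): the GET /api/projects/:id handler from the
// finding above, vulnerable and hardened, against a constructed in-memory store.

type User = { id: string; organization_id: string; tier: "free" | "paid" };
type Project = { id: number; organization_id: string; name: string; secret: string };
type Response = { status: number; body: unknown };

// Sequential integer IDs, as in the finding: an attacker can guess them by incrementing.
// All rows below are constructed sample data.
const projects: Project[] = [
  { id: 8472, organization_id: "org_b", name: "Acme roadmap", secret: "paid-tier data" },
  { id: 8473, organization_id: "org_c", name: "Internal", secret: "another tenant's data" },
];

const freeUserA: User = { id: "user_a", organization_id: "org_a", tier: "free" };
const paidUserB: User = { id: "user_b", organization_id: "org_b", tier: "paid" };

// Stand-in for db.projects.findById(id); returns undefined when the row does not exist.
function findById(id: number): Project | undefined {
  return projects.find((p) => p.id === id);
}

// "before": the caller is authenticated, but ownership is never checked (the IDOR).
function getProjectVulnerable(user: User, id: number): Response {
  const project = findById(id);
  if (!project) return { status: 404, body: { error: "Not found" } };
  return { status: 200, body: project };
}

// "after": the project must belong to the caller's organization. A missing project and
// a foreign project get the same 404, so the status code cannot be used to enumerate
// which IDs exist.
function getProjectSecure(user: User, id: number): Response {
  const project = findById(id);
  if (!project || project.organization_id !== user.organization_id) {
    return { status: 404, body: { error: "Not found" } };
  }
  return { status: 200, body: project };
}

// Regression check of the kind a CI gate could run: for every (user, project) pair,
// does the handler return 200 for a project outside the user's organization?
// Returns the leaking (userId, projectId) pairs; an empty array means no cross-tenant read.
function crossTenantReads(
  handler: (u: User, id: number) => Response,
  users: User[],
): Array<[string, number]> {
  const leaks: Array<[string, number]> = [];
  for (const u of users) {
    for (const p of projects) {
      const r = handler(u, p.id);
      if (r.status === 200 && p.organization_id !== u.organization_id) {
        leaks.push([u.id, p.id]);
      }
    }
  }
  return leaks;
}

// Stand-alone run: the vulnerable handler leaks three cross-tenant reads, the fixed one none.
console.log("vulnerable:", crossTenantReads(getProjectVulnerable, [freeUserA, paidUserB]));
console.log("secure:", crossTenantReads(getProjectSecure, [freeUserA, paidUserB]));
```

The check in `crossTenantReads` is the same property Pentu's finding describes, expressed as a test: it only needs two tenants and two projects to fail loudly on the "before" handler, which makes it a cheap guard to keep in the test suite after the fix lands.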
Built for agents, by agents

Pentu fits inside your agentic workflow.

Every pentu capability is exposed via MCP, REST, CLI, and CI/CD integrations from day one. Ask Claude or Cursor to scan your latest PR. Set up a GitHub Action that gates merges on critical findings. Pipe results into your existing security stack.

  • MCP server — Connect from Claude Desktop, Cursor, Continue, or your own agent. Tools include start_scan, list_findings, suggest_fix
  • CLI — npm i -g @pentu/cli and you're scanning
  • GitHub Action — Block merges on critical findings. Auto-comment fix suggestions.
  • SDKs — TypeScript, Python, Go. Auto-generated from OpenAPI.
# Scan and follow live
$ pentu scan https://acme.app --watch
[2/8] Reading marketing site... done (12s)
[3/8] Building app model... 47 pages mapped
[4/8] Signing up as test users... 3 personas created
[5/8] Generating tests... 312 planned, 4 high priority
[6/8] Running tests in parallel...
  ⚠ Found IDOR on /api/projects (critical)
  ⚠ Trial extension via date manipulation (high)
[7/8] Verifying findings... 2/2 reproduced
[8/8] Writing report...
✓ Done in 24m 12s · 2 findings · report at https://app.pentu.ai/scans/sc_xyz
Pricing

From $29/month.
For the price of a Netflix subscription.

Self-serve, monthly, cancel anytime. No sales calls, no demos required, no annual lock-in. Start free with a recon-only scan.

See pricing

Curious what pentu finds on your domain?

Free recon-only scan. No credit card. Results in under 5 minutes. See what your attack surface actually looks like.

Start free scan