Security testing that actually understands your product.
A team of AI agents that uses your SaaS like a real user, probes for security and business-logic flaws, and writes a report you would actually send to your board.
It uses your product like a person would.
Not a scanner pinging endpoints. An agent that signs up, navigates, fills forms, and reasons about what it sees.
Most security tools tell you what is vulnerable.
Pentu tells you what is broken.
Classical scanners run a fixed checklist against every endpoint. They produce noise — long lists of theoretical issues your team cannot triage, drowning out the things that actually matter.
The bugs that hurt are not in OWASP categories. They live between features. Broken access control when team-membership changes. Coupon stacking via the referral system. A signed webhook that nobody verifies. A free user paying for nothing but using everything.
Those bugs require a tester who actually understands your product. Pentu does.
Three things every other tool gets wrong.
Understands before testing
Pentu reads your marketing site, crawls your docs, signs up, maps every page, and builds a model of how your product works. Only then does it start testing — where the model says it matters.
Plays the role of real users
Multiple personas. Real signups via real email inboxes. Real payments with test cards. Cross-tenant probes. Race conditions. Things a generic scanner cannot even attempt — because they require acting, not just scanning.
Reports that read like a pentester wrote them
Not a CVE dump. Real findings, with business impact in your context, reproducible PoCs, and remediation in your codebase's actual patterns. Send it to your board. Send it to your auditor.
What pentu actually tests for.
OWASP top categories plus the business-logic flaws that scanners miss. Every test category is open source in our test catalog so you know exactly what we run.
Less noise. More signal.
What a pentu finding actually looks like — written for humans, with the exact reproduction steps and a fix in your codebase pattern.
A free-tier account can read paid-tier customers' projects
Your GET /api/projects/:id endpoint checks that the requester is authenticated, but not that they own the project. As a free-tier user, I read the full contents of a paid customer's project simply by guessing IDs (they're sequential integers).
1. Sign up as Free User A
2. Sign up as Paid User B, create project (gets ID 8472)
3. As User A, GET /api/projects/8473
→ 200 OK, returns User C's project contents

// before
const project = await db.projects.findById(id);
return c.json(project);

// after — verify ownership (the null check also covers a nonexistent ID,
// so a missing project and another tenant's project return the same 404)
const project = await db.projects.findById(id);
if (!project || project.organization_id !== user.organization_id) {
  return c.json({ error: 'Not found' }, 404);
}
return c.json(project);

Pentu fits inside your agentic workflow.
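The sample finding above, worked through as a runnable added example (this is not Pentu's code and not taken from the page's codebase): an in-memory project store with sequential IDs, the authenticated-but-unscoped handler the finding describes, and a hardened handler whose lookup is scoped to the caller's organization. The users, organizations, project IDs and the `{status, body}` response shape are constructed assumptions standing in for a Hono-style `c.json(body, status)`.

```javascript
// Added example (not Pentu's code): a minimal model of the IDOR finding above
// and its fix. The store, users, and project IDs are constructed sample data;
// the {status, body} handler result is an assumption standing in for c.json().

// Constructed sample tenants: each user belongs to exactly one organization.
const users = {
  freeUserA: { id: 'usr_a', organization_id: 'org_1', tier: 'free' },
  paidUserB: { id: 'usr_b', organization_id: 'org_2', tier: 'paid' },
  paidUserC: { id: 'usr_c', organization_id: 'org_3', tier: 'paid' },
};

// Constructed sample projects with sequential integer IDs, as in the finding.
const projects = new Map([
  [8472, { id: 8472, organization_id: 'org_2', name: 'B roadmap', secret: 'b-data' }],
  [8473, { id: 8473, organization_id: 'org_3', name: 'C roadmap', secret: 'c-data' }],
]);

// Stand-in for db.projects.findById(id): primary-key lookup, no tenant filter.
function findById(id) {
  return projects.get(Number(id)) ?? null;
}

// Tenant-scoped lookup: the organization is part of the query, so a row that
// belongs to another tenant is never handed to the handler in the first place.
function findByIdForOrg(id, organizationId) {
  const project = projects.get(Number(id));
  return project && project.organization_id === organizationId ? project : null;
}

// Minimal response helper mirroring c.json(body, status).
const json = (body, status = 200) => ({ status, body });

// BEFORE: authentication is checked (user is non-null) but ownership is not,
// so any logged-in user can read any project by guessing its ID.
function getProjectVulnerable(user, id) {
  if (!user) return json({ error: 'Unauthorized' }, 401);
  const project = findById(id);
  if (!project) return json({ error: 'Not found' }, 404);
  return json(project);
}

// AFTER: the lookup is scoped to the caller's organization. A missing project
// and another tenant's project yield the same 404, so the response does not
// even confirm that the other tenant's ID exists.
function getProjectHardened(user, id) {
  if (!user) return json({ error: 'Unauthorized' }, 401);
  const project = findByIdForOrg(id, user.organization_id);
  if (!project) return json({ error: 'Not found' }, 404);
  return json(project);
}

// Step 3 of the finding: free User A requests ID 8473, which belongs to User C.
function reproduce(handler) {
  return handler(users.freeUserA, 8473).status;
}

// Regression check: how many existing projects can a user read through a
// given handler? The hardened handler must expose only the user's own.
function readableProjectCount(handler, user) {
  let count = 0;
  for (const id of projects.keys()) {
    if (handler(user, id).status === 200) count += 1;
  }
  return count;
}

console.log('vulnerable, A reads 8473:', reproduce(getProjectVulnerable)); // 200
console.log('hardened,   A reads 8473:', reproduce(getProjectHardened));   // 404
console.log('hardened,   C reads own: ', getProjectHardened(users.paidUserC, 8473).status); // 200
```

The design point is that the ownership check moves into the query rather than being bolted on after the fetch: a tenant-scoped `findByIdForOrg` cannot forget the check on a new code path, and `readableProjectCount` is the kind of assertion a test suite can keep running so the bug does not return.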
Every pentu capability is exposed via MCP, REST, CLI, and CI/CD integrations from day one. Ask Claude or Cursor to scan your latest PR. Set up a GitHub Action that gates merges on critical findings. Pipe results into your existing security stack.
- MCP server — Connect from Claude Desktop, Cursor, Continue, or your own agent. Tools include start_scan, list_findings, suggest_fix.
- CLI — npm i -g @pentu/cli and you're scanning.
- GitHub Action — Block merges on critical findings. Auto-comment fix suggestions.
- SDKs — TypeScript, Python, Go. Auto-generated from OpenAPI.
# Scan and follow live
$ pentu scan https://acme.app --watch
[2/8] Reading marketing site... done (12s)
[3/8] Building app model... 47 pages mapped
[4/8] Signing up as test users... 3 personas created
[5/8] Generating tests... 312 planned, 4 high priority
[6/8] Running tests in parallel...
⚠ Found IDOR on /api/projects (critical)
⚠ Trial extension via date manipulation (high)
[7/8] Verifying findings... 2/2 reproduced
[8/8] Writing report...
✓ Done in 24m 12s · 2 findings · report at https://app.pentu.ai/scans/sc_xyz

From $29/month.
For the price of a Netflix subscription.
Self-serve, monthly, cancel anytime. No sales calls, no demos required, no annual lock-in. Start free with a recon-only scan.
See pricing
Curious what pentu finds on your domain?
Free recon-only scan. No credit card. Results in under 5 minutes. See what your attack surface actually looks like.
Start free scan