Most SaaS security tools are built for companies that have a security team.
We're building one for the rest.
The security industry has spent the last twenty years building tools for the Fortune 500 — and pricing them accordingly. SOC 2 audits start at $30,000. A real human pentest runs $20-80k. Enterprise vulnerability scanners cost more per seat than half your dev team makes per month.
That's fine if you're Salesforce. If you're a six-person SaaS doing $1.5M ARR, it's a problem. You know you should be doing more on security. You can't justify it economically. So nothing happens — until you read about a competitor's breach and panic-buy something off LinkedIn.
Meanwhile AI has hit a point where an agent can genuinely play the role of a curious security tester. Sign up. Explore. Try things. Find what's broken. Write a report. Until 2024, automated pentest meant "fast checklist scanner". Today it means "patient, contextual investigator that thinks before it tests".
We think every SaaS — including the small ones — deserves an actual security tester. The price just had to drop by 99%.
Who pentu is for
- Indie SaaS founders who ship features faster than their security knowledge can keep up.
- Small engineering teams (1-20 people) that can't afford a dedicated security hire yet.
- Pre-Series-A SaaS getting ready for SOC 2 — pentu finds the issues before the auditor does.
- Shopify-app and Stripe-Connect developers building on platforms where one mistake leaks customer data.
- Companies that have an annual pentest but want continuous coverage between engagements.
Who pentu is not for
We're honest about the limits.
- If you handle nation-state-level threats, you need a real red team, not pentu.
- If you need a SOC 2 / ISO 27001 certificate signed, you need a licensed human auditor. Pentu produces evidence, not the certificate.
- If you can't define a test scope (no staging, no test accounts, regulated production data only), pentu's not the right starting point.
What we believe
Security tools should look friendly. The skulls-and-fire aesthetic exists because security companies want to feel important. It doesn't help anyone do better security. We took the opposite approach.
Transparency over mystery. Our test catalog is open source. Our reasoning traces are exportable. You can verify exactly what pentu did during your scan. No black box.
Self-serve beats sales calls. Sign up, run a scan, see the value. If you have to be sold to, the product wasn't good enough.
EU-first. We're hosted in Frankfurt by default. Your data doesn't cross the Atlantic unless you choose the US region explicitly.