v1.1.0 · open-source · MIT

It doesn't flag.
It proves.

A finding is a claim until a machine re-runs the exploit and reproduces it, three for three. Only then does it turn green.

Get ptai See it prove
MIT-licensedruns on your machineno cloud requiredno telemetry21 machine oracles
scroll ↓
// how it runs

It runs on your machine.

ptai is a local CLI and an MCP server, not a hosted service. It scans your targets from your laptop, keeps findings in local SQLite, and phones home to nobody. Two ways to drive it:

terminalthe CLI
$ pip install ptai
$ ptai demo

  scanning bundled vuln app…
  4 findings · 4 oracle-VERIFIED ✓
  replay capsule #3 … reproduced 3/3 ✓
  re-run against the patched app …
  0 findings.
Two minutes, no API key, no target of your own. Point it at your own target with ptai start <url>.
claude codevia MCP
$ claude mcp add pentest-ai -- ptai mcp
   registered · 47 tools · no api key

> you: scan https://app.example.com

  start_engagement → running…
  get_findings → 3 VERIFIED, 5 candidate
  prove_attack_chain → chain proven 3/3 ✓
Your Claude subscription is the brain; ptai is the hands. Claude picks the moves, ptai runs and proves them.

Bring your own LLM key, or run --no-llm fully deterministic with no key at all. Local SQLite · no telemetry · nothing leaves your machine.

// live demo · in this page, right now

Don't trust us. Watch it prove one.

This is ptai's verification engine running right here in your browser, with your browser as the target — so you can watch a finding go from candidate to VERIFIED without installing a thing. The real tool runs from your terminal or Claude Code, against your targets.

ptai verify --target self live
dossier · fingerprint
oracle.log
proof-engine
session ptai://self · host-locked 0 verified · 0 FP · 00:00:00

What it just ran on your browser, it runs on your targets.
This demo lives entirely in this page — the fingerprint was computed and discarded on your own machine, and sent nowhere.

// the moat

The AI finds it.
It can't fake the proof.

The fear with an "AI pentester" is that it just makes things up. Here it structurally can't. A finding earns VERIFIED only when a named machine oracle re-runs the exploit and reproduces it N-for-N, and the code rejects any "verified" verdict that can't name the oracle that earned it. No title-based shortcut, no LLM assertion. No proof, no badge.

◦ candidate

A claim

What a normal scanner hands you: a hunch you then burn hours triaging.

  • No reproduction
  • "I think this is exploitable"
  • You verify it by hand
✓ verified

A proof you can replay

A named oracle re-ran the exploit and reproduced it three for three. The verdict is a machine's, not an assertion.

  • Reproduced 3-for-3
  • Portable proof capsule + replay
  • Ships green only on proven findings
// what it proves

Fourteen classes.
Twenty-one oracles.

Each has a machine oracle with a control that must fail on a safe target, so a clean app abstains instead of earning a badge. Fourteen of the big ones:

SQL injection
BOLA / IDOR
Stored XSS
Reflected XSS
JWT alg:none
XXE
SSRF
Mass assignment
Trusted-header
Host-header poison
Path traversal
Open redirect
Type confusion
Sequential IDOR
// what's in the box

Built to be doubted.

Every feature assumes you won't take the tool's word for it, and hands you the receipts to check.

◆ replay

Portable proof capsules

Every VERIFIED finding ships as a self-contained capsule. Hand it to a skeptic; ptai replay re-runs the exact oracle live and reproduces it N-for-N. Trust by reproduction, not a screenshot.

◆ ci

SARIF + CI gate

Verified-only SARIF straight to GitHub Code Scanning. The bundled Action's --fail-on verified breaks a build on proven findings only, never on noise.

◆ mcp

MCP-native

claude mcp add pentest-ai. Drive it from Claude Code or Cursor with 47 tools and no API key — your subscription is the brain, ptai is the hands.

◆ quarantine

Scanner noise, gated

nuclei, nikto, and any third-party scanner output stays hidden until a ptai oracle independently re-proves it. New tools fail safe toward silence.

◆ chains

Attack chains, proven

Multi-step paths are verified hop by hop — every link earns its own machine receipt. A proven chain is machine-backed, not asserted.

◆ oast

Blind vulns via OAST

Out-of-band callbacks stamp blind SSRF, SQLi and XXE as VERIFIED through an Interactsh collaborator or a self-hosted loopback.opt-in

◆ local

Local & private

CLI + MCP on your machine. Local SQLite, no telemetry, bring your own key — or run --no-llm fully deterministic with no key at all.

◆ spa

63 SPA-aware probes

Real headless-Chromium rendering for single-page apps, plus JS-bundle route mining. It logs in and follows the app like a user, not a crawler.

// the receipts

Numbers we can reproduce.

14
oracle-verified classes
3/3
re-runs before it's VERIFIED
0
false positives on a clean app · CI-gated
63
SPA-aware web probes

In our OWASP Juice Shop run, 12 findings oracle-verified in a single scan, each reproducible with ptai replay. These are individual, reproducible benchmarks, not field rates: the honeypot harness (≥11 planted vulns caught) and the clean-app zero-false-positive gate both run in CI.

// pricing

Free where it matters.

The CLI is open source and free, forever. Pay only for the hosted console, team features, or scale.

CLI
$0
Open source, MIT. The whole engine.
  • All 14 verified oracle classes
  • Local SQLite · BYO LLM key
  • Proof capsules + replay
  • SARIF · CI gate · self-host
Get it on GitHub
Pro
$29/mo
Hosted console, history, sharing.
  • Everything in CLI
  • Hosted dashboard + run history
  • Shareable verified reports
  • Priority updates
Start Pro
Team
$49/mo
Seats, orgs, managed keys.
  • Everything in Pro
  • Multi-seat + org workspaces
  • Managed API keys
  • SSO on request
Start Team
Pay-as-you-go planned
credits → key

Buy a credit pack, get an API key on the spot, spend per scan. No subscription.

Want this? →
Enterprise
$2,500/mo+

We host and run it: dedicated infra, SSO/SAML, audit logging, support SLA.

Talk to sales →
Launch Engagement
$15,000 one-off

We run your first full campaign, hand over verified findings + capsules.

Book it →