A finding is a claim until a machine re-runs the exploit and reproduces it, three for three. Only then does it turn green.
ptai is a local CLI and an MCP server, not a hosted service. It scans your targets from your laptop, keeps findings in local SQLite, and phones home to nobody. Two ways to drive it:
$ pip install ptai $ ptai demo scanning bundled vuln app… 4 findings · 4 oracle-VERIFIED ✓ replay capsule #3 … reproduced 3/3 ✓ re-run against the patched app … 0 findings.
ptai start <url>.$ claude mcp add pentest-ai -- ptai mcp ✓ registered · 47 tools · no api key > you: scan https://app.example.com start_engagement → running… get_findings → 3 VERIFIED, 5 candidate prove_attack_chain → chain proven 3/3 ✓
Bring your own LLM key, or run --no-llm fully deterministic with no key at all. Local SQLite · no telemetry · nothing leaves your machine.
This is ptai's verification engine running right here in your browser, with your browser as the target — so you can watch a finding go from candidate to VERIFIED without installing a thing. The real tool runs from your terminal or Claude Code, against your targets.
What it just ran on your browser, it runs on your targets.
This demo lives entirely in this page — the fingerprint was computed and discarded on your own machine, and sent nowhere.
The fear with an "AI pentester" is that it just makes things up. Here it structurally can't. A finding earns VERIFIED only when a named machine oracle re-runs the exploit and reproduces it N-for-N, and the code rejects any "verified" verdict that can't name the oracle that earned it. No title-based shortcut, no LLM assertion. No proof, no badge.
What a normal scanner hands you: a hunch you then burn hours triaging.
A named oracle re-ran the exploit and reproduced it three for three. The verdict is a machine's, not an assertion.
Each has a machine oracle with a control that must fail on a safe target, so a clean app abstains instead of earning a badge. Fourteen of the big ones:
Every feature assumes you won't take the tool's word for it, and hands you the receipts to check.
Every VERIFIED finding ships as a self-contained capsule. Hand it to a skeptic; ptai replay re-runs the exact oracle live and reproduces it N-for-N. Trust by reproduction, not a screenshot.
Verified-only SARIF straight to GitHub Code Scanning. The bundled Action's --fail-on verified breaks a build on proven findings only, never on noise.
claude mcp add pentest-ai. Drive it from Claude Code or Cursor with 47 tools and no API key — your subscription is the brain, ptai is the hands.
nuclei, nikto, and any third-party scanner output stays hidden until a ptai oracle independently re-proves it. New tools fail safe toward silence.
Multi-step paths are verified hop by hop — every link earns its own machine receipt. A proven chain is machine-backed, not asserted.
Out-of-band callbacks stamp blind SSRF, SQLi and XXE as VERIFIED through an Interactsh collaborator or a self-hosted loopback.opt-in
CLI + MCP on your machine. Local SQLite, no telemetry, bring your own key — or run --no-llm fully deterministic with no key at all.
Real headless-Chromium rendering for single-page apps, plus JS-bundle route mining. It logs in and follows the app like a user, not a crawler.
In our OWASP Juice Shop run, 12 findings oracle-verified in a single scan, each reproducible with ptai replay. These are individual, reproducible benchmarks, not field rates: the honeypot harness (≥11 planted vulns caught) and the clean-app zero-false-positive gate both run in CI.
The CLI is open source and free, forever. Pay only for the hosted console, team features, or scale.
Buy a credit pack, get an API key on the spot, spend per scan. No subscription.
Want this? →We host and run it: dedicated infra, SSO/SAML, audit logging, support SLA.
Talk to sales →We run your first full campaign, hand over verified findings + capsules.
Book it →