Live · v0.10.1 · Open source

Find it.
Chain it.
Prove it.

An autonomous pentesting CLI that maps your attack surface, validates every finding with a safe proof of concept, and chains the results into multi-step attack paths.

install free → see the demo →

Scroll to begin

[chain] SSRF + IMDS → cluster-admin · acme.corp [finding] /api/proxy?url= · SSRF entry · CVE-2024-3472 [chain] OAuth callback + JWT alg=none → admin RCE [finding] IMDSv1 reachable via lambda runtime · STS leak [chain] prototype pollution + open redirect → XSS→ATO [finding] mass-assignment on /users · role escalation [chain] blind SSRF + redis → RCE via FLUSHALL+CONFIG SET [finding] aws-auth ConfigMap writable · crit 9.8 [chain] open S3 bucket + CDN cache poison → widespread XSS [chain] SSRF + IMDS → cluster-admin · acme.corp [finding] /api/proxy?url= · SSRF entry · CVE-2024-3472 [chain] OAuth callback + JWT alg=none → admin RCE [finding] IMDSv1 reachable via lambda runtime · STS leak [chain] prototype pollution + open redirect → XSS→ATO [finding] mass-assignment on /users · role escalation [chain] blind SSRF + redis → RCE via FLUSHALL+CONFIG SET [finding] aws-auth ConfigMap writable · crit 9.8 [chain] open S3 bucket + CDN cache poison → widespread XSS

0tools 0specialist agents 0mcp tools SARIF+ ci/cd MITlicensed

01 / 03 · Attack surface

It maps your attack surface.

Subdomain enumeration, port discovery, fingerprinting, JS analysis. Then it stops noisy scans and decides what to chase next, guided by twelve specialist agents that share context.

The difference

Scanners flag.
We weaponize.

Burp, Nessus, and Nuclei give you a flat list of issues. We connect them into multi-step attack paths, score every chain, and validate each step with a safe proof of concept.

med/api/proxy?url= · external fetch5.4

medIMDSv1 metadata reachable6.1

lowIAM node-role over-privileged4.3

medsecrets readable in prod ns5.9

01SSRF on /api/proxy?url=entry

02→ IMDSv1 · STS credspivot

03→ assume node role · eks-nodelateral

04→ aws-auth · cluster-admin9.8

See it run

One command.
Real findings.

Paste your target, walk away. ptai spawns specialist agents, runs ~191 security tools, validates each finding with a non-destructive proof of concept, and chains the results into multi-step attack paths.

~/engagement · ptai run --target acme.corp

Inside the swarm

Twelve specialist agents.
Sharing the same context.

Each agent owns a domain. They stream findings to the shared engagement graph so no work is duplicated and nothing is lost between phases.

recon-advisor

Subdomain enumeration, port discovery, fingerprinting, JS analysis. Maps the attack surface.

web-hunter

Crawls the app surface for IDORs, SSRF entry points, prototype pollution, mass-assignment.

api-security

REST + GraphQL probe. Tests auth gaps, JWT alg-confusion, OAuth callback abuse, rate-limit bypass.

credential-tester

Password spray, hash crack, default-creds, MFA-bypass paths. Coordinates with priv-esc.

vuln-scanner

Runs Nuclei + custom templates, dedupes against known false-positives, scores each finding.

exploit-chainer

Connects findings into multi-step attack paths. SSRF → IMDS → STS → cluster-admin.

poc-validator

Writes a safe proof-of-concept for every chained finding. Marks unverifiable as false-positive.

privesc-advisor

Local enumeration on compromised hosts. SUID, kernel exploits, container escapes, IAM abuse.

ad-attacker

Active Directory: Kerberoasting, AS-REP, ACL abuse, delegation chains, BloodHound paths.

cloud-security

AWS / Azure / GCP misconfigs. IMDSv1, over-privileged roles, public S3, exposed metadata.

mobile-pentester

Android + iOS. Cert pinning bypass, deeplink hijack, insecure storage, network capture.

report-generator

Compiles every chain + PoC into executive PDF + technical report + SARIF for CI.

Pricing

Free CLI. Paid tiers when you need more.

Run everything locally for free. Add the cloud workspace when you want history, reports, or collaboration.

open_source

The CLI

Free · forever

MIT licensed · BYO Anthropic key

Full local autonomous pentesting. Run it anywhere, no auth, no telemetry.

194 security tools wrapped
17 specialist agents
41 MCP server tools
Autonomous exploit chaining
Non-destructive PoC validation
CVSS v3.1 + MITRE ATT&CK mapping
SARIF + JUnit + PDF reports
CI/CD pipeline mode + checkpoint/resume
Sigma / KQL detection rule generation
Community support · GitHub issues

view on github →

pro · for solos

Pro

$39 / mo

billed monthly

Cloud workspace AND native desktop app for solo pentesters & bug bounty hunters.

Everything in Open Source
Native desktop app · macOS, Windows, Linux
Cloud-synced engagement workspace · or stay fully local
Unlimited engagement history + search
1-click client-ready PDF reports with your branding
Scheduled scans · run while you sleep
Mobile-friendly dashboard for on-the-road review
Scan-complete notifications · Slack / Discord / email
Personal dashboard & trend analytics
Priority email support · 72h SLA
1 user seat
BYOK · your Anthropic, OpenAI, or Ollama key. Your tokens, your bill.

start pro →

team · most popular

Team

$59 / seat / mo

billed monthly · 3-seat min · $177 / mo

For consultancies, red teams, and security firms with multiple operators.

Everything in Pro · including native desktop app
Shared engagement workspace across the team
Findings triage, assignment & comments
Audit log · who ran which agent where
SSO · Google + GitHub OAuth
Jira / Linear / Slack / GitHub integrations
Per-client engagement segregation
Shared report templates
Priority email support · 48h SLA
BYOK · your team's keys, your bill. Centralized in your billing portal.
Managed API keys available on request · contact us

start team →

enterprise · sales-led

Enterprise

From $2,500 / mo

Custom annual contract · sales-led

For security teams with compliance, audit, or deployment requirements.

Everything in Team
SAML SSO · SCIM provisioning
Audit log exports · SOC 2 / ISO 27001 ready
Custom SLAs & dedicated onboarding
DPA + security questionnaire support
Custom agent development
On-prem or private-cloud deployment
Dedicated Slack channel + CSM
Custom Anthropic rate-limit pooling

contact sales →

Managed · delivered by us

Launch Engagement

A full pentest engagement delivered by our operators, powered by pentest-ai. We scope it, run it, chain the exploits, validate them with PoCs, and hand you a client-ready executive + technical report. One-off commitment, no subscription required.

Scoping & rules of engagement Autonomous pentest + PoC validation Exec + technical report 30-min findings walkthrough 90-day retest window Dedicated Slack channel

$15,000one-time

includes 3 months Team (3 seats · $531 value)

book engagement →

Find what scanners miss.

Free, open source, runs on your laptop. Findings sync to your cloud workspace. Reports in one click.

install free → pip install ptai

Find it. Chain it. Prove it.