Live · v0.10.1 · Open source

Find it.
Chain it.
Prove it.

An autonomous pentesting CLI that maps your attack surface, validates every finding with a safe proof of concept, and chains the results into multi-step attack paths.

open dashboard pip install ptai
Scroll to begin
0tools 0specialist agents 0mcp tools SARIF+ ci/cd MITlicensed
01  /  03  ·  Attack surface

It maps your attack surface.

Subdomain enumeration, port discovery, fingerprinting, JS analysis. Then it stops noisy scans and decides what to chase next, guided by twelve specialist agents that share context.

The difference

Scanners flag.
We weaponize.

Burp, Nessus, and Nuclei give you a flat list of issues. We connect them into multi-step attack paths, score every chain, and validate each step with a safe proof of concept.

Scanner output47 findings · flat
med/api/proxy?url= · external fetch5.4
medIMDSv1 metadata reachable6.1
lowIAM node-role over-privileged4.3
medsecrets readable in prod ns5.9
pentest-ai chaincritical · 9.8
01SSRF on /api/proxy?url=entry
02→ IMDSv1 · STS credspivot
03→ assume node role · eks-nodelateral
04→ aws-auth · cluster-admin9.8
See it run

One command.
Real findings.

Paste your target, walk away. ptai spawns specialist agents, runs ~191 security tools, validates each finding with a non-destructive proof of concept, and chains the results into multi-step attack paths.

~/engagement · ptai run --target acme.corp
Inside the swarm

Twelve specialist agents.
Sharing the same context.

Each agent owns a domain. They stream findings to the shared engagement graph so no work is duplicated and nothing is lost between phases.

01
recon-advisor
Subdomain enumeration, port discovery, fingerprinting, JS analysis. Maps the attack surface.
02
web-hunter
Crawls the app surface for IDORs, SSRF entry points, prototype pollution, mass-assignment.
03
api-security
REST + GraphQL probe. Tests auth gaps, JWT alg-confusion, OAuth callback abuse, rate-limit bypass.
04
credential-tester
Password spray, hash crack, default-creds, MFA-bypass paths. Coordinates with priv-esc.
05
vuln-scanner
Runs Nuclei + custom templates, dedupes against known false-positives, scores each finding.
06
exploit-chainer
Connects findings into multi-step attack paths. SSRF → IMDS → STS → cluster-admin.
07
poc-validator
Writes a safe proof-of-concept for every chained finding. Marks unverifiable as false-positive.
08
privesc-advisor
Local enumeration on compromised hosts. SUID, kernel exploits, container escapes, IAM abuse.
09
ad-attacker
Active Directory: Kerberoasting, AS-REP, ACL abuse, delegation chains, BloodHound paths.
10
cloud-security
AWS / Azure / GCP misconfigs. IMDSv1, over-privileged roles, public S3, exposed metadata.
11
mobile-pentester
Android + iOS. Cert pinning bypass, deeplink hijack, insecure storage, network capture.
12
report-generator
Compiles every chain + PoC into executive PDF + technical report + SARIF for CI.
Pricing

Free CLI. Paid tiers when you need more.

Run everything locally for free. Add the cloud workspace when you want history, reports, or collaboration.

open_source
The CLI
Free · forever
MIT licensed · BYO Anthropic key
Full local autonomous pentesting. Run it anywhere, no auth, no telemetry.
  • 191 security tools wrapped
  • 12 specialist agents
  • 33 MCP server tools
  • Autonomous exploit chaining
  • Non-destructive PoC validation
  • CVSS v3.1 + MITRE ATT&CK mapping
  • SARIF + JUnit + PDF reports
  • CI/CD pipeline mode + checkpoint/resume
  • Sigma / KQL detection rule generation
  • Community support · GitHub issues
view on github →
pro · for solos
Pro
$39 / mo
billed monthly
Cloud workspace for solo pentesters & bug bounty hunters.
  • Everything in Open Source
  • Cloud-synced engagement workspace
  • Unlimited engagement history + search
  • 1-click client-ready PDF reports with your branding
  • Scan-complete notifications · Slack / Discord / email
  • Personal dashboard & trend analytics
  • Priority email support · 72h SLA
  • 1 user seat
start pro →
team · most popular
Team
$59 / seat / mo
billed monthly · 3-seat min · $177 / mo
For consultancies, red teams, and security firms with multiple operators.
  • Everything in Pro
  • Shared engagement workspace across the team
  • Findings triage, assignment & comments
  • Audit log · who ran which agent where
  • SSO · Google + GitHub OAuth
  • Jira / Linear / Slack / GitHub integrations
  • Per-client engagement segregation
  • Shared report templates
  • Priority email support · 48h SLA
  • Optional managed Anthropic key · +$39/seat/mo
start team →
enterprise · sales-led
Enterprise
From $2,500 / mo
Custom annual contract · sales-led
For security teams with compliance, audit, or deployment requirements.
  • Everything in Team
  • SAML SSO · SCIM provisioning
  • Audit log exports · SOC 2 / ISO 27001 ready
  • Custom SLAs & dedicated onboarding
  • DPA + security questionnaire support
  • Custom agent development
  • On-prem or private-cloud deployment
  • Dedicated Slack channel + CSM
  • Custom Anthropic rate-limit pooling
contact sales →
Managed · delivered by us

Launch Engagement

A full pentest engagement delivered by our operators, powered by pentest-ai. We scope it, run it, chain the exploits, validate them with PoCs, and hand you a client-ready executive + technical report. One-off commitment, no subscription required.

Scoping & rules of engagement Autonomous pentest + PoC validation Exec + technical report 30-min findings walkthrough 90-day retest window Dedicated Slack channel
$15,000one-time
includes 3 months Team (3 seats · $531 value)
book engagement →

Find what scanners miss.

Free, open source, runs on your laptop. Findings sync to your cloud workspace. Reports in one click.

open dashboard pip install ptai