The all-in-one security platform
Pencheff is the all-in-one security platform — built around three orthogonal commitments: methodology, coverage, and reporting. Each is enforced by the engine, not the operator.
Pencheff follows an adversarial methodology modelled on manual penetration testing — reconnaissance, authenticated coverage, business-logic probing, and exploit chaining — delivered with the consistency of automation.
Read the procedureInjection, access control, authentication, cryptography, client-side, infrastructure, cloud, and API — examined with Pencheff's first-party probes. Auxiliary tools are optional and operator-managed.
See the instrumentsEvery assessment yields a formal report with executive summary, letter grade, and evidence — mapped to OWASP Top 10, SOC 2, PCI-DSS, NIST 800-53, ISO 27001, and HIPAA categories.
Inspect a dossierEach engagement traces the same adversarial path — from passive reconnaissance to multi-step exploit chaining — so that two assessments of the same target, six months apart, are directly comparable.
Passive enumeration: subdomains, DNS, certificate transparency, public artefacts, technology fingerprint.
Authenticated and unauthenticated crawls, API discovery, endpoint inventory, parameter cataloguing.
Forty-nine instruments fired against the surface — injection, access control, OAuth, cloud, business logic.
Each finding re-fired with crafted payloads. Request and response evidence captured. False positives discarded.
Single findings composed into multi-step attacks: SSRF → metadata, XSS → session theft, IDOR → privilege escalation.
Forty-nine first-party instruments cover the modern attack surface — injection, access control, authentication, cryptography, client-side, infrastructure, cloud, and API — and can be composed with repo scanning, threat models, compliance rollups, SBOM output, and LLM red team workflows. Auxiliary tools (nmap, sqlmap, nuclei, ffuf, hydra, nikto) remain optional and operator-managed.
First-party probes — exhaustively catalogued, individually verified, weighted by severity. Re-examination of any finding is unlimited on every plan.
Web DAST, code analysis, dependency intelligence, infrastructure posture, AI red team, and cloud surface checks all normalise into the same finding schema — so an engineer triaging injection and an auditor reviewing compliance are reading the same record.
Pencheff covers the full OWASP LLM Top 10 (2025) with curated payload libraries, attacker-driven loops, and judge-backed scoring. Agentic testing probes tool calls, memory, planners, and swarm workflows. The Sentry guardrail enforces policy at runtime.
Roleplay, payload splitting, obfuscation, encoding variants, jailbreak corpora, and regression suites against any OpenAI-compatible endpoint. Attacker-LLM loops and judge-backed scoring when configured.
LLM red team →Tool authorization abuse, memory and context attacks, planner hijacking, cross-session leakage, retrieval poisoning, and swarm orchestration probes for agent-based products.
Agentic tests →Sentry runtime guardrail for prompt, response, tool, and PII policy checks. Maps to OWASP LLM, MITRE ATLAS, NIST AI RMF, EU AI Act, ISO/IEC 42001, and SOC 2.
Guardrails →From registration to remediation, the same procedure governs every assessment — so that the engineer who runs it, the operator who reviews it, and the auditor who reads it are all working from the same record.
Provide a target URL and, optionally, credentials for authenticated coverage. All secrets are encrypted at rest.
Commission a quick, standard, or deep assessment. Progress streams live; stages are logged for review.
Triage findings with full request/response evidence. Re-examine any finding after remediation with a single action.
Download a formal DOCX or PDF report, dispatch to ticketing, and close out with verified evidence.
Pencheff is in open beta. Every feature is unlocked at the Free tier today — DAST, SAST, IaC, container scanning, compliance reporting, the lot. Pro adds automated remediation that doesn’t just find vulnerabilities, it fixes them with verified pull requests. Team is for organisations that need unlimited scale and dedicated support.
The full platform, metered. Sign up, paste a URL or connect a repo, and run the pipeline with a monthly allowance to see Pencheff in action.
Pencheff doesn't just find vulnerabilities — it fixes them. The Expert model, a generous monthly allowance, and verified pull requests.
When security is a shared responsibility. Unlimited workspaces, unlimited seats, dedicated support, and the full Pro feature set at general availability.
Two dossiers, issued together. Engineering receives the technical record; audit and executive readers receive the framework-mapped summary. Bound by a single grade and a single date of issue.
Pencheff normalises every finding against application security standards, audit frameworks, and AI governance requirements — so your engineers, auditors, and compliance officers work from the same report.
Every confirmed finding maps to one or more application security control frameworks.
Dossiers are issued with compliance rollup tables ready for auditor review.
AI assessment output maps to governance frameworks for LLM and agentic products.
Slack, Jira, GitHub, SARIF, webhooks, and more — findings route into your existing toolchain automatically. No new dashboard to babysit.
Dashboards, reports, multi-workspace, integrations, and schedules. Sign up and run a full assessment in under three minutes.
Get started →Native Mac client. Same workspace as the web app, plus on-device repo scanning, Downloads + macOS posture monitors, and an agentic remediation runner that keeps source on your machine.
Get started →Run deterministic checks in pipelines. Emit SARIF, trigger GitHub checks, and route findings into the platform from any CI system.
Get started →Expose scanning and security automation as tools to compatible AI agents. Invoke assessments and fetch findings inside AI workflows.
Get started →Operate the full stack inside your boundary via Docker Compose. Control data residency, tune scanning, and meet internal security policy.
Get started →| Provision | Free$0 · during beta | ProComing soon | TeamCustom |
|---|---|---|---|
| Web DAST (OWASP Top 10, exploitation-grade) | · | · | · |
| Repo scanning — Semgrep OSS + OSV advisories | · | · | · |
| IaC + container scanning (Trivy, Checkov) | · | · | · |
| Authenticated assessments (encrypted credentials) | · | · | · |
| Compliance mapping (OWASP · PCI · SOC 2 · NIST · ISO · HIPAA) | · | · | · |
| Formal DOCX & PDF reports | · | · | Branded |
| Automated remediation — fix-PR for every finding | — | · | · |
| DAST exploitation — verified PoCs | — | · | · |
| SAST Auto-Patching (semantic diffs) | — | · | · |
| Continuous scan-on-push loop | — | · | · |
| Single sign-on (SAML / OIDC) | — | — | · |
| Dedicated Slack channel & priority response | — | — | · |
| Custom data residency & deployment | — | — | · |
Direct answers — on authorisation, scope, plans, audit acceptance, self-hosting, and credential handling. For anything else, write to us.
Yes. Every shipped feature - URL scanning (DAST), repo scanning (Semgrep OSS + OSV advisories), IaC scanning (Trivy config + Checkov), SBOM generation, threat models (STRIDE/DREAD), compliance mapping, and reporting - is unlocked at $0 while we're in open beta. No card, no trial expiry, no feature gating. Pro and Team are post-beta plans for organisations that want the automated remediation pipeline and dedicated support.
Pro is centred on automated remediation that doesn't just find vulnerabilities - it fixes them. The remediation pipeline opens a single PR that resolves every triaged finding. DAST exploitation proves impact with verified PoCs. SAST auto-patching writes semantic, reviewer-friendly diffs grounded in scanner evidence. Pro is announced as coming soon; Free covers everything else today.
Pencheff is for applications you own or have been granted written permission to assess. It is an instrument of assurance, not a means of unauthorised access. Please direct it only at systems within your mandate.
One complete engagement against a target: reconnaissance, infrastructure, injection, client-side, authentication, authorisation, advanced web, API, business logic, cloud, file handling, websocket, subdomain takeover, and exploit chaining. Re-examination of individual findings is unlimited.
Quick profile: 2-5 minutes. Standard: 10-25 minutes. Deep: 30-90 minutes, contingent on application breadth.
Yes. DOCX and PDF reports include evidence-backed mapping to OWASP Top 10 (2021), PCI-DSS 4.0, NIST 800-53, SOC 2 (CC6/CC7), ISO 27001:2022, and HIPAA Security Rule - accepted by auditors as evidentiary material.
Yes. Pencheff is distributed as a Docker Compose stack under an MIT licence. Refer to the repository documentation for installation.
Credentials are encrypted at rest with Fernet (AES-128 in CBC mode with HMAC-SHA256). Removing a target removes its credentials immediately.
A complimentary assessment takes under three minutes to commission and under thirty to complete. No credit card, no sales call.