From the Pencheff docs
Partner pentest triage (HackerOne / Bugcrowd / Cobalt)
Pencheff integrates with HackerOne, Bugcrowd, and Cobalt as partner pentest platforms: a finding_new event can be submitted as a draft report on the upstream platform, and the triager's verdict flows back through a callback that flips Pencheff's verification_status.
The integration sidesteps the multi-year build-out of a researcher network: instead of operating one ourselves, we route findings to the platform whose researcher community already triages your engagements.
What it does
| Stage | Direction | Surface |
|---|---|---|
| Submit for triage | Pencheff → partner | Click Verify with humans → on a finding card; the finding is forwarded as a finding_new event through the configured integration. |
| Triager verdict | Partner → Pencheff | The partner's webhook calls back into POST /findings/{id}/verify-callback with one of: confirmed / informative / duplicate / not-applicable. |
| State flip | Pencheff side | confirmed → verification_status = true_positive. informative → false_positive. duplicate / not-applicable → suppressed with reason. |
Configure an integration
| Platform | Config fields |
|---|---|
| HackerOne | api_username, api_token |
| Bugcrowd | api_token, program_uuid |
| Cobalt | api_token, pentest_id |
Add via Settings → Integrations → Add integration. Each platform has a one-click "test" round-trip:
- HackerOne: GET /v1/me
- Bugcrowd: GET /me (Crowdcontrol API v4)
- Cobalt: GET /orgs (Cobalt API v3, X-Api-Key auth)
The test verifies the credentials before any real submission, so a bad token surfaces at setup time rather than the first time a real finding is routed.
Per-finding triage button
Every finding card on /scans/{id}/findings/{fid} exposes a Verify with humans → button under the action row (next to Re-examine, Mark fixed, Confirm). Clicking it shows one button per configured partner kind (HackerOne, Bugcrowd, Cobalt), and the chosen platform receives the finding as a draft report.
Webhook signing
The Phase 1.2 HMAC primitive (pencheff_api.services.integration_dispatch.sign_webhook_body) signs outbound bodies for the generic webhook integration only. Partner integrations rely on each partner's own signed-callback mechanism (HackerOne hash signature header, Bugcrowd JWT, Cobalt shared secret).
Pencheff does not yet validate those signatures on inbound verify-callback requests (next iteration; tracked under the Phase 4 follow-up). Until it does, treat POST /findings/{id}/verify-callback as unauthenticated: a caller that can reach it can flip a finding to false_positive or suppressed. Validate the partner's signature in front of the endpoint (reverse proxy, API gateway, or a small verifier service) and drop any request that fails the check before it reaches Pencheff.
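The gate described above, as an added example in Python (the language of the API service). This is not Pencheff's code and does not reproduce any partner's real signature format: it assumes a hypothetical scheme of HMAC-SHA256 over "<timestamp>.<raw body>" carried in hypothetical X-Partner-Signature and X-Partner-Timestamp headers, with a 300-second replay window that is likewise an assumption. The verdict-to-state mapping follows the state-flip table on this page. Swap in the partner's documented header and algorithm before deploying.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Assumed, illustrative signing scheme: HMAC-SHA256 over "<timestamp>.<raw body>",
# carried in two hypothetical headers. None of the three partners uses exactly
# this; substitute the partner's documented header and algorithm.
SIGNATURE_HEADER = "X-Partner-Signature"
TIMESTAMP_HEADER = "X-Partner-Timestamp"
MAX_SKEW_SECONDS = 300  # replay window; an assumption, not a Pencheff setting

# Verdict -> (verification_status, suppression reason), per the state-flip table.
VERDICT_TO_STATE = {
    "confirmed": ("true_positive", None),
    "informative": ("false_positive", None),
    "duplicate": ("suppressed", "duplicate"),
    "not-applicable": ("suppressed", "not-applicable"),
}


@dataclass(frozen=True)
class CallbackResult:
    accepted: bool
    reason: str
    verification_status: str | None = None
    suppression_reason: str | None = None


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """HMAC over timestamp and body together, so neither can be swapped alone."""
    msg = timestamp.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_request(secret: bytes, payload: dict,
                 now: float | None = None) -> tuple[dict[str, str], bytes]:
    """Partner side of the assumed scheme; used here only to build sample callbacks."""
    ts = str(int(time.time() if now is None else now))
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return {TIMESTAMP_HEADER: ts, SIGNATURE_HEADER: compute_signature(secret, ts, raw)}, raw


def verify_callback(secret: bytes, headers: dict[str, str], raw_body: bytes,
                    now: float | None = None) -> CallbackResult:
    """Gate an inbound verify-callback: signature and freshness first, parsing second."""
    now = time.time() if now is None else now
    ts, sig = headers.get(TIMESTAMP_HEADER), headers.get(SIGNATURE_HEADER)
    if ts is None or sig is None:
        return CallbackResult(False, "missing signature or timestamp header")
    try:
        age = now - float(ts)
    except ValueError:
        return CallbackResult(False, "malformed timestamp")
    if abs(age) > MAX_SKEW_SECONDS:
        return CallbackResult(False, "timestamp outside replay window")
    # Constant-time comparison: a plain == leaks where the first differing byte is.
    if not hmac.compare_digest(compute_signature(secret, ts, raw_body), sig):
        return CallbackResult(False, "bad signature")
    # Only now is the body trusted enough to parse.
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError:
        return CallbackResult(False, "body is not JSON")
    verdict = payload.get("verdict") if isinstance(payload, dict) else None
    if not isinstance(verdict, str) or verdict not in VERDICT_TO_STATE:
        return CallbackResult(False, f"unknown verdict {verdict!r}")
    status, suppression = VERDICT_TO_STATE[verdict]
    return CallbackResult(True, "ok", status, suppression)


if __name__ == "__main__":
    # Constructed sample: a shared secret and one partner callback for one finding.
    secret = b"constructed-shared-secret"
    headers, body = sign_request(secret, {"finding_id": "f-123", "verdict": "confirmed"})
    print(verify_callback(secret, headers, body))
    # Same headers, tampered body: the signature no longer matches.
    print(verify_callback(secret, headers, body.replace(b"confirmed", b"informative")))
```

The order matters: the raw bytes are authenticated before anything parses them, the comparison is constant-time, and the timestamp is inside the MAC so a captured callback cannot be replayed later to re-flip a finding. Unknown verdicts are rejected rather than mapped to a default, so a partner-side schema change cannot silently suppress findings.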
Source
- Formatters: apps/api/.../services/integration_dispatch.py (_hackerone_payload, _bugcrowd_payload, _cobalt_payload)
- Verify-with-humans endpoint: POST /findings/{id}/verify-with-humans
- Verify callback: POST /findings/{id}/verify-callback
- UI button: apps/web/components/verify-with-humans-button.tsx