Frequently Asked Questions
Everything you need to know about Pentrust. Can't find your answer? Email us.
Getting Started
What is Pentrust?
Pentrust is an automated AI-powered penetration testing platform for web applications. It uses AI agents to actively attempt to exploit your application the way a real attacker would — finding vulnerabilities like IDOR, authentication bypass, injection flaws, and misconfigurations — then generates a prioritized report with copy-paste fixes for every finding.
Who is Pentrust for?
Pentrust is built specifically for developers who ship fast — especially those using AI coding tools like Cursor, Bolt, Replit, Lovable, and v0. If you've built an app that handles user data, authentication, or any sensitive operations, Pentrust helps you understand your security exposure before your users or an attacker discovers it.
Do I need to be a security expert to use Pentrust?
No. Pentrust is designed for developers, not security specialists. You provide your app's URL and an optional test account, and Pentrust handles the rest. Findings are explained in plain English with step-by-step fixes written for your specific tech stack.
How quickly can I run my first scan?
You can have your first scan running within 5 minutes of signing up. Add your domain, verify ownership (a quick DNS TXT record or file placement), and kick off the scan. Results are typically ready within 20–40 minutes depending on your application's complexity.
How It Works
How is Pentrust different from a vulnerability scanner?
Vulnerability scanners check for known patterns — outdated dependencies, missing headers, and common misconfigurations. They're fast and useful but they miss the vulnerabilities that matter most: IDOR, broken authorization, authentication bypass, and business logic flaws.
Pentrust runs AI agents that actively attempt exploitation, not just passive detection. The agents authenticate as real users, attempt to access other users' resources, chain multiple techniques together, and confirm that vulnerabilities are actually exploitable — not just theoretically possible. This catches what scanners fundamentally cannot.
What is the difference between black-box, gray-box, and white-box testing?
Black-box testing: the scanner has no credentials and tests only what an unauthenticated attacker could reach. Good for external exposure assessment.
Gray-box testing: you provide test credentials, and the scanner tests as an authenticated user. This is the most valuable configuration — it finds IDOR, broken authorization, and privilege escalation issues that require being logged in to discover.
White-box testing: you provide full context including API keys and additional application information. The most comprehensive option for high-security applications.
What vulnerabilities does Pentrust find?
Pentrust covers all major vulnerability classes including: Insecure Direct Object Reference (IDOR), broken authentication and authorization, SQL and NoSQL injection, Server-Side Request Forgery (SSRF), sensitive data exposure, security misconfiguration, missing rate limiting and brute force protection, Cross-Site Scripting (XSS), authentication token weaknesses, and business logic flaws.
The AI agents are specifically trained on vulnerability patterns common in AI-generated code, making them particularly effective at finding issues in vibe-coded applications.
How long does a scan take?
Most scans complete in 20–40 minutes. Larger applications with many routes and endpoints may take longer. You'll get a notification when the scan is complete, and results are available immediately in your dashboard.
Can I scan applications that require authentication?
Yes — this is where Pentrust is most valuable. Gray-box testing with authenticated credentials lets the AI agents probe your application's authorization logic, test whether users can access other users' data, and attempt privilege escalation. Credentials are encrypted at rest using AES-256 and are never shared or used outside of your authorized scan.
Security and Privacy
Is my application data secure?
Yes. Pentrust uses AES-256 encryption for credentials stored at rest and TLS 1.3 for all data in transit. Row-level security policies ensure that your scan data is only accessible to your account. We never store your credentials beyond the duration needed to complete the scan.
Will the scan affect my production application?
Pentrust is designed to be production-safe. The AI agents operate as normal users, avoid destructive operations, and don't generate large-scale load. However, as with any security test, we recommend running your first scan against a staging environment to understand the scan's behavior before pointing it at production.
Can I test applications I don't own?
No. Pentrust requires domain verification before any scan can run — you must prove ownership of the target domain by adding a DNS TXT record or placing a verification file at a specific URL. Unauthorized penetration testing is illegal under the Computer Fraud and Abuse Act and equivalent laws worldwide.
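The ownership check described above and in "How quickly can I run my first scan?" (a DNS TXT record or a verification file), as an added illustration in Python that is not Pentrust's own code. The record format `pentrust-verification=<token>`, the file path `/.well-known/pentrust-verification.txt` and the function names are assumptions; the DNS resolver and HTTP fetcher are passed in as callables so the logic runs offline.

```python
"""Domain-ownership verification of the kind the FAQ describes.
Added illustration, not Pentrust's code; record format, path and names are assumed."""
import hmac
import re
import secrets
from typing import Callable, Iterable, Optional

TXT_PREFIX = "pentrust-verification="                       # assumed TXT format
WELL_KNOWN_PATH = "/.well-known/pentrust-verification.txt"  # assumed file path
# Hostname only: labels of 1-63 chars, alphabetic TLD, 253 chars total.
# Rejects schemes, paths, ports and bare IPs so the lookup target is exactly a domain.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def issue_token() -> str:
    """Unguessable per-domain token the owner must publish before scanning."""
    return secrets.token_urlsafe(24)


def normalize_domain(domain: str) -> str:
    """Lower-case, drop the trailing dot, and refuse anything that is not a hostname."""
    d = domain.strip().lower().rstrip(".")
    if not _HOSTNAME.match(d):
        raise ValueError(f"not a valid hostname: {domain!r}")
    return d


def verify_domain(domain: str, token: str,
                  resolve_txt: Callable[[str], Iterable[str]],
                  fetch: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return which method proved ownership ('dns' or 'file'), or None.

    resolve_txt(name) yields the TXT strings for name; fetch(url) returns the
    body of a 200 response or None. Both are injected (constructed in tests).
    """
    d = normalize_domain(domain)
    expected = TXT_PREFIX + token
    # DNS path: some TXT record on the domain must equal the expected value exactly.
    try:
        if any(r.strip().strip('"') == expected for r in resolve_txt(d)):
            return "dns"
    except Exception:
        pass  # resolver failure is not proof either way; fall through to the file check
    # File path: HTTPS only, and the token must be the whole body (modulo whitespace),
    # so a page that merely echoes request input somewhere cannot pass.
    body = fetch(f"https://{d}{WELL_KNOWN_PATH}")
    if body is not None and hmac.compare_digest(body.strip().encode(), token.encode()):
        return "file"
    return None
```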
How is my data used?
Your scan data (findings, requests, responses) is retained for the duration of your subscription according to your plan. We may use anonymized, de-identified aggregate data to improve our AI models. We never share your specific scan data, credentials, or application information with third parties. See our Privacy Policy for full details.
Results and Fixes
What do I get in a scan report?
Each finding includes: a description of the vulnerability and what it means in plain English, the exact HTTP requests used to confirm the exploit, proof of exploitability (the response that demonstrates the vulnerability), a severity rating (Critical, High, Medium, Low) based on CVSS score, the OWASP vulnerability category, and a step-by-step fix with code examples in your tech stack.
How do I know which findings to fix first?
Focus on Critical and High findings first, particularly those involving user data exposure (IDOR, broken authorization) and authentication bypass. These carry the highest legal and reputational risk. Medium findings should be addressed before any public launch. Low findings can be addressed on a rolling basis.
Can I export scan results?
Yes. Scan reports can be exported as PDF for sharing with your team, investors, or compliance auditors. PDF exports include all findings, evidence, and remediation recommendations in a professional format.
Can I re-scan after fixing vulnerabilities?
Yes, and we recommend it. After applying fixes, re-run the scan to verify the vulnerabilities have been resolved. This gives you a tight feedback loop and ensures your fixes actually work.
Pricing and Plans
Is there a free tier?
Yes. You can run a free pentest to see the kind of findings Pentrust surfaces. Paid plans unlock unlimited scans, deeper testing, gray-box authenticated scanning, and PDF report exports.
How does pricing work?
Pentrust is priced on a monthly or annual subscription basis. Plans are tiered by the number of domains you can scan and the depth of testing. See our Pricing page for current plans and rates.
Is Pentrust cheaper than a traditional penetration test?
Significantly. Traditional penetration tests cost $15,000–$50,000 and take weeks to schedule and complete. Pentrust provides comprehensive automated testing in minutes at a fraction of the cost, with the added benefit of being runnable continuously as your application evolves — not just once a year.
Still have questions?
Our team is happy to help. Reach out and we'll get back to you quickly.