Welcome to Pencheff

Open beta. Pencheff is in active beta — every feature is unlocked at the Free tier today. Pro (coming soon) adds automated remediation that fixes what it finds. Team is for organisations needing unlimited scale and dedicated support — contact us.

Pencheff is an autonomous penetration testing platform that blends a full DAST engine with software composition analysis, IaC misconfiguration scanning, host vulnerability assessment, continuous attack surface management, and a YAML-driven automation framework. Findings can be mapped to common compliance framework categories and wired into your chat / pager / SIEM of choice.

What Pencheff is

Category | Covered by
--- | ---
AI agent swarm — parallel multi-agent scanning, 17 agents in 3 phases | swarm (default), SWARM_ENABLED=false to revert
AI runtime protection — guardrail proxy, agent firewall, runtime traces, memory scanner, provider-backed memory target registration, and local memory-file import | sentry + /proxy/{target}, /v1/memory/scan, /v1/traces
Web DAST — OWASP Top 10, exploit-first manual hacking | scan_injection, scan_auth, scan_authz, scan_client_side, scan_advanced, test_endpoint, test_chain
SCA + SBOM + license compliance | scan_dependencies, generate_sbom, check_licenses
IaC + container scanning | scan_dockerfile, scan_kubernetes, scan_terraform, scan_helm, scan_container_image
Cloud posture targets — CSPM, CIEM, DSPM, serverless, edge/CDN, managed databases, and secrets metadata | cloud_account, serverless_function, cloud_storage, load_balancer_cdn, cloud_database, secrets_manager
Network VA — host CVE + service misconfig assessment | scan_host_vulns, scan_network_misconfig, scan_authenticated_host
Passive proxy + parameter fuzzer + YAML automation | start_proxy, fuzz_parameter, run_policy
Attack Surface Management — continuous discovery, cert watch | asm_discover, asm_diff, asm_cert_watch
Scheduled / continuous scans | /schedules API + dashboard
Integrations — Slack, Teams, PagerDuty, Splunk, Opsgenie, Discord, webhooks, Jira, GitHub | /integrations API + dashboard
Compliance reports — OWASP Top 10, PCI-DSS, NIST 800-53, SOC 2, ISO 27001, HIPAA | Findings mapped to framework categories

Elevator pitch

A scanner tells you “HSTS header missing.” Pencheff tells you “I stole your admin session, dumped your database, and pivoted into your AWS account via the metadata service — here is the PoC, the CVSS, and the CISA-KEV flag.”

It does both — automated breadth and elite manual depth — in one MCP + CLI tool that plugs straight into your IDE, CI/CD pipeline, or a scheduled agent.

Start here