Welcome to Pencheff
Open beta: Pencheff is in active beta — every feature is unlocked at the Free tier today. Pro (coming soon) adds automated remediation that fixes what it finds. Team is for organisations needing unlimited scale and dedicated support — contact us.
Pencheff is an autonomous penetration testing platform that blends a full DAST engine with software composition analysis, IaC misconfiguration scanning, host vulnerability assessment, continuous attack surface management, and a YAML-driven automation framework. Findings can be mapped to common compliance framework categories and wired into your chat / pager / SIEM of choice.
What Pencheff is
| Category | Covered by |
|---|---|
| AI agent swarm — parallel multi-agent scanning, 17 agents in 3 phases | swarm (default), SWARM_ENABLED=false to revert |
| AI runtime protection — guardrail proxy, agent firewall, runtime traces, memory scanner, provider-backed memory target registration, and local memory-file import | sentry + /proxy/{target}, /v1/memory/scan, /v1/traces |
| Web DAST — OWASP Top 10, exploit-first manual hacking | scan_injection, scan_auth, scan_authz, scan_client_side, scan_advanced, test_endpoint, test_chain |
| SCA + SBOM + license compliance | scan_dependencies, generate_sbom, check_licenses |
| IaC + container scanning | scan_dockerfile, scan_kubernetes, scan_terraform, scan_helm, scan_container_image |
| Cloud posture targets — CSPM, CIEM, DSPM, serverless, edge/CDN, managed databases, and secrets metadata | cloud_account, serverless_function, cloud_storage, load_balancer_cdn, cloud_database, secrets_manager |
| Network VA — host CVE + service misconfig assessment | scan_host_vulns, scan_network_misconfig, scan_authenticated_host |
| Passive proxy + parameter fuzzer + YAML automation | start_proxy, fuzz_parameter, run_policy |
| Attack Surface Management — continuous discovery, cert watch | asm_discover, asm_diff, asm_cert_watch |
| Scheduled / continuous scans | /schedules API + dashboard |
| Integrations — Slack, Teams, PagerDuty, Splunk, Opsgenie, Discord, webhooks, Jira, GitHub | /integrations API + dashboard |
| Compliance reports — OWASP Top 10, PCI-DSS, NIST 800-53, SOC 2, ISO 27001, HIPAA | Findings mapped to framework categories |
Elevator pitch
A scanner tells you “HSTS header missing.” Pencheff tells you “I stole your admin session, dumped your database, and pivoted into your AWS account via the metadata service — here is the PoC, the CVSS, and the CISA-KEV flag.”
It does both — automated breadth and elite manual depth — in one MCP + CLI tool that plugs straight into your IDE, CI/CD pipeline, or a scheduled agent.
Start here
- New to Pencheff? → Install & first scan
- Want a one-page rapid path? → Quickstart (URL · LLM · Repo · SBOM · Compliance)
- Want an end-to-end walkthrough? → Tutorials
- Registering AWS/Azure/GCP targets? → Cloud target registration
- Want a native Mac client? → Pencheff Studio (macOS) — download, sign in, scan locally
- Curious about the architecture? → Concepts
- Integrating with CI? → GitHub Actions recipe
- Mapping findings to controls? → Compliance mapping (per-scan)
- Writing a custom check? → Plugin SDK