Quickstart
The shortest path from “I just installed Pencheff” to “I have a real finding in front of me” — one page per scan kind. Pick whichever asset class matches what you’re hardening today; every page finishes in under 10 minutes.
What you need first
- The Pencheff CLI (`pip install pencheff`), an account on app.pencheff.com, or an MCP-capable IDE (Cursor, Continue, Cline, Zed). All three drive the same engine.
- For URL scans — written authorization to test the target. The CLI and API both reject scans without a `consent_payload`.
- For LLM scans — an API key for the model under test, plus an optional moderation key (e.g. OpenAI Moderation) for the judge step.
- For repo scans — a GitHub App install, a fine-grained PAT, or a public GitHub URL.
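The consent requirement above is the one prerequisite worth wiring into your own tooling before a scan is ever submitted. The following pre-flight gate is an added illustration, not Pencheff's code or its `consent_payload` schema: the field names (`target`, `authorized_by`, `expires_at`, `scope`) and the sample authorization record are assumptions constructed for this example. It refuses to proceed when the payload is missing, expired, names a different origin than the URL being scanned, or does not cover the requested path.

```python
"""Pre-flight consent gate for a URL scan.

Added example, not Pencheff's own code or schema. The ConsentPayload fields
below are assumptions about what a written-authorization record might carry.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class ConsentPayload:
    target: str                           # origin that was authorized, e.g. https://staging.example.com
    authorized_by: str                    # who signed the authorization
    expires_at: str                       # ISO-8601 timestamp with timezone
    scope: Tuple[str, ...] = ("/",)       # path prefixes the authorization covers


def _origin(url: str) -> str:
    """Normalise a URL to scheme://host[:port], lower-cased, for comparison."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def check_consent(scan_url: str,
                  consent: Optional[ConsentPayload],
                  now: Optional[datetime] = None) -> List[str]:
    """Return the reasons a scan must NOT proceed; an empty list means it may."""
    if consent is None:
        return ["no consent_payload supplied"]
    now = now or datetime.now(timezone.utc)

    problems: List[str] = []
    try:
        expires = datetime.fromisoformat(consent.expires_at)
    except ValueError:
        return ["expires_at is not an ISO-8601 timestamp"]
    if expires.tzinfo is None:
        return ["expires_at must carry a timezone"]
    if expires <= now:
        problems.append("consent has expired")

    if not consent.authorized_by.strip():
        problems.append("consent names no authorizer")

    if _origin(scan_url) != _origin(consent.target):
        problems.append("scan URL origin does not match authorized target")

    path = urlparse(scan_url).path or "/"
    if not any(path.startswith(prefix) for prefix in consent.scope):
        problems.append("scan path is outside the authorized scope")

    return problems


# Constructed sample authorization record (not a real engagement).
SAMPLE_CONSENT = ConsentPayload(
    target="https://staging.example.com",
    authorized_by="J. Doe, Head of Security",
    expires_at="2030-01-01T00:00:00+00:00",
    scope=("/app", "/api"),
)


if __name__ == "__main__":
    for url in ("https://staging.example.com/app/login",
                "https://staging.example.com/admin",
                "https://prod.example.com/app"):
        verdict = check_consent(url, SAMPLE_CONSENT)
        print(url, "->", "OK" if not verdict else "; ".join(verdict))
```

Run the gate before constructing the actual scan request; only an empty problem list should let the request go out. Keeping the check client-side does not replace the runner's own rejection, it just turns a failed scan into an immediate, explainable error.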
Three depths, one shape
Every quickstart page uses the same three profiles: `quick`, `standard`, `deep`. The legacy specialised profiles (`engage`, `compliance`, `api-only`, `cicd`, `sca`, `iac`, `supply-chain`, `network-va`, `hackme`, `compliance-full`) still resolve at the runner for back-compat, but the dashboard, the docs, and the new scenarios all speak the three-tier vocabulary.
| Tier | URL scan | LLM scan | Repo scan |
|---|---|---|---|
| `quick` | ~5 min — recon + top-severity probes | 25 payloads, ~2 min | All scanners, fast rules only |
| `standard` | ~20-40 min — full OWASP Top 10 | 75 payloads, ~5 min | All scanners + IaC + secrets |
| `deep` | 60+ min — auto-engagement + chains + threat model | 250 payloads, 15-60 min | All scanners + extended rule packs |
Once you have a finding, Compliance mapping is the same flow for every target kind.
Going further
When you outgrow the rapid path, switch to the Tutorials section. Each tutorial walks an end-to-end scenario (auth-gated app, SPA crawl, CI gating, model drift A/B, audit-ready compliance bundle) and finishes with a runnable artefact you can ship to a customer.