Continuous security validation, on autopilot.
PenScanner runs authorized, non-destructive security scans against your clients' web assets on a schedule, deduplicates and triages the findings with an LLM, and ships reports mapped to SOC2, PCI, HIPAA, and ISO27001, with no human in the loop for the common 80% of cases.
No credit card required. Free tier: 3 assets, 50 scans/month, 30-day retention.
What it does
Authorized, by design
Every asset requires a signed authorization reference before any scan runs. Scans re-verify scope, rate limits, and tenant emergency stop on every request.
Safe scanners only
DNS / SPF / DMARC, HTTP availability, TLS, security headers, robots.txt / sitemap, OWASP ZAP baseline, and Nuclei restricted to non-destructive tags.
AI triage
An LLM deduplicates, severity-classifies, maps to OWASP/CWE/compliance frameworks, drafts remediation, and writes client-friendly executive summaries.
Continuous
Daily, weekly, or monthly cadence per asset. Diff against the previous run to surface only what's new, fixed, or regressed.
Integrate everywhere
Slack, email, and signed webhook events. API tokens for CI/CD. CSV export and shareable PDF reports.
Compliance-ready
Findings tagged with SOC2, PCI-DSS, ISO27001, HIPAA, GDPR, and NIST-CSF. Immutable audit log of every action.
Three plans, plus pay-as-you-go add-ons
Free tier covers 3 assets and 50 scans/month. Pro and Enterprise add API access, compliance dossiers, continuous attack-surface monitoring, and expert reviews.