Skip to content
Pentest Geniev0 · pre-release
Use cases

Different shapes of target. Same agent.

Pentest Genie isn't a vertical-specific tool. The same loop runs against a bug bounty program, a pre-prod release, and a SOC-2 evidence gather — the difference is mode, scope, and what artifact you ship at the end.

Request early accessSee the architecture
Who runs it

Four audiences. One toolkit.

Each audience uses a different mode, a different scope shape, and a different export format. The agent doesn't change — what you give it and what you take from it does.

01Bug bounty hunters

Find the bug. Skip the write-up.

The agent finds the vuln, reproduces it, captures the evidence, and exports a submission-ready report. You hit submit. Get paid faster.

  • Custom Python PoC scripts attached to every finding
  • Browser-confirmed XSS and OOB-confirmed blind classes
  • HackerOne + Bugcrowd format export, one click
  • Scope enforcement so you stay inside the program
Submit to your program
Pentest Genie finding detail — Database Password Exposed in Redis with severity, evidence, and remediation panels
Finding detail with evidence, payload, and remediation
02Red teams

Initial access at machine speed.

Stop spending Tuesday afternoon running subfinder. The agent handles recon, hypothesis, and first-stage exploitation autonomously — you take the wheel for the part that needs you.

  • 30-tool toolkit wielded autonomously
  • Multi-agent coordinator runs specialists in parallel
  • Chain mode pivots from SQLi to credential dump to admin
  • Knowledge corpus reuses every exploit you've ever run
Brief us on your engagement
Pentest Genie scan events log — mission events showing SQL injection to dump credentials and JWT bypass to admin access
Mission events — chain mode in flight
03AppSec & product security

Continuous coverage on apps that ship daily.

A manual pentest is a photograph. Your apps need a video. Run the agent on every release, every PR, every feature flag flip — cost-capped so it scales with you.

  • Cost cap per scan, hard-enforced — predictable bill
  • Scope enforcement on wildcards and CIDR ranges
  • Live observability via 20-event WebSocket stream
  • Diff successive scans to catch regressions on deploy
Wire it to your release pipeline
Pentest Genie active scan — running multi-agent assessment with cost budget, duration, and live status
Live scan with $25 budget cap and multi-agent runtime
04Compliance & GRC

Audit-grade evidence, on demand.

Annual pentests go stale by day 30. The agent gives you scan artifacts that auditors actually look at — payloads, evidence, timestamps, full reproducibility.

  • JSON, HTML, PDF reports — pick the format the auditor wants
  • Full audit trail: every payload, every response, every decision
  • Reproducible runs from the same inputs
  • Maps to SOC 2, ISO 27001, PCI DSS pentest evidence requirements
Show this to your auditor
Pentest Genie verified vulnerabilities list — 96 findings across critical, high, medium, low with CVSS scores
96 verified vulnerabilities, ready for audit export
CWE coverage

48 CWE patterns. Fourteen named exploit chains.

Every chain is hardcoded to a set of CWE IDs in `exploit_template_engine.py`. When the agent recognises a class, it pivots into the matching chain — not into a generic LLM probe. Exploitation is predictable, auditable, and mapped to OWASP Top-10 2021.

48

CWE IDs → 14 chains → 10 OWASP categories

A01:2021

Broken Access Control

2 chains

  • idor_to_exfil

    IDOR → cross-actor exfiltration

    • CWE-639
    • CWE-284
    • CWE-285
    • CWE-862
    • CWE-863
    • CWE-200
  • lfi_to_rce

    LFI → RCE

    • CWE-22
    • CWE-23
    • CWE-36
    • CWE-73
    • CWE-98
    • CWE-99
    • CWE-426
    • CWE-427
A02:2021

Cryptographic Failures

1 chain

  • race_condition

    Race condition

    • CWE-362
    • CWE-367
A03:2021

Injection

6 chains

  • sqli_to_creds

    SQLi → credential dump

    • CWE-89
    • CWE-564
    • CWE-943
  • cmdi_to_rce

    Command injection → RCE

    • CWE-78
    • CWE-77
    • CWE-88
  • ssti_to_rce

    SSTI → RCE

    • CWE-94
    • CWE-95
    • CWE-1336
  • xxe_to_lfi

    XXE → LFI

    • CWE-611
    • CWE-776
  • xss_to_impact

    XSS → account impact

    • CWE-79
    • CWE-80
  • nosql_injection

    NoSQL injection

    • CWE-943
A04:2021

Insecure Design

1 chain

  • upload_to_rce

    File upload → RCE

    • CWE-434
    • CWE-351
    • CWE-436
A07:2021

Identification & Authentication

2 chains

  • auth_bypass_to_admin

    Auth bypass → admin

    • CWE-287
    • CWE-288
    • CWE-290
    • CWE-294
    • CWE-306
    • CWE-798
  • jwt_bypass

    JWT bypass

    • CWE-327
    • CWE-347
    • CWE-345
    • CWE-1321
A08:2021

Software & Data Integrity

1 chain

  • deserialization_rce

    Deserialization → RCE

    • CWE-502
    • CWE-915
A10:2021

Server-Side Request Forgery

1 chain

  • ssrf_to_cloud

    SSRF → cloud metadata

    • CWE-918
    • CWE-441

Source: `exploit_template_engine.py` lines 39–114. Mapping versioned with the dispatch.

Scan modes

Pick the cadence that matches the engagement.

One agent, three operating profiles. Mode controls request rate, evasion, and concurrency — not what gets tested.

Stealth

~1 req / 5s
Quiet by design.

Low-rate, jittered, evasive. For environments where you don't want WAFs lighting up or SOC pages firing. Best for red-team engagements that simulate a careful attacker.

Best forRed team · adversary simulation

Normal

~10 req / s
Balanced and predictable.

Default profile. Moderate concurrency, standard rate limits. The right mode for bug bounty hunting and pre-production AppSec scans.

Best forBug bounty · AppSec releases

Aggressive

burst · concurrent=8
Cover the surface fast.

High concurrency, full toolkit, broad fuzzing. Use when you control the target and the goal is to surface everything quickly — internal staging, compliance evidence gather, or pre-launch.

Best forCompliance · internal staging
What you take home

Five report formats. Every artifact the agent touched.

Reports are not afterthoughts. Every scan produces multiple export formats, plus the raw evidence that backs each finding.

Report formats

JSON

.json

Structured findings, evidence refs, full telemetry

HTML

.html

Dark-themed interactive report with collapsible evidence

PDF

.pdf

Print-ready for compliance distribution

HackerOne

.h1.md

Markdown formatted for HackerOne submission

Bugcrowd

.bc.md

Markdown formatted for Bugcrowd submission

Evidence the agent persists

PoC scripts

Custom Python that reproduces each finding end-to-end

Payload log

Every payload sent, every response received, indexed by finding

OOB receipts

Interactsh callback logs proving blind classes

Browser frames

Screenshots from Browserbase confirming DOM-level execution

Event stream

20-event-type WebSocket log replayable from disk

Cost ledger

Token usage and dollar cost per agent, per step

Pick your shape

Tell us what your target looks like.

We'll match you to the right mode, scope, and export format — and get you running against your first target.

Request early access