Discovery maps your perimeter every week. Scanner pentests it monthly and revalidates open findings weekly. Shield watches the wire between scans. One model, one memory — yesterday's recon hit becomes tomorrow's chain root.
An autonomous Claude-powered agent reasons across findings (auth bypass, IDOR, SSRF, deserialisation, business logic) and stitches them into multi-step attack chains. Every chain ships with a reproducible PoC you can hand to engineering and run in CI. Runs monthly per project; weekly revalidation replays open findings on the same cadence.
$ aisec pentest --target app.aisec.tools
▸ recon.subdomain found 7 hosts (1 new: staging-2)
▸ probe.auth → JWT alg=none accepted
▸ probe.idor → /api/users/:id leaks email
▸ chain.compose 2 → 3 → privilege_escalation
▸ verify.takeover 200 OK [CRITICAL]
▸ poc.write poc-2891.curl (1.2 KB)
FND-2891-014 Account takeover
CVSS 9.1 · CWE-287 · auth-bypass
Memory carries between cycles: yesterday's recon hit becomes tomorrow's chain root.
No agent install. No SSO ticket. Verify ownership via a DNS TXT record and the agent goes to work — Discovery first, then Scanner against everything it found.
Passwordless. No card to start a trial scan against demo targets.
Subdomains inherit the project's authorisation. Test creds optional — improves auth coverage.
HMAC-signed token at _aisec-verify.<root>. One-shot. Subdomains inherit.
Discovery enumerates the perimeter; Scanner pentests it. First findings land in your dashboard within the hour.
"Ready to retest" reruns the exact PoC against the patch. Reproduces → reopen. Doesn't → resolve. Audit-grade evidence either way.
No black box. AISEC orchestrates a small, deliberate set of best-of-breed tools — and the agent is the one deciding what to run, when.
The model picks attack strategy from recon data, writes payloads, reads responses, and decides when a finding is real. Tool calls are typed, sandboxed, and observable. Heavy reasoning on Sonnet; cheap revalidation runs on Haiku — same agent loop, sharper unit economics.
Renders SPAs, follows fetch / XHR, captures every API call the browser made. Mines source maps for hidden endpoints, classifies links (interesting / auth / api / files), runs auth-bootstrap registration end-to-end with email-OTP solving.
CT-log harvest, passive DNS, port scans, WAF fingerprint, OpenAPI/GraphQL schema mining, JS source-map sink mining, npm vuln audit. 10K+ nuclei templates are auto-selected to match the detected tech stack, with no manual template wrangling.
The agent reaches for the right tool when its hypothesis says so — not by template, by reasoning. Plus a built-in differential-test tool that fires N request variants and compares timing / status / body diff to confirm a finding before reporting.
Continuously refreshed CVE feed for retro-scanning new vulnerabilities against your existing inventory. Credential-leak intelligence cross-references your domain against breach databases, then probes login endpoints.
Every finding gets a reproducible PoC, CVSS, CWE, OWASP 2021 + PCI DSS 4.0 + CWE Top 25 mapping, and exploitability score (0–100). Reports white-label on Pro and above.
The agent fingerprints what you ship and adapts its playbook accordingly. If we're missing something you need, ask — playbooks are added in days, not quarters.
Point it at one target. We'll show you the first chain before tomorrow's standup.