Vulnios PT — Penetration Testing as a Service

Authenticated active scans
with evidence the auditor will accept

OpenAPI-driven, ZAP Automation Framework under the hood, with an AI Pentester layer for the hard cases. Every finding ships with CWE, CVSS, payload, evidence, and EPSS + KEV exploitability priority. SARIF 2.1.0, 5-framework compliance mapping, and a sha256-anchored attestation certificate per run.

30 days · No card required · Authenticated full-active scans included

15 industry-standard engines, one unified schema

We don't reinvent scanners. We orchestrate them, parse their structured output, deduplicate findings with a deterministic signature, and enrich each one with AI triage, EPSS and CISA KEV data.

OWASP ZAP (AF): DAST
Nuclei v3: Templates
Nikto: Web misconfig
Wapiti: Active scan
testssl.sh: TLS
sqlmap: SQL injection
Dastardly: CI-fast DAST
httpx: Recon
naabu: Port scan
subfinder: Subdomains
katana: Crawler
trufflehog: Secrets
jwt_tool: JWT
Trivy: SBOM/CVE
graphql-cop: GraphQL

What you get

Everything an enterprise security review demands, with the surface a developer can actually use.

Authenticated active scans

OAuth 2.0 client credentials, bearer token, HTTP basic, JWT, session cookie and custom header. Auth profiles attach to targets; credentials live in Secret Manager and are injected at job start, never entered by an operator at run time.

OpenAPI + GraphQL spec-driven

Point us at /openapi.json or your GraphQL endpoint. The ZAP AF requestor feeds every documented endpoint into activeScan as an authenticated session. graphql-cop checks for exposed introspection and denial-of-service vectors (alias, batch and field-duplication overloading).

AI Triage + Planner + Pentester

Gemini auto-enriches every finding with a confidence score and remediation guidance. A Claude tool-use loop runs interactive pentests under hard caps (12 turns, 200k input tokens, 30 min wall-clock, $5 per run, per-tenant kill-switch).

Compliance + attestation

SARIF 2.1.0 for GitHub Code Scanning. OWASP Top-10, PCI-DSS 4.0, NIST 800-53, ISO 27001, SOC 2 mapping. Sha256-anchored attestation certificate downloadable per run.

Findings v2 schema

Every finding ships with CWE, WASC, plugin id, CVSS vector and score, attack payload, evidence reference, instance count and a deterministic dedup signature, with EPSS + CISA KEV priority on top.
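The two mechanisms this card names, the deterministic dedup signature and the EPSS/KEV priority layered on top of CVSS, are shown below as an added example. This is illustrative code written for this page, not the Vulnios Findings v2 schema or its implementation; the field names, the sample findings and the EPSS/KEV values are constructed. The design choice it demonstrates is that the signature hashes the engine, plugin id, CWE, method, a normalized location and the parameter, but never the query string, so two payload variants of one injection collapse into one finding with two instances, while a re-run of the same tool against the same endpoint lands on the same signature.

```python
import hashlib
import json
import re
from urllib.parse import urlsplit

# Constructed sample: two ZAP instances of the same SQLi on one endpoint, the same
# issue seen by sqlmap, and a Trivy CVE hit. Field names are an assumption for this
# example, not the Vulnios Findings v2 schema.
SAMPLE_FINDINGS = [
    {"engine": "zap", "plugin_id": 40018, "cwe": 89, "cvss": 8.6, "method": "GET",
     "url": "https://api.example.com/v1/users/17?id=1'%20OR%201=1--", "param": "id", "cves": []},
    {"engine": "zap", "plugin_id": 40018, "cwe": 89, "cvss": 8.6, "method": "get",
     "url": "https://API.example.com/v1/users/42?id=1%20AND%20SLEEP(5)", "param": "id", "cves": []},
    {"engine": "sqlmap", "plugin_id": "boolean-based blind", "cwe": 89, "cvss": 9.0, "method": "GET",
     "url": "https://api.example.com/v1/users/17?id=1", "param": "id", "cves": []},
    {"engine": "trivy", "plugin_id": "CVE-2021-44228", "cwe": 917, "cvss": 10.0, "method": "",
     "url": "https://api.example.com/", "param": "", "cves": ["CVE-2021-44228"]},
]

# Constructed EPSS scores and KEV membership; production values come from the FIRST and CISA feeds.
EPSS = {"CVE-2021-44228": 0.97}
KEV = {"CVE-2021-44228"}


def normalize_location(url: str) -> str:
    """Scheme + lowercased host + path with numeric ids collapsed. The query string is
    dropped on purpose: it carries the per-request payload and would defeat dedup."""
    parts = urlsplit(url)
    path = re.sub(r"/\d+(?=/|$)", "/{id}", parts.path or "/")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"


def dedup_signature(f: dict) -> str:
    """sha256 over a canonical JSON key. Engine and plugin id are part of the key so a
    verify-fix re-run of the same tool against the same endpoint maps to the same signature."""
    key = {
        "engine": f["engine"],
        "plugin_id": str(f["plugin_id"]),
        "cwe": f.get("cwe"),
        "method": (f.get("method") or "").upper(),
        "location": normalize_location(f["url"]),
        "param": f.get("param", ""),
    }
    canonical = json.dumps(key, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def dedup(findings):
    """Merge findings that share a signature; keep every observed URL as an instance."""
    merged = {}
    for f in findings:
        sig = dedup_signature(f)
        if sig in merged:
            merged[sig]["instances"] += 1
            merged[sig]["urls"].append(f["url"])
        else:
            merged[sig] = {**f, "signature": sig, "instances": 1, "urls": [f["url"]]}
    return list(merged.values())


def exploit_priority(f: dict, epss=EPSS, kev=KEV) -> tuple:
    """KEV membership outranks EPSS, which outranks CVSS; lower rank number = fix first.
    DAST-only findings without a CVE have no EPSS entry and fall through to CVSS."""
    cves = f.get("cves", [])
    max_epss = max((epss.get(c, 0.0) for c in cves), default=0.0)
    if any(c in kev for c in cves):
        rank, label = 1, "P1-KEV"
    elif max_epss >= 0.5:
        rank, label = 2, "P2-EPSS"
    elif f.get("cvss", 0.0) >= 7.0:
        rank, label = 3, "P3-CVSS"
    else:
        rank, label = 4, "P4"
    return rank, label, max_epss


def prioritized(findings):
    """Dedup, attach priority, and order by rank then CVSS so the report reads top-down."""
    out = []
    for f in dedup(findings):
        rank, label, e = exploit_priority(f)
        out.append({**f, "priority": label, "epss": e, "_rank": rank})
    return sorted(out, key=lambda x: (x["_rank"], -x.get("cvss", 0.0)))


if __name__ == "__main__":
    for f in prioritized(SAMPLE_FINDINGS):
        print(f["priority"], f["engine"], f["signature"][:12], f["instances"], f["url"])
```

Cross-engine merging (ZAP and sqlmap reporting the same CWE on the same parameter) is deliberately not folded into the signature here; that is a second, lossier layer, and keeping the engine in the key is what lets a verify-fix run match its parent.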

Server-side scope guardrails

RFC 1918, link-local, loopback and cloud-metadata addresses (AWS, GCP, Azure) are blocked at target creation and again at job dispatch. DNS-rebinding protection re-resolves the target at dispatch and re-checks every returned IP. No accidental SSRF or scans of internal networks.

Verify-fix workflow

One click re-runs a finding's exact tool + endpoint to confirm a fix landed. Child finding links back to parent so the timeline survives across sprints.

Real-time governance

Atomic dispatch quotas, retention sweeper with 30d grandfather window, per-tenant audit log (365d TTL), platform-admin tenant observation with audit trail.

How Vulnios PT compares

We're honest: at the autonomous-loop depth, XBOW + RunSybil are further along. We're broader, cheaper at the trial+starter end, and ship the operator workflow + compliance pack you actually need.

Capability                       | Vulnios PT         | XBOW              | Pentera       | Detectify
Self-serve trial                 | 30 days, no card   | Demo only         | Sales contact | 14 days
AI Pentester (interactive)       | Claude tool-use    | Yes (proprietary) | Limited       | No
OpenAPI spec-driven              | Yes                | Yes               | Yes           | Yes
SARIF export                     | 2.1.0 + GitHub CS  | Yes               | Yes           | Yes
Verify-fix workflow              | Built-in           | Yes               | Yes           | Manual
Compliance mapping               | 5 frameworks       | 3                 | 3             | 2
Attestation certificate          | sha256-anchored    | Report only       | Report only   | Report only
Per-finding EPSS + KEV priority  | Built-in           | Add-on            | Add-on        | No
Public REST API + webhooks       | Bearer + HMAC      | Yes               | Yes           | Yes
Tenant-isolated multi-tenant     | Yes                | Yes               | Yes           | Yes
Pricing transparency             | Public tiers       | Sales-led         | Sales-led     | Public

Comparison reflects publicly-documented capabilities as of 2026-05. Send a correction to hello@vulnios.com if anything looks off.

Frequently asked questions

How does authorization / scope verification work?
You verify ownership of every target via a DNS TXT record or a file at /.well-known/vulnios-verify.txt. A server-side scope validator blocks RFC 1918 and cloud-metadata addresses and re-checks resolved IPs at dispatch to defeat DNS rebinding. An audit-logged self-attest fallback exists for environments where DNS or file verification isn't practical (Vercel previews, Heroku review apps).
What does the AI Pentester actually do?
It's a Claude tool-use loop with a strict allowlist (run_tool, read_finding, write_finding, request_auth_token — no shell, no eval). Each tool call is re-validated against PtPolicy.scopeRules server-side; scope violations fail hard and are not fed back to the model. Every turn is audit-logged to ptRuns/{id}/agentTurns/{n}. Caps: 12 turns, 200k input tokens, 30 min wall-clock, $5/run, and a per-tenant kill-switch flag.
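The guard this answer describes, an allowlist of four tools, server-side scope re-validation of every call, a per-turn audit record, and hard caps with a kill-switch, is shown as an added example. It is illustrative code written for this page, not the Vulnios agent; the class name, the cap values as constants, the shape of the tool-call dict and the in-memory findings store are assumptions, and the audit path string only mirrors the ptRuns/{id}/agentTurns/{n} layout named above. The behaviour worth noting is that a non-allowlisted tool gets a bland error back, while a scope violation raises and ends the run without returning anything to the model.

```python
import time
from urllib.parse import urlsplit

ALLOWED_TOOLS = {"run_tool", "read_finding", "write_finding", "request_auth_token"}
# Cap values from the FAQ; storing them as constants is this example's choice.
CAPS = {"turns": 12, "input_tokens": 200_000, "wall_seconds": 30 * 60, "cost_usd": 5.0}


class RunStopped(Exception):
    """Raised when a cap, the kill-switch or a scope rule terminates the run."""


class AgentRunGuard:
    """Server-side guard wrapped around each model tool call (illustrative, not the product's code)."""

    def __init__(self, run_id, in_scope_hosts, kill_switch=lambda: False, clock=time.monotonic):
        self.run_id = run_id
        self.in_scope_hosts = {h.lower() for h in in_scope_hosts}   # stands in for PtPolicy.scopeRules
        self.kill_switch = kill_switch                               # per-tenant flag, read on every turn
        self.clock = clock
        self.started = clock()
        self.turns = 0
        self.input_tokens = 0
        self.cost_usd = 0.0
        self.audit_log = []
        self.findings = {}

    def _audit(self, **rec):
        self.audit_log.append({"path": f"ptRuns/{self.run_id}/agentTurns/{self.turns}", **rec})

    def _enforce_caps(self, usage):
        if self.kill_switch():
            raise RunStopped("tenant kill-switch set")
        self.turns += 1
        self.input_tokens += usage.get("input_tokens", 0)
        self.cost_usd += usage.get("cost_usd", 0.0)
        if self.turns > CAPS["turns"]:
            raise RunStopped("turn cap")
        if self.input_tokens > CAPS["input_tokens"]:
            raise RunStopped("input token cap")
        if self.cost_usd > CAPS["cost_usd"]:
            raise RunStopped("cost cap")
        if self.clock() - self.started > CAPS["wall_seconds"]:
            raise RunStopped("wall-clock cap")

    def _in_scope(self, target: str) -> bool:
        host = urlsplit(target if "://" in target else "//" + target).hostname or ""
        return host.lower() in self.in_scope_hosts

    def handle(self, call: dict, usage: dict) -> dict:
        """Validate one tool call and return the result that may be fed back to the model."""
        self._enforce_caps(usage)
        name, args = call.get("name"), call.get("args", {})
        if name not in ALLOWED_TOOLS:
            self._audit(tool=name, outcome="rejected-not-allowlisted")
            return {"error": f"tool '{name}' is not available"}   # generic error only
        if name == "run_tool":
            if not self._in_scope(args.get("target", "")):
                self._audit(tool=name, args=args, outcome="scope-violation")
                raise RunStopped(f"scope violation on {args.get('target')}")   # nothing goes back to the model
            result = {"status": "queued", "tool": args.get("tool"), "target": args.get("target")}
        elif name == "read_finding":
            result = self.findings.get(args.get("id"), {"error": "not found"})
        elif name == "write_finding":
            self.findings[args["id"]] = args
            result = {"ok": True, "id": args["id"]}
        else:   # request_auth_token: hand back a reference, not the credential (example's choice)
            result = {"token_ref": f"secret://auth-profiles/{args.get('profile')}"}
        self._audit(tool=name, outcome="ok")
        return result


if __name__ == "__main__":
    g = AgentRunGuard("run_001", ["api.example.com"])
    print(g.handle({"name": "run_tool", "args": {"tool": "nuclei", "target": "https://api.example.com/v1"}},
                   {"input_tokens": 1200, "cost_usd": 0.02}))
    print(g.handle({"name": "bash", "args": {"cmd": "id"}}, {"input_tokens": 300, "cost_usd": 0.01}))
    try:
        g.handle({"name": "run_tool", "args": {"tool": "nuclei", "target": "http://169.254.169.254/"}}, {})
    except RunStopped as e:
        print("run stopped:", e, g.audit_log[-1]["outcome"])
```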
Can I run this in my own infrastructure?
Today it's SaaS only, hosted on Google Cloud (GKE for the scan plane, Cloud Run for the AI agent, Firestore + GCS for state + artifacts). On-prem / self-hosted is on the roadmap behind enterprise demand — get in touch.
What happens to evidence and report data?
Request/response evidence is stored in GCS at gs://vulnios-pt-artifacts/findings/{findingId}/evidence.json with sensitive values redacted (Authorization, cookies, JWTs, AWS/Stripe/GitHub tokens, JSON api_key/password fields). Reports include the same redaction pass before export. Retention follows your plan tier; downgrades get a 30-day grandfather window before any sweep.
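The redaction pass this answer describes is shown below as an added example of the kind of logic involved. It is illustrative code written for this page, not the Vulnios redactor; the header and key lists, the token regexes, the placeholder strings and the sample evidence record are all constructed. It replaces the values of sensitive headers and JSON keys by name, pattern-scans every remaining string for JWT, AWS, Stripe and GitHub token shapes, and keeps a key/value fallback for JSON bodies that fail to parse, so a truncated body does not leak a password.

```python
import json
import re
from copy import deepcopy

# Header names and JSON keys whose values are always replaced (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_JSON_KEYS = {"password", "passwd", "api_key", "apikey", "secret", "client_secret",
                       "token", "access_token", "refresh_token"}

# Token shapes caught in free text; the patterns are this example's assumptions:
# a JWT is three base64url segments starting with eyJ ('{"' base64-encoded), AWS access
# key ids start with AKIA/ASIA, Stripe secret keys with sk_live_/sk_test_, GitHub tokens with gh?_.
TOKEN_PATTERNS = [
    ("jwt",    re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+")),
    ("aws",    re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("stripe", re.compile(r"\b[sr]k_(?:live|test)_[A-Za-z0-9]{10,}\b")),
    ("github", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b")),
]
# Fallback for JSON that does not parse: blank the value of any sensitive key textually.
KV_PATTERN = re.compile(r'("(?:%s)"\s*:\s*")[^"]*(")' % "|".join(sorted(SENSITIVE_JSON_KEYS)), re.I)


def redact_text(s: str) -> str:
    for name, pat in TOKEN_PATTERNS:
        s = pat.sub(f"[REDACTED:{name}]", s)
    return s


def redact_json(obj):
    """Walk nested JSON: replace values under sensitive keys, pattern-scan other strings."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_JSON_KEYS else redact_json(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_json(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def redact_headers(headers: dict) -> dict:
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_HEADERS else redact_text(str(v))
            for k, v in headers.items()}


def redact_body(body: str, content_type: str) -> str:
    if "json" in content_type.lower():
        try:
            return json.dumps(redact_json(json.loads(body)), sort_keys=True)
        except ValueError:
            body = KV_PATTERN.sub(r"\1[REDACTED]\2", body)   # malformed JSON: textual fallback
    return redact_text(body)


def redact_evidence(evidence: dict) -> dict:
    """Return a redacted copy of a request/response evidence record; the original is untouched."""
    out = deepcopy(evidence)
    for side in ("request", "response"):
        msg = out.get(side)
        if not msg:
            continue
        headers = msg.get("headers", {})
        ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
        msg["headers"] = redact_headers(headers)
        msg["body"] = redact_body(msg.get("body", ""), ctype)
    return out


# Constructed evidence record; every secret in it is made up.
SAMPLE_EVIDENCE = {
    "findingId": "f_0001",
    "request": {
        "method": "POST", "url": "https://api.example.com/v1/login",
        "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abcdef123456",
                    "Cookie": "session=abc123", "Content-Type": "application/json"},
        "body": '{"username": "alice", "password": "hunter2", "profile": {"api_key": "sk_live_abcdefghijklmnop"}}',
    },
    "response": {
        "status": 200,
        "headers": {"Set-Cookie": "session=def456; HttpOnly", "Content-Type": "text/plain"},
        "body": "ok token=ghp_abcdefghijklmnopqrstuvwxyz0123456789 key=AKIAIOSFODNN7EXAMPLE "
                "jwt=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abcdef123456",
    },
}

if __name__ == "__main__":
    print(json.dumps(redact_evidence(SAMPLE_EVIDENCE), indent=2))
```

The attack payload itself is deliberately outside this pass: it is the finding, and a verify-fix re-run needs it intact.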
How is this different from running ZAP / nuclei myself?
You can absolutely run them yourself. We add: a unified findings schema across 11+ engines with deterministic dedup, AI triage on every finding, an authenticated active-scan path that injects credentials safely, compliance mapping, an attestation certificate with a sha256 fingerprint, server-side scope guardrails, atomic quota enforcement, and an admin governance plane. One product surface instead of glued-together scripts.
Is there a free tier?
A 30-day free trial with no card required. After that, paid tiers from $X/month. Enterprise tier with quote-driven pricing, BYO Burp Pro, on-prem agent and audit-grade logging — contact sales.

Run your first authenticated scan today

Verify ownership of a target → pick a profile → run. Findings land within minutes with CWE/CVSS/payload/evidence + AI triage + EPSS + KEV priority.