Question 1

What is Penetrify?

Accepted Answer

Penetrify is an autonomous AI penetration testing platform that automatically scans your web applications for security vulnerabilities. Using advanced AI agents, it simulates real-world attacks to identify weaknesses such as SQL injection, XSS, CSRF, IDOR, and hundreds of other vulnerability classes before malicious actors can exploit them.

Question 2

How does AI penetration testing work?

Accepted Answer

Our AI agent autonomously explores your web application, maps its attack surface, and executes a wide range of security tests - from input validation and authentication bypass to privilege escalation and business logic flaws. It operates like a skilled human tester, but runs continuously and at machine speed, delivering results in minutes rather than weeks.

Question 3

Who is Penetrify designed for?

Accepted Answer

Penetrify is built for development teams, security engineers, CTOs, and startup founders who need reliable security testing without the cost and scheduling overhead of manual pentests. It works equally well for small teams shipping fast and enterprise security programs requiring continuous assessment.

Question 4

Is Penetrify a replacement for manual penetration testing?

Accepted Answer

Penetrify complements manual pentesting by providing continuous, automated coverage between engagements. It catches the vast majority of common vulnerabilities automatically and is ideal for regular testing cycles. For complex business-logic vulnerabilities or compliance-mandated assessments, a human pentest may still be recommended.

Question 5

What types of vulnerabilities does Penetrify detect?

Accepted Answer

Penetrify detects a broad range of vulnerabilities including all OWASP Top 10 categories: SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Insecure Direct Object References (IDOR), broken authentication, security misconfigurations, sensitive data exposure, XXE injection, broken access control, and many more.

Question 6

How do I get started?

Accepted Answer

Sign up for a free account at app.penetrify.cloud, add your web application by entering its domain and name, choose a subscription plan or purchase test credits, and launch your first scan. The entire setup takes less than five minutes.

Question 7

Do I need to install anything?

Accepted Answer

No installation is required. Penetrify is a fully cloud-based platform. Simply sign up, add your application URL, and start testing directly from your browser - no agents, plugins, or software to deploy.

Question 8

How do I add my application?

Accepted Answer

After signing in, navigate to the Applications section and click "Add Application". Enter your application's name, domain, and optionally its description and environment (production, staging, or development). You can manage multiple applications from a single account.

Question 9

What information do I need to provide to run a test?

Accepted Answer

To run a test you need to provide the target URL of your application. Optionally, you can supply authentication credentials so the scanner can test protected areas, and custom instructions to guide the AI agent's focus. The more context you provide, the more thorough and relevant the results.

Question 10

How long does a test take?

Accepted Answer

Test duration depends on the scan mode selected. Quick scans typically complete in 15–30 minutes covering the most critical vulnerability classes. Standard scans run for 1–2 hours with broader coverage. Deep scans can run for several hours for thorough, comprehensive assessment of complex applications.

Question 11

What does a test report include?

Accepted Answer

Each report includes an executive summary, an overall security score, a detailed list of all findings with severity classification (Critical, High, Medium, Low), step-by-step reproduction steps, technical details of each vulnerability, and concrete remediation recommendations for every issue found.

Question 12

Can I run multiple tests at the same time?

Accepted Answer

Yes. You can run tests simultaneously across multiple applications in your account. The number of concurrent tests available may depend on your subscription plan.

Question 13

What is the difference between Quick, Standard, and Deep scan modes?

Accepted Answer

Quick mode runs a focused scan of the highest-priority vulnerability classes in 15–30 minutes, perfect for rapid pre-deployment checks. Standard mode provides broader coverage across all major vulnerability categories in 1–2 hours. Deep mode performs the most thorough analysis with extended AI iterations, ideal for comprehensive security reviews.

Question 14

How are vulnerabilities classified?

Accepted Answer

Vulnerabilities are classified into four severity levels: Critical (immediate risk, direct data breach or system takeover possible), High (serious risk requiring urgent attention), Medium (moderate risk that should be addressed soon), and Low (minimal immediate risk but recommended to fix). Classification is based on impact, exploitability, and CVSS scoring guidelines.

Question 15

Can I re-test after fixing vulnerabilities?

Accepted Answer

Yes. After resolving identified vulnerabilities, you can rerun a scan at any time to verify that your fixes are effective and no regressions have been introduced. Each new scan consumes one test credit.

Question 16

Is it safe to run penetration tests on production?

Accepted Answer

Penetrify is designed to be safe for production environments. Our AI agent avoids destructive operations and focuses on detection rather than exploitation. That said, we recommend testing on a staging environment first, or scheduling production scans during low-traffic periods as a precaution.

Question 17

Will the tests affect my application's performance?

Accepted Answer

Penetrify sends controlled, targeted HTTP requests to your application during a scan. While there is some additional traffic, it is comparable to normal user load and is unlikely to noticeably impact performance. For high-traffic production systems, we recommend running scans during off-peak hours.

Question 18

Is my data secure?

Accepted Answer

Yes. All communication is encrypted using TLS. Our platform follows strict security practices including encryption at rest and in transit. Our infrastructure runs on AWS in the EU region, and we undergo regular internal security reviews.

Question 19

Do you store any sensitive data from my application?

Accepted Answer

Penetrify stores test configuration, scan results, and vulnerability reports. It does not intentionally capture or retain personal user data from your application. Any authentication credentials you provide are encrypted at rest and used solely for the duration of the scan.

Question 20

What regions are your servers located in?

Accepted Answer

Our infrastructure is hosted on AWS in the EU (Ireland and Frankfurt regions). All data is processed and stored within the EU, ensuring compliance with GDPR and European data residency requirements.

Question 21

What integrations does Penetrify support?

Accepted Answer

Penetrify currently integrates with GitHub and GitLab for source control and CI/CD workflows. We are continuously expanding our integration ecosystem. If you need a specific integration, please contact us and we will prioritize accordingly.

Question 22

How does GitHub/GitLab integration work?

Accepted Answer

By connecting your GitHub or GitLab account, you can associate repositories with applications in Penetrify and trigger security scans directly from your development workflow. This enables automated testing as part of your CI/CD pipeline whenever code is pushed or a release is deployed.

Question 23

Can I trigger tests automatically from CI/CD pipelines?

Accepted Answer

Yes. Using our API or Git integrations, you can trigger scans automatically whenever code is deployed to staging or production. This ensures every release is automatically assessed for new vulnerabilities, shifting security left in your development process.

Question 24

What plans do you offer?

Accepted Answer

We offer three subscription tiers - Starter, Professional, and Enterprise - each available with monthly or annual billing. We also offer Pay-As-You-Go credit packages for teams who prefer flexible, on-demand testing without a recurring commitment.

Question 25

What is Pay-As-You-Go?

Accepted Answer

Pay-As-You-Go allows you to purchase test credits in bundles (1, 5, 10, or 20 credits) and use them whenever you need. Credits do not expire and accumulate across multiple purchases. This is ideal for teams with infrequent or unpredictable testing schedules.

Question 26

Can I upgrade or downgrade my plan?

Accepted Answer

Yes. You can upgrade your subscription at any time and the change takes effect immediately. Downgrades take effect at the end of your current billing period. Contact our support team if you need any assistance with plan changes.

Question 27

Do unused test credits roll over?

Accepted Answer

Subscription credits reset at the start of each new billing period. Pay-As-You-Go credits never expire and accumulate with every additional purchase, so you never lose credits you have paid for.

Question 28

How do I cancel my subscription?

Accepted Answer

You can cancel your subscription at any time from the Billing section of your account dashboard. Your subscription remains active through the end of the current billing period. Pay-As-You-Go credits are non-refundable but do not expire.

Question 29

Does Penetrify comply with GDPR?

Accepted Answer

Yes. Penetrify is built with GDPR compliance in mind. Our infrastructure is hosted entirely within the EU, we process data only as necessary to deliver the service, and we do not sell or share your data with third parties. You can request data deletion at any time by contacting our support team.

Question 30

Can I get a penetration testing certificate for compliance purposes?

Accepted Answer

Yes. Upon request, we can provide a test completion certificate summarizing the scope, methodology, dates, and outcomes of your penetration test. This documentation can be used as supporting evidence for SOC 2, ISO 27001, PCI-DSS, HIPAA, and other security compliance frameworks.

Question 31

How much does AI penetration testing cost?

Accepted Answer

Penetrify offers AI-powered penetration testing starting at $50/month (Starter plan, 1 scan/month), $600/month (Professional plan, 20 scans/month), and $2,500/month (Enterprise plan, 100 scans/month). This is 95–99% cheaper than traditional manual penetration tests, which typically cost $15,000–$50,000 per engagement and require weeks of scheduling.

Question 32

What is the difference between AI penetration testing and traditional penetration testing?

Accepted Answer

Traditional penetration testing is performed by human security consultants over days or weeks and costs $15,000–$50,000 per engagement. AI penetration testing with Penetrify delivers comparable vulnerability coverage in 15 minutes to a few hours at a fraction of the cost. Penetrify runs the same methodology a senior security engineer would — mapping attack surfaces, chaining findings, and testing authentication, authorization, and business logic — but continuously and at machine speed. Human pentests are still recommended for highly complex business-logic assessments or compliance-mandated third-party certifications.

Question 33

Is AI penetration testing as accurate as manual penetration testing?

Accepted Answer

For common vulnerability classes — OWASP Top 10, authentication flaws, IDOR, API misconfigurations, secret exposure — AI penetration testing with Penetrify achieves accuracy comparable to a skilled human tester, with a false positive rate below 5%. Highly complex, application-specific business logic vulnerabilities may still benefit from human review. For most startups and growing SaaS products, Penetrify catches the vulnerabilities that are most likely to be exploited.

Question 34

Can Penetrify test REST APIs and GraphQL APIs?

Accepted Answer

Yes. Penetrify maps and tests REST API endpoints automatically, including unauthenticated routes, broken object-level authorization (BOLA/IDOR), missing rate limiting, verbose error messages, and insecure direct references. GraphQL endpoint detection and introspection-based testing is also supported.

Question 35

How often should I run penetration tests?

Accepted Answer

Security best practice recommends testing after every major release, when adding new authentication or payment flows, before launching to production, and on a recurring schedule (monthly or quarterly). With Penetrify, you can run tests continuously as part of your CI/CD workflow rather than as a one-time annual event.

Question 36

What is an IDOR vulnerability and does Penetrify detect it?

Accepted Answer

IDOR (Insecure Direct Object Reference) is a vulnerability where an attacker changes a parameter — such as a user ID in a URL or API request — to access data belonging to another user. For example, changing /api/users/123 to /api/users/124 to read someone else's profile. IDOR is one of the most common and impactful web vulnerabilities. Penetrify detects IDOR vulnerabilities by systematically testing authorization boundaries across all discovered endpoints.

Question 37

Does Penetrify help with SOC 2 compliance?

Accepted Answer

Yes. Regular penetration testing is a key requirement for SOC 2 Type II audits under the CC6 (Logical and Physical Access) and CC7 (System Operations) common criteria. Penetrify provides test completion certificates and detailed vulnerability reports that serve as supporting evidence for auditors. Enterprise plan users also get compliance-formatted reports suitable for SOC 2, ISO 27001, and PCI-DSS submissions.

Question 38

How does Penetrify handle the data discovered during a scan?

Accepted Answer

Penetrify processes only the data necessary to conduct the security assessment. Scan results — including discovered endpoints, vulnerability details, and report data — are stored securely in EU-based infrastructure and are accessible only to your account. We do not sell, share, or use your application's data for any purpose other than delivering the security report. Data retention follows your plan's history window (30 days for Starter, 90 days for Professional, unlimited for Enterprise).

Frequently Asked Questions

Still have questions?