The AI Pentesting Tool, orchestrated on tools you already trust.
SimpleSec is the AI Pentesting Tool that runs continuous, real adversarial testing and dependency analysis end-to-end — wired into your CI/CD pipeline with an audit-grade evidence trail.
Full Pro access for 7 days · no credit card · your test data stays after the trial.
Most organizations test once a year, hand off a 60-page PDF, and call the box checked — while shipping code every hour. SimpleSec replaces the annual engagement with continuous adversarial testing that runs on every push, opens a change-control ticket, and produces audit-grade evidence automatically.
An adaptive planner, not a static playbook.
Every step is a decision the planner makes from the current state of the engagement — discovered hosts, fingerprinted services, harvested credentials. A judge decides continue / retry / pause after each step.
1. Map the surface: port sweeps, subdomain enumeration, HTTP probing, TLS posture, SMB/LDAP banners.
2. Deep-dive services: directory + parameter fuzzing, JS crawl, CMS probes, SMB share + user enumeration.
3. Confirm exploitable: templated vulnerability testing, SQLi probing, XSS proof, misconfiguration sweeps, with request + response inline.
4. Prove impact: data extraction, authenticated execution, credential dumps. Destructive proofs are gated by admin approval.
Real adversarial tooling — not a template scanner.
When SimpleSec dumps NTDS or proves SQL injection, it's the same tool a human consultant would use, run with the same flags, against the same target — orchestrated by a planner that picks the next move from real findings.
Tooling categories: Recon & discovery, Web application, Active Directory.
Persona-aligned testing
The same target gets tested differently depending on what it is. Personas constrain what the planner will attempt.
Adversarial testing in your pipeline.
Every push triggers a real test against your registered assets. Completion fans out three ways — and the same add-on runs Software Composition Analysis without ever touching your source.
- HMAC-signed webhooks: SHA-256 with a per-trigger secret, the same scheme as GitHub and Stripe. Your existing verify code probably works unchanged.
- Severity gating: fail on any critical, warn on high, pass otherwise. Or run async with audit-only reporting.
- SCA, same pipeline: osv-scanner runs locally and POSTs only JSON findings. Source never leaves you. Results land in the Compliance Archive.
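The two pipeline behaviours above, signature verification on the callback and the severity gate, are easy to get subtly wrong (string equality instead of a constant-time compare, or trusting counts from an unverified delivery). The following is an added example, not SimpleSec's own code: it assumes a hypothetical signature header of the form `sha256=<hex HMAC-SHA-256 of the raw body>` keyed with the per-trigger secret, and a hypothetical `severity_counts` object in the JSON payload. The real header name and payload layout are not documented on this page.

```python
import hashlib
import hmac
import json

# Assumed header layout (hypothetical, not taken from the page):
# "sha256=" followed by the hex HMAC-SHA-256 of the raw request body.
SIGNATURE_PREFIX = "sha256="


def sign_payload(secret: bytes, body: bytes) -> str:
    """Build the signature a sender would attach. Used here to construct test input."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return SIGNATURE_PREFIX + digest


def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Check the signature header against the RAW body (not a re-serialised JSON).

    hmac.compare_digest avoids the timing leak that `==` on strings would introduce.
    """
    if not header_value.startswith(SIGNATURE_PREFIX):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value)


def gate(counts: dict) -> str:
    """Severity gate as described on the page: fail on any critical, warn on high,
    pass otherwise. Missing keys count as zero."""
    if counts.get("critical", 0) > 0:
        return "fail"
    if counts.get("high", 0) > 0:
        return "warn"
    return "pass"


def handle_webhook(secret: bytes, body: bytes, header_value: str) -> str:
    """Only apply the gate to a delivery whose signature verified.

    Returns "rejected" for a forged or unsigned delivery so the pipeline can
    treat it as an error rather than a pass.
    """
    if not verify_signature(secret, body, header_value):
        return "rejected"
    payload = json.loads(body)
    # `severity_counts` is an assumed field name (hypothetical).
    return gate(payload.get("severity_counts", {}))


if __name__ == "__main__":
    # Constructed sample delivery, not captured from the service.
    secret = b"constructed-per-trigger-secret"
    body = json.dumps({"commit": "0000000", "severity_counts": {"high": 2}}).encode()
    good = handle_webhook(secret, body, sign_payload(secret, body))
    forged = handle_webhook(secret, body, SIGNATURE_PREFIX + "0" * 64)
    print("genuine delivery ->", good)   # warn
    print("forged delivery  ->", forged) # rejected
```

Two points worth keeping when adapting this to the real header: verify over the exact bytes received, because re-serialising the JSON changes whitespace and key order and breaks the MAC; and store the per-trigger secret in the CI secret store rather than in the workflow file, as the page's own YAML does for the API key.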
```yaml
# every push runs a real adversarial test
name: SimpleSec test
on: [push]
jobs:
  pentest:
    runs-on: ubuntu-latest
    steps:
      - run: |
          curl -X POST https://app.simplesec.ai/api/v1/tests \
            -H "Authorization: Bearer ${{ secrets.SIMPLESEC_API_KEY }}" \
            -d '{"engagement_id": 4455,
                 "commit": "${{ github.sha }}",
                 "callback_url": "${{ secrets.CALLBACK_URL }}"}'
```
Evidence auditors actually want.
Every CI-triggered test shows up in the Compliance Archive with its commit SHA, severity counts, gating decision, and webhook delivery status. Filter by workspace, decision, type or date, and that filtered view is your quarterly evidence pack.
Scales with your engagement.
From solo evaluation to managed-service operation. No credit card for Free.
- ✓Full findings, evidence & reports
- ✓Up to 5 tests per 24h
- ✓Keep your data after day 7 — upgrade to keep testing
- ✓Unlimited tests
- ✓Full detail + remediation
- ✓PDF / JSON / CSV reports
- ✓Internal-network agent
- ✓Everything in Standard
- ✓White-label PDF cover
- ✓AttackForge export
- ✓Multi-customer workspaces
Early-access pricing locks in for your first 12 months, then renews at the regular monthly rate. Pro: first workspace included; additional workspaces $99.99/mo early access ($499.99/mo regular). CI/CD add-on $99.99/mo + $5/test beyond 50, SCA included.
Run one against your own perimeter.
Free-tier signup is two clicks and starts a 7-day full-access trial — up to five tests in any 24-hour window, with the same complete findings as the paid tiers — enough to see the planner in action and decide if continuous adversarial testing belongs in your workflow.