Getting started
From zero to your first finished scan in about ten minutes. You'll sign up, verify a domain you own, and launch a scan from the dashboard.
1. Create an account
Sign up at pwnkemon.com/sign-up. Pwnkemon uses Clerk for authentication — email, Google, or any other social provider configured at the time. You're placed on the Free plan automatically; upgrade later from the dashboard once you need a real report.
2. Verify a target you own
Pwnkemon will only scan targets you have proven ownership of. From the dashboard, go to Targets → Add target and enter the apex domain you want to scan (subdomains of a verified target are automatically authorised).
You'll be given a unique challenge token. Choose one of two ways to prove ownership:
- DNS TXT (recommended): publish a TXT record at _pwnkemon-challenge.<your-domain> containing the token.
- HTTP file: place the token in a file at https://<your-domain>/.well-known/pwnkemon-challenge.txt.
Click Check in the dashboard and Pwnkemon will verify the record is in place. Full walkthrough on the target verification page.
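A pre-flight check you can run yourself before clicking Check, added here as an example (it is not Pwnkemon's own tooling). It assumes the TXT value and the file body must equal the token exactly and that dig and curl are installed; the function names are illustrative.

```shell
#!/usr/bin/env bash
# Usage: ./check-challenge.sh <your-domain> <token>
# Assumption: the published value must equal the token exactly.

# `dig +short TXT` prints one quoted record per line; values longer than
# 255 bytes come back as several "..." "..." chunks that must be joined.
normalise_txt() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# token_in_txt TOKEN   (dig output on stdin): 0 if some record equals TOKEN.
# -F = literal match, -x = whole line, so a longer or shorter value fails.
token_in_txt() {
  normalise_txt | grep -Fxq -- "$1"
}

# token_in_body TOKEN  (HTTP body on stdin): 0 if the body equals TOKEN once
# CRs, blank lines and surrounding whitespace are dropped. An HTML error
# page or a file with extra content fails the comparison.
token_in_body() {
  [ "$(tr -d '\r' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d')" = "$1" ]
}

check_dns() {   # check_dns DOMAIN TOKEN
  dig +short TXT "_pwnkemon-challenge.$1" | token_in_txt "$2"
}

check_http() {  # check_http DOMAIN TOKEN
  # -f fails on 4xx/5xx; redirects are deliberately not followed here.
  curl -fsS --max-time 10 "https://$1/.well-known/pwnkemon-challenge.txt" \
    | token_in_body "$2"
}

main() {
  found=1
  if check_dns "$1" "$2"; then echo "DNS TXT: token found"; found=0
  else echo "DNS TXT: token not found"; fi
  if check_http "$1" "$2"; then echo "HTTP file: token found"; found=0
  else echo "HTTP file: token not found"; fi
  return "$found"   # 0 if at least one method is in place
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

If the DNS check fails right after you publish the record, wait for the TTL of any cached negative answer to expire and run it again.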
3. Launch a scan
Go to Scans → New scan. Pick:
- Target — must match (or be a subdomain of) a verified target.
- Scan type — full covers network + web + TLS + CVE matching. Most users want this.
- Tier — Quick, Standard, or Deep. See scan tiers for the trade-offs.
- Max cost (optional) — a hard ceiling on what the scan can spend before it aborts. Tier defaults apply automatically; you can only set a lower cap, not higher.
Click Launch and you'll land on the live scan view. Standard scans usually finish in 2–4 minutes; Deep scans take 5–10.
4. Read the report
When the scan completes, the dashboard shows three tabs:
- Findings — every confirmed vulnerability, sorted by severity, with evidence and remediation guidance.
- Summary — the agent's narrative executive summary, including overall risk rating and identified attack chains.
- Agent log — full audit trail of every tool call and decision the agent made.
Paid plans can download the report as Markdown, HTML, PDF, or CSV. Details on the reports page.
5. Hook into your workflow
Once you have one scan working, consider:
- Webhooks: add a callback_url to your scan request and we'll POST the report to you when it finishes. See webhook callbacks.
- API tokens: mint a token from Settings → API tokens for programmatic access from CI or scripts. See API tokens.
- The REST API: full endpoint reference on the API reference page.
Stuck? Email [email protected] or open the in-app help from the dashboard.