Scan tiers
Every scan picks one of three tiers, which control how thoroughly the agent investigates. Higher tiers run longer, cost more, and produce more depth in the report.
Quick
Surface-level scan. The agent runs port discovery (nmap), TLS inspection, HTTP fingerprinting (httpx), DNS recon, and the code-scan toolchain — gitleaks, trivy, osv-scanner, semgrep, npm-audit. Good for routine CI checks where you want a signal but not an essay. DAST tools (nuclei, katana) are not available on Quick — they need Standard or Deep.
- Typical duration: 30–60 seconds
- Per-scan credit ceiling: 10 credits (web/network). Code scans cost 1 credit — scan your repos freely; the limit is how many repos your plan covers.
- Tools: nmap, httpx, tls_*, http_*, dns_*, gitleaks, trivy, osv-scanner, semgrep, npm-audit
- Extended thinking: disabled
- Verification pass: no
Standard
The default — and the tier where DAST kicks in. On top of everything Quick does, Standard unlocks nuclei (~13,000 templates covering CVEs, exposures, misconfigurations, and default credentials) and katana for headless-browser crawling — which means JavaScript-rendered surfaces (SPAs, dashboards, admin panels) get properly enumerated before the agent probes them. The agent reasons across tools, chains findings into attack paths, and writes a narrative report. Equivalent in depth to most external vulnerability assessments.
- Typical duration: 4–12 minutes
- Per-scan credit ceiling: 40 credits (web/network)
- All Quick tools, plus: nuclei, katana
- Extended thinking: light (4k tokens)
- Verification pass: no
Deep
The most thorough tier. After the initial assessment the agent runs a verification pass — re-examining findings to confirm severities, surface attack chains across findings, and produce the depth of triage suitable for compliance evidence. Uses Claude Opus for the triage reasoning. Equivalent in narrative depth to a junior pentester engagement.
- Typical duration: 10–25 minutes
- Per-scan credit ceiling: 80 credits (web/network)
- All Standard tools, run with a deeper iteration budget and a longer crawl depth
- Extended thinking: full (8k tokens)
- Verification pass: yes
- Model: Claude Opus (Standard/Quick use Sonnet)
What the toolchain actually is
Pwnkemon's value is an LLM agent chaining these tools and reasoning about the output — but the tools matter. Industry-standard, same versions a paid DAST product would ship:
- nmap — port discovery + service/version detection (Quick+)
- httpx (ProjectDiscovery) — HTTP fingerprinting, TLS info, redirect chains (Quick+)
- nuclei (ProjectDiscovery) — 13,000+ CVE/exposure/misconfig templates, latest at scan time (Standard+)
- katana (ProjectDiscovery) — headless-browser crawler for JS-rendered surfaces (Standard+)
- trivy — multi-ecosystem dependency vulns + IaC scan (Quick+)
- gitleaks — full git-history secret scanning (Quick+)
- osv-scanner — OSV.dev offline vulnerability database lookup (Quick+)
- semgrep — SAST with curated rule pack (Quick+)
- npm-audit — Node dependency CVEs (Quick+)
How to choose
| Situation | Tier |
|---|---|
| CI gate on every PR | Quick |
| Weekly production check | Standard |
| Pre-release security review | Standard |
| SOC 2 / ISO 27001 evidence | Standard or Deep |
| Annual external pentest replacement | Deep |
| Incident-response root cause | Deep |
Per-scan credit ceiling
Every scan has a hard credit ceiling enforced by the orchestrator. If the scan consumes its credit budget, the agent aborts cleanly and persists whatever findings it has so far. The ceiling defaults to the tier values above. You can request a lower ceiling per scan via the max_credits request field — useful for budget-conscious CI usage. You cannot raise the ceiling above the tier default.
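The tier gating and ceiling rules above, worked through as an added example that is not Pwnkemon's own code. Only the tier ceilings (10/40/80), which tools each tier unlocks, and the rule that max_credits may lower but never raise the ceiling come from this page; the class names, the per-tool credit costs, the scan plan and the findings are constructed for illustration, and the abort behaviour is a model of what the text describes, not the orchestrator's implementation.

```python
"""Model of per-scan credit ceilings and tier gating (illustrative only).

Added example, not Pwnkemon's code. Tool costs, findings and class names
are constructed; ceilings, tool availability and the max_credits rule
follow the page.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Tier defaults from the page (web/network scans).
TIER_CEILING = {"quick": 10, "standard": 40, "deep": 80}

# Tool availability from the page: DAST (nuclei, katana) needs Standard or Deep.
TIER_TOOLS = {
    "quick": {"nmap", "httpx", "gitleaks", "trivy", "osv-scanner", "semgrep", "npm-audit"},
}
TIER_TOOLS["standard"] = TIER_TOOLS["quick"] | {"nuclei", "katana"}
TIER_TOOLS["deep"] = TIER_TOOLS["standard"]


class BudgetExhausted(Exception):
    """A tool call would push spend past the scan's credit ceiling."""


def effective_ceiling(tier: str, max_credits: Optional[int] = None) -> int:
    """Apply the page's rule: max_credits may lower the ceiling, never raise it."""
    default = TIER_CEILING[tier]
    if max_credits is None:
        return default
    if max_credits < 1:
        raise ValueError("max_credits must be at least 1")
    if max_credits > default:
        raise ValueError(f"max_credits {max_credits} exceeds the {tier} ceiling of {default}")
    return max_credits


def ceiling_accepted(tier: str, max_credits: Optional[int]) -> bool:
    """True if the orchestrator would accept this max_credits for the tier."""
    try:
        effective_ceiling(tier, max_credits)
        return True
    except ValueError:
        return False


@dataclass
class ScanRun:
    tier: str
    ceiling: int
    spent: int = 0
    findings: List[str] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)   # tools not unlocked on this tier
    aborted: bool = False                              # budget ran out before the plan finished

    def run_tool(self, name: str, cost: int, results: List[str]) -> None:
        """Charge the tool's cost before running it; refuse if it would exceed the ceiling."""
        if self.spent + cost > self.ceiling:
            raise BudgetExhausted(name)
        self.spent += cost
        self.findings.extend(results)


# Constructed scan plan: (tool, hypothetical credit cost, constructed findings).
SAMPLE_PLAN: List[Tuple[str, int, List[str]]] = [
    ("nmap", 2, ["tcp/22 open (ssh)", "tcp/443 open (https)"]),
    ("httpx", 2, ["https://example.test -> 200, server: nginx"]),
    ("nuclei", 6, ["exposed .git/config (medium)"]),
    ("katana", 4, ["crawled 37 URLs behind SPA router"]),
]


def run_scan(tier: str, max_credits: Optional[int] = None, plan=SAMPLE_PLAN) -> ScanRun:
    """Run the plan on a tier: skip tools the tier does not unlock, and on budget
    exhaustion abort cleanly while keeping every finding gathered so far."""
    run = ScanRun(tier=tier, ceiling=effective_ceiling(tier, max_credits))
    for tool, cost, results in plan:
        if tool not in TIER_TOOLS[tier]:
            run.skipped.append(tool)
            continue
        try:
            run.run_tool(tool, cost, results)
        except BudgetExhausted:
            run.aborted = True   # findings collected before the abort are persisted
            break
    return run


if __name__ == "__main__":
    for tier, cap in (("quick", None), ("standard", None), ("standard", 9)):
        r = run_scan(tier, cap)
        print(f"{tier:8} cap={r.ceiling:3} spent={r.spent:3} findings={len(r.findings)} "
              f"skipped={r.skipped} aborted={r.aborted}")
```

Running it shows the three behaviours the text describes: on Quick the DAST tools are skipped rather than attempted, on Standard the full plan fits within the ceiling, and on Standard with max_credits=9 the run aborts cleanly at the first tool that would overspend while the earlier findings are kept.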
Plan quotas
Each plan caps how many of each tier you can run per month. Quotas reset on the 1st of the month UTC. See limits & quotas for the per-plan numbers, or the pricing page for the full breakdown.