Pwnkemon

Pricing

Real pentest deliverables, 90% cheaper than a consulting engagement.

Pick a plan that replaces what you'd otherwise spend on quarterly scans or annual consulting engagements.

Free

Kick the tyres on your own infrastructure.

$0
  • 10 credits / month (1 web scan, or ~10 code scans)
  • No banking; credits don't roll over
  • 1 verified target
  • Markdown + HTML report (in-browser only)
  • Reports auto-delete after 7 days
  • Watermarked, not valid for SOC 2 / ISO 27001
  • Community support

Evaluation only, not for compliance use

Starter

Replace your quarterly external scan.

$249/mo
  • 500 credits / month
  • Light banking: carry up to 750 (1.5×)
  • Quick + Standard scans (no Deep)
  • Full DAST toolchain on Standard (nuclei, katana, httpx, nmap)
  • 5 web targets + 1 code repo
  • All report formats (MD / HTML / PDF / CSV)
  • API tokens for on-demand scanning (curl / scripts)
  • Webhook callbacks
  • Email support

On-demand scanning for a solo developer

Most popular

Pro

Replace your annual pentest engagement.

$899/mo
  • 2,500 credits per seat / month
  • Full 3× banking
  • Team seats — invite your whole dev team
  • Deep scans unlocked (Opus reasoning + verification pass)
  • GitHub Action / CI/CD: block deploys on critical findings
  • Scheduled continuous scanning (weekly / monthly)
  • 25 web targets + 25 code repos per seat
  • Slack + email support
  • 1-business-day SLA
  • Audit log export

Security in your pipeline — teams shipping continuously

Business

A continuous pentest programme.

$2,999/mo
  • 15,000 credits / month
  • Banks up to 45,000
  • Unlimited verified targets
  • GitHub Action with custom severity gates per repo
  • SSO (Clerk Enterprise)
  • SOC 2 / ISO 27001 evidence pack
  • Custom integrations
  • Dedicated Slack channel
  • Same-day support SLA

Mid-market SaaS, regulated industries

Enterprise

Replace a full security headcount.

Custom
  • Unlimited everything
  • White-label reports
  • Custom scan modules
  • Dedicated solutions engineer
  • Custom MSA & DPA
  • On-premise / air-gapped deployment

Enterprises, financial services, healthcare

Proof, not promises

See a real Pwnkemon scan

We ran a Standard-tier scan against OWASP Juice Shop: 13 minutes, 11 confirmed findings, including a critical SQL injection chain and a JWT key exposure path to admin takeover. Full report walkthrough on the blog.

No subscription

Pentest Reports

One-off Deep pentest for engineering teams or compliance workstreams. Pay once, verify your target, get a polished report. No subscription, no auto-renewal.

Pentest Report

One Deep authenticated network pentest + narrative report. Roughly 1/5 the price of a human consulting engagement.

$1,999 one-time
  • Deep tier scan (nmap + nuclei + katana + httpx + agent reasoning)
  • Authenticated probes (BOLA, mass-assignment, IDOR)
  • Attack-chain narrative + prioritised remediation
  • PDF + CSV report, watermark-free
  • Refundable until you launch the scan

Pentest Report + Code

Network pentest plus source-code, dependency, and git-history review. Roughly 1/3 the price of a combined consulting engagement.

$3,999 one-time
  • Everything in Pentest Report
  • Source-code scan against your GitHub repo
  • Dependency CVEs with reachability calibration (SAST + SCA)
  • Secret-leak detection across full git history (gitleaks)
  • Combined report covering both surfaces

For auditors

SOC 2 Evidence Pack

Compliance-grade pentest deliverable for SOC 2, ISO 27001, and Series-A diligence. Anchored at ~1/4 of typical audit-prep pentest spend.

$7,999 one-time
  • Everything in Pentest Report + Code
  • Auditor-ready findings calibration + framing
  • Control-mapped evidence pack (CC6.1, CC7.1, etc.)
  • 12-month artefact retention
  • Priority support during your audit window

Frequently asked

How is this different from Acunetix, Burp Suite Enterprise, or Detectify?

Traditional DAST products run a fixed list of signature checks and hand you a list of CVEs. Pwnkemon runs the same industry-standard scanners under the hood (nmap, nuclei with 13,000+ templates, httpx, katana, trivy, gitleaks, semgrep, osv-scanner) and chains them with an LLM agent that reasons about what to probe next, surfaces multi-step attack chains, and writes a narrative report. The output is closer to what you'd get from a human pentest consultancy, at roughly 1/100th the price.

What tools do you actually run?

nmap for port + service discovery, httpx for HTTP/TLS fingerprinting, nuclei for ~13,000 CVE + exposure + misconfiguration templates, katana for headless-browser crawling (SPAs work), trivy + osv-scanner for dependency CVEs, gitleaks for secrets in git history, semgrep for SAST, npm audit for the Node ecosystem. The agent picks which tools to run based on what it finds, rather than running everything blindly. See the docs/scan-tiers page for the per-tier breakdown.

Can I scan any domain, or do I have to prove ownership?

You must verify ownership of every target before scanning. Verification is a one-time DNS TXT record or HTTP file challenge. This protects you legally and protects us from abuse. Subdomains of a verified target are auto-authorised.
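The ownership check and the subdomain scoping rule described above, as an added example in Python (not Pwnkemon's code): the TXT record name, the HTTP challenge path and the resolver/fetcher callbacks are assumptions, and sample DNS answers are injected through those callbacks so it runs offline.

```python
"""Target-ownership verification and subdomain authorisation (illustrative)."""
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Assumed record name and challenge path; the product's real values are not on the page.
TXT_RECORD_PREFIX = "_scanner-verify"
HTTP_CHALLENGE_PATH = "/.well-known/scanner-verify.txt"


def issue_token() -> str:
    """Random, unguessable challenge token bound to one target."""
    return secrets.token_urlsafe(32)


def normalise(host: str) -> str:
    """Lower-case, strip surrounding whitespace and a trailing dot."""
    return host.strip().rstrip(".").lower()


def verify_dns_txt(domain: str, token: str,
                   resolve_txt: Callable[[str], Iterable[str]]) -> bool:
    """DNS TXT challenge: the token must appear as a TXT record at
    <prefix>.<domain>. Constant-time compare avoids byte-by-byte probing."""
    name = f"{TXT_RECORD_PREFIX}.{normalise(domain)}"
    return any(hmac.compare_digest(v.strip().encode(), token.encode())
               for v in resolve_txt(name))


def verify_http_file(domain: str, token: str,
                     fetch: Callable[[str], Optional[str]]) -> bool:
    """HTTP file challenge: the token must be served over HTTPS from the
    well-known path on the target itself (not from a redirect elsewhere)."""
    body = fetch(f"https://{normalise(domain)}{HTTP_CHALLENGE_PATH}")
    return body is not None and hmac.compare_digest(body.strip().encode(), token.encode())


def is_authorised(target: str, verified: Iterable[str]) -> bool:
    """In scope if the target equals a verified domain or is a subdomain of one.
    Match on label boundaries: 'evil-example.com' is not covered by
    'example.com', nor is 'example.com.attacker.net'."""
    t = normalise(target)
    return any(t == v or t.endswith("." + v) for v in map(normalise, verified))
```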

What does a 'scan' actually look like?

Code scans (deps, SAST, secrets, IaC) cost 1 credit — scan your repos as often as you like; the limit is how many repos your plan covers. Web/network scans are credit-metered by depth. On Quick (10 credits, ~1 min): port discovery, TLS check, HTTP fingerprinting. On Standard (40 credits, 4–12 min): everything Quick does plus nuclei templates and katana crawling against your target. On Deep (80 credits, 10–25 min): Standard with deeper iteration, longer crawl, Claude Opus for triage, and a verification pass over every finding. Reports include attack chains, severity reasoning, evidence, and prioritised remediation.

Show me a real scan

We run Pwnkemon publicly against OWASP Juice Shop (a known, intentionally vulnerable lab). The full report walks through 11 confirmed findings including a critical SQL injection chain, exposed JWT signing key, and Prometheus metrics leak, all produced in 13 minutes. See: /blog/juice-shop-real-scan.

How are reports delivered?

Every scan produces Markdown, HTML, PDF, and CSV exports. Download from the dashboard, or POST to a webhook on completion for CI/CD pipelines. Free-tier reports auto-delete after 7 days and carry a watermark; paid tiers retain reports forever and produce clean, auditor-ready output.

What if my scan finds nothing serious?

Then your infrastructure is in better shape than most. Pwnkemon also produces a coverage report showing exactly what was tested, which is itself valuable for compliance audits as proof of due diligence.

Is Pwnkemon SOC 2 / ISO 27001 compliance ready?

For a one-off engagement: the $7,999 SOC 2 Evidence Pack is the right SKU. It's a Deep network scan plus code scan plus auditor-ready framing with control-mapped evidence (CC6.1, CC7.1, etc.). That's anchored at roughly 1/4 of typical audit-prep pentest spend, and the deliverable is functionally equivalent. For continuous monitoring: Business and Enterprise subscriptions include scan history, finding remediation tracking, and the continuous-monitoring artefacts auditors expect.

Can I cancel any time?

Yes. Monthly plans cancel any time, no questions. Annual plans give you 20% off for committing upfront; cancel mid-term and you keep access until renewal.

Run your first scan free.

No credit card required. Verify a domain, launch a scan, see a report.