Pencheff combines deterministic scanners, AI-guided probes, curated payloads, external tools, and evidence normalization so every signal lands in one remediation workflow.
Risk, reporting, and compliance
AI triage
Deduplication, exploit narratives, severity reasoning, and remediation prioritization.
Findings, reports, dashboards, exports, integrations, and retests all read from the same normalized record.
Pencheff favors repeatable checks, then uses AI for triage, enrichment, orchestration, and remediation where it adds signal.
Coverage
What does AI triage cover?
- Executive dashboard, letter grade, risk trends, severity rollups, and portfolio posture.
- Technical dossier with findings, reproduction, affected components, remediation, evidence, and re-examination state.
- Compliance mapping for OWASP, PCI DSS, SOC 2, NIST, ISO 27001, HIPAA, OWASP LLM, MITRE ATLAS, NIST AI RMF, EU AI Act, and GDPR.
- Threat modeling with STRIDE, DREAD, attack trees, abuse cases, mitigations, and scan context.
- Unified findings stream, AI triage, advisory enrichment, comments, suppressions, and audit appendices.
Execution
How does Pencheff run this?
- Collect findings from runtime, repo, supply chain, infrastructure, AI, and manual sources.
- Normalize severity, confidence, category, exploitability, reachability, and owner state.
- Generate executive, engineering, compliance, or retest views from the same source record.
- Track suppression, comments, fixes, re-examinations, and residual risk across scan history.
- Export reports and feed integrations without losing the underlying evidence chain.
Evidence
What evidence does this produce?
- Executive summaries, trend charts, severity counts, grade drivers, and business impact language.
- Technical evidence, scanner provenance, reproduction steps, remediation, and references.
- Framework control mappings and audit appendix entries tied to actual findings.
- Retest and verification history for closure and residual risk decisions.
Controls
How is this kept safe to run?
- Compliance rollups are deterministic and recomputed from finding state.
- Triage output distinguishes verified facts from advisory context.
- Reports inherit the same authorization and workspace boundaries as scans.
- Executives and auditors can read summaries while engineers keep deep evidence.
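As an added illustration of the Execution and Controls points above (this is example code written for this page, not Pencheff's own code or data model; the record shape, the two source adapters, the control mapping, the noisy-OR confidence merge and the sample findings are all constructed here), the following Python sketch normalizes findings from a runtime probe and a repo scanner into one record, deduplicates them on a fingerprint that ignores the source, keeps AI advisory text in a field separate from scanner evidence, and recomputes a compliance rollup purely from finding state, so suppressing a finding changes the rollup without touching the evidence chain.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, replace

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed scale
CONTROL_MAP = {  # constructed category -> framework -> control mapping, illustrative only
    "sqli": {"OWASP": "A03:2021", "PCI DSS": "6.2.4"},
    "hardcoded-secret": {"OWASP": "A02:2021", "SOC 2": "CC6.1"},
}

@dataclass(frozen=True)
class Finding:
    """The single normalized record every view (report, dashboard, retest) reads from."""
    sources: tuple        # scanner provenance, e.g. ("repo", "runtime")
    category: str
    component: str        # normalized affected component: service + sink/parameter
    severity: str
    confidence: float
    evidence: tuple       # verified facts from scanners, each prefixed with its source
    advisory: tuple = ()  # AI triage context, deliberately kept apart from evidence
    notes: tuple = ()     # human comments and suppression reasons
    state: str = "open"   # open | fixed | suppressed

    @property
    def fingerprint(self) -> str:
        # Dedup key omits the source so the same issue seen by two scanners is one record.
        return hashlib.sha256(f"{self.category}|{self.component}".encode()).hexdigest()[:16]

def from_runtime(raw: dict) -> Finding:
    """Adapter for a constructed DAST-style record (URL parameter -> component)."""
    return Finding(("runtime",), raw["type"], f"{raw['service']}:{raw['param']}",
                   raw["severity"].lower(), raw["confidence"],
                   (f"runtime: {raw['request']} -> {raw['response']}",))

def from_repo(raw: dict) -> Finding:
    """Adapter for a constructed SAST-style record (file + sink symbol -> component)."""
    return Finding(("repo",), raw["rule"], f"{raw['service']}:{raw['sink']}",
                   raw["level"].lower(), raw["confidence"],
                   (f"repo: {raw['file']}:{raw['line']} {raw['snippet']}",))

def deduplicate(findings: list) -> dict:
    """Merge findings that share a fingerprint: highest severity wins, confidence combines
    noisy-OR style (assumption: independent sources corroborate), all evidence is kept."""
    merged = {}
    for f in findings:
        m = merged.get(f.fingerprint)
        merged[f.fingerprint] = f if m is None else replace(
            m,
            sources=tuple(sorted(set(m.sources) | set(f.sources))),
            severity=max(m.severity, f.severity, key=SEVERITY_RANK.__getitem__),
            confidence=round(1 - (1 - m.confidence) * (1 - f.confidence), 3),
            evidence=m.evidence + f.evidence,
        )
    return merged

def attach_advisory(f: Finding, text: str) -> Finding:
    """AI-generated context lands in `advisory`; `evidence` is never rewritten by it."""
    return replace(f, advisory=f.advisory + (text,))

def suppress(records: dict, fingerprint: str, reason: str) -> dict:
    """Suppression is state on the record: rollups recomputed from state drop it, the
    evidence chain stays for audit."""
    f = records[fingerprint]
    return {**records, fingerprint: replace(f, state="suppressed", notes=f.notes + (reason,))}

def compliance_rollup(records: dict) -> dict:
    """Deterministic: derived only from open findings' categories via CONTROL_MAP."""
    rollup = {}
    for f in records.values():
        if f.state == "open":
            for framework, control in CONTROL_MAP.get(f.category, {}).items():
                rollup.setdefault(framework, Counter())[control] += 1
    return {fw: dict(c) for fw, c in rollup.items()}

def severity_counts(records: dict) -> dict:
    return dict(Counter(f.severity for f in records.values() if f.state == "open"))

# Constructed sample input: one SQLi seen by both a runtime probe and the repo scanner,
# plus a secret only the repo scanner can see.
RAW_RUNTIME = [{"type": "sqli", "service": "billing", "param": "invoice_id", "severity": "High",
                "confidence": 0.7, "request": "GET /invoice?invoice_id=1'",
                "response": "500 syntax error near \"'\""}]
RAW_REPO = [
    {"rule": "sqli", "service": "billing", "sink": "invoice_id", "level": "Medium", "confidence": 0.9,
     "file": "billing/views.py", "line": 88, "snippet": 'cur.execute(f"... WHERE id={invoice_id}")'},
    {"rule": "hardcoded-secret", "service": "billing", "sink": "STRIPE_KEY", "level": "High",
     "confidence": 0.95, "file": "billing/settings.py", "line": 12, "snippet": "STRIPE_KEY = 'sk_test_EXAMPLE'"},
]

def run_pipeline(raw_runtime=RAW_RUNTIME, raw_repo=RAW_REPO) -> dict:
    return deduplicate([from_runtime(r) for r in raw_runtime] + [from_repo(r) for r in raw_repo])

if __name__ == "__main__":
    recs = run_pipeline()
    for f in recs.values():
        print(f.fingerprint, f.severity, f.confidence, f.sources, f.component)
    print(compliance_rollup(recs), severity_counts(recs))
```

The two design choices worth noting: the fingerprint is built from category and normalized component only, so the per-source adapters carry the burden of mapping a URL parameter and a code sink onto the same component name, and the rollup function never stores state of its own, which is what makes it safe to recompute after every suppression, fix or retest.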
FAQ
Common questions
- How does AI triage work in Pencheff?
- Pencheff's AI triage layer reviews each finding in context, analysing the code path, request/response evidence, and application behaviour to assess exploitability in your specific environment. It produces an AI-generated severity adjustment and remediation recommendation that sit alongside the raw finding and its scanner evidence and are labelled as advisory rather than replacing them.
- Does AI triage replace manual security review?
- No. AI triage accelerates the review process by pre-filtering and contextualising findings so engineers spend their time on the highest-risk issues. Complex findings and chained exploits still benefit from human review of the evidence Pencheff provides.
- What is the AI advisory in Pencheff?
- The AI advisory is a conversational interface within each finding that lets you ask questions about the vulnerability, request alternative payloads, get remediation code examples, or understand the compliance impact — all grounded in the specific evidence from that finding.