Pencheff

Integrations and operations · Company

Our discipline

How Pencheff thinks about methodology, evidence, and engineering.

Operational pages connect Pencheff to the rest of the security program: notifications, ticketing, SIEM, schedules, observability, API access, support, onboarding, and deployment operations.

The adversarial cycledeterministic
8coverage areas
5operator steps
4evidence fields
  1. 01Recon
  2. 02Exploit
  3. 03Evidence
  4. 04Normalize
  5. 05Deliver
ProfileScopeConsentBudget

Every engagement follows the same five phases before a finding is promoted to evidence.

ScopeFeatured
SectionCompany
MethodDeterministic-first
OutputUnified evidence
ProfileIntegrations and operations
01

Coverage

What does Our discipline test?

  • How Pencheff thinks about methodology, evidence, and engineering.
  • This page is part of Company under Featured.
  • It links back into the broader the practice behind the platform experience.
  • Slack, Teams, Google Chat, Discord, PagerDuty, Opsgenie, Splunk HEC, signed webhooks, GitHub Issues, and Jira.
  • Schedules for recurring scans, release gates, retests, continuous monitoring, and drift checks.
  • OpenTelemetry spans, logs, metrics, trace waterfalls, audit hash chain, SLO, and cost dashboards.
  • API keys, REST references, MCP tool access, webhooks, and CI/CD automation.
  • Workspace onboarding, support, trust, pricing, self-hosting, partnerships, and enterprise deployment workflows.
02

Execution

How does Pencheff run this?

  • Connect a target, workspace, integration endpoint, or automation credential.
  • Choose event routing by target, severity, status, schedule, or release workflow.
  • Deliver findings to chat, ticketing, paging, SIEM, GitHub, webhooks, or dashboards.
  • Use traces, audit logs, SLOs, and cost views to operate scans with confidence.
  • Review support, pricing, or deployment requirements when scaling the program.
03

Evidence

What evidence does this produce?

  • Integration delivery status, target mapping, event payload, severity filters, and test results.
  • Trace spans for HTTP requests, subprocesses, LLM calls, scan phases, and errors.
  • Audit log records with actor, action, IP, user agent, and hash-chain verification.
  • API and MCP references for automation, CI/CD, and internal platform workflows.
04

Controls

How is this kept safe to run?

  • Credentials are stored as integration configuration and used only for the selected destination.
  • Signed webhooks and target-specific routing reduce noisy or unauthenticated delivery.
  • Observability is opt-in and can be disabled globally by environment policy.
  • Support and pricing pages route users to the right commercial or operational next step.
01

From the Pencheff docs

API overview

Base URL:

  • Production: https://app.pencheff.com/api
  • Local dev: http://localhost:8000

Interactive API explorer: browse and test every endpoint in your browser at https://api.pencheff.com/docs (Swagger UI). Click Authorize, paste a pcf_live_… API key, and use Try it out. See API keys → Interactive API explorer for the full walkthrough, including how to find your workspace id.

All endpoints require a bearer token issued by Clerk. See Authentication.

Endpoints at a glance

NamespaceEndpointsDocs
/authLogin, signup, logoutauthentication
/targetsCRUD for scan targetstargets
/scansTrigger scans, stream progress, fetch resultsscans
/findingsList, suppress, verify, comment, assignfindings
/schedulesCron-driven recurring scansschedules
/assetsAttack surface inventoryassets
/integrationsSlack, Teams, PagerDuty, Splunk, webhookintegrations
/sboms/{scan_id}SBOM browse + downloadsboms
/dependencies/{scan_id}SCA dep inventorydependencies
/proxyIntercepting proxy sessionsproxy

MCP tools (plugin side)

When you run Pencheff as an MCP server, the following 81 MCP tools are available — see MCP tool reference for the full list.

Response conventions

  • Always JSON (Content-Type: application/json)
  • Timestamps in ISO 8601 UTC ("2026-04-21T14:23:00+00:00")
  • UUIDs for all primary keys
  • Errors: { "detail": "..." } for client errors, { "detail": "ClassName: message" } for server errors
  • Validation errors follow FastAPI's shape: { "detail": [{ "loc": [...], "msg": "..." }, ...] }

Rate limits

  • 60 requests/min per user (SaaS)
  • 30 concurrent scans per org on the Pro plan

Hit X-RateLimit-Remaining in the response headers to see how close you are.

02

From the Pencheff docs

Core concepts

Session

Every scan runs inside a PentestSession identified by a 12-char hex ID. The session holds the target, discovered state (endpoints, subdomains, tech stack, open ports, WebSocket endpoints, OAuth endpoints, WAF info, exploit chains), credentials, a FindingsDB, and a full request log.

Sessions live in memory while the scan runs; the SaaS backend persists them to Postgres so the dashboard can keep rendering long after the agent disconnected.

Finding

A Finding captures a single vulnerability with:

  • severity (critical | high | medium | low | info) and cvss_score/cvss_vector
  • category (injection, auth, authz, components, misconfiguration, …)
  • owasp_category (A01…A10) — automatically maps into PCI-DSS, NIST 800-53, SOC 2, ISO 27001, HIPAA
  • verification_statusunverified | true_positive | false_positive | true_negative | false_negative
  • evidence — list of request/response pairs proving the vuln
  • remediation and references
  • epss, kev, and risk_score = cvss × (1 + epss) × (2 if kev else 1) — see EPSS & KEV enrichment
  • sla_days and due_date — computed from severity, breached hourly by the SaaS SLA monitor

Findings are deduplicated by (endpoint, parameter, category, title).

Verification status

StatusMeaning
unverifiedScanner flagged it, not yet confirmed
true_positiveProven exploitable via test_endpoint
false_positiveScanner error — tested and safe
true_negativeConfirmed absent
false_negativeMissed by scanner, found manually

An elite Pencheff report contains only findings verified as true_positive. The agent is instructed to never report unverified findings as confirmed.

Suppression

A finding can be suppressed with one of:

  • accepted_risk — known and accepted
  • wont_fix — acknowledged but not in remediation scope
  • false_positive — confirmed noise
  • duplicate — same vuln tracked elsewhere
  • out_of_scope — outside agreed test scope

Suppressed findings are excluded from reports by default but remain in the database with timestamp, reason, and notes.

Profile

A profile is a named preset that selects which modules to run, at what depth, with what crawl settings. See the first-scan guide for the 12 built-in profiles.

Policy

A ScanPolicy (apiVersion: pencheff/v1) is a YAML file that fully specifies a scan: targets, auth, modules, assertions, thresholds, reports, schedule.

apiVersion: pencheff/v1
kind: ScanPolicy
spec:
  targets: [{ url: https://example.com }]
  modules:
    - { name: scan_injection, depth: standard }
  assertions:
    - { id: no_critical, condition: "critical == 0" }
  thresholds: { fail_on: high }

Scan profile YAML is stored alongside each schedule.

Exploit chain

A chain is a multi-step narrative attack. Pencheff's exploit_chain_suggest tool proposes chains like:

  • SSRF → cloud metadata → IAM credential theft → S3 read
  • XSS → session theft → admin impersonation → database dump
  • IDOR → user enumeration → admin → privilege escalation
  • Open redirect → OAuth token theft → account takeover

test_chain then runs each step and records the evidence end-to-end.

Compliance mapping

Every finding carries an OWASP category; Pencheff's reporting/compliance.py auto-derives:

  • OWASP Top 10 2021
  • PCI-DSS 4.0 requirement numbers
  • NIST 800-53 Rev 5 control families
  • SOC 2 Trust Services Criteria
  • ISO 27001:2022 Annex A controls
  • HIPAA Security Rule safeguards

Compliance reports are pre-rendered in Word, CSV, JSON, and SPDX/CycloneDX (for SBOM).

Credentials

Credentials live in a CredentialStore — one session can carry multiple named sets (default, admin, readonly, …) for testing authorization boundaries. Every credential is wrapped in a MaskedSecret that masks itself in repr/str to prevent accidental leakage. The SaaS backend stores them Fernet-encrypted at rest.

What's next

?

FAQ

Common questions

What is Pencheff's approach to application security?
Pencheff applies an adversarial discipline — every assessment starts with genuine attack attempts, not just automated scanner output. Findings are verified with crafted exploits before being reported, and the platform chains individual vulnerabilities into multi-step attack scenarios that demonstrate real business impact.
How does Pencheff differ from a traditional vulnerability scanner?
Traditional scanners cast a wide net and report potential issues. Pencheff verifies each finding by attempting to exploit it, discards unconfirmed candidates, and chains related findings into realistic attack paths. The output is a verified findings set with documented proof-of-concept evidence, not a noise-heavy potential-issues list.
What does 'adversarial' mean in the context of application security assessment?
Adversarial assessment means thinking and acting like a real attacker — identifying the highest-value targets, chaining low-severity findings into high-impact exploits, testing edge cases that automated tools miss, and producing evidence that demonstrates the actual consequence of each vulnerability.