import { Callout, Tabs } from "nextra/components";
Point Pencheff at a live URL and get a verified, exploit-first
assessment with OWASP Top 10 mapping in 5-40 minutes depending on the
profile. The same engine drives the SaaS dashboard, the CLI, and the
MCP tools — pick whichever surface matches your workflow.
<Callout type="warning">
**Authorization is mandatory.** Every scan API call carries a
`consent_payload`. Run only against systems you own or have written
permission to test. Pencheff will refuse to scan otherwise.
</Callout>
## 1. Pick a target
| Scenario | What to point at | Profile to start with |
|---|---|---|
| Public marketing site | https://acme.com | quick |
| Production web app | https://app.acme.com | standard |
| API behind a token | https://api.acme.com/v1 | standard (with auth header) |
| Stage / pre-prod, exhaustive sweep | https://stage.acme.com | deep |
| Single-page app / SPA | https://app.acme.com | standard (Playwright crawl auto-engages) |
## 2. Run it
<Tabs items={["SaaS Dashboard", "CLI", "MCP host"]}>
<Tabs.Tab>
- Open app.pencheff.com, sign in, and click **Register target**.
- Paste the URL and optionally add credentials, scope, and excluded paths.
- Pick a profile (`standard` is the default balanced run).
- Click **Start scan**; you'll be redirected to a live progress page where stages stream over SSE.
- When it finishes, browse findings by severity, OWASP category, or compliance framework.
</Tabs.Tab>
<Tabs.Tab>
```bash
# 5-10 minute fast pass: fail the build on any HIGH+ finding.
pencheff scan \
  --target https://example.com \
  --profile quick \
  --fail-on high \
  --format json,docx \
  --output ./reports/

# 20-40 minute balanced run: the documented default.
pencheff scan \
  --target https://example.com \
  --profile standard \
  --output ./reports/

# 60+ minute deep run: auto-creates an engagement, persists a
# DREAD threat model, and runs the full attack-chain phase.
pencheff scan \
  --target https://example.com \
  --profile deep \
  --save-history \
  --output ./reports/

# Authenticated scan: credentials never leave the local machine.
pencheff scan \
  --target https://app.example.com \
  --profile standard \
  --username [email protected] \
  --password "$APP_PASSWORD"
```
</Tabs.Tab>
<Tabs.Tab>
> Pentest https://juice-shop.herokuapp.com — standard profile

I'll run a full standard scan now.

The MCP host fans the request out across the canonical tool order:

1. `pentest_init` — new session
2. `check_dependencies` — see which external tools are detected
3. `recon_passive` → `recon_active` → `recon_api_discovery`
4. `scan_waf` → `payload_generate`
5. `scan_injection` → `test_endpoint` (manual exploitation)
6. `scan_client_side` → `scan_auth` → `scan_authz` → `scan_advanced`
7. `exploit_chain_suggest` → `test_chain`
8. `generate_report` and the chosen exporter
</Tabs.Tab>
</Tabs>
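As an added example that is not part of Pencheff's own tooling, the POSIX shell wrapper below enforces the authorization requirement from the callout above in CI (the target host must appear on a local allowlist of hosts you own) and maps the scenario table to a starting profile before building the `pencheff scan` command from the flags documented on this page; the allowlist file, the scenario names, and the `PENCHEFF_BIN` variable are assumptions of this example.

```bash
#!/usr/bin/env sh
# Added example, not Pencheff's own code. Refuses to start a scan unless
# the target host is on an allowlist of hosts you are authorised to test,
# then picks the profile from the scenario table. Only flags shown on this
# page are used; PENCHEFF_BIN and the allowlist path are assumptions.

PENCHEFF_BIN="${PENCHEFF_BIN:-pencheff}"
ALLOWLIST="${PENCHEFF_ALLOWLIST:-./authorized-hosts.txt}"

# Extract the host from a URL: strip scheme, path, userinfo and port.
url_host() {
  h="${1#*://}"; h="${h%%/*}"; h="${h##*@}"; printf '%s\n' "${h%%:*}"
}

# Succeed only when the host appears verbatim (whole line) in the allowlist.
target_allowed() {
  [ -r "$ALLOWLIST" ] || return 1
  grep -Fxq -- "$(url_host "$1")" "$ALLOWLIST"
}

# Map a scenario name (assumed names) to the starting profile from the table.
profile_for() {
  case "$1" in
    marketing) echo quick ;;
    webapp|api|spa) echo standard ;;
    staging) echo deep ;;
    *) return 1 ;;
  esac
}

# Build the exact command line so CI logs show it before execution.
# Credentials stay in the environment; they are never put on this line.
build_scan_cmd() {
  url="$1"; scenario="$2"
  target_allowed "$url" || { echo "refusing: $(url_host "$url") not in $ALLOWLIST" >&2; return 2; }
  profile="$(profile_for "$scenario")" || { echo "unknown scenario: $scenario" >&2; return 2; }
  printf '%s scan --target %s --profile %s --fail-on high --format json,docx --output ./reports/\n' \
    "$PENCHEFF_BIN" "$url" "$profile"
}

# Print and run the command; a refused target fails the job before any traffic is sent.
run_scan() {
  cmd="$(build_scan_cmd "$1" "$2")" || return $?
  echo "$cmd"
  $cmd
}
```

Populate `authorized-hosts.txt` with one hostname per line from your signed authorization, and call `run_scan "$TARGET_URL" webapp` from the pipeline step.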
## 3. Read the result
- Findings appear in the unified queue with severity, CVSS v3.1 and v4.0 scores, OWASP category, and compliance fan-out.
- Every finding flagged by a scanner is followed up by `test_endpoint`; the report contains only `true_positive` rows by default.
- `deep` profiles attach a STRIDE / DREAD threat model and a compliance rollup to the scan.
- The DOCX report carries an executive summary, the findings register, the compliance appendix, and (for `deep`) the threat model.
## Common gotchas
- **Cloudflare / WAF returns 403.** Add the WAF's session cookie via the dashboard's Headers row on the target. `scan_waf` will detect and tag the WAF; payloads adapt automatically.
- **SPA returns a blank shell.** Use `standard` or `deep`; both trigger the Playwright crawler. `quick` only runs the fast HTTP crawler.
- **Rate-limited target.** Use the dashboard's Throttle card on the target to cap requests per second; the engine slows every dispatcher.
- **Auth flow is not OIDC.** Record a login macro once via the dashboard's Authentication card; the macro attaches to the target and replays on every scan.
## Next