01 / Protected targets
Runs against the surfaces that matter.
LLM APIs, agent backends, MCP servers, authenticated staging apps, and production targets with explicit scope controls — not just a public demo endpoint.
PwnKit Labs · Private release
Continuous adversarial testing
for teams shipping AI agents.
`pwnkit` is the open-source wedge. `pwnkit cloud` is the managed layer: recurring scans on protected targets, exploit-backed evidence, and an operator surface that turns runs into decisions.
The public engine publishes benchmark methodology and real-world results. The cloud product adds recurring orchestration, authenticated targets, artifact bundles, and operator review on top of that wedge. Read the technical details at docs.pwnkit.com.
pwnkit.cloud/operator/acme-ai/staging
Dashboard
Adversarial reliability control plane
Protected targets, recurring scans, findings queue, and artifact bundles in one operator flow.
Open findings
9
4 high · 3 medium · 2 low
Active scans
3
1 prod · 2 staging
Protected targets
12
APIs · MCP · apps
Artifact bundles
27
evidence + context
Findings queue
The review layer between raw attacks and customer-facing artifacts
| Finding | Severity | Status | Updated |
|---|---|---|---|
| Prompt injection causes unauthorized tool call chain agent-api-staging | high | pending review | 4m ago |
| MCP file server permits path traversal outside allowed root mcp-files-prod | critical | true positive | 12m ago |
| Agent backend leaks hidden system prompt in retry path chat-gateway-prod | medium | pending review | 19m ago |
| Model response chain triggers unbounded tool recursion agent-api-staging | high | investigating | 31m ago |
Protected targets
Target class, environment, auth mode, and scoped reach
agent-api-staging
staging.example.com /api/agent
agent_backend
static_header
staging healthy
mcp-files-prod
mcp.internal.company / files, shell
mcp_server
mcp_bundle
production restricted
chat-gateway-prod
api.company.com /v1/chat
llm_api
oauth_token
production watch
Artifact bundle
The output package handed to engineering and security
Target context
- target class: agent_backend
- environment: staging
- auth mode: static_header
- allowed host: staging.example.com
- allowed path: /api/agent
Exploit evidence
- proof: tool invocation transcript attached
- request chain captured across 3 turns
- agent executed unauthorized internal tool call
- replay status: reproducible on second run
Engineering handoff
- root cause: tool authorization boundary too broad
- affected path: /api/agent/execute
- recommended owner: platform-security
- artifact bundle id: ab_01JQ8X7P
Orchestration
The loop below the console
The console is the operator surface. This is the engine underneath it: recon, exploit, verify, and triage feeding back into the orchestrator.
What this is not
Four things you
will not get here.
The easier failure mode here is to drift into generic AI-security SaaS language. These are the four category traps we should explicitly avoid.
✕
Not a generic eval dashboard.
This is not a score-only control plane with judge-model charts and weak claims about quality. The product is built around attacks, evidence, and operator review.
01
✕
Not a wrapper around the OSS wedge.
The cloud is not there to cripple the open-source engine or hide it behind a paywall. `pwnkit` stays the public wedge; cloud adds recurring orchestration, target management, and evidence handling.
02
✕
Not another annual pentest PDF.
The value is not a one-shot report that goes stale immediately. The value is repeated adversarial pressure on the systems that matter, with a historical record of what changed.
03
✕
Not a black-box vendor.
The engine is open source. Your team can inspect the wedge, the methodology, and the benchmark posture before trusting the managed layer that sits on top of it.
04How we run
We do not ship
what we cannot defend.
One engagement at a time, reviewed by the person who wrote the engine. No demo deck, no public price list, no shared queues.
01
The operator built the engine.
The person running your scan wrote the code, signs your contract, and answers your team’s follow-up questions in the same thread.
02
Audit trail, not a PDF.
Every action logged with timestamp, prompt, tool call, model version, and outcome — exported in a shape your SOC 2 auditor will actually accept.
03
Safe-mode by default.
Signed scope, action allowlist, and a kill switch you pull from your side. The agent will not issue a destructive call unless your scope explicitly authorises it.
04
The engine is open source.
Your security team reads the prompts, tool list, and scoring harness before the first finding lands — not after an incident review.
05
We catch our own false positives.
The triage gate caught a decoy flag (FLAG{I’m_a_Script_Kiddie}) that the model fell for on an XBOW challenge. The methodology stops the engine’s mistakes before they reach your queue — not the other way around.
06
Improvements ship as measurements.
The engine moves on overnight A/B sweeps with public deltas, not vibes. The last sweep added one new flag and one actionable failure mode — both recorded against the run that produced them.
What it does
Four layers.
One managed surface.
The company does not need five separate SKUs. The job of the cloud product is to turn the public wedge into a real operating layer for teams shipping high-stakes AI systems.
02 / Recurring pressure
Runs on a schedule you control.
Nightly, weekly, on-deploy, or before a release. The point is not one scorecard — it is seeing whether the system is getting safer over time.
03 / Artifact bundle
Turns attacks into evidence.
Each run should end in an artifact bundle: target context, exploit transcript, evidence, review status, and handoff material engineering can actually use.
04 / Operator review
Keeps a human in the loop.
The managed product is not a black-box score feed. Findings move through a real operator surface with triage, evidence review, and explicit decisions.
FAQ
Questions we answer
before you ask.
The seven questions every CTO and CISO evaluation call ends up at by minute eight. Answered up front so the first call can be about your estate, not ours.
Tell us what you
need to defend.
If your next pentest is six months out and you cannot tell your board why, the form is below. We read every inquiry by hand and reply within one business day — usually with a no, sometimes with a calendar link.