Continuous offensive security testing,in your workflow.
Push to deploy and it scans. Query findings from Claude Code or Cursor. SARIF lands in GitHub Code Scanning. An autonomous 18-phase pentest that runs where your code already lives — not a PDF you wait a year for.
It runs where you already work.
MCP server
mcp.arkensec.com — trigger scans and query findings from Claude Code, Cursor, or any MCP client. Security answers without leaving the editor.
Deploy webhook
Wire the GitHub webhook and every push to deploy fires a fresh scan. New code, new attack surface, same coverage.
SARIF export
Every engagement exports SARIF 2.1.0 — findings land in GitHub Code Scanning next to your other alerts, not in a separate inbox.
CLI
arkensec scan from your terminal and CI. The device-flow auth backend is already live; the CLI ships next.
18 phases. 9 AI decisions. One scan.
Recon → exploitation-validation → reporting → retest. Nine AI decisions per scan adapt the attack plan to what each phase finds — this is not a fixed checklist.
Map the attack surface
Subdomains, open ports, exposed services, tech stack — a full inventory of what an attacker can see before any test fires.
Test every endpoint
Security headers, CORS, API auth, JWT handling, SQL injection, XSS. When Phase 5 turns up working credentials, the pipeline logs in and keeps testing from inside.
Find what scanners miss
Business-logic flaws, race conditions, workflow bypasses, and AI/LLM prompt injection — bug classes that require reasoning about your app, not pattern-matching it.
Cloud, supply chain & modern vectors
S3 exposure, dependency audit, subdomain takeover, HTTP request smuggling, WebSocket hijacking, cache poisoning.
Map findings to 8 frameworks
Every finding tagged to the controls it affects — PCI DSS 4.0, SOC 2, HIPAA, ISO 27001, NIST CSF 2.0, OWASP Top 10 / API / LLM — at the control level.
Prove, report, retest
Proof-of-concept validation, breach-scope calculation, PDF + SARIF reports with an executive summary, and a one-click retest once you've patched.
When it finds working credentials, it logs in and keeps going.
Phase 5 discovers live credentials and forwards them as auth context, so the injection and business-logic phases test from inside your app — not just poking the front door.
Between a CI scanner and a $15K pentest.
- Coverage:
- Known CVEs + templates
- Cadence:
- Every push (shallow)
- Auth depth:
- Mostly unauthenticated
- Findings:
- Raw alerts — you triage
- Remediation:
- You research the fix
- Workflow:
- A separate tool to wire up
- Cost:
- Free tool + your eng time
- Coverage:
- 18 phases incl. business logic + AI/LLM
- Cadence:
- Push-triggered + weekly / monthly / quarterly
- Auth depth:
- Self-escalating — finds creds, logs in, keeps going
- Findings:
- Validated + severity-calibrated, with PoC
- Remediation:
- AI fix code in your language + one-click retest
- Workflow:
- MCP · SARIF → Code Scanning · deploy webhook
- Cost:
- $199/mo or $1,999/yr
- Coverage:
- Deep, human-driven, scoped
- Cadence:
- Once a year, point-in-time
- Auth depth:
- Authenticated, manual
- Findings:
- Validated by a human
- Remediation:
- Recommendations in a PDF
- Workflow:
- Email a PDF, schedule a readout
- Cost:
- $10–20K per engagement
Pro doesn't replace a great human on a deep, scoped engagement — it gives you continuous coverage between them, and catches the bug classes a CI scanner can't reason about.
Walk into audit prep with the mapping done.
Every finding maps to the exact controls it affects across 8 frameworks. Posture and prep: know which controls you're failing before anyone else asks.
$199/mo. Or $1,999 a year.
Annual saves ~16%. 10 scans a month with a 6-hour per-domain cooldown — schedule them weekly, monthly, or quarterly, or fire them on demand.
Start here. Always free.
- ›Surface-level scan (Phases 0–2)
- ›17 automated security checks
- ›Security grade (A–F)
- ›3 detailed findings shown
- ›No signup. No credit card.
Replace your annual pentest with a continuous one.
- ›Full 18-phase autonomous pipeline
- ›1,300+ security tests · 150+ offensive tools
- ›10 scans a month — scheduled or on demand
- ›8-framework compliance mapping
- ›AI remediation chatbot
- ›SARIF + PDF reports · executive summary
- ›MCP server access · CLI coming soon
- ›One-click retest after you patch
Or $1,999/yr (~16% off) · Cancel anytime
Point it at your domain.
Free scan in two minutes, no signup. Subscribe when you want the other 16 phases.