Audit-ready pentests in hours, not weeks.
Sentinel runs ten specialised AI agents across your code, APIs, and infrastructure - chaining vulnerabilities like a real attacker, then re-running each one to confirm exploitation before it lands in the report. Every finding ships with a working exploit, lands as a GitHub issue, and is pre-mapped to SOC 2, ISO 27001, DORA Article 24 and NIS2 Article 21. The same engine we use to pentest matproof.com every quarter.
No signup for the 3-min scan — your first findings in your inbox. Full Sentinel pentest from €299/mo, cancel anytime.
How Sentinel works
Three steps to a complete pentest
Install the GitHub App, set your scope
One-click install of the Matproof Sentinel GitHub App - read-only, scoped to the repos you select. No third-party OAuth approvals, no PATs sitting in env files. Bitbucket, GitLab and plain target URLs are supported too. A single scan can cover one primary target plus up to 50 additional URLs. Domain ownership is verified via DNS TXT or HTTP file challenge before any traffic is sent.
Ten AI agents scan in coordinated stages
Recon (nmap, amass, httpx) maps the surface. Web, API, Infra, Cloud and Mobile agents probe in parallel (nuclei, sqlmap, OWASP ZAP, testssl.sh, Prowler, MobSF). Source-code and supply-chain agents read your repos (Semgrep, Gitleaks, Trivy). A ValidatorAgent re-runs every finding to confirm exploitation. Median scan: 25 minutes. Full agent registry and methodology at docs.matproof.com.
Report, SARIF, GitHub issues, remediation diff
Every confirmed vulnerability ships three ways: an audit-ready PDF for your SOC 2 / ISO / DORA file, SARIF for GitHub Advanced Security, and auto-created GitHub issues routed to the right team. Re-tests dedupe via stable fingerprints and surface a hero metric: "N findings remediated since your last scan" - the receipt your auditor and your board actually want.
Platform
Full-stack security coverage
AI agents test every layer of your application - from frontend to infrastructure.
Web, API & DAST
WebApp + Browser + API agents
Crawls every endpoint, form, and route. Tools include nuclei, sqlmap, ffuf, jwt_tool, OWASP ZAP and OpenAPI/GraphQL fuzzing. Covers OWASP Top 10 + API Top 10, auth bypass, IDOR, DOM XSS, JWT flaws and session-management issues. Authenticated scans supported via session cookies or bearer tokens.
Source Code & Supply Chain
Semgrep + Gitleaks + Trivy
SourceCode and SupplyChain agents read the repos you connect via the GitHub App. Semgrep for SAST, Gitleaks for hardcoded secrets, Trivy for vulnerable dependencies, containers and IaC. Findings cross-reference CVE feeds and ship with fix-patch suggestions.
Infrastructure, Cloud & Mobile
nmap + testssl.sh + Prowler + MobSF
Recon (nmap, subfinder, amass, dnsx, httpx), TLS/DNS hardening (testssl.sh), AWS auditing via Prowler when you grant a read-only IAM role that Sentinel assumes via STS, and MobSF for Android / iOS binaries. Covers exposed ports, IAM misconfigurations and privilege-escalation paths.
Remediation
From issue to fix in minutes
Discover
Ten AI agents systematically work your attack surface in coordinated stages - one primary target plus up to 50 additional URLs per scan. SQL injection in your API, misconfigured S3 buckets, leaked secrets in your repo, vulnerable container images.
Auto-validate
A dedicated ValidatorAgent re-runs every finding before it ships. Anything it can't reproduce is dropped. Your customer-facing report only contains confirmed exploits with evidence your auditor can re-run.
SARIF export to GitHub Advanced Security
Every scan ships as a SARIF 2.1.0 report — upload directly into GitHub Advanced Security, GitLab, or Azure DevOps security dashboards. Findings land in your existing PR review workflow with stable fingerprints so retests deduplicate automatically.
Why teams trust Sentinel
Every finding is validated. Nothing in the report is theoretical.
No false positives, no AI hallucinations. If it lands in the report, an agent already exploited it - and your auditor can re-run the proof.
Proof of Exploit
Every vulnerability ships with a working exploit demonstration and reproduction steps - not a theoretical CVSS guess. Your auditor can re-run it.
Auto-Triage
AI classifies severity using CVSS and business context, so your team fixes what matters first - and skips noise that scanners normally promote.
GitHub-native workflow
Findings land as auto-assigned GitHub issues, labelled by severity, with repro steps and a suggested fix patch. Stable fingerprints dedupe across re-tests and surface a remediation-diff metric: "N findings remediated since your last scan" - the receipt your board actually wants. SARIF export for GitHub Advanced Security included.
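The SARIF export and the fingerprint-based remediation diff described above, as an added example that is not Matproof's code: it builds a minimal, schema-valid SARIF 2.1.0 log and computes "N findings remediated since your last scan" by diffing stable fingerprints between two runs. The fingerprint key name `stableHash/v1`, the rule ids and the sample findings are constructed for this example; the page does not document Sentinel's actual fingerprint scheme.

```python
import hashlib
from dataclasses import dataclass

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
# Hypothetical key; SARIF allows any "<name>/v<N>" string under partialFingerprints.
FINGERPRINT_KEY = "stableHash/v1"


@dataclass(frozen=True)
class Finding:
    rule_id: str   # scanner rule, e.g. "sqli" (example ids, not Sentinel's)
    uri: str       # affected endpoint or file
    anchor: str    # logical location: parameter, route or symbol name
    level: str     # SARIF level: "error", "warning" or "note"
    message: str


def fingerprint(f: Finding) -> str:
    """Stable fingerprint over rule + artifact + logical location.

    Line numbers and message text are deliberately excluded: the same bug
    after unrelated commits (or with a reworded message) must still match,
    otherwise every re-test reports N "new" and N "remediated" findings.
    """
    material = "\x00".join((f.rule_id, f.uri, f.anchor))
    return hashlib.sha256(material.encode()).hexdigest()[:32]


def to_sarif(findings, tool_name="example-scanner", version="0.1.0") -> dict:
    """Minimal SARIF 2.1.0 log with a single run."""
    results = [
        {
            "ruleId": f.rule_id,
            "level": f.level,
            "message": {"text": f.message},
            "locations": [{
                "physicalLocation": {"artifactLocation": {"uri": f.uri}},
                "logicalLocations": [{"name": f.anchor}],
            }],
            "partialFingerprints": {FINGERPRINT_KEY: fingerprint(f)},
        }
        for f in findings
    ]
    rules = [{"id": rid} for rid in sorted({f.rule_id for f in findings})]
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": version, "rules": rules}},
            "results": results,
        }],
    }


def fingerprints_in(sarif: dict) -> set:
    return {r["partialFingerprints"][FINGERPRINT_KEY]
            for run in sarif["runs"] for r in run["results"]}


def remediation_diff(previous: dict, current: dict) -> dict:
    """The 'N findings remediated since your last scan' metric, plus the two
    numbers it hides: what is new this scan and what is still open."""
    before, after = fingerprints_in(previous), fingerprints_in(current)
    return {"remediated": len(before - after),
            "new": len(after - before),
            "persisting": len(before & after)}


# Constructed sample data, not real scan output.
PREVIOUS = [
    Finding("sqli", "https://api.example.test/v1/users", "param:id", "error", "Boolean-based SQLi in id"),
    Finding("idor", "https://api.example.test/v1/orders", "param:order_id", "error", "Order readable by any user"),
    Finding("weak-tls", "api.example.test:443", "tls:TLSv1.0", "warning", "TLS 1.0 enabled"),
]
CURRENT = [
    # Same SQLi, reworded message: the fingerprint must still match.
    Finding("sqli", "https://api.example.test/v1/users", "param:id", "error", "Time-based SQLi in id (re-test)"),
    Finding("weak-tls", "api.example.test:443", "tls:TLSv1.0", "warning", "TLS 1.0 enabled"),
    # New this scan.
    Finding("secret-leak", "src/config.py", "AWS_SECRET_ACCESS_KEY", "error", "Hardcoded AWS secret"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(to_sarif(CURRENT), indent=2))
    print(remediation_diff(to_sarif(PREVIOUS), to_sarif(CURRENT)))
    # {'remediated': 1, 'new': 1, 'persisting': 2}
```

The design choice worth noting is what goes into the fingerprint: hashing on line numbers makes the metric lie after any refactor, while hashing on message text makes it lie after any wording change in the scanner. GitHub code scanning will compute its own `primaryLocationLineHash` when a result carries no fingerprint, so supplying a logical-location hash is what keeps alerts stable across re-tests.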
Open methodology, honest scope
Full Sentinel methodology - every agent, every tool, every check - public at docs.matproof.com/features/sentinel-methodology. We also publish what Sentinel does NOT do: no social engineering, no zero-day discovery, no human verification. Buying honesty, not vapour.
Audit-Ready Report
Findings auto-tagged to SOC 2 (CC7.1), ISO 27001 (A.8.8 / A.8.29), DORA (Art. 24-27), NIS2 (Art. 21), PCI DSS (Req. 11.4), HIPAA (§164.308(a)(8)), BaFin MaRisk/BAIT and NEN 7510. PDF, JSON and SARIF - drop straight into your auditor's evidence room.
We pentest ourselves
Sentinel runs against matproof.com every quarter. We do not ship security tooling we are not willing to point at our own production. All findings from the most recent self-scan are remediated.
Testing modes
Choose your approach
Black-box Testing
External-only testing with no source code access. AI agents attack your application the same way a real attacker would - through your public-facing endpoints, APIs, and infrastructure.
- No source code needed
- Tests external attack surface
- Faster scan times
- Simulates real-world attacks
White-box Testing
Full source code review combined with dynamic testing. AI agents analyze your codebase line by line, then verify findings with live exploitation - the most comprehensive approach.
- Full source code analysis
- Finds hidden vulnerabilities
- Deeper coverage
- Merge-ready fix PRs
Pricing
Simple, predictable pricing
Available as an add-on to any Matproof plan. Cancel anytime, no procurement loop. The same engine we run against matproof.com every quarter - now pointed at your stack.
Need unlimited targets, Cloud + Mobile + SupplyChain agents, SSO or a dedicated CSM? Talk to sales →
Frequently asked questions
What is AI penetration testing?
AI penetration testing uses autonomous AI agents to probe your applications, APIs, source code, and infrastructure for security vulnerabilities. Unlike traditional pentests that rely on manual effort over weeks, AI agents can test thousands of attack vectors in hours - delivering audit-ready reports with proof of exploit for every finding.
How long does a scan take?
Median scan finishes in 25 minutes thanks to parallel agent execution (Recon runs first, then Web/API/Infra/Cloud/Mobile in parallel, then Source-Code/Supply-Chain, then the Validator re-runs each finding). Larger surfaces with many subdomains or large codebases can run longer, up to a few hours. You receive results as findings are confirmed - no need to wait for the full scan to finish.
Is this compatible with SOC 2 and ISO 27001 audits?
Yes. Reports are formatted as the penetration-testing evidence auditors expect for SOC 2 Type II (CC7.1) and for ISO 27001:2022 Annex A control 8.8, Management of technical vulnerabilities (A.12.6 in the 2013 edition). Each finding includes a CVSS score, reproduction steps, evidence screenshots and remediation guidance - exactly what your auditor needs.
Is it safe to run against production?
Yes. Exploitation is performed in a controlled manner - SQL injection is confirmed by extracting a single benign record, not by dumping your database; XSS by reflecting a harmless marker. Before any traffic is sent, Sentinel requires you to prove domain ownership via a DNS TXT record or HTTP file challenge, so it can't be pointed at a target you don't actually control. You can run scans against staging instead if you prefer.
How does Sentinel compare to a traditional pentest?
Sentinel is not a replacement for human red-team engagements with social engineering, zero-day discovery, or deep bespoke business-logic abuse. We say that plainly on the methodology page. It IS a replacement for the routine vulnerability discovery work that consultancies spend 70-80% of their time on - at 5-10% of the cost (€299/mo vs. €15,000-50,000 per engagement) and with the ability to run continuously instead of once a year before audit.
What types of vulnerabilities do you find?
The full OWASP Top 10, plus business logic flaws, authentication bypasses, API abuse, hardcoded secrets, insecure dependencies, cloud misconfigurations, privilege escalation, and more. Each finding is validated with a working proof of exploit - no theoretical risks or false positives.
Do I need to give you source code access?
No. You can run black-box scans against any URL or IP without source code - one primary target plus up to 50 additional URLs per scan. For deeper coverage, install the Matproof Sentinel GitHub App (recommended), or connect GitLab / Bitbucket via OAuth, or paste a GitHub PAT. The App is read-only and scoped to the specific repos you select - no third-party OAuth approval friction.
Can I use this for DORA TLPT requirements?
Sentinel can supplement a DORA resilience-testing programme, but it is not TLPT. Threat-led penetration testing sits in Article 26, not Article 24: it is a threat-intelligence-led exercise run by human red teams (Article 27 sets the tester requirements) that competent authorities require of designated financial entities at least every three years, and automated scanning does not satisfy it. What Sentinel covers is the routine testing of ICT tools and systems under Article 25 (vulnerability assessments and scans, source-code reviews, penetration testing), giving you continuous coverage between formal TLPT engagements.
Get started
Stop guessing. Start testing.
Install the Sentinel GitHub App, point it at your repos, and have a confirmed-exploit report on your auditor's desk before the kettle boils. €299/mo, 3 scans included. No setup calls, no procurement loop.