Autonomous Pentests With Proof - apviso

Autonomous pentesting platform for security evidence

Autonomous pentests with proof your team can ship
=================================================

APVISO runs scoped, runner-controlled tests, validates exploitability, and returns evidence, remediation guidance, and retest status.

Scoped pentests · Evidence reports · Retest workflows

- Founders: Get launch evidence before customer reviews. [Compare plans](/pricing)
- Security teams: Validate findings, assign fixes, and retest. [Book scoping](/contact?intent=scoping-call)
- Partners: Add repeatable pentests to client delivery. [See partners](/partners)

How APVISO works

From scoped pentest to accepted security evidence.
--------------------------------------------------

APVISO coordinates the pentest engine end to end: scoped recon, authenticated exploration, specialist testing, safe exploit proof, report delivery, and targeted retests.

- Before (Authorize): Scope, credentials, guardrails, and runner readiness.
- During (Pentest): Recon, specialist agents, browser exploration, exploit proof.
- After (Close): Reviewed findings, report delivery, remediation, and retests.

1. Runner: Job-scoped execution
2. Context: Auth, roles, flows
3. Testing: App, API, logic
4. Exploit proof: Safe impact evidence
5. Evidence: Proof and fix guidance
6. Handoff: Owner and retest

Proof gate

Unproven leads stay out of the report.

- Rules of engagement
- Auth map
- Exploit proof
- Report
- Retest proof

Scope authorized

Findings proven, fixes assigned, retests tracked.

Scanner vs pentest

Signals are internal. Proof is what ships.
------------------------------------------

Traditional DAST hands your team an alert queue. APVISO runs a pentest workflow and keeps unproven leads out of the report, which is how shipped findings stay at 0% false positives.

APVISO report gate: 0% false-positive rate

Not 0% noise in the engine. 0% false positives in findings that make it into the report.

The rule is simple

If APVISO cannot reproduce impact and attach evidence, the lead stays internal.

Traditional DAST: Potential alerts

- Validation: Your team confirms which alerts are real
- FP outcome: False-positive cleanup is part of the workflow

APVISO pentest: Verified findings

- Validation: The engine proves exploitability before reporting
- FP outcome: 0% false-positive rate in shipped findings

- Signal: Tool output, agent observations, and suspicious behavior stay internal.
- Reproduce: The pentest engine tries to recreate the issue in scope.
- Prove: Exploitability, impact, and safe evidence are captured.
- Ship: Only confirmed findings become customer-facing report items.

APVISO can use scanner signals as inputs, but customer-facing findings require reproduction, exploit proof, and report-ready evidence.

Traditional DAST handoff

Review the alert list, remove false positives, then ask developers to reproduce what remains.

APVISO handoff

Open the report with proof, remediation guidance, owner handoff, and retest status already attached.


Integrations

Findings land where work happens.
---------------------------------

Route validated findings, retest status, and review evidence into the systems your engineering and security teams already use.

Slack, Jira, GitHub, Linear, Datadog, Jenkins, Grafana, PagerDuty, Vanta, Snyk, Splunk, Zapier, [+35 more](/integrations)

Trust evidence

Built for security evidence that can be reviewed.
-------------------------------------------------

APVISO keeps the chain from scope to finding to retest visible, so teams can show what was tested, what was confirmed, and what changed after the fix.

### Scoped authorization

Every run starts from explicit target scope, test intensity, and ownership confirmation.

### Evidence trail

Findings carry reproduction steps, affected assets, screenshots, and retest history.

### Customer-ready output

Reports are structured for engineering triage, security review, and audit requests.

Compliance

Evidence your reviewers can follow.
-----------------------------------

APVISO turns verified penetration testing into evidence your team can use for vulnerability management, customer security reviews, procurement, and compliance conversations.

NIS2 Directive

EU 2022/2555

NIS2 requires essential and important entities to manage vulnerability handling, disclosure, and security risk. APVISO supports that program with repeatable technical testing, retest records, and evidence trails.

- Vulnerability handling and disclosure evidence (Art. 21.2e)
- On-demand security assessments with review-ready reports
- Evidence trails for risk and regulatory documentation

Review-Ready Reports

Every finding includes evidence, CWE mappings, reproduction steps, and remediation guidance for auditor, customer, and internal security review.

EU Data Residency

EU-hosted infrastructure and Enterprise deployment options help teams plan around data residency and procurement requirements.

```
$ apviso comply --map-frameworks
Mapping findings to 7 frameworks...
✓ OWASP APTS conformance documented per engagement
✓ NIS2 Directive risk evidence support
✓ SOC 2 vulnerability-management evidence support
✓ ISO 27001 technical testing evidence support
✓ PCI DSS v4.0 Req. 11.3 evidence support
✓ NIST CSF 2.0 mapping support
✓ GDPR security testing documentation support
7/7 frameworks mapped — evidence pack ready
```

OWASP APTS Conformance

v0.1.0 · self-assessed

Self-assessed conformance with the Autonomous Penetration Testing Standard — the governance standard for autonomous pentest platforms — at the tier you pick per engagement. **Tier 1 Foundation** by default; **Tier 2 Verified** and **Tier 3 Comprehensive** available via the Supervised and Advisory governance presets.

[Read conformance claim](/trust/apts)

Pricing

Self-serve for teams. Custom for partners.
------------------------------------------

License your self-hosted runners, targets, and concurrency. BYOK keeps model spend in your account; Partner and Enterprise handle wholesale, embedded, and custom deployment terms.


Free Local Web App Pentest

Run one localhost-only Launch Review through your runner, or watch the demo replay before installing anything.


Solo

For indie hackers and solo founders who want serious AI pentesting.

$29/mo, billed monthly

Includes

- 1 user organization
- 1 runner and 1 concurrent pentest
- 3 active targets
- 5 pentest starts per month
- BYOK model keys
- Markdown and branded PDF reports


Launch

Most Popular

For early teams ready for teammates, automation, and no start cap.

$199/mo, billed monthly

Includes

- Team members in one organization
- 3 runners and 3 concurrent pentests
- 10 active targets
- Scheduled recurring pentests
- Limited integrations
- No monthly pentest start cap


Team

For growing teams that need more capacity and every integration.

$499/mo, billed monthly

Includes

- 10 runners and 10 concurrent pentests
- 25 active targets
- Scheduled recurring pentests
- All integrations enabled
- APTS Tier 2 governance
- Priority email support


Need more than Team?

Partner and Enterprise are sales-managed for agencies, platforms, larger security teams, and custom volume.


FAQ

Questions teams ask before the first review.
--------------------------------------------

Short answers on how APVISO runs pentests, validates findings, prices usage, and handles evidence.

Built around proof

The answers below focus on what buyers need to trust an autonomous pentest workflow.

Confirmed findings only

Runner-controlled execution

Evidence and retest history

General

### What is APVISO?

APVISO is a self-hosted autonomous penetration testing platform. Your runner executes the pentest in your own environment while APVISO coordinates jobs, streams findings, and produces reports through the dashboard.

### Why is APVISO self-hosted instead of fully managed?

Self-hosted runners keep raw traffic, private URLs, target credentials, model credentials, and network access under your control. You can test localhost, staging, private apps, and customer environments without routing sensitive pentest execution through APVISO-managed infrastructure or paying APVISO-hosted pentest infrastructure markup.

### What is the advantage over managed pentest infrastructure?

Managed platforms make you pay for their compute, networking, idle capacity, and operating margin. APVISO lets you run the pentest on infrastructure you already control, including a local machine, CI runner, cloud VM, Kubernetes node, or customer-side environment, while APVISO provides the control plane, licensing, dashboard, reporting, and workflow.

### How is this different from a vulnerability scanner?

Traditional vulnerability scanners match signatures against known patterns and leave validation to your team. APVISO's agents reason about application logic, adapt their testing strategy, and verify exploitability with evidence before a finding is treated as confirmed.

### Is it safe to run against production?

Yes. APVISO enforces 30+ mandatory safety rules: no destructive actions, no data exfiltration, and no denial of service. Each pentest runs through your self-hosted runner and the target visibility you configure.

### How long does a pentest take?

It depends on the pentest package and target complexity. A Launch Review typically takes 20-40 minutes. Quick Checks are faster, while Full Pentest and Compliance Evidence engagements run longer for deeper authenticated, API, and business-logic testing.

Pricing

### How much does a pentest cost in AI usage?

Self-hosted plans run through your own runners. The variable cost is your model-provider usage: Quick Check is estimated at $3–7, Launch Review at $5–15, Full Pentest at $15–25, and Compliance Evidence at $20–50.

### Can I use Codex for high-volume pentesting?

Yes. APVISO runners can use Codex through your OpenAI plan, and the Full Pentest estimate makes the math clear: teams with enough Codex allowance can run up to about 300 Full Pentests per month, subject to OpenAI usage limits, runner concurrency, and target scope.

### Can I use APVISO without a subscription?

Open registration remains available for demo output, target preparation, and the free localhost-only pilot. Public, staging, private-network, scheduled, and recurring testing require paid, admin-funded, or sales-managed access.

### What's the difference between presets?

Packages map to buyer outcomes. Quick Check is a fast first pass, Launch Review is the default business pentest, Full Pentest adds deeper authenticated/API testing, and Compliance Evidence is the highest-depth option for audit and customer-security review support.

### Do you support partner and enterprise buying paths?

Yes. Solo, Launch, and Team are self-serve. Partners use custom wholesale, reseller, or embedded terms, and Enterprise is contact-sales for procurement, SSO, DPA, deployment, support, and custom volume.

Security & Trust

### Do I need to verify domain ownership?

No. Self-hosted deployments use your configured target visibility and runner readiness instead of DNS, file, or meta-tag ownership verification.

### Do you have false positives?

APVISO is built around confirmed findings, not tool-style possibilities. We check every finding before it reaches the report: the agents must demonstrate exploitability with evidence and reproduction steps, and unproven leads stay out of the confirmed findings list.

### What types of vulnerabilities do you find?

APVISO tests for OWASP Top 10 vulnerabilities and beyond: SQL injection, XSS, broken authentication, security misconfigurations, information disclosure, and more. In head-to-head benchmarks, APVISO detected 45 out of 52 vulnerability types.

### Can I retest after fixing a vulnerability?

Yes. Retests are targeted checks that re-examine specific findings to verify that vulnerabilities have been fixed.

### Does APVISO help with NIS2 compliance?

APVISO supports NIS2 readiness by providing repeatable application security testing, retest records, and evidence packages for vulnerability handling, disclosure, and risk-management review. APVISO does not certify NIS2 compliance or promise auditor acceptance.

Technical

### Can I use it with Claude Code or Codex?

Yes. APVISO supports Claude Code, Codex, OpenAI API, Anthropic API, and AWS Bedrock so each runner can use the model path that fits your environment.

### What integrations are supported?

APVISO supports 40+ integrations including Slack, Discord, Jira, GitHub, Linear, Jenkins, Datadog, Grafana, and more. Launch includes limited webhook, chat, and automation integrations; Team unlocks the full integration catalog.

### Do you provide an API?

Yes. A REST API is available on all plans for programmatic access to targets, pentests, findings, and reports. Launch and higher plans can schedule recurring pentests, while Team unlocks the full workflow integration catalog.

### Do you have an MCP server?

Yes. You can use the APVISO MCP server to add targets, run pentests, inspect findings, and move verified issues into your remediation workflow.

Free Local Pentest pilot

Run your first localhost Launch Review from your own machine.
-------------------------------------------------------------

Start with the constrained free local flow, then upgrade when you need public, staging, private/internal, partner, retest, or scheduled testing.


Free Local

Clean entry point, clear upgrade path.

1 localhost-only Launch Review every 30 days

Self-hosted runner keeps access and BYOK credentials local

Paid plans unlock public, staging, private, schedules, and retests

APVISO orchestrates the job; execution happens on your runner.

APVISO: Autonomous AI-powered penetration testing for modern web applications.

© 2026 APVISO. All rights reserved.
