P-02 — Network Pentesting

Your perimeter, priced per asset.

Autonomous agents take your external perimeter the way an outsider would: enumerate the surface, find the soft edge, and prove the path in — per asset, on repeat. Internal network testing is coming next.

Get early access See pricing
// Capabilities

Discovery and exploitation, on a loop

Most external assessments are a snapshot. Rift keeps watching the edge as it moves.

External perimeter, agent-driven

Subdomains, exposed services, open ports, TLS posture, and forgotten hosts — enumerated from a single seed and pressure-tested for real exploitability.

Priced per asset

Pay per subdomain or IP in scope, with unit costs that fall as your surface grows. No bundles you don't need, no surprise true-ups mid-contract.

Continuous drift detection

A new asset appears at 2am — a marketing subdomain, an acquired company's range, a shadow-IT box. It's discovered, scoped, and tested before your standup.

Attack-path proof

Agents pivot from a low-severity exposure to demonstrated impact, then hand you the chain. Proof that this is pentesting, not a port scan with a PDF.

38
Assets mapped from one seed
24/7
Drift detection on new assets
0%
False-positive SLA
100%
Findings backed by an exploit
// What we test

The whole external edge

From one domain to a full, living inventory — then continuous testing of everything in it.

  • Subdomain & DNS enumeration, including wildcards
  • Port and exposed-service discovery
  • TLS / certificate posture and expiry
  • Default credentials & exposed admin interfaces
  • Cloud-edge misconfigurations and forgotten hosts
external surface · 38 assetsprobing
vpn.acme-corp.com:443TLS 1.0 — weak
mail.acme-corp.com:25open relay test
legacy.acme-corp.com:8080exposed admin
38
assets
1
critical
2
high
$90
/ asset
// How it works

Three steps to a tested perimeter

01

Seed the scope

Give Rift a root domain or IP range and authorize it. The agent expands it into a full asset inventory.

02

Enumerate & exploit

Each asset is fingerprinted and pressure-tested. Agents chain exposures into demonstrated attack paths.

03

Watch the drift

Leave it armed. New assets are caught and tested automatically; findings route into your tickets.

Roadmap

Internal network testing

External coverage is what Rift launches with; agent-driven internal/lateral-movement testing comes next. Tell us about your attack surface to get early access.

// Pricing

What counts as an asset

Clear, countable units — so you can budget without a sales call. Unit price drops at volume.

Subdomain
Each unique hostname in scope counts as one asset.
IP address
Each external IP counts as one asset; ranges priced by live host.
Volume tiers
Per-asset price steps down as the inventory grows — small surfaces ~$90, large ~$55.
Surface growth
New assets discovered mid-contract are added at your tier rate, never a penalty rate.
Estimate your price →

Know your perimeter before they do.

Point Rift at one seed domain and watch it map — and test — everything attached to it.

Get early access See pricing