P-01 — Web Application Pentesting

Every route. Every flow. Every deploy.

Point Rift at a URL for black-box pressure, or hand it source for full white-box reach. Agents map every route, walk every auth flow, and chain bugs the way a real attacker would — then hand you a verified exploit, not a maybe.

// Capabilities

Built to think, not just scan

Four things a signature scanner can't do — and that a once-a-year pentest can't keep pace with.

White-box, grey-box, or black-box

Give it code for taint-aware depth, credentials for authenticated reach, or just a URL. The agent adapts its strategy to whatever you share — sharing more never changes the bar: every finding is still proven.

Business logic, not just signatures

Reasons about checkout, RBAC, tenancy, and multi-step flows to surface IDOR, auth bypass, privilege escalation, and abuse a pattern-matcher will never see.

SAST + DAST, fused

Code-level suspicion meets runtime behaviour in one loop. The agent uses your source to find the soft spot, then drives the live app to confirm it's actually reachable.

Every bug comes with a receipt

A working request, payload, and impact note — captured and replayable. Near-zero false positives, so triage time goes to fixing, not verifying.

  • 214 routes walked per run
  • 9 min median time-to-first-finding
  • 0% false-positive SLA
  • 100% of findings backed by an exploit

// Coverage

Modern apps, fully walked

SPAs, REST and GraphQL APIs, server-rendered apps, and the messy auth in between — crawled, authenticated, and exercised the way a user (and an attacker) actually would.

  • Single-page apps & API-only backends
  • OAuth, SSO, and multi-step authentication flows
  • Role- and tenant-based access control testing
  • Staging or production, with safe-by-default exploitation
  • Re-tests automatically on every deploy

Coverage areas: OWASP Top 10 · OWASP API Top 10 · Business logic · Auth & session · SSRF / XXE · Injection

Route coverage · acme-app · 214 mapped

  GET   /                  clean
  POST  /api/auth/login    high
  GET   /api/orders/{id}   high
  POST  /api/checkout      clean
  GET   /admin/users       crit
  PUT   /api/profile       med
  POST  /track             crit
  GET   /api/search        clean

  2 critical · 2 high · 0 false pos.

// How it works

From connect to confirmed in three steps

01

Connect & scope

Add a domain or a repo, set authorized scope and guardrails. OAuth into GitHub/GitLab or hand over a URL — nothing to install.

02

Agents go to work

Recon, reasoning, exploitation, and verification run autonomously. The agent only reports what it could actually prove.

03

Route, fix, re-arm

Verified findings flow to Jira, GitHub, or Slack with reproduction steps. On the next deploy, the loop re-tests the fix.

// Pricing

Priced by application size

No per-seat tax. You pay for the surface being tested — measured by routes and auth complexity during onboarding, not self-reported. Run it once, yearly for compliance, or continuously.

  • Brochure / marketing: ~25 routes, single auth flow. The lightest band.
  • Standard SaaS app: ~120 routes, a handful of auth flows. The typical product.
  • Complex platform: ~400 routes, rich roles and tenancy.
  • Enterprise suite: 1,000+ routes across multiple apps. Custom scoping.

Test your app like an attacker would.

Be first in line. Tell us about your app and we'll bring you on the moment Rift is ready.