What pentes.io is, and why it exists
pentes.io is an attack-surface monitoring platform built around one rule: a scan never runs until the customer has cryptographically proven they own the target. Everything else in the architecture — the worker, the audit log, the LLM triage pipeline — exists to enforce that rule and produce evidence that it held.
The problem we're solving
The security-tooling market has two shapes that don't fit small and mid-size teams:
- Heavyweight platforms (Qualys, Tenable, Rapid7) — expensive, designed for enterprise teams with dedicated security headcount, slow to onboard, and overkill for organizations that just need to know "what changed on our external surface this week."
- Pentesting agencies — high-quality, but point-in-time and expensive enough that most teams run one engagement per year. The 51 weeks between engagements are blind.
Between them sits the team that ships a couple of services, has a couple of subdomains, owns a handful of IPs, and wants continuous coverage without committing to an enterprise SKU or a $30k engagement. That's who we're building for.
The non-negotiable rule
We do not run a scan until you have proven you own the target, and our worker re-verifies that proof at the moment of the scan. No "fire-and-forget" pentest mode, no exploitation modules, no auth brute-forcing, no intrusive nuclei templates. The non-destructive posture is architectural, not policy: the worker enforces it, the audit log records it, and we built the product around the constraint from day one.
If you want a tool that can be turned into an exploitation framework, pentes.io is not it — by design.
The operator
pentes.io is currently operated by Adnan Bassem as a sole proprietor, working with design partners ahead of GA. The legal entity will be formed pre-GA; this page and the Terms will be updated when that happens.
- Founder / engineer: Adnan Bassem · adnan@pentes.io
- Security and disclosure: security@pentes.io · see policy
- Privacy: privacy@pentes.io
- General: hello@pentes.io
How we make money
Subscriptions, billed monthly via Stripe. Three tiers: Free (5 scans / mo), Vibe Coder ($14.99 / 100 scans / mo), Pro ($99 / 1000 scans / mo). No long contracts, no enterprise sales motion at this stage. See the pricing section for current details.
We don't sell data, we don't monetize findings, we don't run ads. If we ever change that, you'll hear about it loudly and have a clean exit path.
Where we are today
Early-stage. The platform is operational on dedicated infrastructure in Falkenstein (Hetzner), the MVP scanner set (nuclei, OWASP ZAP, testssl.sh) is in production, and we're actively onboarding design partners. If you operate infrastructure and want continuous, attested security coverage without the heavyweight platform footprint, we'd like to talk: hello@pentes.io.
Why "pentes.io"?
Short for pentesting, which is what people search for when they think about the problem we solve from an adjacent angle. We are not a pentesting agency and we are not a Pente.io board-game site (which exists at a different domain) — we're an attack-surface monitoring platform, and the .io TLD anchors us in the security-tooling category visually and semantically.