Kosuke for Pentesting

Free pentest. Pay only to unlock the report.

8 out of 10 startups have critical or high vulnerabilities exposed. We run a real authorized pentest against your web app at no cost and share how many critical, high, and medium issues we found. If you want the full details and fix instructions, you can unlock the report. You see the counts for free and only pay if you choose to unlock the details. No surprise invoice.

State of the art. Not a claim, a benchmark.

On xbow, the public web-CTF suite, Kosuke Pentest tops the leaderboard, ahead of every frontier lab's own reported score. Each bar is the share of buildable challenges solved; third-party numbers are self-reported on their own runs. Figures stream live from our benchmark harness.

Chart legend: Kosuke Pentest · Bare model · Third-party (self-reported). External numbers are vendor-reported on their own challenge set; methodologies differ.

Teams who sleep at night

Four steps. No procurement. No quarterly waits.

From the moment you request a pentest to a written report in your inbox: roughly 7 to 14 days, end to end.

step / 01 · 30 seconds
Work email · jane@acme.com
Company URL · https://acme.com
Request scan

Request a pentest

Work email and company URL. Takes 30 seconds.

step / 02 · instant
Authorized · acme.com
In-scope · app.acme.com
× Out-of-scope · billing/*
Test window · 14 days

Accept the terms

Tick the Terms of Service and submit your domain. Scope is set, no call needed.

step / 03 · ~1 min
Verify email · jane@acme.com

Confirm you control this inbox and authorize the scan.

Confirm & start the scan
Email verified · authorized

Confirm your email

Click the link we email you. It authorizes the scan. No DNS record, no call.

step / 04 · Free + unlock
Severity counts · Free
Critical · 0
High · 2
Medium · 3
Full report · unlock · priced by severity

Free counts. Optional unlock.

You see the severity counts for free. Unlock the report only if you want the details.

Free pentest. Paid report.

The pentest is free. You always see how many critical, high, and medium issues we found. The full report, with what they are, where they are, and how to fix them, is paid. You see the counts for free and only pay if you want the details, at the prices published below. No surprise invoice, no renegotiation after we find vulnerabilities.

What you see · Free

Severity counts

Critical · 0
High · 2
Medium · 3

Total findings by severity, plus an attestation letter and embeddable security badge. Always free. No catch, no upsell pressure.

What you unlock · Paid

Full report

  • Vulnerability name & location
  • Proof of concept + reproduction steps
  • CVSS 4.0 score and CWE tagging
  • Concrete fix instructions
  • SOC 2 CC7.x evidence

You see the severity counts for free. Unlock the vulnerabilities you want, priced per severity and capped per company size. Full pricing is published below.

Per-vulnerability pricing, capped

Prices in EUR
Company size                  Critical   High   Medium   You never pay more than
Small (up to €2M revenue)     €600       €150   €50      €1,000
Medium (up to €10M revenue)   €1,800     €400   €150     €3,000
Large (over €10M revenue)     €3,000     €700   €250     €5,000

The pentest and the severity counts are always free. You only pay to unlock the vulnerabilities you choose to see, priced by severity. The cap is the most you can pay per engagement. Every detail beyond it is free. Low and informational findings are always free. Custom pricing is available for specific engagements.

When you unlock, a report your team can act on.

Not a 60-page consulting deliverable. Every row is scored, reproducible, and ships with a concrete fix. Audit-ready for SOC 2 CC7.x. Routes into Linear, Jira, or GitHub Issues without rewriting. If you want to check the full report, download a sample (PDF).

High
Stored XSS in user profile bio
8.1
Endpoint
PATCH /api/users/me
CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L
CWE
CWE-79
Description

The bio field on /api/users/me persists user-supplied HTML without sanitisation. The markup renders raw on the public profile route at /u/:handle.

Impact

Any authenticated attacker can plant a payload in their own bio that fires on every visit, including unauthenticated visitors. With a shareable profile URL, this enables one-click session theft and account takeover.
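The finding above is a stored XSS: HTML accepted on write and emitted raw on read. The sample remediation further down sanitizes at write time; the added example below, which is not Kosuke's code nor the sample app's route.ts, shows the complementary read-side control a defender would pair with it: escape the stored bio entirely, then re-enable only an exact allowlist of markup. The tag allowlist `['b', 'i', 'a']` mirrors the sample remediation; `escapeHtml`, `renderBio` and the regexes are assumptions made for this illustration, and a production app would normally reach for a maintained sanitizer such as the sanitize-html library the remediation calls.

```javascript
// Added example, not Kosuke's code or the sample app's route.ts: render a stored
// profile bio safely by escaping everything first, then re-enabling only an exact
// allowlist of markup. The tag allowlist ['b', 'i', 'a'] mirrors the sample
// remediation on the page; escapeHtml, renderBio and the regexes are assumptions
// made for this illustration.

const ALLOWED_PAIRED_TAGS = ['b', 'i'];

// Entity-encode the five characters that can break out of text or attribute context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// After escaping, an <a> is re-enabled only when it has exactly one double-quoted
// http(s) href and nothing else; a javascript: URL or any extra attribute stays as
// inert escaped text. "&amp;" is allowed inside the URL so query strings survive.
const SAFE_LINK_RE =
  /&lt;a href=&quot;(https?:\/\/(?:[^&\s"'<>]|&amp;)+)&quot;&gt;([\s\S]*?)&lt;\/a&gt;/gi;

// Escape-then-allowlist: because every '<' from the user is encoded first, the only
// raw tags in the output are the ones this function itself writes back.
function renderBio(bio) {
  let out = escapeHtml(bio);
  out = out.replace(SAFE_LINK_RE, '<a href="$1" rel="noopener noreferrer">$2</a>');
  for (const tag of ALLOWED_PAIRED_TAGS) {
    // Only a bare <b>...</b> / <i>...</i> pair qualifies; <b onclick=...> does not.
    const pairRe = new RegExp('&lt;' + tag + '&gt;([\\s\\S]*?)&lt;/' + tag + '&gt;', 'gi');
    out = out.replace(pairRe, '<' + tag + '>$1</' + tag + '>');
  }
  return out;
}

// Demo on a constructed bio: the link and bold survive, the event handler does not.
console.log(renderBio('Hi, I am <b>Jane</b>. <a href="https://acme.com/">Site</a> <img src=x onerror=alert(1)>'));
```

Because the output route never trusts what is in the database, bios persisted before a write-time fix shipped are neutralised too, which is the gap a write-only sanitizer leaves open.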

Evidence · proof of concept
# reproduce
$ curl -X PATCH https://app.acme.com/api/users/me \
-H 'Authorization: Bearer $TOKEN' \
-d '{"bio": "<img src=x onerror=fetch(/leak?c=${document.cookie})>"}'
→ HTTP 200 · bio updated
→ payload fires on /u/jane · verified 14:08 UTC
Remediation
app/api/users/route.ts
- bio: body.bio,
+ bio: sanitizeHtml(body.bio, {
+  allowedTags: ['b', 'i', 'a'],
+ }),
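Review bot: the sanitizeHtml call in the `+ bio: sanitizeHtml(body.bio, {` line only covers new writes through PATCH /api/users/me, while the description says /u/:handle renders the stored bio raw, so any bio persisted before this change keeps firing until existing rows are re-sanitized or the profile route encodes on output; suggest pairing the write-time fix with a one-off backfill and output encoding. Also, allowedTags keeps 'a' but the hunk shows no allowedAttributes or URL-scheme restriction for href, so confirm the sanitizer's defaults for those are the ones intended.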

We can be your SOC 2 pentest auditor.

Auditors don't accept “we ran a scanner” as evidence. The Kosuke deliverable drops straight into your SOC 2 Type II workpapers. Mapped to CC4.1, CC7.1, and CC7.4, scored under CVSS 4.0, framework-anchored to OWASP WSTG v4.2, and re-tested by us after you patch. Want to see the exact format your auditor will receive? Download the SOC 2 sample report (PDF).

Section 7
Finding F-04 · CVSS 6.4 · Med
Stored XSS in support comments
Endpoint · POST /api/tickets/:id/comments
CC4.1 · CC7.1 · CC7.4 · CWE-79 · WSTG-INPV-02

Mapped to SOC 2 controls

Every finding tagged with the control it supports: CC4.1, CC7.1, CC7.4. Your auditor reads across the row, not back and forth.

Section 4
OWASP WSTG v4.2 · coverage 82 / 96
INPV · 15/18 · 83%
ATHN · 9/11 · 82%
ATHZ · 5/5 · 100%
CONF · 8/10 · 80%
SESS · 6/8 · 75%

OWASP WSTG v4.2, anchored

Per-category coverage matrix plus a per-test-case appendix listing the pipeline step that satisfied each WSTG ID.

Re-test workflow
Finding F-01 · lifecycle · SQLi · /api/orders
Open · customer ships patch · May 23
Fixed? · Kosuke re-runs PoC · May 28
✓ Verified · PoC no longer reproduces · Jun 01

Re-tested by us, not by you

We re-run the original PoC after you patch. The verified date is written only when the exploit no longer reproduces.

Section 9
Attestation · § 9 · Confidential
Report ID · KOS-2026-0523-001
SHA-256 · 8f3a2b1c·d4e5f6a7·9b0c1d2e·3f4a5b6c
Signed · Kosuke · v1.0 · 2026-05-23
kosuke.ai/verify/KOS-2026-0523-001

Signed, hashed, retained

Unique report ID, Statement of Independence, SHA-256 hash, and a public verify URL. Raw evidence retained for 12 months, available to your auditor on written request.

Tell your customers you have been assessed.

Every engagement ships with a formal attestation letter and an embeddable security badge, both at no cost. The letter confirms scope, methodology, and severity counts without disclosing finding details. The badge is hosted by Kosuke and verified against our records.

Attestation letter
Free
Assessment Attestation Letter · PDF
Scope · acme.com, api.acme.com
Method · OWASP WSTG v4.2 (99 tests)
Findings · 0 Critical, 2 High, 3 Medium
Report ID · KOS-2026-0523-001
No finding details, evidence, or PoCs disclosed.

A formal PDF for your customers, partners, and auditors. Confirms the assessment was performed. Severity counts only.

Security badge
Free
Security Assessed by Kosuke · Jun 8, 2026 · KOS-2026-0608-002

Embed on your website. Hosted by Kosuke and verified against our records. Unknown IDs return nothing.

<a href="https://kosuke.ai/pentest"><img src="https://kosuke.ai/api/badge?id=KOS-2026-0523-001" alt="Security Assessed by Kosuke" height="48" /></a>

You own the asset. You authorize the testing.

Same legal posture every pentest firm uses, from Bishop Fox to Cobalt. Well-precedented for 20+ years. We run as your authorized agent, against assets you control, under Terms you accept that name exactly what is in scope.

Email-verified authorization

Before any active testing, you accept Terms warranting you own or are authorized to test the target, and confirm control of your inbox by clicking the link we email you. We do not run the agent until that authorization is on record.

verification email
To: jane@acme.com
Confirm & authorize the scan →
email verified · authorized

Rate-limited and non-destructive · ≤10 rps

≤10 requests per second per host unless you authorize higher in writing. No mass account creation, no payment-flow exploitation, no data deletion, no DoS.

Encrypted, then deleted

PoCs use synthetic payloads wherever possible. Engagement artifacts are encrypted at rest (AES-256) and deleted within 30 days of report delivery.

Request a free pentest.

Accept the Terms and confirm your email, and we start. We reply within 24h with your results, and if you want the details you unlock them at the published price. No scoping call. No procurement. No NDA. No pricing pressure.

  • Pentest is free. Severity counts are free. Full report is paid, only if you want the details.
  • Email verification before any active testing.
  • Report ready for SOC 2 CC7.x evidence.

Anyone can register, so we'll create our own test account.

Extra service · add-on
$ kosuke osint --domain acme.com
8 emails · 14 breach hits · 2 active stealer-logs

We can also map what the internet already knows about your team: harvested employee emails, historical breach correlation, active session leaks. Standalone engagement, priced separately, not part of the pentest report.

Our experts validate the AI output. Before anything ships.

The agent runs the engagement and surfaces candidate findings. Our pentesting team reviews each one, reproduces the exploit, and signs off before the report reaches your inbox.

Reviewed by our pentesting team

  • False positives die in triage
  • Every PoC reproduced by hand
  • Senior pentester sign-off before delivery
tail -f kosuke://engagement/KOS-2026-0523/review.log
14:02:17 agent flagged F-01 SQLi /api/orders
14:08:44 J. Doe OSCP picked up F-01
14:21:09 J. Doe reproduced F-01 · CVSS 9.1
14:24:51 A. Karim OSCE³ signed F-01
14:38:02 agent flagged F-02 IDOR /users/:id
14:45:30 M. Chen OSWE picked up F-02
14:58:11 M. Chen reproduced F-02 · CVSS 7.4
15:02:46 J. Doe signed F-02
15:14:20 agent flagged F-03 Stored XSS bio
15:22:08 J. Doe OSCP picked up F-03
15:33:51 J. Doe reproduced F-03 · CVSS 8.1
15:41:02 A. Karim signed F-03
15:48:39 candidate cluster · agent flagged
15:55:14 M. Chen rejected candidate · no exploitability
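The review log above encodes the lifecycle the section describes: the agent flags, a pentester picks up and reproduces, and someone signs off before delivery. The added example below, which is not Kosuke's code, mechanically audits such a log so a report consumer can check that every delivered finding passed all four steps in order and that the reproducer and the signer were different people. The log lines are the sample from the page; the line grammar, the rule that the first two tokens of an actor are the person's name (so "J. Doe OSCP" and "J. Doe" are the same reviewer), and `auditReviewLog` are assumptions of this example.

```javascript
// Added example, not Kosuke's code: audit a review log for the lifecycle the page
// describes (agent flags, a pentester picks up and reproduces, a second pentester
// signs). The log lines are the sample from the page; the line grammar, the
// "first two tokens are the person's name" rule and auditReviewLog are assumptions.

const SAMPLE_LOG = `
14:02:17 agent flagged F-01 SQLi /api/orders
14:08:44 J. Doe OSCP picked up F-01
14:21:09 J. Doe reproduced F-01 · CVSS 9.1
14:24:51 A. Karim OSCE³ signed F-01
14:38:02 agent flagged F-02 IDOR /users/:id
14:45:30 M. Chen OSWE picked up F-02
14:58:11 M. Chen reproduced F-02 · CVSS 7.4
15:02:46 J. Doe signed F-02
15:14:20 agent flagged F-03 Stored XSS bio
15:22:08 J. Doe OSCP picked up F-03
15:33:51 J. Doe reproduced F-03 · CVSS 8.1
15:41:02 A. Karim signed F-03
15:48:39 candidate cluster · agent flagged
15:55:14 M. Chen rejected candidate · no exploitability
`;

// Assumed line shape: <HH:MM:SS> <actor words> <verb> <F-nn | candidate> [details]
const LINE_RE = /^(\d{2}:\d{2}:\d{2}) (.+?) (flagged|picked up|reproduced|signed|rejected) (F-\d+|candidate)(?: .*)?$/;

// Certifications trailing a name are dropped so "J. Doe OSCP" equals "J. Doe".
function reviewerName(actor) {
  return actor.split(' ').slice(0, 2).join(' ');
}

function parseLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue; // lines in another shape (e.g. the cluster notice) are ignored
    events.push({ time: m[1], actor: reviewerName(m[2]), verb: m[3], id: m[4] });
  }
  return events;
}

const REQUIRED = ['flagged', 'picked up', 'reproduced', 'signed'];

// Returns which findings are cleared for delivery, which were rejected, and why any were held back.
function auditReviewLog(text) {
  const byId = new Map();
  for (const e of parseLog(text)) {
    if (!byId.has(e.id)) byId.set(e.id, {});
    const steps = byId.get(e.id);
    if (!steps[e.verb]) steps[e.verb] = e; // keep the first occurrence of each step
  }
  const deliverable = [], rejected = [], issues = [];
  for (const [id, steps] of byId) {
    if (steps.rejected) { rejected.push(id); continue; }
    const missing = REQUIRED.filter(v => !steps[v]);
    if (missing.length) { issues.push(`${id}: missing ${missing.join(', ')}`); continue; }
    const times = REQUIRED.map(v => steps[v].time);
    // HH:MM:SS strings compare correctly as text within a single day
    if (!times.every((t, i) => i === 0 || times[i - 1] <= t)) { issues.push(`${id}: steps out of order`); continue; }
    if (steps.flagged.actor !== 'agent') { issues.push(`${id}: flagged by ${steps.flagged.actor}, not the agent`); continue; }
    // four-eyes rule: the person who reproduced the PoC must not be the one who signed it off
    if (steps.reproduced.actor === steps.signed.actor) { issues.push(`${id}: ${steps.signed.actor} both reproduced and signed`); continue; }
    deliverable.push(id);
  }
  return { deliverable, rejected, issues };
}

console.log(auditReviewLog(SAMPLE_LOG));
```

On the sample log this clears F-01, F-02 and F-03, lists the rejected candidate separately, and reports no issues; a finding that the same person reproduced and signed, or that never reached the signed step, would be held back with a reason.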

Common Questions

01 · How long does the engagement take?
02 · What if you don't find anything?
03 · What if you do find something?
04 · How is the unlock price set?
05 · Is this actually legal?
06 · Do you store our data?

Sister project

Strike. The startup security posture directory.

A public, searchable, neutral directory of startup security posture. Browse by industry, country, stage, investor, or tech stack.