Not a scanner — an autonomous AI agent that probes your site like a real pentester. It reasons about what it finds, chains discoveries, and adapts its attack strategy in real time.
⚠️ You must own or be explicitly authorized to test any domain you submit.
$ secaitest agent --target=https://acme-corp.com --model=claude-sonnet
$ Initializing autonomous pentesting agent...
THINK: Starting with reconnaissance. Fetching homepage to identify tech stack, headers, and interesting endpoints before deciding attack strategy.
→ GET https://acme-corp.com/
← HTTP 200 · Server: nginx/1.18.0 · X-Powered-By: PHP/8.1 · Set-Cookie: session=... (no HttpOnly)
THINK: nginx version disclosed — note for later. PHP exposed. Session cookie missing HttpOnly flag — confirmed. No CSP header. Let me probe for .env and .git before testing injection points.
→ GET https://acme-corp.com/.env
← HTTP 200 · body: DB_PASSWORD=supersecret123 APP_KEY=base64:...
THINK: Critical — live .env file with database credentials and app key. Logging immediately. This is the highest-severity finding. Let me also check .git.
[CRITICAL] .env file exposed — database credentials and secret keys publicly readable
→ GET https://acme-corp.com/.git/config
← HTTP 200 · [remote "origin"] url = https://github-token:ghp_xxx@github.com/acme/api
[CRITICAL] .git directory exposed — GitHub token in remote URL, full source code extractable
──────────────────────────────────────────────────────
Risk Score: 12/100 · 4 critical · 3 high · 2 medium
Every test is performed externally. The agent adapts what it tests next based on what it finds — no fixed scripts, no static payloads.
The agent builds a mental model of your app as it works — early findings shape later attacks. It chains vulnerabilities the way a real attacker would.
SQL injection, XSS, SSTI, command injection, path traversal — the agent crafts payloads based on what it discovers, not a fixed list.
Tests for server-side request forgery including cloud metadata endpoints (AWS/GCP), internal network probes, and open redirect chains.
.env, .git/config, backup.sql, phpinfo.php, wp-config.php, web.config, adminer — the agent probes 16+ dangerous paths automatically.
Tests arbitrary origin reflection, null origin bypass, and wildcard CORS with credentials — the exact attacks real attackers use.
SPF, DMARC, CAA records. Detects +all misconfiguration, p=none policies, and missing CAA — maps findings to exploitability.
HTTP→HTTPS redirect enforcement, HSTS presence and max-age, includeSubDomains — with specific fix recommendations per finding.
CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy — graded against OWASP standards with concrete remediations.
Every Set-Cookie header audited for HttpOnly, Secure, SameSite flags — identifies session cookies at risk of theft or CSRF.
Tests for default credentials, authentication bypass techniques, and missing authorization on admin paths.
Server, X-Powered-By, X-Generator headers — version disclosure that enables targeted CVE exploitation.
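The header, cookie and version-disclosure checks listed above are simple enough to reproduce. The following Python is an added example written for this page, not SecAI Test's own code: it parses a constructed HTTP response head (the sample headers are made up, not captured from any site) and reports missing or weak HSTS, absent hardening headers, Set-Cookie flags, and Server/X-Powered-By/X-Generator version strings. The severity labels, the one-year HSTS minimum and the remediation hints are the example's own choices, not the product's grading.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response (not captured from any real site); the headers
# were chosen so that every check below has something to report.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/8.1\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; SameSite=Lax\r\n"
    "\r\n"
)

# Hardening headers graded by the checks, each with a remediation hint.
# The hints are this example's own suggestions, not SecAI Test's wording.
EXPECTED_HEADERS = {
    "content-security-policy": "add a CSP, e.g. default-src 'self'",
    "x-frame-options": "set DENY or SAMEORIGIN (or CSP frame-ancestors)",
    "x-content-type-options": "set nosniff",
    "referrer-policy": "set strict-origin-when-cross-origin or stricter",
    "permissions-policy": "disable unused features, e.g. camera=(), geolocation=()",
}
MIN_HSTS_MAX_AGE = 31536000  # one year; assumed minimum for this example

Header = Tuple[str, str]


def parse_response_headers(raw: str) -> List[Header]:
    """Split a raw response head into (name, value) pairs with lowercase names.
    A list is used rather than a dict because Set-Cookie legitimately repeats."""
    headers: List[Header] = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_hsts(headers: List[Header]) -> List[str]:
    """HSTS presence, max-age length and includeSubDomains."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["HIGH: Strict-Transport-Security missing; browsers will still accept plain HTTP"]
    value, findings = values[0], []
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if m is None:
        findings.append("HIGH: HSTS max-age directive missing")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"MEDIUM: HSTS max-age {m.group(1)} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in value.lower():
        findings.append("LOW: HSTS lacks includeSubDomains; subdomains can still be downgraded")
    return findings


def audit_security_headers(headers: List[Header]) -> List[str]:
    """Report each expected hardening header that is absent."""
    present = {n for n, _ in headers}
    return [f"MEDIUM: {name} missing ({hint})"
            for name, hint in EXPECTED_HEADERS.items() if name not in present]


def audit_cookies(headers: List[Header]) -> List[str]:
    """Check every Set-Cookie for HttpOnly, Secure and a restrictive SameSite."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:
            k, _, v = attr.partition("=")  # flag attributes have no '=' and get ''
            attrs[k.strip().lower()] = v.strip()
        if "httponly" not in attrs:
            findings.append(f"HIGH: cookie {cookie!r} lacks HttpOnly (readable by injected script)")
        if "secure" not in attrs:
            findings.append(f"HIGH: cookie {cookie!r} lacks Secure (sent over plain HTTP)")
        if attrs.get("samesite", "").lower() in ("", "none"):
            findings.append(f"MEDIUM: cookie {cookie!r} lacks a restrictive SameSite (CSRF exposure)")
    return findings


def audit_disclosure(headers: List[Header]) -> List[str]:
    """Flag Server / X-Powered-By / X-Generator values that carry a version number."""
    return [f"LOW: {name} discloses version {value!r}"
            for name, value in headers
            if name in ("server", "x-powered-by", "x-generator") and re.search(r"\d+\.\d+", value)]


def audit_response(raw: str) -> Dict[str, List[str]]:
    """Run all checks over one raw response head and group the findings."""
    headers = parse_response_headers(raw)
    return {
        "hsts": audit_hsts(headers),
        "headers": audit_security_headers(headers),
        "cookies": audit_cookies(headers),
        "disclosure": audit_disclosure(headers),
    }


def severity_counts(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Tally findings by the severity prefix each one carries."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            sev = f.split(":", 1)[0]
            counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit_response(SAMPLE_RESPONSE)
    for section, findings in report.items():
        for f in findings:
            print(f"[{section}] {f}")
    print(severity_counts(report))
```

Run against the constructed sample, the audit reports a short HSTS max-age without includeSubDomains, four missing hardening headers, three flag problems on the session cookie plus a missing HttpOnly on the theme cookie, and two version-disclosing headers. Feeding it the head of a real response from a site you own (for example the output of a `curl -sI` call) is the natural next step; the parser deliberately keeps repeated headers so that every Set-Cookie is examined.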
Every finding documented with severity, evidence, and specific remediation steps. Executive summary explaining the attack chain and business risk.
No setup. No installation. No security expertise required.
Enter the URL of a website you own or are explicitly authorized to test.
Prove you control the domain by adding a DNS TXT record or uploading a verification file — the same way Google Search Console works.
Claude autonomously probes your site — it sees a response, reasons about what it means, picks the next attack, and chains findings together the way a human pentester would.
A prioritized PDF with your Risk Score, every finding, severity ratings, and AI-generated fix recommendations.
Why we verify ownership: Scanning a website you don't own without permission may violate the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and equivalent laws in other jurisdictions. Ownership verification protects you and us — and ensures every scan is fully authorized.
A real-world example of what a SecAI Test report looks like for a typical production website.
Scanned April 5, 2026 · 52 checks completed in 47s
Full report includes AI-generated fix recommendations, compliance mapping, and executive summary.
Run Your First AI Scan Free →
Start free, no card needed. Upgrade to Pro when you need deeper coverage and more scans.
Full AI agent on your site — free forever, no card required.
The full autonomous pentester — deeper coverage, more scans, priority support.
Create your free account in 30 seconds. Verify your domain, then run your first scan immediately.
Free plan: 10 scans/month. No credit card required.
Everything you need to know before you scan.