BETA · Invite only

Find your vulnerabilities
before attackers do.

An autonomous pentest engine, powered by the latest Claude model. Runs continuously against your infrastructure — every finding validated with a working exploit, every report ready for engineering.

No installation. No agents in your network. Runs in our cloud against your authorized scope.

Screenshot: Redhunter Console dashboard (redhunter.io/dashboard)

Battle-tested

Real findings. Named companies. Shipped in production.

We ran Redhunter against real HackerOne programs before we ever sold it. Here's what the engine found.

1 Critical · 5 High · 42 total findings · 5 programs tested

23andMe

Medium

CVSS 6.5

CORS + credentials

WordPress admin session data silently readable by any attacker-controlled page via credentialed cross-origin requests.

Reported · under embargo

Playtika

Critical

CVSS 9.3

OAuth open redirect

Critical OAuth open redirect → account takeover of any Playtika employee; plus a High CORS misconfig on the same host.

Reported · under embargo
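The Playtika card above gives the outcome (open redirect in the OAuth flow, authorization code delivered to the attacker, account takeover) but not the mechanism. The most common root cause is a redirect_uri check that does a prefix match instead of an exact match. The block below is an added example, not Playtika's or Redhunter's code: the registered callback URI, the client host and the probe URLs are all constructed for illustration, and the weak check is a reconstruction of the typical mistake rather than anything the page states about Playtika's implementation.

```python
"""Added example: lax vs. strict OAuth redirect_uri validation.

Constructed for illustration; the hostnames and the registered URI
are hypothetical and do not come from the page.
"""
from urllib.parse import urlsplit

# Hypothetical client registration (constructed).
REGISTERED = "https://app.example.com/oauth/callback"


def weak_redirect_check(redirect_uri: str) -> bool:
    """The common mistake: a prefix match on the registered origin.

    Every probe below except the legitimate one slips through this.
    """
    return redirect_uri.startswith("https://app.example.com")


def strict_redirect_check(redirect_uri: str, registered: str = REGISTERED) -> bool:
    """Component-by-component exact match after parsing.

    RFC 6749 §3.1.2.2 asks for simple string comparison against the
    registered value; parsing first lets us reject userinfo tricks and
    port games explicitly instead of relying on the raw string alone.
    """
    try:
        got, want = urlsplit(redirect_uri), urlsplit(registered)
        got_port, want_port = got.port, want.port  # .port raises ValueError on junk
    except ValueError:
        return False
    if got.scheme != want.scheme:
        return False  # http:// downgrade of an https:// registration
    if got.username is not None or got.password is not None:
        return False  # "https://app.example.com@evil.example/..."
    if got.hostname != want.hostname:
        return False  # "https://app.example.com.evil.example/..."
    # Default port assumes the https registration used above (constructed).
    if (got_port or 443) != (want_port or 443):
        return False
    if got.path != want.path:
        return False  # "..", extra segments, trailing slash, other routes
    if got.query != want.query or got.fragment:
        return False
    return True


# Constructed probes a tester would send as redirect_uri= in the /authorize request.
PROBES = {
    "legitimate": "https://app.example.com/oauth/callback",
    "host suffix": "https://app.example.com.evil.example/oauth/callback",
    "userinfo": "https://app.example.com@evil.example/oauth/callback",
    "traversal": "https://app.example.com/oauth/callback/../../go?to=https://evil.example",
    "open redirector": "https://app.example.com/redirect?url=https://evil.example",
}


def compare(probes: dict[str, str] = PROBES) -> dict[str, tuple[bool, bool]]:
    """Return {name: (weak_accepts, strict_accepts)} for each probe."""
    return {name: (weak_redirect_check(u), strict_redirect_check(u)) for name, u in probes.items()}


if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print(f"{name:16} weak={weak!s:5} strict={strict!s:5}")
```

The "open redirector" probe is the case exact matching does not solve on its own: if the registered callback host also serves an endpoint that forwards to an arbitrary `url=` parameter, the authorization code still reaches the attacker through the legitimate redirect_uri, and that endpoint itself has to stop redirecting off-site. The page does not say which of the two flavours was found at Playtika; this example covers the validation side.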

Whatnot

High

CVSS 8.1

Subdomain takeover chain

Dangling CNAME (subdomain takeover) + CORS policy that trusts any subdomain with credentials → authenticated data theft from every logged-in user.

Reported · under embargo
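Both CORS findings above (23andMe: credentialed cross-origin reads; Whatnot: trust of any subdomain, which becomes exploitable the moment one subdomain dangles) come down to how the server answers the Origin header. The block below is an added example of the probe a tester runs to confirm such a finding, not Redhunter's code and not any of the named programs' code: the hostnames are constructed, and the weak policy is a reconstruction of the usual "trust all our subdomains" suffix match rather than a description of either target.

```python
"""Added example: classify what a browser on a given Origin could read,
and contrast a suffix-matching CORS policy with an exact allow-list.

All hostnames are constructed for illustration.
"""
from typing import Callable


def probe_origins(site: str) -> list[str]:
    """Origins worth sending in an Origin header against https://{site}."""
    return [
        "https://evil.example",          # unrelated third party
        "null",                          # sandboxed iframe, file:// page
        f"https://takeover.{site}",      # sibling subdomain: what a dangling CNAME hands an attacker
        f"https://evil{site}",           # unanchored suffix match, e.g. evilexample.com
        f"https://{site}.evil.example",  # unanchored prefix match
    ]


def classify_cors(origin: str, headers: dict[str, str]) -> str:
    """Return what a page on `origin` could read from a response with these headers."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        # Browsers refuse '*' combined with credentials, so cookies stay safe;
        # only responses that are sensitive without auth leak here.
        return "wildcard-no-creds"
    if acao == origin:
        return "reflected+creds" if creds else "reflected-no-creds"
    return "none"  # a fixed allow-list value that is not our origin


def _grant(origin: str) -> dict[str, str]:
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def weak_cors_policy(origin: str, site: str) -> dict[str, str]:
    """Constructed 'trust all our subdomains' handler: suffix match plus credentials.

    This is the shape that turns a single dangling CNAME into site-wide data theft.
    """
    if origin.endswith(site):
        return _grant(origin)
    return {}


def strict_cors_policy(origin: str, allowed: frozenset[str]) -> dict[str, str]:
    """Exact-match allow-list: no subdomain wildcard, so a takeover elsewhere
    in the zone does not widen the grant."""
    if origin in allowed:
        return _grant(origin)
    return {}


def audit(site: str, policy: Callable[[str], dict[str, str]]) -> dict[str, str]:
    """Run every probe origin through a policy and classify each answer."""
    return {o: classify_cors(o, policy(o)) for o in probe_origins(site)}


if __name__ == "__main__":
    site = "example.com"  # constructed target
    weak = audit(site, lambda o: weak_cors_policy(o, site))
    strict = audit(site, lambda o: strict_cors_policy(o, frozenset({"https://app.example.com"})))
    for o in probe_origins(site):
        print(f"{o:40} weak={weak[o]:20} strict={strict[o]}")
```

Against a live target the same `probe_origins` list goes into real requests and `classify_cors` reads the response headers; the `Vary: Origin` header in the grant matters because without it a cache can serve one origin's reflected `Access-Control-Allow-Origin` to another.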

The problem

Quarterly pentests. Monthly breaches.

Attackers don't wait for your annual engagement. They find the bug you shipped on Tuesday.

Stale pentests

Your last pentest covered code that shipped 11 months ago. Everything since is untested.

Deployment velocity

You ship daily. Human pentesters review quarterly. The gap is where attackers live.

Surface sprawl

Every new endpoint, subdomain, and API key expands the blast radius. You can't audit what you don't know exists.

The brain

Claude hunts your stack
like a human attacker.

Conventional automated scanners match signatures. Redhunter runs a reasoning loop: Claude reads each response, picks the next hypothesis, refines payloads, chains findings together, and writes the report in plain English.

That's why it finds bugs scanners miss. That's why its reports read like they came from a senior pentester.


Features

Built for security teams, not script kiddies.

Everything you'd expect from a senior offensive engineer. Running every day.

Continuous attack surface mapping

Subdomain enumeration, endpoint discovery, JavaScript analysis, technology fingerprinting. Your attack surface, re-mapped on every run.

26 vulnerability classes

XSS, SQLi, SSRF, IDOR, auth bypass, SSTI, race conditions, HTTP smuggling, cache poisoning, prototype pollution, and more.

5-gate validation

No noisy scanner reports. Every finding passes detect, verify, exploit, impact, and report stages with a working proof of concept.

Attack chains

The brain links low-severity findings into real-world exploit chains. A reflected XSS plus a session cookie readable from script (no HttpOnly flag) turns into an account takeover.

Engineering-ready reports

Markdown reports with reproduction steps, impact analysis, and remediation guidance. Drop into Jira. Hand to engineering. Done.

Scoped to what you authorize

DNS-verified ownership. Per-asset scope rules. Rate limits. Kill switch. Your security team stays in control.

How it works

From signup to first finding in a day.

01

Prove ownership

Verify your scope via DNS TXT record or a file at /.well-known/redhunter-verify.txt. Or connect a read-only cloud role for AWS, GCP, or Azure.

02

Pick your cadence

Daily for production. Weekly for staging. On-deploy for CI. The brain respects per-asset rate limits and backoff rules.

03

Review the findings

Validated vulnerabilities arrive in the Console within 24 hours. Weekly digest to Slack or email. Monthly executive report for the board.

The Console

Your security team's command center.

  • Live hunt feed showing the brain's reasoning in real time
  • Global findings inbox with severity dedupe and chaining
  • One-click export to Jira, GitHub Issues, Linear, or your own SIEM
Screenshot: Redhunter Console target detail view (redhunter.io/dashboard/target/1)

Pricing

Simple pricing.

Annual billing available. Cancel anytime.

Startup

$499/mo

One production app. One weekly scan. First proof.

  • 1 asset · your primary domain and every subdomain
  • Weekly scans, delivered Monday morning
  • Markdown reports with repro steps and impact
  • 30 days of finding history
  • Community Slack support
  • REST API access
Most popular

Growth

$1,500/mo

Multiple environments. Daily cadence. Engineering in the loop.

  • Up to 5 assets across production, staging, and internal
  • Daily scans with optional on-deploy triggers from CI
  • Slack channel with per-severity routing + email digests
  • Unlimited finding history, searchable and exportable
  • REST API with webhooks for Jira, GitHub, Linear
  • 4-hour priority support, 9-to-5 in your timezone
  • Managed Anthropic key included — no setup

Enterprise

Custom

Unlimited scope. Your own VPC. Direct line to the team.

  • Unlimited assets, zones, and environments
  • Continuous mode: every commit, every deploy, every change
  • Custom hunter modules tuned to your stack
  • SAML SSO with SCIM provisioning and role-based access
  • SOC 2 Type II report (in progress, see FAQ) and signed DPA
  • Self-hosted in your own VPC — traffic never leaves
  • Dedicated Slack channel with the founders

FAQ

Common questions.

How is this different from a human pentest?

Human pentests are a point-in-time snapshot. Redhunter runs continuously: every new endpoint, every deploy, every subdomain change gets tested within 24 hours. A two-week human engagement typically costs on the order of $50k. Redhunter costs less per month and never stops.

How is this different from a vulnerability scanner?

Most automated scanners run rule-based signature checks. Redhunter runs a reasoning loop: Claude decides what to hunt next, refines its strategy based on what it finds, and chains findings together the way a human attacker would. It finds bugs signature scanners miss.

Where does the engine run?

You have two deployment options. Hosted: we run the engine in our cloud against your authorized scope. Self-hosted: we give you a container to run in your own VPC, and your target traffic never touches our network. The Console is a thin web interface that reads from your local engine state.

Are you SOC 2 certified?

SOC 2 Type II is in progress and expected before the end of the quarter. We sign DPAs, BAAs, and custom MSAs. If you need on-prem today, the self-hosted option gives you full control.

How do you verify that I own a target?

DNS TXT record, a file at /.well-known/redhunter-verify.txt, or a read-only cloud IAM role for AWS, GCP, or Azure. We will not run a hunt against any target you can't prove ownership of. Ever.

What stops the engine from causing damage?

Hard rate limits per asset. Kill switches per hunt. Iteration caps on the reasoning loop. Scope guards that refuse to touch anything outside verified ownership. A complete audit log of every request the brain sends. You can pause any hunt in one click.

SOC 2 Type II in progress · Self-hosted option · DNS ownership verification · Hard rate limits per asset

See a scan of your stack in 24 hours.

Book a 15-minute call. We'll run a free first scan on one asset and walk you through the findings.