SimpleSec
Automated Pentesting

Automated pentesting that lives in your CI/CD pipeline.

Automated pentesting on every deploy, not once a year. SimpleSec's CI/CD integration triggers a full AI-orchestrated penetration test from your pipeline, fails the build on critical findings, and stores the evidence chain alongside your release artifacts. Shift-left without lying to yourself about what scanners catch.

What automated pentesting actually means

Automated pentesting is software-driven penetration testing — the recon, enumeration, exploitation, and reporting phases of a pentest, executed without a human operator pressing keys for each action. It's not a scanner. A scanner runs a template list. Automated pentesting validates findings, demonstrates impact, and chains discoveries together where the planner can prove a real attack path.

SimpleSec is an automated pentesting platform: an AI planner sequences 35+ industry-standard offensive tools (nmap, nuclei, sqlmap, ffuf, netexec, kerberoast, and the rest), deterministic adapters call the tools and parse output, and an evidence record is attached to every finding so the report is reproducible and defensible. The end product looks like a human-led pentest report, not a vulnerability test PDF.

The two most common deployment patterns for automated pentesting: on a schedule (weekly external, monthly internal) and inside a CI/CD pipeline (on every deploy). Most customers run both.

CI/CD integration

Automated pentesting on every code deploy

The CI/CD pipeline integration is a Pro-tier add-on at $99.99/month. It includes 50 automated pentests each month; tests 51+ are billed at $5 each. You get an API key your pipeline uses to trigger an end-to-end automated pentest against your deploy target, with findings flowing back into the same dashboard, evidence chain, and report exports as your manual engagements.

  • Webhook-triggered or CLI-invoked. Both work.
  • Configurable severity gates — --fail-on critical, --fail-on high.
  • Targets a deploy delta rather than the full attack surface, so it fits a CI time budget.
  • Findings posted back to the engagement record; PDFs available as build artifacts.
  • Audit log captures which commit triggered which test and which findings.

Automated pentesting integration examples

Drop one of these stages into your existing pipeline. The CLI is a single binary; the HTTP API is straight JSON.

GitHub Actions

Trigger an automated pentest on every push to main, or on every PR before merge. Use repository secrets to store the SimpleSec API key.

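# .github/workflows/automated-pentest.yml
- name: SimpleSec automated pentest
  env:
    SIMPLESEC_API_KEY: ${{ secrets.SIMPLESEC_API_KEY }}
  run: |
    # Read the key and target from the environment rather than expanding them into the script text.
    # --fail makes the step fail when the API returns an HTTP error.
    curl --fail -X POST https://app.simplesec.ai/api/v1/scans \
      -H "Authorization: Bearer $SIMPLESEC_API_KEY" \
      -H "Content-Type: application/json" \
      -d "{\"target\":\"$STAGING_URL\"}"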

GitLab CI

Add an automated pentest stage that runs after deploy. CI variables hold the API key; the job fails the pipeline if a critical-severity finding lands.

# .gitlab-ci.yml
automated-pentest:
  stage: post-deploy
  script:
    - simplesec scan --target "$STAGING_URL" --fail-on critical
  variables:
    SIMPLESEC_API_KEY: $SIMPLESEC_API_KEY

Jenkins

Pipeline-as-code Jenkinsfile stage. Use the Credentials plugin to inject the API key. Block promotion to production on critical findings.

// Jenkinsfile
stage('Automated pentest') {
  steps {
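    // Bind the secret as SIMPLESEC_API_KEY (assumed to be the name the CLI reads, as in the GitLab CI example)
    withCredentials([string(credentialsId: 'simplesec', variable: 'SIMPLESEC_API_KEY')]) {
      sh 'simplesec scan --target "$STAGING" --fail-on critical'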
    }
  }
}

CircleCI

Drop the SimpleSec CLI into a job that runs after the deploy job. Use context-scoped environment variables for the API key.

# .circleci/config.yml
- run:
    name: Automated pentest
    command: |
      simplesec scan --target "$DEPLOY_URL" \
        --fail-on critical --report ./pentest.pdf

Automated pentesting vs SAST, DAST, and SCA

Automated pentesting doesn't replace your other application-security tooling — it fills the gap between them. Here's how the four categories actually overlap.

SAST

Code-level analysis

Reads source code looking for unsafe patterns (eval on tainted input, hardcoded secrets, missing parameterization). Catches issues before they ship.

Where it fits: Pre-commit and in CI on every PR.
What it misses: Runtime configuration, deployed infrastructure, exposed admin paths, weak TLS — anything that exists at deploy time but not in source.

DAST / web scanners

Black-box web app testing

Spider the app, fire payloads, log responses. Useful for catching the lowest-hanging fruit on a web target.

Where it fits: Against staging or production.
What it misses: Internal networks, AD, post-authentication paths, anything outside the spider's reach, anything requiring multi-step validation.

SCA

Dependency testing

Compares package versions to CVE databases and flags vulnerable dependencies in your manifest.

Where it fits: In CI on every dependency update.
What it misses: Reachability — whether the vulnerable code path is actually exercised in your app. Plus everything not in your package manifest.

Automated pentesting (SimpleSec)

Full attack-chain validation

Runs the same workflow a human pentester would: recon, enumeration, exploitation validation, and (with the WireGuard agent) internal/AD attacks. Findings come with evidence, not just suspicion.

Where it fits: After every deploy via CI/CD add-on, on a schedule, or on demand.
What it misses: Business-logic flaws that require human reasoning about app intent. Pair with human review on high-value targets.

Shift-left, honestly

Most "shift-left security" stories stop at SAST and dependency testing, because those are the controls that can run pre-commit. Automated pentesting moves further left than people realize: not pre-commit, but post-deploy-to-staging. Every PR that produces a deploy gets a full attack-surface validation before merge.

The honest tradeoff: an automated pentest is slower than a SAST test and more expensive per run. That's why SimpleSec sizes the CI/CD add-on the way it does — 50 tests/month for $99.99, $5 each after. Teams shipping 10 deploys a day per service should target their high-traffic services and let SAST/SCA cover the rest.

Automated pentesting — frequently asked

What is automated pentesting?

Automated pentesting is the practice of using software to perform the steps of a penetration test — reconnaissance, enumeration, exploitation validation, and reporting — without a human operator driving each action. SimpleSec is an automated pentesting platform that sequences 35+ industry-standard offensive-security tools through an AI planner, producing the same kind of evidence-backed report a human-led engagement would.

Can automated pentesting run inside a CI/CD pipeline?

Yes. SimpleSec's CI/CD pipeline integration add-on ($99.99/month, Pro tier) provides an API key your pipeline calls to trigger an automated pentest on every code deploy. The first 50 tests each month are included; additional tests are $5 each. Findings flow back into the same dashboard and reports as your manual engagements, and the job can be configured to fail the pipeline on critical-severity findings.

How is automated pentesting different from SAST or DAST?

SAST reads source code; DAST fires payloads at a running web app; SCA checks dependencies against CVE lists. Automated pentesting goes further: it runs the same workflow a human pentester would — recon, enumeration, exploitation validation, post-exploitation — and produces an evidence chain (raw tool output, command, parsed record) for each finding. The categories complement each other; automated pentesting catches what the others miss, particularly internal/AD attacks and multi-step exploitation chains.

Will automated pentesting break my CI/CD build?

Only if you configure it to. The default behavior is to report findings without blocking; the CLI accepts a --fail-on flag (--fail-on critical, --fail-on high) so teams can gate deploys on severity thresholds when they're ready. Most customers start in report-only mode for 2–4 weeks, tune the noise floor, then graduate to gating on critical findings.

How fast is automated pentesting in CI/CD?

An external automated pentest against a typical web target completes in 8–20 minutes. The planner runs phases in parallel where possible: nuclei templates fan out across hosts while ffuf fuzzes paths. For CI/CD use, most teams target a 10-minute budget and let SimpleSec run a shaped test focused on the deploy delta rather than the full attack surface every time.

Can automated pentesting test authenticated routes?

Yes. SimpleSec supports authenticated tests via configured credential profiles per engagement. The CLI takes --auth-profile to point at a stored profile (basic, bearer token, OAuth2, session-cookie). Credentials are encrypted at rest with Fernet and never returned through the API.

Start automated pentesting in your pipeline this week.

Free tier shows opportunities. Pro tier unlocks the CI/CD integration add-on at $99.99/mo for the first 50 tests, $5 each after. Self-serve signup; the API key is in your dashboard in minutes.