SimpleSec
Request access
Features

A pentest pipeline, not a scanner.

SimpleSec runs the same workflow a senior pentester would — but at machine speed, with every step recorded. The AI planner decides what to do next; deterministic adapters do the work; a judge decides whether to advance, retry, or pause.

01

Recon

Passive subdomain discovery, port scanning, HTTP service enumeration, and content crawling. The planner builds the asset graph before it touches anything intrusive.

subfinder naabu httpx dnsx katana
02

Enumeration

Web vulnerability scanning with nuclei (4,000+ templates), directory and parameter fuzzing, framework detection, SSL/TLS posture, WordPress, and API surface mapping.

nuclei ffuf nikto testssl whatweb wpscan kiterunner arjun
03

Validation

SQL injection confirmation, parameter exploitation, credential verification, and database schema enumeration. Findings are only promoted once they're proven, not just suspected.

sqlmap dalfox postgres_enum mssql_exec netexec
04

Internal & AD

Once the WireGuard agent is connected, SimpleSec runs Active Directory enumeration, Kerberoasting, AS-REP roasting, SMB checks, and lateral movement validation on the inside.

netexec kerberoast asreproast secretsdump ssh_audit winrm_exec
Reporting

Deliverables your client's auditor will accept

A finding without evidence is a guess. SimpleSec keeps the chain.

AttackForge export

Auto-mapped to AttackForge's vulnerability schema with CVSS:3.1 lookup from NVD, remediation templates, and attack scenarios.

Structured PDF reports

Branded executive summary plus per-finding evidence, reproduction steps, and remediation guidance.

CSV exports

Findings, credentials, and DB enumeration as flat CSVs for your own pipelines.

Evidence chain

Every finding ties back to raw tool output, the exact command run, and the parsed record. Defensible under audit.

Governance

Built for accountable testing

Pentest tools that don't track who did what get banned by procurement. SimpleSec was built the other way around.

Approval gates

Destructive actions and credential spray require admin approval before they ever leave the orchestrator.

Audit log

Every CRUD operation, approval decision, and config change is timestamped and attributed to a user and IP.

Encrypted at rest

Captured passwords, MFA secrets, and WireGuard private keys stored with Fernet symmetric encryption.

Per-engagement isolation

Auth configs, network profiles, and evidence stores are scoped to the engagement — never bleed across clients.

Under the hood

The AI is the planner, not the pentester.

SimpleSec uses an LLM to decide what to scan next, but every action is sanitized against discovered services and known URLs before execution — no hallucinated tools, no scans against targets that don't exist. A rule-based judge decides whether each step advances, retries, or pauses for review. Resumes cleanly across server restarts. Closes the browser? The scan keeps running.

PLANNER
LLM + deterministic fallback
JUDGE
Rule-based, with retries
EXECUTOR
35+ tool adapters, sandboxed

Ready to run your first scan?

Onboarding is manual today. We make sure your scope is right before you spend a credit.

Request access See pricing