Adversarial security testing, automated.
Continuous, AI-driven pentesting and dependency scanning that run the same tools an attacker — and your engineers — would, wired into your CI/CD pipeline with an audit-grade evidence trail.
A product of SUMMIT Cyber Group · Simplifying Offensive Security
The annual-pentest problem.
Modern engineering organizations ship code every hour. Security testing that happens once a year — or even once a quarter — leaves a vulnerability window measured in months, not minutes.
SimpleSec replaces the annual-engagement model with continuous adversarial testing that runs every code push, opens a change-control ticket, and produces an audit-grade evidence trail. It automates the work a senior offensive-security consultant would do during an engagement — reconnaissance, enumeration, vulnerability validation, and exploitation — using the same real-world toolchain the consultant would.
Operators define a scope, pick the matching engagement persona, and the platform's planner decides which tool to run next based on what's been discovered. Findings stream into a dashboard with full per-step evidence; results export to PDF, JSON, AttackForge, and — new in 2026 — to your CI/CD pipeline with HMAC-signed completion webhooks, an audit-ready Compliance Archive, and integrated Software Composition Analysis (SCA) that never touches your source code.
Who it's for
Pentest Consultancies
Deliver 3–5× more engagements with the same team. White-label the PDF cover. Export structured findings to AttackForge or your own pipeline.
Engineering Teams
Wire SimpleSec into GitHub Actions or GitLab CI. Every push runs a real adversarial test and an SCA sweep. Fail builds on critical findings, or run async.
Compliance & Audit
SOC 2 / PCI / HIPAA / ISO 27001 all require evidence of pre-deploy security testing. The Compliance Archive produces it automatically, per code change.
MSSPs & Managed Detection
Operate offensive testing as a service. Per-customer workspaces, engagement-scoped agents, and structured exports keep operational burden low.
The differentiator: most "automated pentest" platforms are repackaged SAST or template scanners. SimpleSec runs the actual offensive-security toolchain — orchestrated by a planner that decides what to run next from real findings. When it dumps NTDS or proves SQL injection, it's the same tool a human consultant would have used, with the same flags, against the same target.
An adaptive planner, not a static playbook.
A SimpleSec test isn't a fixed sequence of tools. Every step is a decision the planner makes from the current state of the engagement — discovered hosts, fingerprinted services, harvested credentials, and the persona's policy on what's in-scope at this phase. A judge decides continue / retry / pause after each step.
The four-phase model
Recon — discover the attack surface
Port sweeps via naabu, subdomain enumeration, HTTP probing with httpx, TLS posture with testssl, SMB and LDAP banner pulls. Advances as soon as enough surface is mapped to act on.
Enumeration — deep-dive each service
Directory and parameter fuzzing with ffuf and arjun, web crawl + JS scrape with katana, CMS probes via WPScan, SMB share + user enumeration via NetExec and enum4linux-ng, anonymous LDAP for AD posture.
Validation — confirm exploitable vulnerabilities
nuclei runs its template library scoped to the discovered stack; sqlmap probes identified parameters; dalfox tests for XSS; nikto sweeps for misconfigurations. Every finding includes the matched request and response inline.
Exploitation — prove impact
Extract data via SQL injection, attempt authenticated command execution via WinRM or MSSQL, dump credentials with secretsdump and NTDS roasting, chain credentials into lateral moves. Destructive proofs are opt-in per engagement and gated by admin approval.
Persona-aligned testing
The same target gets tested very differently depending on what it is. Personas constrain what the planner will attempt.
| Persona | What gets tested | Representative toolchain |
|---|---|---|
| External Web | Public web apps + APIs — discovery, content fuzzing, CMS probes, OWASP Top 10 validation. | naabu, httpx, ffuf, katana, nuclei, sqlmap, dalfox |
| External Network | Internet-facing infra — exposed services, banner vulns, weak TLS, exposed admin panels. | naabu, nmap, testssl, ssh-audit, nuclei |
| Internal Network | Post-perimeter — LAN sweep, SMB/SSH enum, weak configs, lateral-move opportunities. | naabu, NetExec, enum4linux-ng, ssh-audit |
| Internal AD | Active Directory — anonymous LDAP, kerberoasting + AS-REP roasting, NTLM relay, DC dumps when creds land. | NetExec, GetUserSPNs, GetNPUsers, secretsdump |
| API | REST + GraphQL — schema discovery, parameter fuzzing, auth bypass, injection. | httpx, katana, arjun, ffuf, nuclei |
| Discovery | Lightweight inventory — live-host + service map across subnets. Produces a CSV for scoping. | naabu, nmap, httpx |
Internal testing — the WireGuard agent
A customer-deployable agent (Docker container or native WireGuard config) establishes an outbound tunnel to the platform. Tests run in the cloud, traffic routes through the agent, and the customer's network only needs to allow a single outbound UDP flow — no inbound firewall changes, no VPN appliance, no jump hosts. Each engagement gets its own agent and keypair; compromise of one customer's agent never gives access to another's network.
Adversarial testing in your pipeline.
The CI/CD add-on turns SimpleSec into a build gate. Every push triggers a real adversarial test against the engagement's registered assets; results flow back as a signed webhook, an email-with-PDF, and a row in the Compliance Archive. The same add-on includes Software Composition Analysis — one pipeline integration gets you both runtime adversarial coverage and dependency-vulnerability coverage at once.
The integration loop
- Operator enables CI/CD on a Pro workspace. A flat monthly add-on plus a metered overage line attach to the subscription. The API Keys card unlocks immediately.
- Generate an API key per CI environment. Each key is shown once, PBKDF2-hashed at rest, and independently revocable.
- Pipeline POSTs to /api/v1/tests. Body carries the engagement id, commit SHA, ref, and callback URL. SimpleSec returns a run id and a one-time HMAC signing secret (HTTP 202).
- Completion fans out three ways. A signed webhook (3 retries, exponential backoff); an email with the full PDF; and a Compliance Archive row for the auditor's review.
- Pipeline gates on the result, or proceeds async. A promote-to-prod job consults /api/v1/tests/{id} and fails on a fail decision. Sync mode blocks the build until the test completes.
HMAC-signed webhooks
SHA-256 signature with a per-trigger secret — same scheme as GitHub and Stripe. Retry policy with persisted delivery history.
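The receiving side of the scheme above, as an added example that is not SimpleSec's own code: the platform computes HMAC-SHA256 over the raw webhook body with the per-trigger secret returned at trigger time, and the pipeline recomputes it before trusting the completion event. The page gives no header name or body field names, so `X-SimpleSec-Signature`, the `sha256=` prefix and the `run_id` field are assumptions in the GitHub style; the payload values are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Assumed header name: the page only states HMAC-SHA256 with a per-trigger secret,
# "same scheme as GitHub and Stripe". Adjust to whatever the platform actually sends.
SIGNATURE_HEADER = "X-SimpleSec-Signature"


def sign_body(secret: str, raw_body: bytes) -> str:
    """Platform side: HMAC-SHA256 over the exact bytes that go on the wire."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Receiver side: recompute over the raw bytes and compare in constant time.

    Never re-serialize the parsed JSON before hashing: key order or whitespace
    differences would change the digest and reject genuine deliveries."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_body(secret, raw_body)
    return hmac.compare_digest(expected, header_value)


def handle_delivery(secret_store: Dict[str, str], headers: Dict[str, str],
                    raw_body: bytes) -> Optional[dict]:
    """Pipeline webhook handler: returns the verified completion event, or None to reject.

    The run id is read from the still-untrusted body only to select which
    per-trigger secret applies; nothing is acted on until the MAC checks out."""
    try:
        candidate = json.loads(raw_body)
        run_id = candidate["run_id"]
    except (ValueError, KeyError, TypeError):
        return None
    secret = secret_store.get(run_id)
    if secret is None:                       # unknown run: nothing to verify against
        return None
    if not verify_signature(secret, raw_body, headers.get(SIGNATURE_HEADER)):
        return None
    # The secret is one-time: drop it after the first verified delivery so a
    # captured delivery cannot be replayed. Retries of a failed delivery still
    # verify, because the secret is only consumed once a delivery succeeds.
    secret_store.pop(run_id, None)
    return candidate


if __name__ == "__main__":
    # Constructed values: the secret the trigger response returned, and the
    # completion event the platform would POST back to the callback URL.
    secret = "constructed-per-trigger-secret"
    store = {"run_42": secret}
    body = json.dumps({"run_id": "run_42", "commit_sha": "0123abcd", "decision": "pass"}).encode()
    headers = {SIGNATURE_HEADER: sign_body(secret, body)}
    print(handle_delivery(store, headers, body))
```

The secret store is whatever the pipeline job persisted when it received the HTTP 202 trigger response; the only hard requirement is that the lookup happens by run id and the comparison uses `hmac.compare_digest`, not `==`.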
Severity gating
Per-engagement threshold — fail on critical, warn on high, pass otherwise. Default: warn-don't-block.
Per-workspace quota
50 triggered tests per workspace per month included; $5 per test beyond. Concurrent-scan cap protects shared infra.
Pipeline-native recipes
Drop-in GitHub Actions workflow, GitLab CI snippet, and a generic shell function for Jenkins, CircleCI, or anything with curl.
The change-control angle. SOC 2, PCI-DSS, HIPAA, and ISO 27001 all require evidence of security testing for production changes. A SimpleSec-triggered test that opens a Jira / Zendesk ticket with the PDF report attached is the change-control evidence — not a supplement to it.
Dependency vulnerabilities, same pipeline.
Modern applications inherit most of their attack surface from open-source dependencies. SimpleSec's SCA mode catches the vulnerable package before it ships — using the OSV.dev advisory database that powers Google's own internal scanning — and lands the findings in the same Compliance Archive your auditor already reviews. No second portal, no second integration, no second invoice.
- Your CI runs osv-scanner on every push. The official Google-maintained binary walks your repo recursively, parses every lockfile and SBOM (npm, pip, poetry, NuGet, Maven, Go, Cargo, Composer, RubyGems), and emits JSON.
- The JSON is POSTed to SimpleSec. Same endpoint, same API key — only scan_type: "sca" differs. We never see your source code, only the parsed findings.
- SimpleSec normalizes and persists every finding. CVE id, GHSA / advisory id, severity, affected package + version, fixed version, manifest path, transitive flag, and a deep link — de-duplicated per (vulnerability, package, version).
- Findings land in the Compliance Archive. Filter Type → SCA for dependency findings, or leave it off for the full pre-deploy picture — DAST and SCA side by side, sorted by commit.
- Severity gating uses the same policy as DAST. One threshold, one decision, one gate, regardless of coverage mode.
Source code never leaves you. Your CI runs the scanner locally; SimpleSec receives only the JSON findings. No source mirroring, no cloud build hosts. The architecture can't see your source, by design. SCA is included in the existing CI/CD add-on — same price, same key, same archive.
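The normalization and gating steps of the SCA loop above, as an added example rather than SimpleSec's own ingest code. It flattens osv-scanner JSON into one row per (advisory, package, version), pulls the CVE alias, severity, fixed version, manifest path and an osv.dev link, and applies a fail/warn/pass threshold. The sample is constructed and shaped like the tool's output as I understand it (placeholder package names and advisory ids); `scan_type: "sca"` is from the page, the other payload field names and the policy parameters `fail_at` / `warn_at` are assumptions.

```python
import json
from typing import List, Optional

# Constructed sample of `osv-scanner --format json -r .` output, shaped like the
# real tool's JSON as I understand it (results -> source/packages -> vulnerabilities).
# Package names and advisory ids are placeholders, not real advisories.
OSV_SCANNER_JSON = json.dumps({"results": [
    {"source": {"path": "package-lock.json", "type": "lockfile"}, "packages": [
        {"package": {"name": "example-lib", "version": "1.2.3", "ecosystem": "npm"},
         "vulnerabilities": [{
             "id": "GHSA-xxxx-xxxx-0001", "aliases": ["CVE-0000-00001"],
             "affected": [{"package": {"name": "example-lib", "ecosystem": "npm"},
                           "ranges": [{"type": "SEMVER",
                                       "events": [{"introduced": "0"}, {"fixed": "1.2.4"}]}]}],
             "database_specific": {"severity": "HIGH"}}]},
        {"package": {"name": "other-lib", "version": "0.9.0", "ecosystem": "npm"},
         "vulnerabilities": [{
             "id": "GHSA-xxxx-xxxx-0002", "aliases": ["CVE-0000-00002"],
             "affected": [{"package": {"name": "other-lib", "ecosystem": "npm"},
                           "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}],
             "database_specific": {"severity": "CRITICAL"}}]}]},
    # The same pinned package reached through a second lockfile: one finding, not two.
    {"source": {"path": "services/api/package-lock.json", "type": "lockfile"}, "packages": [
        {"package": {"name": "example-lib", "version": "1.2.3", "ecosystem": "npm"},
         "vulnerabilities": [{
             "id": "GHSA-xxxx-xxxx-0001", "aliases": ["CVE-0000-00001"],
             "affected": [{"package": {"name": "example-lib", "ecosystem": "npm"},
                           "ranges": [{"type": "SEMVER",
                                       "events": [{"introduced": "0"}, {"fixed": "1.2.4"}]}]}],
             "database_specific": {"severity": "HIGH"}}]}]},
]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _fixed_version(vuln: dict, pkg_name: str) -> Optional[str]:
    """First 'fixed' event in the affected ranges for this package, if any."""
    for affected in vuln.get("affected", []):
        if affected.get("package", {}).get("name") != pkg_name:
            continue
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    return event["fixed"]
    return None


def normalize_osv_output(raw_json: str) -> List[dict]:
    """Flatten osv-scanner JSON into one row per (advisory, package, version)."""
    seen, findings = set(), []
    for result in json.loads(raw_json).get("results", []):
        manifest = result.get("source", {}).get("path")
        for entry in result.get("packages", []):
            pkg = entry["package"]
            for vuln in entry.get("vulnerabilities", []):
                key = (vuln["id"], pkg["name"], pkg["version"])
                if key in seen:                  # de-duplicate across lockfiles
                    continue
                seen.add(key)
                severity = str(vuln.get("database_specific", {}).get("severity", "UNKNOWN")).upper()
                findings.append({
                    "advisory_id": vuln["id"],
                    "cve": next((a for a in vuln.get("aliases", []) if a.startswith("CVE-")), None),
                    "severity": severity if severity in SEVERITY_RANK else "UNKNOWN",
                    "ecosystem": pkg.get("ecosystem"),
                    "package": pkg["name"],
                    "version": pkg["version"],
                    "fixed_version": _fixed_version(vuln, pkg["name"]),
                    "manifest_path": manifest,
                    "link": f"https://osv.dev/vulnerability/{vuln['id']}",
                })
    return findings


def gate(findings: List[dict], fail_at: Optional[str] = None,
         warn_at: Optional[str] = "HIGH") -> str:
    """Severity gate: 'fail' if any finding reaches fail_at, 'warn' if any reaches
    warn_at, else 'pass'. The defaults model the page's warn-don't-block policy."""
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    if fail_at and worst >= SEVERITY_RANK[fail_at]:
        return "fail"
    if warn_at and worst >= SEVERITY_RANK[warn_at]:
        return "warn"
    return "pass"


def build_sca_payload(findings: List[dict], engagement_id: str, commit_sha: str, ref: str) -> dict:
    """Body for POST /api/v1/tests. Only scan_type is documented on the page;
    the remaining field names are assumptions."""
    return {"scan_type": "sca", "engagement_id": engagement_id,
            "commit_sha": commit_sha, "ref": ref, "findings": findings}


if __name__ == "__main__":
    rows = normalize_osv_output(OSV_SCANNER_JSON)
    print(json.dumps(build_sca_payload(rows, "eng-placeholder", "0123abcd", "refs/heads/main"), indent=2))
    print("decision (default policy):", gate(rows))
    print("decision (fail on critical):", gate(rows, fail_at="CRITICAL"))
```

Only the normalized rows are sent; the source tree stays in the CI runner, which is the property the paragraph above relies on. Keeping the manifest path of the first occurrence on a de-duplicated row matches the page's (vulnerability, package, version) key, so a package pinned identically by several lockfiles is counted once against the gate.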
Roadmap: the same ingest pathway will accept Semgrep / CodeQL (SAST) and gitleaks / trufflehog (secrets) via additional findings_format discriminators — one integration, one Compliance Archive, one set of severity gates for your entire pipeline-security story.
What's in the toolbox.
Every adapter is a real offensive-security tool, run with real flags against real targets. The planner picks which to run based on what the prior step discovered — and what the persona permits.
Reconnaissance & discovery
| Capability | What it does | Adapter |
|---|---|---|
| Port scanning | Top-150 port sweep over SYN or CONNECT; tunable rate. | naabu |
| Service fingerprinting | Banner + version detection on discovered ports. | nmap -sV |
| HTTP probing | HTTP/HTTPS detection with tech stack + CDN + IP detection. | httpx |
| Subdomain enumeration | Passive subdomain discovery for external-web engagements. | subfinder |
| TLS posture | Cipher suites, certificate chain, protocol-version checks. | testssl.sh |
| SSH posture | Algorithm strength, weak-cipher detection, host-key audit. | ssh-audit |
Web application testing
| Capability | What it does | Adapter |
|---|---|---|
| Template vuln scanning | YAML-template detection — request/response captured inline. | nuclei |
| Directory + file fuzzing | Wordlist path discovery with smart status/size filtering. | ffuf |
| Parameter discovery | HTTP parameter mining against URL endpoints. | arjun |
| JS + endpoint crawling | Headless-browser crawl with JS endpoint scraping. | katana |
| SQL injection | Automatic injection detection, exploitation, and data extraction. | sqlmap |
| XSS validation | Reflected, DOM, and stored XSS proof via real browser execution. | dalfox |
| Misconfiguration sweep | Broad web-server config audit against 6500+ checks. | nikto |
| WordPress / CMS | Plugin + theme + core-version vulnerability detection. | wpscan |
Active Directory + Windows
| Capability | What it does | Adapter |
|---|---|---|
| SMB enumeration | Null sessions, share enum, password policy, user lists, signing posture. | NetExec, enum4linux-ng |
| LDAP enumeration | Anonymous bind for DC discovery + signing posture; authenticated full enum. | ldap_enum |
| Kerberoasting | SPN enumeration + ticket extraction for offline cracking. | GetUserSPNs |
| AS-REP roasting | Pre-auth-disabled account enum — works without credentials. | GetNPUsers |
| Credential spraying | Low-and-slow password validation against discovered users. | NetExec --pass |
| NTDS / SAM extraction | Authenticated DC dump — destructive, gated by admin approval. | secretsdump |
| Lateral execution | Authenticated command execution via WinRM or MSSQL xp_cmdshell. | NetExec winrm |
Evidence auditors actually want.
SimpleSec captures the full request/response of every confirmed finding inline, so the proof lives next to the finding instead of "see step 47." Reports export to PDF, JSON, AttackForge, and CSV — each format optimized for its audience.
| Format | For whom | What's in it |
|---|---|---|
| PDF (branded) | Executive + Audit | Optional org-logo cover (Pro white-labeling), executive summary, severity-bucketed findings, per-finding evidence pane, remediation, scope appendix. |
| JSON | Engineering | Full structured run state — findings, credentials, evidence rows, step trace. Direct ingest into your dashboards or SIEM. |
| AttackForge | MSSPs + Consultancies | Native AttackForge JSON for managed-service delivery. |
| CSV findings | Vuln management | One row per finding — ID, severity, target, title, CVSS, status. Imports into Jira, ServiceNow, any tracker. |
| Host inventory CSV | Discovery engagements | Live-host + service inventory — the scoping artifact before a full engagement. |
Compliance Archive
Every CI-triggered test shows up with its commit SHA, engagement name, severity counts, decision (pass / warn / fail), webhook delivery status, scan type (DAST or SCA), and a one-click PDF for DAST runs. Filter by workspace, engagement, decision, type, or date range — that's your quarterly evidence pack. Commit SHAs line up to change tickets, decision badges line up to your gating policy, and PDF reports capture the actual test execution. No more "we did testing, promise."
The audit log
Every consequential action — login, API key creation, scan trigger, webhook resend, plan change, asset registration — writes to a tamper-evident audit log with the originating user, IP, timestamp, and resource id. Retention 365 days by default.
Built by people who break things for a living.
SimpleSec is built by SUMMIT Cyber Group, a working pentest practice. Every adapter and workflow exists because a real engagement demanded it. We hold our own platform to the same security bar we hold our clients' to.
Multi-tenant by design
Org-scoped isolation enforced at the query layer. Cross-tenant lookups return 404, not 403 — refusing to confirm another tenant's resources by status code.
Encrypted at rest
Customer credentials, agent configs, and ticket-provider tokens encrypted with per-deployment vault keys. Backups are useless without the key.
MFA + verified email
TOTP MFA available; admin accounts can require enrollment. Email verification gates scan creation for new self-service signups.
Scope enforcement
Every CI-triggered test runs against the engagement's registered assets — never an operator-supplied per-trigger scope.
Destructive proofs gated
NTDS dumps, RCE proofs, credential validation require per-engagement opt-in plus admin approval at runtime. CI tests can never opt in on their own.
Audit-grade logging
Every privileged action persisted with originating IP + user. Retention 365 days, configurable per deployment.
Deployment model. SimpleSec runs as a fully managed SaaS at app.simplesec.ai. Customer agents deploy as Docker containers or native WireGuard configs on customer infrastructure and only talk outbound — no inbound firewall changes needed.
Pricing that scales with your engagement.
Three tiers cover the path from solo evaluation through managed-service operation, with an optional CI/CD add-on that layers onto Pro workspaces.
Free
- ✓ Full Pro access for 7 days
- ✓ Up to 5 scans per 24h
- ✓ Read-only after day 7 — data retained
Standard
- ✓ Unlimited tests
- ✓ Full detail + remediation
- ✓ PDF / JSON / CSV reports
- ✓ Internal-network agent
- ✓ Destructive proofs (opt-in)
Pro
- ✓ Everything in Standard
- ✓ White-label PDF cover
- ✓ AttackForge export
- ✓ CI/CD add-on eligible
- ✓ SCA + Compliance Archive
Standard and Pro are 80% off during early access — $99.99 and $199.99/mo for your first year, then $499.99 and $999.99/mo. Pro is the first-workspace price; each additional workspace bills $99.99/mo (regularly $499.99). The CI/CD add-on is $99.99/mo flat + $5 per triggered test beyond 50 included per month — SCA dependency scanning included, no second invoice.
Run one against your own perimeter.
The fastest way to evaluate SimpleSec is to run one. Free-tier signup is two clicks and starts a 7-day full-access trial — up to five scans in any 24-hour window, with the same complete findings and reports as the paid tiers — enough to see the planner in action and decide whether continuous adversarial testing belongs in your workflow.
- Sign up at app.simplesec.ai — email verification, optional MFA, ready in two minutes.
- Create an engagement against a target you own and register the host assets.
- Launch a test — watch the planner pick adapters in real time over a streaming WebSocket attack log.
- Try the CI/CD trigger — mint an API key, curl /api/v1/tests, watch it run from outside the dashboard.
- Add SCA in one snippet — run osv-scanner, POST the JSON, watch findings land beside your DAST runs.
White-glove onboarding for the first cohort. Early Pro + CI/CD customers get direct integration support from the SimpleSec team — pipeline wiring, engagement setup, ticketing walkthroughs.