Third-party pen testing without the $20,000 bill.

Our AI attack engine goes beyond basic scanning - it chains vulnerabilities, tests business logic, and adapts its approach like an experienced human pen tester. Compliance-ready reports at a fraction of the cost of a traditional engagement.

Findings classified using industry standards:
  • OWASP Top 10
  • CVSS v4.0
  • CWE
  • NIST 800-53
  • MITRE ATT&CK

What You Get

AI Attack Engine

Our AI doesn't just run a scanner - it reasons about your application, chains findings together, tests business logic flaws, and adapts its attack strategy based on what it discovers. The kind of creative testing you'd expect from an experienced pen tester.

Deep DAST + OWASP Coverage

Full OWASP Top 10 coverage is just the baseline. The AI layer goes further - probing for access control gaps, privilege escalation, and multi-step attack chains that off-the-shelf scanners can't find.

Authenticated Testing

We test behind your login pages using securely stored credentials - because that's where critical vulnerabilities actually live. The AI navigates your app like a real user, finding flaws in protected workflows.

Compliance-Ready Reports

Professional PDF reports with CVSS scores, CWE references, NIST 800-53 control mappings, and MITRE ATT&CK techniques - with compliance summaries and remediation guidance formatted for SOC 2, PCI-DSS, and auditor handoff.

CISA KEV Alerts

Every scan cross-references your tech stack against the CISA Known Exploited Vulnerabilities catalog. If your infrastructure runs software with actively exploited CVEs - especially those tied to ransomware campaigns - you'll know immediately.

Black-Box, Zero Friction

No agents to install, no code changes required. We attack your application from the outside - exactly as a real attacker would. The AI maps your attack surface automatically and tests every angle.

How It Works

1. Register Your Target

Enter your application URL and a verification email at your domain to define the authorized test scope.

2. Verify Domain Ownership

Click the link in your verification email to confirm authorization - a required step in any professional pen test engagement.

3. Activate Your Subscription

$500/year per site. Testing begins automatically - weekly full scans and daily baseline regression scans start immediately.

4. Review Findings & Export Reports

Triage vulnerabilities on your dashboard, track remediation progress, and download compliance-ready PDF reports on demand.

Fix It Once. We Verify It Automatically.

With a traditional pen test, you get a report, fix the issues, and then pay thousands more to schedule a rescan to prove remediation. That cycle can take months.

Smoke Test's AI runs every week. When you fix a vulnerability, the next test picks it up automatically - no rescan request, no additional cost, no waiting. Your dashboard shows exactly when each finding was resolved, giving you a clear audit trail of continuous improvement.

Your clients and auditors don't want a point-in-time snapshot from six months ago. They want proof that your security posture is current. That's what continuous AI-driven pen testing delivers.

Simple Pricing

Traditional penetration tests cost $5,000–$50,000 per engagement. Smoke Test delivers AI-driven testing that rivals manual pen tests - continuously, at a fraction of the cost.

Per Site
$500/year
  • Weekly AI-driven penetration test
  • Daily baseline regression scans
  • Business logic & access control testing
  • Authenticated testing behind login
  • Compliance-ready PDF reports (CVSS, CWE)
  • NIST 800-53 + MITRE ATT&CK mappings
  • CISA KEV alerts with ransomware flags
  • OWASP Top 10 + beyond
  • Continuous monitoring dashboard
  • Email alerts for new findings

FAQ

Will this satisfy our compliance requirements?

Our reports are built for auditor handoff. Every finding maps to NIST 800-53 controls and MITRE ATT&CK techniques, with CVSS scores, CWE references, and remediation guidance. Reports include a compliance summary showing which NIST control families are affected and the top ATT&CK techniques observed - formatted for SOC 2 Type II, PCI-DSS, and similar frameworks.

Is this a real penetration test?

Yes - and it goes further than most. Smoke Test uses an AI attack engine that orchestrates industry-standard tools (including OWASP ZAP), but adds an intelligent layer on top: it reasons about your application's behavior, chains vulnerabilities together, tests business logic, and adapts its approach based on what it discovers. It's not a scanner with a UI - it's AI-managed pen testing.

How does this compare to a manual pen test?

Traditional manual pen tests cost $5,000–$50,000 and happen once or twice a year. Our AI engine performs the same creative, adaptive testing that experienced pen testers do - probing for logic flaws, access control gaps, and multi-step attack chains - but continuously. When you fix something, the next weekly test verifies it automatically. No rescan fees, no scheduling delays.

How is this different from running OWASP ZAP ourselves?

ZAP is one tool in our arsenal, not the whole product. Our AI engine orchestrates ZAP alongside custom attack modules, then reasons about the results - chaining findings, testing business logic, and pursuing attack paths that a standalone scanner would never attempt. Think of it as the difference between owning a stethoscope and having a doctor.

Can we use these reports for client audits?

Yes. Reports are professional-grade PDFs with vulnerability details, CVSS severity scores, CWE classifications, NIST 800-53 control mappings, MITRE ATT&CK techniques, and remediation recommendations. They also include a compliance summary and CISA KEV alerts flagging any known exploited vulnerabilities in your stack. Designed to be handed directly to clients, auditors, or compliance reviewers.

Can I cancel anytime?

Yes. Manage your subscription through the Stripe customer portal. No contracts, no lock-in.

Built by Security Professionals

We've spent 20+ years working with security-conscious clients - organizations where a data breach isn't just a bad day, it's an existential event. In that time, one problem came up again and again: clients needed a third-party penetration test to satisfy a compliance requirement or close a deal, but the quotes from pen test firms were absurd.

Smoke Test exists because we got tired of telling clients their only option was a $15,000 engagement. So we built what we wished existed - an AI attack engine that thinks like the pen testers we've worked with for decades, running continuously, at a price that makes sense. Not a scanner with a dashboard. Not a startup experiment. AI-managed penetration testing, born from two decades of real-world security work.