Tool · One-Time Purchase
Pentester — Enterprise
AI security code review, organization-wide license
Worth $999 — you pay $499 today.
Buy now — $499
Instant delivery — download from your in-app library right after checkout. Linked to your account; sign in any time to re-download. All sales final.
Overview
Pentester is a 100%-local, command-line AI security code-review tool. It reads your source code, config files, and dependency manifests on your own machine and writes a prioritized security report mapped to the OWASP Top 10 (2021) and CWE. It runs entirely offline by default, has zero third-party dependencies (pure Node.js 18+, nothing to npm install), and never uploads, transmits, or phones home with your code. That local-first privacy guarantee is the entire point: you can run it on an air-gapped box if you want.
It is a defensive, read-only static-analysis (SAST) and secret/config scanner. It catches whole classes of mistakes early — hardcoded credentials, injection-prone patterns, weak crypto, insecure config, IaC/container misconfiguration, and risky dependencies — in your editor, a pre-commit hook, or your CI pipeline. Detection is deterministic: every finding comes from a named rule matched against actual file content at a specific line number, so two runs over the same tree produce the same report. The optional --ai layer points at a LOCAL Ollama model that only explains and triages the findings the rules already produced; it cannot add a finding (the count is identical with AI on or off), and with --ai and --online both off the tool opens no network connections at all.
Be clear on what it is not: this is not a replacement for a professional penetration test or a manual audit, and it is not a security certification. Rule-based static analysis matches code patterns, not runtime behaviour: it produces false positives and misses issues that only appear under dynamic, authenticated, or context-dependent conditions (a pattern cannot tell a live key from one swapped in at deploy time, or see that an injection sink is only reachable after authentication). Treat the output as a prioritized to-do list for a human reviewer, and have a qualified person verify findings before acting on them. The product saves you building your own repeatable scanning engine; the security judgement is still yours.
What's included
- The full Pentester CLI source (pure Node.js 18+, zero third-party runtime dependencies); `npm link` puts the `pentester` command on your PATH
- 71 core detection rules across 4 packs: Secrets, Injection, Cryptography, and Generic hygiene (counts as of v1.0.0 — run `pentester rules` for live counts)
- 58 additional Pro-pack rules across 5 packs: insecure deserialization, broken auth/session/cookie, access-control & SSRF, web misconfiguration, and IaC/container scanning (Dockerfile, docker-compose, Kubernetes, Terraform)
- Secret detection via provider signatures (AWS, GCP, GitHub, Stripe, OpenAI, Anthropic, Slack, JWTs, PEM private keys, generic .env assignments) plus a Shannon-entropy scan for unknown-shape secrets, with lockfile/placeholder/test-fixture filtering to cut noise
- Dependency-risk scanning against a bundled, dated advisory snapshot (fully offline), with an opt-in --online flag to also query OSV.dev
- Three report formats from one run: JSON, Markdown, and a self-contained HTML dashboard (--format all) — the HTML report is the client-facing deliverable
- Optional local-AI triage (--ai) that points at a local Ollama model (default qwen2.5-coder:7b) to explain findings in plain English; snippets are redacted before they reach the model, and it falls back to built-in templated explanations if no model is present
- CI gate support: --fail-on <level>, --min-severity, --quiet, and documented exit codes (0 clean, 1 finding at/above threshold, 2 usage error, 3 scope not acknowledged, 5 internal error)
- Authorization workflow: scope acknowledgment (--scope-ack or a .pentester-scope.json Rules-of-Engagement file) plus an append-only .audit.log that records timestamps and hashes only — never your code
- Finding suppression: inline `// pentester-disable <rule.id>` comments and a --baseline JSON file so only NEW findings surface on later runs
- Helper commands: `init` (scaffold config + scope file), `rules` (list/explain packs), `doctor` (environment readiness check), plus --only/--skip pack filters and --no-snippets redaction
- Commercial per-tier EULA (Personal / Pro / Team), example config files (.pentester.json, .pentester-scope.json, .pentester-ai.json), a vulnerable-sample app for testing, and the test suite (node --test, no extra runner)
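As an added illustration of the secret-detection approach listed above (provider signatures, a Shannon-entropy pass, and placeholder/lockfile/fixture filtering producing line-numbered findings), here is a small zero-dependency Node.js scanner in the same spirit. It is example code written for this page, not Pentester's own rules: the rule ids, regexes, the 4.0-bit entropy threshold, the redaction format and the sample files are all assumptions.

```javascript
'use strict';
// Added example, not Pentester's source. Demonstrates signature rules plus a
// Shannon-entropy rule with placeholder/fixture filtering. Everything below
// (rule ids, patterns, threshold, sample files) is an assumption for the demo.

// Provider-shaped signatures (illustrative patterns, not the product's packs).
const SIGNATURES = [
  { id: 'secrets.aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: 'secrets.github-pat',        re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { id: 'secrets.pem-private-key',   re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// `NAME = "value"` / `name: 'value'` with a value of 20+ token-like characters.
const ASSIGNMENT = /\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']?([A-Za-z0-9+/=_\-]{20,})["']?/;

// Values that are documentation or scaffolding rather than live credentials.
const PLACEHOLDER = /example|changeme|placeholder|your[_-]?(?:key|token|secret)|x{6,}|<[^>]+>/i;

// Lockfiles carry hashes and fixtures carry canned keys: skip them outright.
const SKIP_PATH = /(?:^|\/)(?:package-lock\.json|yarn\.lock|pnpm-lock\.yaml)$|(?:^|\/)(?:fixtures?|__snapshots__)\/|\.(?:test|spec)\.[cm]?[jt]s$/;

const ENTROPY_THRESHOLD = 4.0; // bits per character; assumed, tune per codebase

// Shannon entropy H = -sum(p * log2 p) over the characters of s.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Never put the full secret in the report; keep a recognizable prefix only.
function redact(s) {
  return s.slice(0, 4) + '*'.repeat(Math.max(0, s.length - 4));
}

// Scan one file's text; returns deterministic, line-numbered findings.
function scanFile(path, text) {
  if (SKIP_PATH.test(path)) return [];
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const lineNo = i + 1;
    let signatureHit = false;
    for (const sig of SIGNATURES) {
      const m = sig.re.exec(line);
      if (!m) continue;
      signatureHit = true;
      if (PLACEHOLDER.test(m[0])) continue; // documented/example key, not a leak
      findings.push({ rule: sig.id, file: path, line: lineNo, severity: 'high', match: redact(m[0]) });
    }
    if (signatureHit) return; // the entropy rule would only duplicate a signature hit
    const m = ASSIGNMENT.exec(line);
    if (!m) return;
    const value = m[2];
    if (PLACEHOLDER.test(value)) return;
    const h = shannonEntropy(value);
    if (h >= ENTROPY_THRESHOLD) {
      findings.push({ rule: 'secrets.high-entropy-string', file: path, line: lineNo,
                      severity: 'medium', name: m[1], entropy: Number(h.toFixed(2)) });
    }
  });
  return findings;
}

function scanFiles(files) {
  return Object.entries(files).flatMap(([path, text]) => scanFile(path, text));
}

// Constructed sample input (no real credentials; the AKIA values are made up
// or, for docsKey, AWS's own documentation placeholder).
const SAMPLE_FILES = {
  'src/config.js': [
    'const region = "us-east-1";',
    'const awsKeyId = "AKIAQ7Z2K4F9M1N3P8R6";',                  // realistic shape: flagged
    'const docsKey = "AKIAIOSFODNN7EXAMPLE";',                   // contains EXAMPLE: filtered
    'const sessionSecret = "k9Fz2Lq8Vx3Rt7Wp1Hn5Gc6Jd4Bm0Ys";', // high entropy: flagged
    'const appName = "inventory-service-staging-01";',           // low entropy: ignored
  ].join('\n'),
  'test/fixtures/keys.js': 'const awsKeyId = "AKIAQ7Z2K4F9M1N3P8R6";', // fixture path: skipped
};

console.log(JSON.stringify(scanFiles(SAMPLE_FILES), null, 2));
```

Running it yields exactly two findings for src/config.js (the AKIA key on line 2 and the high-entropy session secret on line 4); the fixture copy of the same key is never scanned, and the documented example key is dropped by the placeholder filter before it reaches the report.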
Who it's for
- Solo developers and indie hackers who want to catch leaked secrets and obvious vulns before they ship, without paying for an enterprise SAST seat
- Freelancers and consultants who want to add paid security code review / pre-ship audits to their service menu
- Dev agencies and studios that hand off client codebases and need a fast, repeatable security pass before delivery
- Startup/early-stage teams prepping for a security questionnaire, enterprise sales review, or SOC 2 conversation
- Privacy-sensitive and regulated teams (fintech, health, NDA-bound work) who cannot upload source code to a cloud scanner
Use cases
- Pre-commit / pre-push hook that blocks hardcoded credentials and weak crypto before they reach the repo
- CI pipeline gate that fails the build (--fail-on high) when a high-or-above finding is introduced
- Pre-ship audit of a feature branch or release candidate, exported as an HTML report for the team or a client
- Scanning IaC and container config (Dockerfile, docker-compose, Kubernetes, Terraform) for misconfiguration before deploy
- Offline dependency-risk check on an air-gapped or NDA-bound codebase where cloud scanners are not allowed
- Generating a redacted, client-facing findings report with --no-snippets when you cannot share raw code
Sell pre-ship security audits and code reviews — without ever uploading client code to the cloud
The service
Offer paid security code review / pre-ship audits to dev teams, agencies, and startups. You run Pentester against a client's repo (on your machine or theirs), then deliver the HTML/Markdown report plus a human-verified findings summary, severity triage, and a remediation to-do list. Package it as a one-off repo audit, a 'pre-launch security pass', or a recurring monthly retainer that re-scans every release. The 100%-local guarantee is your closer: privacy-sensitive and NDA-bound clients can say yes without a cloud-upload or legal objection. Sell it honestly as fast, repeatable, pre-ship hygiene — not as a full manual penetration test.
What to charge
One-off repo audit (verified report + remediation list): $300–$1,500 depending on repo size and how much manual verification you add. Startup pre-launch security pass: $750–$2,500. Recurring monthly re-scan + report retainer: $150–$600/mo per client. Agency white-label per-project add-on: $200–$500. State plainly these are static-review rates — a real manual pentest runs $5k–$20k+ — so you set expectations and stay credible.
How to find clients
- Offer it to dev shops and agencies you already work with — they hand off client code constantly and rarely budget a dedicated security pass, so a cheap pre-handoff audit is an easy yes that protects their reputation
- Post a redacted sample report (from your own repo or the bundled vulnerable-sample app) on LinkedIn/X with the real findings and fix list — let the artifact sell the service instead of you cold-pitching
- List a fixed-scope 'Pre-Ship Security Audit' as a productized gig on Upwork/Contra/your own site with a clear deliverable and turnaround so buyers self-select
- Target founders prepping for a SOC 2 review or an enterprise customer's security questionnaire — a clean static-scan report is a concrete, affordable first step they can show procurement
- Lead with the privacy angle to regulated and NDA-bound clients (fintech, health, legal) who literally cannot use a cloud scanner — that constraint is your differentiator
The delivery steps
- Run `pentester doctor` and `pentester init`, then scan the bundled vulnerable-sample app so you know the tool, the rule packs, and the report output cold before you sell
- Define one fixed-scope offer with a written deliverable: scan + human-verified findings + severity triage + remediation to-do list, with a stated turnaround
- Get authorization in writing every time — fill out the .pentester-scope.json Rules-of-Engagement file and keep the .audit.log; never scan code you are not explicitly authorized to review
- Run the scan with --format all, then manually verify each high/critical finding before it goes in the report (this is the value — never hand over raw tool output as-is)
- Deliver the HTML report plus a short plain-English executive summary; use --no-snippets if the client cannot share raw code externally
- Offer a follow-up: a recurring monthly re-scan retainer using --baseline so only NEW findings surface, turning a one-off into recurring income
How to market it
- Publish a redacted sample HTML report as your hero asset — buyers want to see exactly what they get, and a real findings list converts far better than a feature pitch
- Write a short case-study or teardown post: 'I scanned an open-source project and found X hardcoded secrets and Y weak-crypto issues in 3 minutes' (use a project you own or the bundled sample) — concrete numbers travel
- Lean hard on the 100%-local / your-code-never-leaves-your-machine message in every channel; it is the one thing cloud SAST tools (Snyk, SonarCloud) can’t match for NDA/regulated buyers
- Make a short screen-recording of a scan end to end — init, analyze, HTML dashboard opening — and post it as a demo on YouTube/LinkedIn/X; a 60-second 'watch it find a leaked AWS key' clip sells itself
- Position the price honestly against alternatives: one-time license vs per-seat SaaS subscriptions, and "one caught secret pays for it" framed against the real cost of a credential leak — anchor on the $99/$399/$999 list ("worth") prices rather than the discounted sale prices
- Bundle it with your existing dev/consulting services as a value-add ('every project ships with a security pass') rather than selling it cold as a standalone tool
Frequently asked questions
Does my code get uploaded anywhere?
No. Detection runs 100% locally and offline by default — no accounts, no cloud, no telemetry, no source upload. The only optional network paths are a LOCAL Ollama model (--ai, on your own machine) and an opt-in OSV.dev dependency lookup (--online); both are off by default and clearly flagged. You can run it on an air-gapped box.
Is this a replacement for a real penetration test?
No, and we won’t pretend it is. Pentester is static analysis — it reasons about code patterns, not runtime behavior. It catches whole classes of mistakes early, but it produces false positives and misses issues that need dynamic, authenticated, or manual review. It is a prioritized to-do list for a human, not a security certification. Always have a qualified person verify findings.
What does the AI actually do — can it invent vulnerabilities?
No. With --ai, a local model only explains and triages findings the deterministic rules already produced. The finding count is identical with AI on or off — the model can never add a vulnerability the rules didn’t detect. Snippets are redacted before they reach the model, and if no local model is present the tool falls back to built-in templated explanations.
What do I need to install?
Just Node.js 18 or newer. There are zero third-party runtime dependencies — nothing to npm install. Run `node src/cli.js analyze <path> --scope-ack` (without --scope-ack or a .pentester-scope.json file the run stops with exit code 3), or `npm link` to get the `pentester` command on your PATH. Run `pentester doctor` to confirm your environment is ready.
What’s the difference between Solo, Pro/Team, and Enterprise?
Same tool, same 100%-local privacy guarantee at every tier — the license gates which rule packs unlock and how many people are covered. Solo ($49) is one developer with core packs; Pro/Team ($199) adds all Pro packs (deserialization, broken auth, access-control/SSRF, web misconfig, IaC/container, dependency-advisory scanning) and multi-seat commercial use; Enterprise ($499) licenses it org-wide with priority support.
Can I use it on client code to charge for audits?
Yes — that's exactly what the Pro/Team commercial license is for. Get authorization in writing first (use the built-in .pentester-scope.json Rules-of-Engagement file and the append-only .audit.log), only scan code you're authorized to review, and verify findings manually before delivering. Sell it as a fast static-review pass, not as a full manual pentest.
After you buy
Purchases are linked to your account — sign in and head to your product library to download anytime. Bought without an account? Check your email for the download link and a one-click way to set a password.