Pentest-Tools.com REST API: automate vulnerability scanning & reporting

APIs shouldn’t be extras - they should be the baseline. 

The Pentest-Tools.com REST API for vulnerability scanning lets you launch and stop scans on your chosen assets, pull results programmatically, and generate the same evidence-rich reports you see in the UI. Plug it into CI/CD pipelines, dashboards, or ticketing. 

Included in all paid plans, no upsells - just faster remediation and scalable scan automation.

Why most APIs limit automation and drive up costs

Read-only APIs stall real automation

When APIs only deliver static results, engineers must carry out scans manually – logging into dashboards, clicking through forms, and exporting results – instead of embedding vulnerability scanning APIs directly into DevSecOps pipelines.

Our REST API allows you to launch and stop scans on your chosen assets, removing repetitive manual work and helping teams build effective security automation.

Restricted access creates workflow bottlenecks

Gated endpoints or enterprise-only tiers add delays and need workarounds, preventing security teams from running smooth, repeatable checks. 

The Pentest-Tools.com API is fully available in every paid plan, so teams can build security automation from day one without waiting for approvals or upgrading.

Partial data reduces visibility

APIs that don’t return full vulnerability scan results or reports make it harder to unify vulnerability data, leading to blind spots and inconsistent dashboards. 

With our vulnerability scanning API, you receive CVE, CVSS, CWE, and EPSS scores, remediation steps, raw evidence, plus PDF, CSV, JSON, or DOCX reports - the same detail you see in the UI.

Extra charges inflate testing costs

When vendors treat API access as a premium add-on, teams either overspend or settle for partial coverage – hurting both budgets and security outcomes. 

We include full REST API access with generous rate limits in all paid plans – no extra charges per call, so you can scale vulnerability scanning automation without worrying about surcharges.

How our vulnerability scanning API removes barriers to automation

The Pentest-Tools.com REST API gives you everything you need to automate vulnerability detection, scanning, and reporting - not just static data.

Instead of juggling manual exports or paying extra for enterprise-only features, integrate vulnerability testing automation directly into the way your team already works.

  • Automate scans end-to-end

    Use /scans to launch, monitor, and stop vulnerability scans across your chosen assets. Whether it’s a quick validation scan or ongoing checks for production systems, you can run them all without touching the UI.

  • Keep assets organized and costs predictable

    From day one, every paid plan includes access to /targets and /workspaces, so you can register new assets, group them into projects, and scale coverage as your environment grows - all within your plan’s limits.

    Stay organized while maintaining predictable vulnerability scanning costs.

  • Retrieve evidence-rich results

    Findings come back with the same depth as the web interface. The /findings and /reports endpoints return vulnerability data with CVE, CVSS, CWE, and EPSS scores, remediation steps, and payloads. 

    You can export results in JSON, CSV, or PDF, or generate DOCX reports, automatically pushing them into tools like Jira or your CI/CD dashboards.

  • Scale predictably and cost-effectively

    Instead of manually configuring each scan, automate your workflow across all assets in a workspace using our REST API. You can easily initiate scans for every target by making a simple API call for each one, eliminating the need to launch them manually.

    Our REST API automatically handles all targets grouped under your selected workspace, supporting scalable penetration testing workflows for large environments.

Your workflow in practice

From asset onboarding to remediation reporting, the API covers every step with endpoints that fit into your workflows, not the other way around.

  • Add targets with /targets to register assets by hostname, IP, or URL.

  • Run scans with /scans, selecting the right tool and parameters.

  • Pull findings via /findings and /reports for CVEs, severity scores, and evidence.

  • Push results into your existing stack – JSON to dashboards, CSV to asset managers, and PDF to stakeholders.

From scan to fix, without the manual steps

By embedding scans directly into your workflows, you cut time to remediation and deliver consistent, evidence-backed reports that teams and clients can trust.

Turn findings into fixes instantly

Integrate vulnerability data via API into ticketing tools like Jira, closing exposure gaps faster.

Scale scans without adding staff

One consistent workflow handles a handful of assets or large environments, without needing to add staff.

Use results in your existing tools

Export scan results via API in the formats your team already uses, reducing errors and wasted time.

Prove coverage with evidence-rich reports

Every finding includes proof, payload, and remediation details, so engineers trust the data and managers see the proof.

Free analysts for high-value testing

Automation clears repetitive work, leaving analysts to focus on deeper, more accurate testing and remediation guidance.

Who our REST API is built for

  • Security consultants

    Run repeatable scans across client environments in minutes, not days. Use the API to standardize testing, launch validation scans after exploitation, and pull JSON/CSV outputs directly into deliverables. 

    Every report is consistent and backed with evidence, freeing consultants to spend time validating critical findings and advising clients instead of re-running manual checks.

  • Internal security teams

    Catch vulnerabilities earlier by embedding scans into CI/CD pipelines. Engineers and DevSecOps specialists can trigger scans automatically with each build, pull CVE data and severity scores into Jira, and generate actionable tickets for developers. 

    That means fewer last-minute surprises, shorter remediation cycles, and production systems that ship with far fewer exploitable flaws.

  • MSPs

    Run automated scans per client, feed results into multi-tenant dashboards, and deliver branded remediation reports directly to client portals. 

    Analysts save hours of manual reporting per client per week, while managers track SLA compliance with clear metrics on remediation timelines.

REST API FAQs

Do API scans return the same results as the web interface?

Yes. Our REST API for vulnerability scanning returns the same data-rich results you see in the UI, including CVEs, CVSS, CWE, and EPSS scores, remediation steps, evidence logs, and full reports.

Who is the REST API designed for?

Our vulnerability scanning API is built for both technical practitioners and security leaders. Pentesters, security engineers, DevSecOps specialists, and SOC analysts use it daily to run scans and pipe results into their tools. Security leaders rely on consistent, evidence-backed reports to track remediation timelines and prove compliance.

How quickly can I start using the API?

You can be up and running in minutes. Generate an API key under My Account – API, test with our ready-to-use Python client and explore the auto-generated REST reference based on our public OpenAPI schema.

What output formats does the API support?

Results are available in JSON, CSV, and PDF, making it easy to integrate into dashboards, SIEMs, ticketing systems, or client deliverables.

Which pricing plans include API access?

All paid plans include full REST API access. Unlike competitors that gate automation behind enterprise pricing tiers, every subscription comes with the ability to launch, stop, and manage scans programmatically.

Are there any API limits I should know about?

Yes. By default, the API enforces: 

  • 250 API requests per minute per user

  • A lower limit of 60 requests per minute for /scans/{id}/output

  • 125 API requests per minute for POST requests
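
A client-side throttle that keeps an integration under the three limits listed above, as an added example (not Pentest-Tools.com code and not part of its Python client). It assumes the limits stack, so a request is charged to the overall budget and to every narrower one it matches, that paths are given relative to the API root, and that a 60-second sliding window approximates how the server counts; the `Throttle` and `buckets_for` names are hypothetical.

```python
import re
import time
from collections import deque

WINDOW = 60.0  # seconds; assumed sliding window
# Requests per minute per user, as quoted in the FAQ above.
LIMITS = {"all": 250, "post": 125, "scan_output": 60}
SCAN_OUTPUT = re.compile(r"^/scans/[^/]+/output/?$")


def buckets_for(method, path):
    """Return every budget a request is charged to (assumed to stack)."""
    names = ["all"]
    if method.upper() == "POST":
        names.append("post")
    if SCAN_OUTPUT.match(path.split("?", 1)[0]):
        names.append("scan_output")
    return names


class Throttle:
    """Sliding-window limiter; call acquire() before each API request."""

    def __init__(self, limits=LIMITS, window=WINDOW,
                 clock=time.monotonic, sleep=time.sleep):
        self.limits, self.window = dict(limits), window
        self.clock, self.sleep = clock, sleep
        self.sent = {name: deque() for name in self.limits}

    def wait_time(self, method, path):
        """Seconds until the request fits in all of its budgets."""
        now, delay = self.clock(), 0.0
        for name in buckets_for(method, path):
            q = self.sent[name]
            while q and now - q[0] >= self.window:
                q.popleft()  # forget requests older than the window
            if len(q) >= self.limits[name]:
                delay = max(delay, q[0] + self.window - now)
        return delay

    def acquire(self, method, path):
        """Block until the request is allowed, then record it."""
        delay = self.wait_time(method, path)
        while delay > 0:
            self.sleep(delay)
            delay = self.wait_time(method, path)
        now = self.clock()
        for name in buckets_for(method, path):
            self.sent[name].append(now)
        return now
```

A polling loop that reads scan output is the caller most likely to hit the 60-per-minute budget first, so route those calls through the same `Throttle` instance as everything else.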

Is the vulnerability scanning API secure?

Yes. Access is authenticated via API key, which you can create or revoke anytime from your account. The API delivers data securely and only scans scoped targets, keeping your infrastructure and client data protected.

Can I manage workspaces and reports through the API?

Yes. You can create or query workspaces programmatically and generate and download reports directly from the API. That means you can automate report delivery or integrate scan data into client portals without manual exports.

Does the API support internal and authenticated scans?

Yes. You can run authenticated web app scans as a logged-in user and perform internal network scans via VPN. This ensures comprehensive coverage across both public and private environments.