Trust and assurance at Pentest-Tools.com

Security teams don't take a vendor's word for it. Neither would we.

This page explains how we build, host, audit, and operate Pentest-Tools.com. Every claim here is something we can show you in a contract, an audit report, or a configuration.

Compliance and certifications: the proof we can hand to your auditor

ISO/IEC 27001:2023

PentestTools SA, the company that owns and operates Pentest-Tools.com, is certified to ISO/IEC 27001:2023. The certificate covers the information security management system (ISMS) we run across product development, infrastructure, support, and corporate operations.

GDPR

Pentest-Tools.com is an EU-based company. We process customer data under GDPR regulations.

Continuous self-testing with our own product

We run Pentest-Tools.com against Pentest-Tools.com. The vulnerability scanners, the exploitation modules, and the attack surface monitoring our customers use are the same ones we point at our own production and staging environments.

When our offensive security research team or our product team operationalizes a new CVE, our own infrastructure is among the first targets we test.

It’s simple: if we don't trust the product on our own perimeter, we don't ship it.

Infrastructure and cloud: where your data lives, and what runs around it

You can't fully separate "is this product secure?" from "where is it hosted, and who can touch it?".

Here are the specifics.

  • Hosting providers and regions

    Production runs on Hetzner and Linode data centers located in the European Union, United Kingdom and Iceland. 

    Both providers are independently audited (ISO 27001 and SOC 2 Type II respectively) and we layer our own controls on top.

  • Data residency

    Customer data currently resides on secure servers in Europe. 

    We're currently building regional data residency options so customers can choose their specific data residency region. 

    If data residency is a hard requirement for your procurement process, please get in touch.

  • System status

    status.pentest-tools.com shows real-time and historical uptime for each major component: web app, scanner workers, API, reporting engine, and integrations. Everything is live: we post incidents as we identify them, not just after they're resolved.

  • Network segmentation and access control

    Our production network is segmented from corporate using separate VPCs and private networks, with continuous monitoring on production traffic and firewalls to whitelist only required IPs and hosts. Scanner workers run in isolation from the platform tier and reach middleware only through the specific interfaces required to deliver scan results. Access to production servers requires private keys with mandatory passphrases, and every session is logged on the production hosts. Access to our internal admin interface is gated by two-factor authentication, with administrative actions captured in the application audit log.

Data protection and privacy: what we keep, what we delete, and what we never store

Offensive security work generates sensitive output. Scan results, credentials, screenshots, request and response bodies accurately describe how to attack a real system. 


We treat that data with the proper responsibility it requires.

Encryption

All customer data including scan results, targets, and credentials is encrypted as follows:


At rest: AES-256

In transit: TLS 1.2+

Data retention

We default to keeping the minimum amount of data needed for the work you're paying us to do. You stay in control of how long scan results live:

Scan results are deleted based on your retention settings: after 7, 14, 30, 90, 180, or 365 days, or once your total exceeds 100, 500, 1,500, 5,000, or 10,000 scans. You configure this in your account settings.

Reports are deleted automatically 30 days after generation.

Free accounts with no activity for 12 months have their scans and findings removed automatically. Targets and assets are kept.

Personal account data is retained while your account is active and for up to 24 months after it closes. Financial records are kept for 10 years as required by law.

You can delete targets and scan results at any time from the product. For full account and personal data deletion, contact data.privacy@pentest-tools.com.

AI and ML policy: where it runs, what it touches

We use AI in specific product capabilities:


→ for noise reduction in the Website Scanner and URL Fuzzer

→ for crawling and web app security testing accuracy in the Website Scanner

→ for vulnerability scan orchestration via natural-language through our MCP Server

→ to enrich vulnerability descriptions from authoritative public sources (NVD, vendor advisories, EUVD) with accurate, relevant context for security teams in our Network Scanner.

  • The ML Classifier is built on a fine-tuned LLaMA v3 model. It triages scan outputs to filter false positives and significantly reduces noise.

  • Customer scan data never leaves Pentest-Tools.com infrastructure and is never used to train public models.

  • Validation and exploitation remain deterministic. The AI improves signal; it doesn't decide what's exploitable. Every exploit module runs the same checks every time and produces the same forensic artifacts.

  • AI-orchestrated actions require human approval. The MCP Server can be driven from Claude, Codex, Copilot, or Cursor, but no exploit, scan, or other action runs without explicit confirmation from a person who has the right to authorize it.

This is the architectural distinction we don't compromise on: AI where it reduces noise, deterministic systems where it matters.

Payment data

We don't store credit card information. Subscriptions are processed through FastSpring, our payment provider and merchant of record. They handle card data, PCI-DSS scope, and the invoice your finance team needs.

Product security and the secure development lifecycle: controls you can actually configure

Trust isn't only about the perimeter. It also touches whether the controls you need to enforce your own security policy are present and usable.

Role-based access control (RBAC)

You get three roles by default: Admin, Tester, Viewer.

Permissions are scoped at the workspace level, so an MSP can keep one client's data invisible to another client's teammates.

Multi-factor authentication

2FA is available on every Pentest-Tools.com account and required for all users on every plan we offer, including our Free Edition.

We support TOTP apps like Google Authenticator, 1Password, Authy, LastPass, Microsoft Authenticator, 1Password.

SMS-based 2FA is not supported: it's been outpaced by SIM-swap attacks, so we don't offer it as an option.

Enterprise SSO with SAML

To make secure login easier, single sign-on (SSO) is available for enterprise-level teams via SAML.

Safe exploitation by design

This one matters more than the others, because it's the question our product specifically forces. Sniper Auto-Exploiter is an active exploitation tool: it gains remote command execution and extracts evidence directly from compromised systems. What makes it safe to point at production is the way we wrapped it.

Before any exploit module runs, Sniper executes non-destructive checks to confirm a target is actually exploitable. From there, you decide how far it goes:

Safe exploits only mode excludes modules that may crash the target. EternalBlue, for example, sits in the unsafe set and only runs when you explicitly allow it.

Targeted CVE selection lets you scope a run to up to 10 specific CVEs from Sniper's exploit database, so you're never running the full arsenal blind.

Authenticated mode uses credentials you provide to extract artifacts without exploiting anything.

Cleanup runs after every successful exploitation: Sniper removes any files or processes it created, leaving the system unaltered.

You also control which artifacts get extracted: system info, users, processes, network data, screenshots, filesystem listings. Nothing is collected by default that you didn't ask for.

Corporate and people security: the humans behind the product

People are still at the heart of software. Their access, their training, and their habits matter as much as any security control.

Vulnerability disclosure

We maintain a vulnerability research manifesto that sets out how we treat security research, internally and externally. Anyone finding a security issue in Pentest-Tools.com is encouraged to report it through our official disclosure channels.

The same Offensive Security Research team that publishes external CVEs and vulnerability research is the team responsible for hardening the platform itself, so the discipline we apply to other people's software gets applied to ours first. Everything we publish stays transparent, evidence-backed, and focused on what matters to practitioners.

Security training, on both sides of the desk

Pentest-Tools.com is staffed by working offensive security practitioners. Our research team publishes original CVE discoveries (such as CVE-PTT-2025-021 in cPanel) and our offensive security services team and other colleagues deliver writeups of high-impact vulnerability classes (Log4Shell, SessionReaper). 

The same people who write our detections and exploits also train our clients and the rest of the company on what they're seeing in the wild.

Employee vetting

Confidentiality agreements are signed at hire. Access is reviewed quarterly and revoked the day someone leaves.

Trust and transparency: documents you can pull right now

Here's what you can take with you right now, without a contract or an NDA.

  • reporting

    Sample reports

    Download sample pentest reports to see what evidence we attach, how findings are prioritized, and what an editable export looks like. The samples show the actual format your team will work with, they aren't marketing renders.

  • Documentation

    The technical documentation is updated as the product changes. It covers the whole product, from scanning setup, authenticated workflows, the API, to integrations, the MCP server, reporting and the rest. No login required.

  • assets icon

    Benchmarks

    Our Network vulnerability scanners benchmark and Web application scanners benchmark compare our detection accuracy against commercial and open-source alternatives - methodology and raw results included.

  • Research

    The offensive security research hub and our blog collects in-house vulnerability writeups, exploit methodology, CVE operationalization notes, and our public stance on responsible disclosure. Good research is rare these days, go check it out.

Trust and assurance FAQ’s

Is Pentest-Tools.com ISO 27001 certified?

Yes. Pentest-Tools.com holds an ISO/IEC 27001:2022 certificate covering the information security management system (ISMS) we run across product development, infrastructure, support, and corporate operations. The certificate is renewed annually and validated through the Global Accreditation Cooperation Incorporated (formerly IAF).

Are you GDPR compliant?

Pentest-Tools.com is an EU-based company and processes customer data under GDPR. We offer a data processing agreement (DPA) for customers acting as controllers. To request access to, correction of, or deletion of your personal data, contact data.privacy@pentest-tools.com.

How long do you keep my reports?

Reports are deleted automatically 30 days after generation. Download them or push them via the API to your own archive if you need longer retention.

Do you store credit card information?

No. Subscriptions are processed through FastSpring, our payment provider. FastSpring handles card data and PCI-DSS scope. We receive subscription status, not card numbers.

Which features use AI?

Three features: the ML Classifier (for noise reduction and false-positive filtering), Flowmapper and AI-assisted authentication (for reconnaissance and crawling), and the MCP Server (for natural-language orchestration from AI assistants like Claude, Codex, Copilot, and Cursor).

Where do the AI models run?

The ML Classifier is built on a fine-tuned LLaMA v3 model. Customer scan data never leaves Pentest-Tools.com infrastructure and is never used to train public models.

Does AI decide what's exploitable?

No. Validation and exploitation remain deterministic. AI improves signal - it filters noise and helps with reconnaissance - but it doesn't decide what's exploitable. Every exploit module runs the same checks every time and produces the same forensic artifacts.

Do AI-orchestrated actions run automatically?

No. The MCP Server can be driven from Claude, Codex, Copilot, or Cursor, but no exploit, scan, or other action runs without explicit confirmation from a person who has the right to authorize it.

What roles and permissions does Pentest-Tools.com support?

You get three roles by default: Admin, Tester, and Viewer. Permissions are scoped at the workspace level, so an MSP can give an analyst access to Client A's workspace and keep Client B's data invisible to that same analyst.

Do you support two-factor authentication?

Yes. 2FA is available on every Pentest-Tools.com account and required for admins on paid plans. We support TOTP-compatible authenticator apps including Google Authenticator, Authy, LastPass Authenticator, Microsoft Authenticator, and 1Password. SMS-based 2FA is not supported.

Do you support SSO?

Yes. SAML-based single sign-on is available for enterprise-level teams.

How does Sniper validate vulnerabilities safely?

Before any exploit module runs, Sniper performs non-destructive checks to confirm a target is actually exploitable. A "Safe exploits only" mode excludes modules that may crash the target - EternalBlue, for example, only runs when you explicitly allow it. You can also scope a run to up to 10 specific CVEs, choose authenticated mode (which extracts artifacts via legitimate sessions without exploitation), and select which artifacts get collected. After every successful exploitation, Sniper removes any files or processes it created.

Who can access my data inside Pentest-Tools.com?

A small number of employees, limited to what their role requires. All access is logged. Access is revoked the day someone leaves.

How do I report a security issue in your product?

Contact us with a description and steps to reproduce. We follow responsible disclosure practices and will keep you updated on the fix.

Does Pentest-Tools.com have a secure development process?

Yes. Code and configuration are peer-reviewed continuously. Security reviews follow OWASP, STIG, and CIS frameworks, applied based on the scope of each change.