signups: OPEN
vlkn:~$ pentest --report=compliance-ready

The first human-grade AI penetration test that's free.

Good security and effective pentesting have always sat behind the biggest budgets. What we built is too useful, and security matters too much, to leave it there. So now any organization can run a real, human-grade pentest, free, on a web app, API, or network range, with a report auditors recognize. Attackers feed on the orgs that never get tested, and a stronger ecosystem is better for everyone in it, yours included.

Get your free pentest →

# delivery starts mid-august. need it sooner? reach out.

## built, not wrapped

Most AI security tools are a thin layer of prompts around someone else's frontier model, metered by the API call. And frontier bills only move one direction lately: up. A real autonomous pentest burns a mountain of tokens, so every run costs them real money, and that gets passed straight to you.

We went the other way. Our own model, tuned for offensive security, running on hardware we own. Nothing rented, nothing metered per call.

We built something genuinely effective, and because we own the model and the machines, we control our costs in ways nobody renting an API can. We are using that to put a real pentest in your hands, not a stripped-down version of one.

## the job is the whole surface, not a benchmark

Most autonomous tools optimize for a narrow web-CTF slice, because that is what the popular benchmarks measure.

That is not the job. Any LLM can find a single vulnerability, and that part is easy. The hard part, and the real difference, is comprehensive coverage: the whole attack surface, and every finding that matters, not just the first one a model trips over.

attack surface discovery
Far more than a spider. Vision-driven agents read rendered pages the way a person does, clicking through the modals, dashboards, and SPA state crawlers never reach. You can only test what you can see, so mapping the real attack surface is where we start.
comprehensive coverage
Any tool can surface one bug. Every vulnerability class gets its own frame of focus, so nothing loses context and nothing gets skipped. Coverage is the design, not a side effect.
authorization and business logic
VLKN logs in as multiple users across roles and tests what each one can actually reach: IDOR and BOLA, cross-account access, race conditions, password reset and OAuth flows. Signature matching cannot find these. Understanding the application can.
validated findings
Every finding is checked for real exploitability, so you get signal, not scanner noise.
a report a pentester recognizes
Findings with severity and evidence, remediation, methodology, and scope. Plus an executive summary and a shareable attestation letter with no findings in it, also free.

## free vs paid

We gate the free tier by test type, never by security. MFA, SSO, and every protection stay on.

free

  • one target: a single webapp, API, or network range
  • single point-in-time test
  • queued, non-rush delivery
  • report only

## how it works

01

sign up

Name, work email, and company. That is the entire signup, and it commits you to nothing.

02

we get in touch

We reach out to work out the logistics of your test. Nothing runs until it is set up with you.

03

we test

Your target enters the queue and our engine runs the assessment on hardware we own.

04

report

You receive a compliance-ready report. Delivery starts mid-august. Need it sooner? Reach out and we will see what we can do.

## get your free pentest

No credit card. No sales pitch. No limits on company size or revenue. Free pentests are for organizations testing systems they own, and there is no cap on signups. We deliver in the order they clear setup, starting mid-august.

Something went wrong. Email info@vlkn.ai and we will add you manually.

Signing up commits you to nothing. We follow up by email to set up your test.

You're on the list.

We will email you to work out the logistics of your test. Nothing runs until it is set up with you.

Delivery starts mid-august. Need it sooner? Reply and we will see what we can do.

And if the report earns it, a review or testimonial would mean a lot.