The proof-first platform for external attack surface and network pentesting. Findings are attack-proven, not AI-guessed — every one demonstrated, with the evidence attached. For teams done triaging scanner noise.
// Silence means tested-and-clean, not silently-broken.
// Our silence is as trustworthy as our findings.
Hard-scoped, fail-closed, fully logged — every probe inside your authorization, every decision on the record.
Four independent evidence gates, then an authenticity check on the evidence itself. Fail one and it's held back — no exceptions, no judgment calls.
Actually reachable from outside. Theoretical risk doesn't make the cut.
gate 1 of 4 · pass requiredThe response genuinely indicates the weakness. Coincidental pattern-matches die here.
gate 2 of 4 · pass requiredCan actually be acted on, not merely observed. If it can't be leveraged, it fails.
gate 3 of 4 · pass requiredA concrete consequence — data exposed, access gained, integrity violated. No stakes, no report.
gate 4 of 4 · pass requiredIs this evidence real, or did the harness fool itself? Pass the gates but not authenticity, and it's Tier 3 — caveat shown, not hidden. Tier 4 is fully proven. Below Tier 3, nothing is reported as proven.
Each finding ships a self-contained bundle — raw request, raw response, per-gate decisions, authenticity verdict. The raw data is in your hands; verify every finding yourself.
EASM tells you what might be wrong. Pentest proves it. Run either as a one-time engagement, keep the proof always-on, or combine both into Continuous Coverage — one autonomous system that watches for change and re-proves what matters.
Discovery and verification of everything you expose to the internet — subdomains, services, APIs, forgotten staging. Every asset confirmed, not guessed from stale records.
Active, gate-verified exploitation against your authorized network — turning "you have this exposure" into "here's exactly what an attacker does with it." Authenticated testing probes behind the login when credentials are provided. SSO & vault rolling out
Event-triggered re-proving: when your surface changes, GhostTrace re-runs the relevant checks and reports only what's new, resolved, or reopened — deltas, not data dumps.
EASM and Pentest as one autonomous system: a change on your surface auto-triggers a governed assessment, and only the newly proven exposure surfaces — so the gap between "something changed" and "here's the proof" collapses to near zero.
A deterministic core you can audit line by line, and an AI brain that reasons like an attacker — together, not in sequence. Whichever surfaces a candidate, it faces the same gates.
Fixed detectors, same input to same output, every time. Reproducible, auditable, zero AI cost — the layer you can trust even if you distrust AI.
The attacker mind of the platform. It reasons from what the scan has seen — proposing endpoints fixed rules would never guess, and chaining scattered weak findings into a single proven attack path.
We publish what we don't do yet — a proof-first company shouldn't market what it can't prove. In priority order:
Proof isn't one number — it's the whole story around a finding. The heart of it is the differential: the same endpoint behaving correctly, then leaking. That contrast is what turns "suspicious" into "proven."
403 vs 200 on the same endpoint — that's the proof it's a real authorization flaw, not a broken service. Already captured today; surfacing into the dashboard now.
Individual findings are one thing. The picture that changes a boardroom conversation is the chain — from the public internet to a business impact, every hop a proven finding you can open.
Sample attack path from a proof-first assessment (fictional demo data).
A self-contained request you replay yourself. If it doesn't reproduce on your side, you shouldn't have to trust it.
A concrete fix path written for the engineer who owns the code — not a generic CWE paste.
How the target was reached and what surrounds it — the discovery trail behind every finding.
Where a proven finding lines up with known-exploited vulnerabilities, so priority is obvious.
CWE, OWASP, and MITRE ATT&CK references attached to each finding for audit and reporting.
How individual findings chain into a single path — the picture a human pentester would draw.
Every item above is collected with proof attached — the differentiator competitors can't cheaply copy. Every card here is tagged in your bundle: it ships with every finding today.
Threat actors don't ask permission; your surface is already being probed. GhostTrace runs the same offense — autonomously — but inside an authorization you define, enforced in code and recorded in a ledger. Not a single packet leaves for a target outside your scope, and probing is paced to spare production.
Your engagement becomes a hard allowlist. The scope governor enforces it fail-closed at the API, the worker, and every outbound request — tightened mid-run, never widened.
Before real probing, the dry-run shows exactly what will happen — which checks, which surface, what scope. Fully transparent, nothing hidden, all of it logged.
The engine maps your surface and attacks what it finds. Every candidate faces the gates. The cost governor caps each run, so the AI can't run away — no endless loops against your systems.
Findings are autonomously gate-verified, adjudicated, and reported — no human bottleneck in the loop. You get the evidence bundles, audit ledgers, and structured exports your ticketing and SIEM can consume — plus a one-click executive report rolling out.
Enforced in code and entitlement, visible in the ledgers — not by a human watching over it.
The honest comparison — including where each alternative is the right call, and where it structurally cannot get you to proven.
| Legacy scannersQualys, Tenable, DAST tools | Manual pentestconsultancy engagement | AI-pentest entrantsautonomous black-box platforms | GhostTraceproof-first, auditable | |
|---|---|---|---|---|
| What gets reported | Pattern matches — 10–100× more findings than are actionable | What a human verified — quality varies with the team you got | AI-generated findings with varying validation | Only gate-verified findings — four gates plus authenticity, evidence attached |
| Can you audit it? | Rules are opaque; "clean" and "broken" look identical | You can ask the consultant — until the engagement ends | Black-box reasoning; can't explain how a finding was derived | Every capability tested in CI, every decision in a ledger, every finding traceable to evidence |
| Triage burden | Yours — full-time staff closing tickets that should never have opened | Low, but findings arrive as a PDF snapshot | Lower volume, but you still verify the AI's claims | Near zero — if it's reported, it passed the gates |
| Trusting the quiet | Zero findings might mean the scanner silently broke | Silence between engagements means nothing at all | No structural way to prove the AI actually looked | CI gates prove every claimed capability runs — silence means tested-and-clean |
| Cost shape | Cheap per scan, expensive in triage headcount | $30K–$200K per engagement, weeks to schedule | Platform pricing, opaque AI spend | Automated cadence at mid-market price; AI spend hard-capped per run |
| The right tool when | You need checkbox breadth at minimal cost | Stakes demand bespoke human adversaries | You want maximum autonomy and accept the opacity | You want findings you can verify and silence you can trust |
You're inviting a tool to attack your systems and store the proof. Here's where that data lives and how it's isolated — the questions your security team will ask first.
Every organization's data is separated at the database layer with row-level security and accessed through a non-privileged role. One tenant's queries can never read another's rows — isolation is a database guarantee, not an application promise.
Findings and evidence bundles are encrypted at rest with per-record keys managed in KMS. The raw request/response that proves a finding is protected the moment it's captured.
The scope governor bounds every outbound request to your allowlist, fail-closed. Nothing is tested, stored, or reported outside the engagement you defined — and the scope ledger lets you audit every decision after the fact.
SOC 2 in progress · DPA available on request · data-residency options for regulated environments. The full posture lives in the Trust Center.
Every security tool decays: detection logic drifts, capabilities silently break, and "no findings" stops meaning anything. GhostTrace is built so that failure mode is structurally impossible to hide.
Every capability the platform claims is checked against the code on each build. A claim without matching code — or a "live" claim without a test proving it runs — fails the build.
Each detector ships with a known weakness it must catch. When a framework change breaks detection, the build breaks first — not your security posture.
A recurring audit confirms every "live" capability is actually exercised by real scan paths. Anything dormant is surfaced and resolved, never left quietly broken.
The full discipline — standing rules, build gates, and the self-audit that surfaces drift before it can ever reach a report — is documented in the Trust Center.
Before you book anything, see exactly what lands in your hands. A complete assessment for a fictional org — six proven findings across both modules, an AI-chained attack path, evidence and remediation on every one, and the machine-readable artifacts that let you verify each finding yourself.
No form, no email. Report opens in your browser; the .zip adds results.json, evidence bundles, and the audit ledgers.
Against a vulnerable canary: the expected findings every run, zero false-positive recurrence. Against real infrastructure: a genuine exposure — autonomously gate-verified, adjudicated, and reported to the owner. We're taking a few design partners who want that discipline on their surface.
A live run — discovery, the gates, the evidence bundle your team would receive — and we'll scope a design-partner engagement for your environment.
Not ready to talk? The tour and sample report are ungated — dig in first, no email required.