pensar pentest

Overview

The pensar pentest command runs a full autonomous penetration test from the command line without launching the TUI. This is ideal for CI/CD pipelines, scripting, and headless environments.

Usage

$ pensar pentest --target <url> [options]

Options

Flag                          Description
--target <url>                (required) Target URL, domain, or IP address
--cwd <path>                  Source code path — enables whitebox attack surface analysis
--mode <mode>                 Pentest mode: exfil (pivoting & flag extraction)
--model <model>               AI model to use (defaults to your configured provider’s default)
--prompt <text|@file>         Guidance for the pentest agent (inline text or @filepath)
--threat-model <text|@file>   Threat model to guide the pentest (inline text or @filepath)

Examples

# Basic blackbox pentest
$ pensar pentest --target https://example.com

# Whitebox pentest with source code access
$ pensar pentest --target https://example.com --cwd ./my-app

# Specify a model
$ pensar pentest --target https://example.com --model claude-sonnet-4-5

# Exfil mode for CTF-style flag extraction
$ pensar pentest --target https://example.com --mode exfil

# Provide inline guidance
$ pensar pentest --target https://example.com --prompt "Focus on authentication bypass"

# Load guidance from a file
$ pensar pentest --target https://example.com --prompt @./pentest-notes.md

# Feed a threat model document
$ pensar pentest --target https://example.com --threat-model @./threat-model.md

# Combine both
$ pensar pentest --target https://example.com --threat-model @./threat-model.md --prompt "Focus on critical paths"

Guiding the Pentest

The --prompt and --threat-model flags let you steer the pentest agent with additional context.

Both flags accept inline text or an @file reference. Prefix a file path with @ to read its contents instead of passing the path as a literal string.

When --threat-model is used, the content is automatically wrapped with guidance explaining how the agent should use it — prioritizing attack paths by severity, following pentest guidance sections, and verifying control gaps.

How It Works

  1. Apex creates a session (named “Blackbox Pentest” or “Whitebox Pentest” depending on whether --cwd is provided)
  2. The AI agent swarm is deployed against the target
  3. Progress and tool calls are streamed to stdout in real time
  4. On completion, a summary is printed with the number of findings and paths to the findings file, POCs directory, and report

Output

============================================================
PENTEST ORCHESTRATION
============================================================
Target: https://example.com
Model: claude-sonnet-4-5
→ execute_command
✓ execute_command completed
→ http_request
✓ http_request completed
...
============================================================
RESULTS
============================================================
Findings: 3
Path: /home/user/.pensar/sessions/.../findings.json
POCs: /home/user/.pensar/sessions/.../pocs/
Report: /home/user/.pensar/sessions/.../report.md
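A headless CI/CD wrapper around the command, as an added example that is not part of the pensar documentation or the pensar project: it passes a threat model using the @file convention from Guiding the Pentest, captures the streamed output, parses the RESULTS block whose format is shown above, and fails the pipeline when the findings count exceeds a threshold (or when the run never reached RESULTS). The target, the threat-model path, the threshold and the session directory in the constructed sample output are assumptions.

```shell
#!/bin/sh
# Added example, not part of the pensar documentation or the pensar project:
# a CI/CD wrapper that runs `pensar pentest` headlessly, parses the RESULTS
# block it prints (format as shown on this page) and fails the job when the
# findings count exceeds a threshold. Target, threat-model path, threshold and
# the session directory in the sample below are assumptions.
set -eu

# Constructed sample of pensar's stdout (shape copied from the Output section),
# so the parsing functions can be exercised without running the CLI.
SAMPLE_OUTPUT='============================================================
PENTEST ORCHESTRATION
============================================================
Target: https://example.com
Model: claude-sonnet-4-5
→ execute_command
✓ execute_command completed
============================================================
RESULTS
============================================================
Findings: 3
Path: /home/user/.pensar/sessions/<session-id>/findings.json
POCs: /home/user/.pensar/sessions/<session-id>/pocs/
Report: /home/user/.pensar/sessions/<session-id>/report.md'

# Print the integer after "Findings:" in captured output; 0 if the line is absent.
findings_count() {
  n=$(printf '%s\n' "$1" | sed -n 's/^Findings: *\([0-9][0-9]*\).*$/\1/p' | head -n 1)
  printf '%s\n' "${n:-0}"
}

# Print the path that follows a RESULTS label ("Path", "POCs" or "Report").
result_path() {
  printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# Gate: exit 0 when findings <= threshold, 1 otherwise. A run whose output never
# reached the RESULTS banner (for example, the CLI aborted) also fails the gate.
gate() {
  out=$1
  max=${2:-0}
  printf '%s\n' "$out" | grep -q '^RESULTS$' || return 1
  n=$(findings_count "$out")
  [ "$n" -le "$max" ]
}

# Real run: `sh ci-pentest.sh --run https://example.com ./threat-model.md 0`
# (requires the pensar CLI on PATH; nothing is executed when invoked without --run).
if [ "${1:-}" = "--run" ]; then
  target=${2:?usage: --run <target> <threat-model-file> [max-findings]}
  threat_model=${3:?usage: --run <target> <threat-model-file> [max-findings]}
  max_findings=${4:-0}
  # Capture the streamed progress and summary so it can be both shown and parsed.
  output=$(pensar pentest --target "$target" --threat-model "@$threat_model" 2>&1) || true
  printf '%s\n' "$output"
  if gate "$output" "$max_findings"; then
    echo "pentest gate passed ($(findings_count "$output") findings, max $max_findings)"
  else
    echo "pentest gate FAILED: review $(result_path Report "$output")" >&2
    exit 1
  fi
fi
```

The gate treats "no RESULTS block" as a failure rather than as zero findings, so a crashed or interrupted run cannot silently pass the pipeline; the printed Report path is surfaced on failure so the reviewer knows which session to open.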

Default Model

When --model is not provided, Apex uses the default model for your highest-priority configured provider. See pensar models for the priority order.

Authorization Required: Only test systems you own or have explicit authorization to test.