Real exploitation, verified, in 24 hours
SQUR discovers, exploits, verifies, and reports vulnerabilities in your web applications and APIs, with the depth of an expert pentester and the speed of automation. Fixed €1,995. EU-hosted.
How an engagement runs
You provide a target URL, optional credentials for one or more roles, an objective, and a scope (which URLs are in or out of bounds, and what may be actively exploited). Then the agents work through six stages.
- Reconnaissance. Map the application, enumerate technologies, surface the attack surface.
- Planning. Prioritise based on what was discovered and your objectives.
- Exploitation. Real attacks against likely vulnerabilities using an industry-standard security toolchain.
- Verification. A separate agent independently re-tests every candidate finding, via an alternative path, before it reaches your report.
- Deduplication. Equivalent findings are merged into a clean, distinct list, not scanner noise.
- Reporting. Role-tailored reports with reproducible evidence.
Nine specialised AI agents collaborate as a pentest team (planner, explorer, attacker, verifier, scope enforcer, reporter, and more). A dedicated agent enforces your scope before every action, at the system level, not left to individual agent discretion. That is what makes production-safe testing possible. Human-in-the-loop is reserved for exceptional cases (a target temporarily inaccessible, a complex login flow needing operator help), not a routine part of every engagement.
Controls you keep throughout
Follow it live
An activity timeline shows what the agents are doing as the engagement runs, with findings appearing as they are confirmed.
Pause any time
Pause a running pentest to take load off a target system while testing is underway, then resume.
Cancel for a full credit
Cancel within the first 60 minutes and the credit is returned. If something looks wrong early, stop.
Retest included
Trigger a retest of any fixed finding with one click. Retesting is included in your pentest.
What it covers
Testing follows a SQUR methodology aligned to the OWASP Top 10, the OWASP API Security Top 10, and the OWASP Web Security Testing Guide (WSTG). Authenticated testing runs with multiple user roles per engagement (for example admin, regular user, guest), which is required for access-control classes like IDOR and privilege escalation.
It is real exploitation, not detection
SQUR scored 87.5% on an independent pentest benchmark, beating the top human pentester at 85%. Every finding passes an independent verification step by a separate agent before it appears in your report.
| Vulnerability class | Benchmark success |
|---|---|
| IDOR, SQLi, SSRF, XXE, GraphQL, business logic | 100% |
| XSS, privilege escalation, command injection | 90%+ |
SQUR's detection engine is co-developed with KASTEL Security Research Labs at the Karlsruhe Institute of Technology (KIT). Customers include Gameforge, bitExpert, and Codeligence.
What you get
Verified, deduplicated findings with reproducible evidence: confirmed vulnerabilities with documented proof-of-exploitation, not a raw list of detections. Four report formats from a single engagement, all delivered as PDF and HTML with embedded evidence screenshots.
| Report | Audience | Focus |
|---|---|---|
| Executive | Leadership, decision-makers | Risk posture, business impact, headline numbers |
| Audit | Compliance and audit functions | Evidence, reproducibility, traceability |
| Technical | Engineers, developers | Full technical detail, remediation guidance |
| Full | Internal record-keeping | Everything in one place |
Every finding is enriched with:
When a pentest closes with no high or critical findings, you can generate a shareable public certificate attesting the result, useful evidence for customers, partners, and procurement reviews.
Speed, price, and compliance
| Speed | 24-hour turnaround versus 3 to 6 weeks for a traditional manual engagement. On-demand, no scheduling or procurement. |
| Price | €1,995 fixed per pentest. Bulk 10 credits €14,950 (€1,495 each, valid 12 months). A typical manual engagement runs €10,000 to €30,000, so SQUR is roughly 80% below. |
| Onboarding | Self-serve, no security expertise required to launch. No scoping calls, no procurement process. |
| Data residency | All scanning data, findings, and reports stored in GCP europe-west1 (Belgium). GDPR-aligned handling. |
| Compliance evidence | Reports are structured to support GDPR, DORA Article 24 (annual penetration testing), ISO 27001, SOC 2, and NIS2. |
Start a pentest
Create a free account to see a ready-made demo pentest with a full sample report, then run your own. No scoping calls.