AssurePort continuously tests your web apps, APIs, GitHub, mobile and cloud the way a senior penetration tester would — only faster, cheaper, and on a schedule your auditor will actually accept.
A pentest signed off in January describes a system that no longer exists by March. Your team ships continuously. The attackers iterate continuously. The audit cadence is the only thing that hasn’t moved.
The result is a widening gap between what your last pentest verified and what is actually exposed to the internet today. That gap is where breaches are born — and where insurers, auditors and regulators are starting to look first.
AssurePort closes the gap by running the same depth of test your annual provider runs, but on every meaningful change — pull request, deploy, new endpoint, new cloud bucket, new domain.
AssurePort is a continuous penetration testing platform that combines AI agents — trained against the OWASP, MITRE ATT&CK and CWE corpora — with deterministic security checks to find, prove and explain exploitable vulnerabilities across web applications, REST and GraphQL APIs, Android mobile apps, GitHub repositories and cloud configurations. It is operated from the European Union, with all data, scan logs and AI inference contained within EU-hosted infrastructure (Cloudflare EU + Fly Frankfurt + Anthropic EU endpoint).
AssurePort is not a vulnerability scanner with marketing on top. Scanners tell you what might be wrong. AssurePort proves what is exploitable, on your specific configuration, with a reproducible proof-of-concept attached to every critical finding.
No agents to install. No long onboarding. Sign up, point us at something, and read the report.
Point AssurePort at a domain, a Git repository, a cloud account or a mobile APK. Connections are read-only by default and revocable in one click.
AI agents run authenticated scans, business-logic probes and controlled exploit attempts — every action mapped to OWASP, MITRE ATT&CK and CWE.
Each finding ships with severity, a reproducible PoC, the suggested remediation and CWE/CVE references. Export to PDF or JSON.
Stop assembling six scanners, a consultancy and a Friday-night spreadsheet. AssurePort covers every surface your auditor will ask about.
OWASP Top 10, business-logic abuse, broken authentication, IDOR — full proof-of-concept.
OWASP API Top 10 2023. Auth bypass, BOLA, mass assignment, injection.
Binary analysis, insecure storage, cert pinning bypass. MASVS L1 + L2.
Leaked secrets, vulnerable dependencies, IaC misconfigurations.
AWS, Azure, GCP, Kubernetes. CIS Benchmark aligned. IAM blast-radius, exposed buckets, K8s API surface.
Kerberoasting, ACL gaps, DC recon. Read-only, non-destructive AD security assessment.
NetWeaver / S/4HANA auth gaps, ABAP and RFC misuse. Read-only analysis.
SPF/DKIM/DMARC validation, phishing-kit detection, passive mail infrastructure reconnaissance.
TCP port and service discovery, product fingerprinting, and no-authentication exposure detection (open Redis/Elasticsearch/MongoDB/Docker API, anonymous FTP, SMTP open-relay). Detection only — no exploitation.
Passive and light-active external footprinting: WHOIS/RDAP, certificate-transparency subdomain enumeration, full DNS records, origin-IP discovery behind a CDN, live subdomain probing. Your public attack surface, mapped.
Import an existing Nessus, OpenVAS, Nmap, Burp, CSV or PDF report and get an AI-triaged summary mapped to GDPR/NIS2/ISO. Turns raw findings into prioritised insight.
We built AssurePort with the assumption that the security teams using it would read our architecture diagram, our independent pentest report and our DPA before granting access. They do. Here is what they read.
All scan inputs, code excerpts, screenshots and findings are processed inside isolated, tenant-scoped containers. Nothing you give us — not a line of source code, not a screenshot, not a URL — is used to train AssurePort’s models or any third-party model. Contractually guaranteed in our DPA. Anthropic EU endpoint enforces this at the infrastructure level.
AssurePort is hosted exclusively on European infrastructure — Cloudflare Workers (EU edge regions), Fly.io (Frankfurt), Cloudflare R2 (EU jurisdiction), Resend (EU). Anthropic AI inference is routed to the EU endpoint. Data, logs, AI inference and backups never leave the EU.
Every action an AssurePort agent takes is logged with the model used, the prompt, the tool call and the resulting output. You can replay any scan minute-by-minute and export the full trace for forensic review. 7-year retention, GDPR Article 32 compliant.
AssurePort never writes to your production systems, never executes destructive payloads, and never persists credentials beyond the lifetime of an authenticated scan. Domain Control Verification (DCV) and Rules of Engagement (RoE) validation are enforced as hard gates before any Advanced Mode scan proceeds.
We refuse to ship a critical-severity finding without a proof-of-concept you can rerun in your own environment. If we cannot reproduce it deterministically, we do not call it critical. Period. Findings without a working PoC are automatically downgraded to unconfirmed.
Our own platform is pentested before every release. The latest self-pentest report (May 2026: 5 findings, all remediated; SSRF + path-traversal + info-disclosure) is published on our Trust Center. External CREST-accredited audit is on our roadmap for Q4 2026 — Q2 2027 alongside ISO 27001 certification.
No model training. No data leaving the EU. Every action audit-logged.
| | Annual pentest | DIY scanners | AssurePort |
|---|---|---|---|
| Frequency | Once a year | On-demand, manual | Continuous, on every change |
| Surfaces covered | What you pay for | One per tool | 11 engines live today |
| Time to first report | 4–8 weeks | Hours of setup | Under 10 minutes |
| Proof-of-concept per finding | Sometimes | No | Always (reproducible) |
| Auditor-acceptable | Yes | No (raw output) | Yes (CWE/CVE/OWASP mapped) |
| Remediation guidance | Rarely | No | Yes, per finding |
| Annual cost (mid-size org) | €40k–€120k | €15k+ in licences | From $99 one-time / $349 monthly |
No fabricated case studies. No anonymous metrics. We make claims we can back with a link.
May 2026. 5 findings. All remediated. SSRF, path-traversal and info-disclosure confirmed and closed before release.
Read the full report →

RFC 9116 security.txt with PGP-signed contact. Responsible disclosure policy. Researcher reports processed within 5 business days.

View security.txt →

ISO 27001 + external CREST audit targeted Q4 2026 — Q2 2027. Public commitment, tracked monthly on our Trust Center.

View roadmap →

“We chose ‘continuous AI pentest’ as a category because the alternative — annual pentest + quarterly scanner reports — was demonstrably failing the customers we talked to. We publish our own findings. We publish our own roadmap. We publish our own architecture. That’s the bar.”

AssurePort engineering team — May 2026
unconfirmed rather than published as critical.

No credit card. No sales call. Sign up, point us at a domain, get a real report.