Technique-Level Execution.
Validated Findings.
Measurable Security Posture.
PENTRA is a penetration testing and vulnerability management platform that executes MITRE ATT&CK techniques and OWASP test cases at the individual technique level. Every result is validated by a security engineer, every detection is marked by the Blue Team, and every finding is backed by proof of execution.
PENTRA can be used by internal security teams as a platform or delivered as a fully managed service by Reacts — using the same structured methodology, technique library, and evidence-based execution model.
Penetration testing generates findings. PENTRA turns them into evidence.
Most engagements cover what the engineer remembers to test. PENTRA enforces scope through its technique library and Open Points tracker — every technique in scope must be executed and validated before the engagement can close.
A finding without proof is an opinion. Every PENTRA test case carries screenshot evidence for the pass and fail outcome — stored securely, embedded in reports, and traceable to the engineer who validated it.
Red teams execute. Blue teams guess. PENTRA gives the Blue Team a live portal showing what is being executed — so detection can be marked per technique, with evidence, in real time. The result is a measured Detection Rate, not an estimate.
From Finding to Confirmed Fix — Without Losing the Thread.
Most platforms track findings. PENTRA closes them — with the same rigor used to discover them.
Penetration testing produces findings. Findings require remediation. Remediation requires confirmation. PENTRA manages the complete lifecycle — from the moment a vulnerability is confirmed by the engineer to the moment a retest proves it no longer exists.
| Step | Who Acts | What Happens |
|---|---|---|
| 1 | Engineer | Technique executed, exploitability validated, severity assigned, evidence uploaded. Finding recorded in PENTRA. |
| 2 | Blue Team / Needed Actions queue | Finding appears immediately in the Blue Team Portal as a Needed Action — with technique reference, severity, affected object, and engineer evidence. |
| 3 | Blue Team | Defense team applies the mitigation. Blue Team marks the finding as mitigated in their portal, with a mitigation note. |
| 4 | Engineer | PENTRA automatically notifies the engineer that the Blue Team has marked the finding as mitigated and that retest is ready. |
| 5 | Engineer | Engineer retests the specific technique against the patched environment using the same execution path. Result is recorded with new evidence. |
| 6 | Engineer | If retest confirms the fix, the finding is marked resolved — with retest evidence attached. If the technique still succeeds, the finding is escalated back to the Blue Team with new evidence. |
Every finding PENTRA discovers, PENTRA can confirm is fixed — under the same attack conditions that found it.
Four Domains. One Platform. One Methodology.
PENTRA applies the same structured execution model — technique selection, execution, validation, evidence, reporting — across every attack surface.
Internal Network & Active Directory
Structured technique execution against the full MITRE ATT&CK kill chain.
Execute MITRE ATT&CK techniques across the complete tactic sequence — from Initial Access through Impact — against internal network infrastructure and Active Directory environments. Each technique is executed individually, validated by the engineer, and recorded with evidence.
- Full MITRE ATT&CK tactic/technique library for internal network and AD assessments
- Windows agent deployment with unique TLS certificates per agent
- Technique-level execution with real-time output streaming via WebSocket
- Attack path builder with diagram editor and per-step annotations
- Security Score and Detection Rate computed per tactic in real time
- Open Points tracker — engagement cannot close until all techniques are validated
Web Application Penetration Testing
Structured web security testing against the complete OWASP testing guide.
Execute OWASP-aligned test cases against web applications — from authentication and session management through injection, business logic, and API security. Each test case is validated for exploitability and evidenced before the finding is recorded.
- Full OWASP Web Application Testing Guide — test case library per category
- Scoped technique selection per engagement
- Engineer-validated findings with severity, affected object, and evidence
- Attack path documentation for multi-step exploitation scenarios
- On-demand PDF and Word report generation
Mobile Application Penetration Testing
Structured mobile security testing for iOS and Android — against OWASP Mobile.
Apply the same structured execution model to iOS and Android application assessments. Each OWASP Mobile test case is executed by the engineer, findings are validated and evidenced, and professional mobile pentest reports are generated on demand.
- Full OWASP Mobile Application Testing Guide — iOS and Android
- Test case execution tracking per technique
- Evidence gallery per finding
- Open Points tracker for 100% scope coverage
- On-demand mobile pentest PDF report
API Security Testing
Structured API security testing against OWASP API Security.
APIs represent one of the most consistently under-tested attack surfaces in enterprise environments. PENTRA's API module applies structured test case execution to REST, SOAP, and GraphQL endpoints — with engineer-validated findings, evidence per test case, and on-demand reporting.
- Full OWASP API Security test case library
- Test case-level finding tracking with severity ratings
- Evidence gallery per finding
- Open Points tracker for 100% scope coverage
- On-demand API pentest PDF with preview mode
PT++: Purple Team Built Into the Platform
PENTRA's PT++ framework enables simultaneous red team execution and blue team detection validation — in the same engagement, in real time.
PT++ is not a separate product or add-on. It is the structured Purple Team methodology built into every PENTRA engagement. When a PT++ engagement is active, the Engineer Portal and Blue Team Portal run in parallel — red team executes techniques while the Blue Team Portal streams live execution data to defenders, who mark detection manually with evidence.
| Capability | What It Produces |
|---|---|
| Structured Technique Execution | A complete execution record for every in-scope technique — who ran it, when, what the output was, and whether it was validated as exploitable. |
| Verified Security Score | A Security Score computed per tactic from confirmed engineer findings — not scanner output. Tracks how well the environment resists each ATT&CK or OWASP category. |
| Measured Detection Rate | A Detection Rate computed per tactic from Blue Team manual markings — not inferred from tool logs. Tracks how effectively the SOC detects what the Red Team executes. |
| Enforced Scope Coverage | 100% coverage — enforced through the Open Points tracker. No technique can be missed without being explicitly marked Not Applicable. |

| Metric | Definition | Computed From |
|---|---|---|
| Security Score | The percentage of MITRE ATT&CK techniques or OWASP test cases that the environment successfully resisted. | Engineer-confirmed findings per tactic — updated in real time |
| Detection Rate | The percentage of executed techniques that the Blue Team manually marked as detected, with supporting evidence. | Blue Team manual markings per tactic — updated in real time |
| Scope Coverage | Percentage of in-scope techniques executed and validated. Reaches 100% only when all Open Points are cleared. | Open Points tracker |
Every Stakeholder Has a Portal Built for Them
PENTRA operates three independent, isolated portals. Each has its own authentication, permissions, and purpose. Sessions cannot cross portal boundaries.
| Portal | For | Core Capabilities |
|---|---|---|
| Engineer Portal | Pentesters running the engagement | MITRE ATT&CK / OWASP technique library, technique-level execution, evidence upload, attack path builder, finding records, on-demand report generation, agent management |
| Blue Team Portal | Defenders and SOC analysts | Live feed of executed techniques, manual detection marking with evidence upload, Detection Rate per tactic, mitigation tracking, Needed Actions queue, Blue Team detection report |
| Admin Portal | Platform and engagement administrators | Project configuration, user account management, agent provisioning and certificate management, technique library management, license management, system health monitoring |
Architecture Designed for Controlled, Secure Testing
Every action in PENTRA is tracked, attributed, and recoverable. Deployed on-premises — your data never leaves your infrastructure.
The central management layer where all projects, techniques, findings, and reports are managed. Engineers operate from the console: selecting techniques, reviewing execution output, recording findings, and generating reports. The C2 server hosts the Engineer, Blue Team, and Admin portals — and runs the Web, Mobile, API, and Purple testing modules directly.
The Network module is the only module that requires an agent. Web, Mobile, API, and Purple modules run from the C2 server directly. The Network agent is deployed on a customer-provided Windows initial-access machine and issued a unique TLS certificate from the PENTRA internal CA — cryptographically identifying it to the C2 server.
- Receives technique execution commands from the engineer console
- Executes MITRE ATT&CK techniques against the internal network
- Streams real-time output back to the engineer via WebSocket over TLS
- Monitored for liveness — automatically flagged as offline if unreachable
agentN.pentra.internal)
- Agents do not persist between engagements unless explicitly retained
- All execution output is logged in private, non-web-accessible storage
- Agent count enforced by license — no unauthorized deployments possible
- No cloud connectivity required — PENTRA is fully air-gappable
PENTRA Security Lab
Your Environment Tested Against What Attackers Are Actually Using Today — Including what AI is helping them build.
The PENTRA Security Lab is a dedicated internal research function that continuously develops, validates, and integrates new attack content into the PENTRA platform. When your team runs an engagement, they are working from a technique library that reflects the current threat landscape — including attack payloads that did not exist six months ago.
| What the Lab Produces | Benefit to Your Team |
|---|---|
| New MITRE ATT&CK techniques and OWASP test cases | Your technique library grows without any effort from your team |
| AI-generated attack payloads and bypass scripts | Tests reflect attacker capabilities that evade conventional detection and signature-based defenses |
| Updated execution payloads | Tests reflect current attacker tooling — not legacy implementations |
| APT group TTP mappings | Test specifically against the threat actors relevant to your industry |
| Detection use cases per new technique | Blue Team and SOC receive actionable detection guidance alongside every new test case |
| Mitigation recommendations | Every new technique comes with a remediation reference |
Outsource your attack R&D. Your engineers test against what is current. The Security Lab ensures current means now — not last year.
Compare Security Controls Across Environments. In One Engagement.
Deploy multiple agents. Execute the same techniques. See which configurations hold — and which don't.
Most penetration tests answer a binary question: can an attacker get in? PENTRA enables a more precise question: which of our security control configurations actually stops this technique?
| Scenario | What It Answers |
|---|---|
| EDR policy validation | Which EDR configuration blocks this technique? Which lets it through? |
| OS hardening baseline comparison | Does our CIS Level 1 baseline stop lateral movement techniques that Level 2 blocks? |
| Network segmentation validation | Can an attacker pivot from VLAN A to VLAN B using these techniques — or does the segmentation hold? |
| Golden image security posture | Which of our candidate golden images has the lowest residual attack surface against our ATT&CK scope? |
| Security control procurement | Before deploying a new EDR or NGFW, validate its effectiveness against your specific technique scope — with evidence. |
1. Define the technique scope for the engagement
2. Deploy PENTRA agents on each target environment — different machines, VMs, or network segments
3. Execute the same technique set across all agents — simultaneously or sequentially
4. Engineer validates each outcome per agent
5. PENTRA generates a comparative report — Security Score per configuration, per tactic — showing exactly where each environment succeeded or failed
Validate Security Before Deployment — Not After.
Apply the same attack library you use in production to the environments you build before they get there.
PENTRA's attack library and technique-level execution automation can be applied at any stage of the development lifecycle. The same MITRE ATT&CK and OWASP techniques executed against production assets can be executed against staging environments, containerized build artifacts, or infrastructure-as-code deployments before they reach production.
| Stage | What PENTRA Validates |
|---|---|
| Pre-production environment | Execute the full OWASP test case set against the application before it is promoted to production. Find authentication flaws and injection surfaces before users can reach them. |
| Infrastructure deployment | Validate that a new server image or container configuration resists the ATT&CK techniques relevant to your environment — before it joins the production network. |
| Security control deployment | After deploying a new EDR, WAF, or network policy, run the relevant ATT&CK or OWASP techniques to confirm the control is effective — with engineer-validated evidence. |
| Patch validation | After patching a known vulnerability, retest the specific technique that exploited it — confirming remediation under the same attack conditions, not just on paper. |
Find it in staging. Fix it before deployment. Confirm it with evidence.
Aligned With Every Major Security Framework
| Standard | How PENTRA Aligns |
|---|---|
| MITRE ATT&CK | Full tactic/technique library for network (internal and external) assessments. Every finding is mapped to the ATT&CK technique from the moment it is recorded. |
| OWASP | Full test case coverage for Web Application, Mobile Application, and API security assessments. |
| NIST Cybersecurity Framework | Pentest findings are cross-referenced to NIST controls in generated reports. |
| PCI-DSS | Compliance impact analysis per finding available in all reports. |
| ISO 27001 | Report findings are referenceable against ISO 27001 controls for audit use. |
One Platform. Designed for the Full Security Organization.
Industries We Serve
Banking, insurance, and fintech security testing with PCI-DSS compliance alignment and audit-ready reporting.
Security assessments for healthcare systems, patient data environments, and regulated infrastructure — with evidence-backed compliance documentation.
Payment system security testing with PCI-DSS scope coverage.
OT/ICS-adjacent network segmentation validation and internal network assessments for industrial environments.
MSPs and MSSPs delivering structured, evidence-backed penetration testing to their client base through PENTRA.
Large-scale internal and external network assessments with continuous engagement cadence and trend reporting.
What Organizations Use PENTRA For
| Use Case | Description |
|---|---|
| SOC Detection Validation | Execute MITRE ATT&CK techniques in a controlled environment while the Blue Team tracks detection in real time. Identify exactly which techniques your detection stack misses — with evidence. |
| Continuous Security Validation | Run recurring structured engagements against an always-current technique library. Track Security Score and Detection Rate trends across quarters to validate security investment impact. |
| Compliance Readiness | Use PENTRA's audit-ready reports — with MITRE ATT&CK and OWASP-mapped findings and evidence per test case — to demonstrate control effectiveness to auditors and regulators. |
| PT++ Purple Team Exercises | Run coordinated purple team engagements where Red Team execution and Blue Team detection marking happen simultaneously. Produce a combined report with attack coverage, Detection Rate per tactic, and an open mitigation backlog. |
| Executive Security Reporting | Generate on-demand executive summaries with Security Scores, severity distributions, and Detection Rates — formatted for board-level risk decisions. |
| Multi-Client Consulting | Deliver consistent, evidence-backed engagements across multiple clients from a single platform. Provide clients with live portals and automated reports that differentiate your firm from document-only competitors. |
| Security Control Comparison | Deploy multiple PENTRA agents simultaneously across different golden images, VLAN segments, or security control configurations. Execute the same technique set across all targets in parallel and compare outcomes. |
| DevSecOps Security Validation | Integrate PENTRA's attack library into your development pipeline to validate the security posture of assets before they reach production — find and fix security gaps before deployment, not after. |
Available Globally — Deployed On-Premises
PENTRA is deployed on your infrastructure — your data never leaves your environment. Engagements are supported internationally, with remote delivery available across all regions.