
Pentrova is launching soon. Join the waitlist for early access.


Send Pentrova findings where your team already works.

Findings flow into Slack, Teams, Discord, and email. Pentests run from your CI pipeline. No custom code.

Notification destinations

Tenant admins configure each destination in the platform UI. Severity filters, channel routing, and per-target subscriptions are tenant-level settings.

  • Slack

    Incoming Webhook routing per workspace, per channel, with severity filters.

  • Microsoft Teams

    Incoming Webhook posting to a target channel with the same severity filters.

  • Discord

    Incoming Webhook routing for community-led security teams.

  • Email

    SMTP delivery to one or more recipients per integration.

  • Custom webhook

    Signed JSON POST to any HTTPS endpoint. Forward findings into a custom queue, an internal API, or a system Pentrova does not yet ship as a first-class connector.

CI gating templates

Drop-in templates run a Pentrova pentest from your pipeline. Build fails on new exploitable findings; the pentest evidence URL is posted back to the build artifact or merge request.

  • GitHub Actions

    Reusable workflow file with Pentrova credentials in repository secrets and a single job step.

  • GitLab CI

    Pipeline template that triggers a pentest on every merge request and posts a summary comment.

  • Jenkins

    Declarative Jenkinsfile snippet for environments still running self-hosted Jenkins.

  • CircleCI

    Orb-style configuration for CircleCI projects.

  • Azure Pipelines

    YAML task that runs against staging on every release branch.

  • Bitbucket Pipelines

    Atlassian-cloud Bitbucket Pipelines step shipped alongside the others.

Integration questions

  • Common objection: We already have a scanner — why add another tool?
    Most scanners score findings probabilistically, which is why AppSec queues grow faster than they shrink. Pentrova only publishes findings our verifier can reproduce, so you are not adding a second queue — you are retiring the unreproducible half of the first one. The product is engineered so backlog should shrink as Pentrova lands, not expand.
  • Common objection: Aren't you too expensive compared to free open-source tools?
    Free scanners are excellent at what they do and we ship our own four free tools for that reason. Pentrova replaces the human hours teams spend triaging and reproducing probabilistic findings, not the scanners themselves. The pricing is set so a verified PoC bundle costs less than the engineering time a probabilistic queue would consume.
  • Common objection: DAST scanners are too noisy — what stops Pentrova from drowning us in alerts?
    Every candidate finding is replayed in a clean session by our verifier and the differential signal that flagged it — status code, response body hash, sensitive byte sequences, error patterns — is compared against a clean baseline before it becomes a ticket. Findings whose differential does not reproduce never enter the queue. In practice that turns the "noise vs signal" ratio into a binary gate: if the differential reproduces, it is signal.
  • Which destinations does Pentrova ship as first-class today?
    Five notification providers — Slack, Microsoft Teams, Discord, email, and a custom webhook — plus six CI gating templates (GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure Pipelines, Bitbucket Pipelines).
  • Where are the integration credentials stored?
    Webhook URLs and integration secrets are stored encrypted at rest, scoped per tenant, and visible only to tenant admins. Failing destinations are auto-disabled after ten consecutive errors so a broken endpoint never silently absorbs notifications.
  • Does the webhook payload carry raw exploit content?
    No. The webhook event carries the finding metadata (id, severity, class, chain id, target, evidence URL, created_at). The raw exploit payload and the full evidence stay in the Pentrova evidence store; recipients fetch them via the evidence URL with their workspace credentials.
  • Can I map Pentrova severities to my internal severities?
    Severity is included in every event as Critical / High / Medium / Low / Info. Custom mapping happens on the receiving side — for example, in an automation rule keyed on the severity field.
  • How are duplicate findings handled?
    Pentrova dedupes findings by fingerprint inside the platform so one bug does not produce one notification per pentest. The webhook fires only when a finding is first confirmed, when its severity changes, or when it regresses after being marked fixed.
  • Web App Pentesting

    Browser-side coverage with replay-verified findings, ready to flow into a notification channel or a CI pipeline gate.

    Open Web App Pentesting →
  • API Pentesting

    REST, GraphQL, gRPC, SOAP coverage across six auth modes — findings flow through the same webhook contract.

    Open API Pentesting →
  • Custom webhook + REST API

    Forward findings into any system Pentrova does not ship as a first-class connector today. Same payload, same HMAC signature, no extra abstraction.

    See the platform →
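
What the receiving side of the custom webhook could look like, as an added example that is not Pentrova's own code: it authenticates the signed JSON POST, checks the finding metadata listed above, and maps the severity field to an internal scale. The hex HMAC-SHA256 scheme, the JSON key names, the `P1`–`P5` labels and the sample event are assumptions; the page does not specify them.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Assumptions, not from the Pentrova page: hex HMAC-SHA256 over the raw body,
# the JSON key names, and the internal priority labels.
SEVERITY_MAP = {"Critical": "P1", "High": "P2", "Medium": "P3", "Low": "P4", "Info": "P5"}
REQUIRED = ("id", "severity", "class", "chain_id", "target", "evidence_url", "created_at")


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes received (assumed scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_event(secret: bytes, raw_body: bytes, signature: str, evidence_host: str) -> dict:
    """Verify and map one finding event; raise ValueError if it is rejected."""
    # Authenticate the raw bytes before parsing; compare in constant time.
    expected = sign(secret, raw_body).encode()
    if not hmac.compare_digest(expected, (signature or "").encode()):
        raise ValueError("signature mismatch")
    event = json.loads(raw_body)  # JSONDecodeError is a ValueError
    if not isinstance(event, dict) or any(k not in event for k in REQUIRED):
        raise ValueError("missing finding metadata")
    if event["severity"] not in SEVERITY_MAP:
        raise ValueError("unknown severity")
    # Only follow evidence links that point at the expected HTTPS host, so
    # workspace credentials are never sent anywhere else.
    url = urlsplit(str(event["evidence_url"]))
    if url.scheme != "https" or url.hostname != evidence_host:
        raise ValueError("unexpected evidence URL")
    return {"finding": event["id"], "priority": SEVERITY_MAP[event["severity"]],
            "target": event["target"], "evidence_url": event["evidence_url"]}


# Constructed sample event and secret, for illustration only.
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_BODY = json.dumps({
    "id": "finding-0001", "severity": "High", "class": "example-class",
    "chain_id": "chain-0001", "target": "staging.example.invalid",
    "evidence_url": "https://evidence.example.invalid/f/finding-0001",
    "created_at": "2024-01-01T00:00:00Z",
}).encode()

if __name__ == "__main__":
    sig = sign(SAMPLE_SECRET, SAMPLE_BODY)
    print(handle_event(SAMPLE_SECRET, SAMPLE_BODY, sig, "evidence.example.invalid"))
```

The signature is computed over the bytes as received, so verify before any JSON re-serialization or middleware that rewrites the body.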

Next step

Start your first pentest.

No sales call. No setup fee. Proof in minutes.
