pentest-tools.com


Pentest-Tools.com helps security professionals find, validate, and communicate vulnerabilities faster and with greater confidence - whether they’re internal teams defending at scale, MSPs juggling clients, or consultants under pressure.

With comprehensive coverage across network, web, API, and cloud assets, and built-in exploit validation, it turns every scan into credible, actionable insight.

Trusted by over 2,000 teams in 119 countries and used in more than 6 million scans annually, it delivers speed, clarity, and control - without bloated stacks or rigid workflows.

Toots about #infosec #penetrationtesting /
#pentesting #ethicalhacking #offensivesecurity

Free pentest tools: https://pentest-tools.com/for/free
Free account: https://pentest-tools.com/usage/pricing/free
Product: https://pentest-tools.com/
Blog: https://pentest-tools.com/blog
LinkedIn (49k peeps): https://www.linkedin.com/company/pentesttools
Youtube: https://www.youtube.com/c/PentestToolscom

World Password Day. The finding that should sting: roughly 60% of credential issues from real pentests this year came from factory defaults still running. FTP, RDP, Redis, Telnet. No brute-forcing needed.

Dragos Sandu, Product Manager at Pentest-Tools.com, shared the data with IT Security Guru. Full piece: https://www.itsecurityguru.org/2026/05/07/world-password-day-2026-the-credential-crisis-hasnt-gone-away-its-just-got-more-dangerous/

#offensivesecurity #penetrationtesting

World Password Day 2026: The Credential Crisis Hasn’t Gone Away, It’s Just Got More Dangerous

Every year, World Password Day arrives with a familiar chorus: use longer passwords, don’t reuse them, enable multi-factor authentication, and every year, att

IT Security Guru

The Crafter CMS Groovy sandbox has been patched three times. CVE-2021-23259, CVE-2022-40635, CVE-2025-6384.

Our team went back in anyway and found 14 distinct RCE bypass techniques in v5.0.0: AST Transformations, SpelExpressionParser, GroovyShell, Template Engines, XStream, BeanShell, Jakarta EL, Commons Exec, Object Factories, MBeans, and more.

The sandbox wasn't broken in one place. It was porous.

CVE-2026-1770 (PTT-2025-022). Full PoC: https://pentest-tools.com/research

AI didn't create the validation gap. It widened it.
When something slips through, who's actually responsible for catching it?
The dev who prompted it: 0%
The security team: 0%
Shared responsibility: 0%
Nobody, and that's the problem: 0%

Most tools added AI and called it a feature. We kept asking whether it actually makes results more reliable.

Session two of Office Hours is recorded. Jan covers the ML classifier, the authentication layer, and the MCP integration that won't act without your explicit go-ahead.

45 minutes. Q&A included.

Recording: https://www.youtube.com/watch?v=abGruzf2pPk

#penetrationtesting #offensivesecurity #vulnerabilitymanagement

Office Hours 2: AI, Accuracy and what's next

YouTube

CVE-2026-40321: stored XSS in DNN (DotNetNuke) prior to v10.2.2 chains to full RCE.

Any authenticated user can upload a crafted SVG with embedded JavaScript. If a power user opens it, the payload calls DNN's own config endpoint to drop an ASPX backdoor in the server root.

One file. One click. Full RCE. CVSS 8.1, patched, fully documented.

Write-up + PoC payloads: https://pentest-tools.com/blog/dotnetnuke-xss-to-rce

More research from our team: https://pentest-tools.com/research

#offensivesecurity #penetrationtesting #infosec

DotNetNuke: XSS to RCE (CVE-2026-40321)

Pentest-Tools.com

False positives in web scans often aren't wrong detections. They're unfiltered responses: soft 404s, error pages, and redirect chains that look like findings until someone checks.

We added an ML classifier that catches those before they ever surface as results. Fewer findings to re-validate, cleaner reports, less explaining to developers.

Full breakdown: https://pentest-tools.com/usage/minimize-false-positives

#pentesting #offensivesecurity

Compliance evidence trails don't build themselves in the two weeks before an audit.
Jan Pedersen walked through how continuous scanning handles that automatically: scheduled scans, before-and-after remediation proof, reports for both auditors and engineers.

Recording: https://www.youtube.com/watch?v=HpuXoV_ngRQ
Tomorrow: session two on AI, accuracy and what's next.
1️⃣ 3:00 PM Bucharest / 1:00 PM London / 8:00 AM New York
👉 https://zoom.us/webinar/register/WN_uMAjbUwRSqCj1knLCcOCTg
2️⃣ 7:00 PM Bucharest / 5:00 PM London / 12:00 PM New York / 9:00 AM Los Angeles
👉 https://zoom.us/webinar/register/WN_xp1ewHcMQVKVoZe4bAEIxw
#infosec #compliance #penetrationtesting

Office hours #1: From panic to process — building a compliance evidence trail

YouTube

We shipped an MCP server for Pentest-Tools.com. Connect Claude, Cursor, VS Code, Gemini CLI, or any MCP-compatible client and drive scans, finding triage, and report generation through natural language.

Every tool call needs explicit approval before it runs. JSON-Schema validated.

Python package is open source, self-hosting supported: https://github.com/pentesttoolscom/pentesttools-pypi
Docs and ready-made configs: https://pentest-tools.com/docs/ai/mcp/overview

#infosec #pentesting #MCP #opensource

New research from Matei "Mal" Bădănoiu (Pentest-Tools.com):

Stored XSS to RCE in DNN Platform (DotNetNuke), CVE-2026-40321.

SVG upload with javascript: in an <a href> bypasses the filter. The /API/personaBar/ConfigConsole/UpdateConfigFile endpoint writes an ASPX backdoor to the web root. whoami → iis apppool, Potato your way to SYSTEM.

Delivery: DNN's own internal messaging. No external infra.

https://pentest-tools.com/blog/dotnetnuke-xss-to-rce

#RedTeam #InfoSec #CVE #AppSec
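
An added example, not taken from the posts, the write-up or DNN's code: a server-side upload check for the SVG vector described in the two CVE-2026-40321 posts above, rejecting files with script-capable elements, event-handler attributes or link targets outside an allowlist. The allowlist, the function names and both sample files are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
SAFE_PREFIXES = ("http:", "https:", "#")  # assumed policy: only these link targets pass

# Constructed samples, not payloads from the write-up.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><a href="https://example.com/"><text>docs</text></a></svg>'
SUSPECT = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
           b'<a xlink:href=" Java&#9;Script:void(0)"><text>open</text></a></svg>')


def local(name):
    """Strip the XML namespace so href and xlink:href are treated alike."""
    return name.rsplit("}", 1)[-1]


def normalise_url(value):
    """Remove whitespace and control characters that browsers ignore in a URL scheme."""
    return re.sub(r"[\x00-\x20]+", "", value).lower()


def svg_findings(svg_bytes):
    """Return reasons to reject the upload; an empty list means nothing active was found."""
    raw = svg_bytes.replace(b"\x00", b"")  # crude UTF-16 flattening for the DTD check
    if re.search(rb"<!DOCTYPE|<!ENTITY", raw, re.I):
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        name = local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            attr_name = local(attr).lower()
            if attr_name.startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name == "href":
                url = normalise_url(value)
                if not url.startswith(SAFE_PREFIXES):
                    findings.append(f"disallowed link target on <{name}>: {url[:20]}")
    return findings
```

Parsing the file and comparing the normalised scheme against an allowlist catches mixed-case and whitespace-split `javascript:` values that a plain string filter misses; serving user uploads with `Content-Disposition: attachment` or from a separate origin covers what the parser does not.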

The frameworks keep multiplying. The calendar doesn't.
But let's be honest about how it actually feels.

#cybersecurity #infosec #compliance

What is your relationship with compliance?

Necessary evil, but I do it: 50%
Fine by me. Structure helps.: 50%
It's eating my calendar alive: 0%
We don't talk about compliance: 0%