Loading…
Coastline Cyber Security
Autonomous penetration testing.
Driven by your prompt.
The same P1/P2 hunting methodology our analysts use by hand — running on demand against the targets you describe in plain English. Subdomain enumeration, attack-surface mapping, vulnerability discovery, board-ready reporting.
First scan free with code FIRSTSCAN — no card required.
Black-box external·
25+ vulnerability classes·
Independently validated·
Board-ready report
What every engagement delivers
A real pentest deliverable — not a scanner dump.
Every Coastline engagement is validated, evidence-backed, and written up like a human consultant would.
✓
Validated findings
Each finding is independently re-checked by a separate model before you ever see it — scanner noise and false positives filtered out.
✓
Verbatim evidence
Every finding ships the exact request/response or PoC that proves it. Reproducible, not theoretical.
✓
CVSS + VRT severity
Scored and mapped to the industry VRT taxonomy with a CWE — ready to triage and track.
✓
Remediation guidance
Concrete, configuration-level fix steps written for each finding.
✓
Board-ready report
A Coastline-branded report: executive summary, matrix of findings, detailed write-ups, methodology.
✓
Coverage appendix
Exactly what was tested vs only enumerated — a straight answer to "did you test this host?"
How it works
From a plain-English prompt to a validated report.
1
Describe the target
Paste your scope in plain English — domains, IPs, what's in and out.
2
Recon + exploitation
Subdomain enumeration, attack-surface mapping, and active exploitation across 25+ vulnerability classes.
3
Independent validation
Every candidate finding is adversarially verified before it's reported.
4
Professional report
Download a board-ready report the moment the engagement completes.
What a finding looks like
A real report finding — not a scanner line item.
Every finding in your report carries severity, CWE, CVSS, the affected asset, impact, a reproducible proof, and remediation. This is the exact structure of the DOCX you download.
Pricing
Your first scan is on us.
Create a free account and redeem FIRSTSCAN for a complete engagement — no card required. Then top up as you grow. 1 credit = 1 pentest.
Single Scan
$199
1 credit · one pentest
Starter Pack
$799
5 credits · $160 each
Pro Pack
$2,499
20 credits · $125 each
Team Pack
$4,999
50 credits · $100 each
Unused budget on under-scope scans is auto-refunded. Prices in USD.
Compare packages
| Package | Price | Credits | Per scan | Best for |
|---|---|---|---|---|
| Single Scan | $199 | 1 | $199 | One-off / first test |
| Starter Pack | $799 | 5 | $160 | Quarterly testing |
| Pro Pack | $2,499 | 20 | $125 | Monthly across apps |
| Team Pack | $4,999 | 50 | $100 | Continuous / MSP |
How Coastline compares
| Coastline | Traditional pentest | Vuln scanner | |
|---|---|---|---|
| External pentest price | from $199/scan | $5,000–$15,000 | $100–$300/mo |
| Turnaround | Hours | 2–4 weeks | Minutes |
| Validated findings (no false-positive dump) | ✓ | ✓ | ✗ |
| Verbatim PoC evidence | ✓ | ✓ | Partial |
| Professional report (exec + matrix + remediation) | ✓ | ✓ | ✗ |
| Run on-demand & repeat | ✓ | No (re-quote) | ✓ |
| Cost to re-run | 1 credit | Full re-engagement | Included |
Scanner speed and price, with the validation and reporting of a real pentest.
Ready to get started?
Create your free account and run your first scan — redeem FIRSTSCAN for a free engagement. No card required.
Sign-in error
Already have an account? Sign in
Stuck? Reset auth state
Ready to run a pentest?
Paste a target URL or describe the scope in plain English.
We'll plan the engagement, let you review, and run it against
the target plus its associated SaaS/cloud footprint.
1 credit = 1 full pentest engagement. If the agent needs more
runtime on a deep scope, you can top up with +1 credit to extend;
refund unsatisfactory engagements within 30 days.
·
✓ RoE signed (,
)
· consultant, client:
re-sign
⚠ Rules of Engagement unsigned —
sign now
30-day activity
engagements
Most recent engagements
Go to Engagements
to launch a new scan or review a specific engagement in detail.
Top up
Each credit buys one full pentest engagement. Credits never expire, and unsatisfactory runs are refundable for 30 days.
$
Loading packages…
New accounts: redeem a code for a free scan.
Admin-only dev grant — bypasses billing for testing.
Projects
No projects yet.
A project bundles related engagements under one umbrella so you can track an asset over time, compare scans, and share access with specific teammates.
When to create one
- Recurring scans — "Q1 external attack surface", "monthly OWASP web sweep"
- Per-customer engagements — keep Acme Corp's scans separate from Globex's
- Restricted access — assign only certain teammates to a sensitive project (defaults to org-wide)
- Shared scope baselines — set a default scope so every job in this project inherits it
Click + New project above to start.
Members
Org-wide visibility. Add members to restrict.
Attack Surface
asset(s) of shown · clear filtersEverything the agent has ever discovered in your footprint, deduplicated across every engagement. A "new" asset appears for the first time in a scan; a re-confirmed asset was already on file. First-seen and last-seen timestamps drive the delta-pentest view.
No assets discovered yet. Run an engagement to populate the inventory.
| Type | Value | Seen | First | Last |
|---|---|---|---|---|
Showing
of
·
New engagement
SOW / RoE / scope export · CSV, TXT, JSON, Markdown · max 100 KB · auto-parsed
1 credit
· full engagement · top up with +1 credit if the agent needs
more runtime on a deep scope
Engagements
Showing
of
More scans exist on the server.
Organization settings
Members
Roles control what each member can do. Owners + Admins manage members, billing, and notifications; Operators run scans + triage; Viewers read reports. Owner/Admin can flip per-member notification toggles below — each member can also control their own from Settings.
Loading members…
| Role | Notifications | Last sign-in | ||
|---|---|---|---|---|
| you suspended |
Pending invites
No pending invites. Use the form below to invite a teammate.
| Role | Invited by | Expires | ||
|---|---|---|---|---|
| expired |
Invite a teammate
We'll send them an email with a single-use link to join this org. Invites expire in 14 days. Only owners can invite admins.
Invite created
— email sent to
— email failed, send the link manually below
API tokens
Use these for CI/CD integrations. Send as
Authorization: Bearer cstk_….
Tokens are only shown once on creation — store them securely.
New token — copy now, won't be shown again
No API tokens yet. Create one below to integrate Coastline with your CI/CD or scripted tooling.
+ New API token
Notifications
Notifications go to .
Profile
Your account identity. Email is managed by Auth0 — to change it, update your Auth0 profile and log back in.
Compliance — Rules of Engagement
Most-recent RoE acceptance per member of . Current canonical version: . Older versions render in amber; unsigned members are flagged so an admin can chase them before a vendor due-diligence review.
No members loaded yet — open Team first.
| Name | Accepted version | Accepted at | Signer IP | User-Agent | |
|---|---|---|---|---|---|
| unsigned | — | server-only | server-only |
Engagement detail
Model
Credits used
/
Steps
/ tools
Duration
Findings
Last activity
Attack Surface
ofEvery host the agent discovered, what was tested, what was skipped — and why. The amber rows are gaps customers actually want to see.
coverage
Assets discovered
Tested
Untested gaps
Tests attempted
Findings
Coverage by vuln class ()
| Vuln class | Probes | Vulnerable | Clean |
|---|---|---|---|
| Host : Port | Status | Last test result | Vuln classes attempted |
|---|---|---|---|
| Not yet tested. No findings on this asset. Probe blocked at network layer. |
|
||
| No assets match the current filter. | |||
Attack surface map will appear once recon phase completes.
Hosts, subdomains, and URLs the agent discovers populate here
in real time, then flip from "untested" to "tested" as each
vuln class is probed.
Loading attack surface…
Remediation PRs
Opened by the agent against your GitHub repos. Review + merge like any dev PR.| Repo | PR | Title | Opened |
|---|---|---|---|
Tripwires planted
Honeytokens planted along discovered attack paths. Any hit on one of these between tests alerts you in real time.| Kind | Label | Planted where | Hits | Last hit |
|---|---|---|---|---|
Agent trajectory (ATIF)
thinking
Findings
No findings reported yet.
Used full budget
Unused budget refunded
(
credit
returned)
Refunded — scan
Scheduled scans
Recurring engagements run automatically on the cadence you set. Each run is queued shortly after its scheduled time and only actually-burned credits are charged — unused budget rolls back to your balance.
No scheduled scans yet.
Create one to run automatically on a daily / weekly / monthly cadence.
| Target | Cadence | Next Run | Status | Actions |
|---|---|---|---|---|
|
|
Rules of Engagement
Acceptance of the current Rules of Engagement is required before launching a scan. Please review the document below and sign — or cancel to return to the dashboard.
Required once per tenant before your first engagement. Provide an emergency contact and accept the Gold Standard Safe Harbor.
Acceptance is timestamped, IP-logged, and versioned against RoE
. Scope and
third-party-hosting warrants are captured per-engagement at
submit time.