Sample report

See what you get

Every Pentry scan ships a clean report with severity-ranked findings, evidence, and copy-paste AI prompts you can drop straight into Cursor or Claude to ship the fix.


Pentry.ai

Security Assessment Report

Pro AI scan · app.example.com

Scanned: May 12, 2026
Duration: 8m 42s
Scan ID: 4a490e1c-9f3b-4d8e

Executive summary

A Pro AI scan of app.example.com identified 5 findings across the severity levels below. Two High-severity findings expose production credentials and should be fixed within 24 hours; the remaining issues are configuration-hardening recommendations.

  • Critical: 0
  • High: 2
  • Medium: 2
  • Low: 1
  • Info: 0

Methodology

  • Subdomain enumeration: subfinder
  • Host probing: httpx
  • Crawling: katana
  • Vulnerability scanning: nuclei (8,000+ templates)
  • AI analysis: Claude-class model + validator
  • Validation: Second-pass AI confirms each finding before reporting

Findings

High #1

Exposed .env file with production credentials

CWE-522
CVSS 8.3

A .env file was discovered at the web root containing database credentials, API keys, and other secrets. This file should never be publicly accessible — anyone with the URL can read it.

Evidence
GET /.env HTTP/1.1
Host: app.example.com

HTTP/1.1 200 OK
Content-Type: text/plain

DB_PASSWORD=SuperS3cret!Pr0d
AWS_ACCESS_KEY_ID=AKIA...
STRIPE_SECRET_KEY=sk_live_...

Remediation

Remove the .env file from the web root or block dotfile access at the web-server level. Then rotate every credential the file exposed — assume they're compromised.

# nginx
# /etc/nginx/snippets/deny-dotfiles.conf
# Matches any path segment that starts with a dot (/.env, /.git/config, ...).
# `return 404` runs in the rewrite phase, before access checks, so clients see
# 404 rather than the 403 that `deny all` alone would give; deny stays as a backstop.
# Caveat: this also covers /.well-known/ (ACME challenges); serve that path from
# a separate `location ^~ /.well-known/ { ... }` block if you rely on it.
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
    return 404;
}

AI prompt — paste into Cursor / Claude / Copilot

I have a Next.js app deployed behind nginx. There's a vulnerability where /.env is publicly accessible. Add an nginx rule that returns 404 for any path starting with a dot, and add a check in my deployment script that fails if .env files exist under the web root. Show me the exact files to change.

High #2

WordPress wp-config backup exposed

CWE-200
CVSS 7.5

A wp-config.php.bak file is accessible without authentication, exposing database credentials and WordPress secret keys.

Evidence
GET /wp-config.php.bak HTTP/1.1
Host: app.example.com

HTTP/1.1 200 OK
Content-Type: application/octet-stream

define('DB_PASSWORD', 'wp-prod-pass-2024');
define('AUTH_KEY', 'p7K9...');

Remediation

Delete the backup file immediately. Block .bak / .backup / .old / .orig at the web-server level so future backups don't leak.

# apache
# .htaccess (Apache 2.4 `Require` syntax; only takes effect if AllowOverride is enabled for this directory)
<FilesMatch "\.(bak|backup|old|orig|swp|swo)$">
  Require all denied
</FilesMatch>

AI prompt — paste into Cursor / Claude / Copilot

My WordPress site exposes wp-config.php.bak publicly. Write me an Apache .htaccess rule that blocks backup file extensions, and write a one-liner I can run on the server to find and delete any existing backup files in /var/www.
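
A deployment-time check that covers this finding and #1 above, added here as an example and not part of Pentry's report or tooling; the web root it scans is a constructed temporary tree standing in for /var/www:

```shell
#!/bin/sh
# Added example (not Pentry's code): pre-deploy gate that fails when a .env file
# or a backup copy (.bak/.backup/.old/.orig/.swp/.swo/~) sits anywhere under the
# web root, so neither finding can recur on the next release.

# find_leakable_files WEBROOT -> prints each offending path, one per line
find_leakable_files() {
    find "$1" -type f \( -name '.env' -o -name '.env.*' \
        -o -name '*.bak' -o -name '*.backup' -o -name '*.old' -o -name '*.orig' \
        -o -name '*.swp' -o -name '*.swo' -o -name '*~' \) \
        ! -name '.env.example' 2>/dev/null | sort   # .env.example holds no secrets
}

# deploy_gate WEBROOT -> returns 0 when clean, 1 (and lists the files) otherwise
deploy_gate() {
    hits=$(find_leakable_files "$1")
    if [ -n "$hits" ]; then
        echo "DEPLOY BLOCKED: files under $1 that must never be web-reachable:" >&2
        echo "$hits" >&2
        return 1
    fi
    echo "ok: no .env or backup files under $1"
}

# Constructed demo tree standing in for /var/www (placeholder values, not real secrets)
demo_webroot=$(mktemp -d)
mkdir -p "$demo_webroot/public" "$demo_webroot/wp"
printf 'DB_PASSWORD=placeholder\n' > "$demo_webroot/public/.env"
: > "$demo_webroot/wp/wp-config.php.bak"
: > "$demo_webroot/public/index.html"

deploy_gate "$demo_webroot" || true   # blocks: lists public/.env and wp/wp-config.php.bak
```

Wire `deploy_gate /var/www/app` into the deploy script before the web server is reloaded; a non-zero exit aborts the release.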

Medium #3

Missing security headers (CSP, HSTS, X-Frame-Options)

CWE-693
CVSS 5.4

Responses are missing Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options headers. This makes the app easier to clickjack and reduces defense-in-depth against XSS.

Evidence
GET / HTTP/1.1
→ HTTP/1.1 200 OK
Server: nginx/1.24
Content-Type: text/html
# (no CSP, HSTS, or X-Frame-Options header present)

Remediation

Add the three headers to all responses. Start with a permissive CSP in report-only mode, then tighten over a few days.

# nginx (http or server block; note that an add_header inside a location block
# replaces, rather than extends, the headers inherited from this level)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'" always;

AI prompt — paste into Cursor / Claude / Copilot

Add security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) to my Next.js app via next.config.js headers(). Start CSP in report-only mode. Show me the exact next.config.js diff.
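
To verify the fix after deploy, an added example (not Pentry's code) that reads a raw HTTP response, such as the output of `curl -sI https://app.example.com/`, and names the headers from this finding and its AI prompt that are still absent; both responses embedded below are constructed, the first mirroring the evidence above:

```shell
#!/bin/sh
# Added example (not Pentry's code): reports which of the headers finding #3 (and
# its AI prompt) call for are absent from a raw HTTP response. Pipe in the output
# of `curl -sI https://app.example.com/`; CRLF line endings are tolerated.

REQUIRED="strict-transport-security x-frame-options content-security-policy x-content-type-options referrer-policy"

# missing_headers < response -> prints each required header that is not present
missing_headers() {
    # keep the header block (up to the first blank line), lower-case it, extract names
    names=$(sed '/^[[:space:]]*$/q' | tr 'A-Z' 'a-z' | sed -n 's/^\([a-z0-9-]*\):.*/\1/p')
    for h in $REQUIRED; do
        case "$h" in
            content-security-policy)
                # the report-only variant counts while the policy is being tuned
                echo "$names" | grep -qx -e "$h" -e "$h-report-only" || echo "$h" ;;
            *)
                echo "$names" | grep -qx "$h" || echo "$h" ;;
        esac
    done
}

# Constructed responses, not captured traffic; BEFORE mirrors the evidence above.
BEFORE='HTTP/1.1 200 OK
Server: nginx/1.24
Content-Type: text/html

<html>...'

AFTER="HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Content-Security-Policy-Report-Only: default-src 'self'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin

<html>..."

printf '%s\n' "$BEFORE" | missing_headers   # prints all five names
printf '%s\n' "$AFTER"  | missing_headers   # prints nothing
```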

Medium #4

Admin panel reachable without IP allow-list

CWE-284
CVSS 5.0

The /admin endpoint is reachable from any IP on the internet. Although authentication is required, an IP allow-list substantially reduces the attack surface exposed to credential stuffing and zero-day authentication bypasses.

Evidence
GET /admin HTTP/1.1
→ HTTP/1.1 302 Found
Location: /admin/login

Remediation

Restrict /admin to office and VPN egress IPs at the load-balancer or web-server level. Keep authentication, but treat the IP filter as a hard gate before it.

AI prompt — paste into Cursor / Claude / Copilot

Set up an IP allow-list for /admin in my nginx config that only permits 10.0.0.0/8 (office VPN range) and 203.0.113.42 (my home IP). Anyone else should get a 404 — not a 403 — so attackers can't enumerate that the endpoint exists.

Low #5

Server version disclosed in response headers

CWE-200
CVSS 3.1

The Server response header includes the exact nginx version, helping attackers narrow their CVE search.

Evidence
Server: nginx/1.24.0

Remediation

Set `server_tokens off;` in nginx's http block.

AI prompt — paste into Cursor / Claude / Copilot

Hide my nginx version from response headers. Tell me the exact config line and where to put it in /etc/nginx/nginx.conf.

Pentry.ai · Confidential · Generated May 12, 2026 · 4a490e1c-9f3b-4d8e

Want one for your site?

Free, no credit card. Your report in under 10 minutes.
