Plans and limits
Pentestas offers three plan tiers plus custom arrangements. This page enumerates the caps; pricing is at pentestas.com/pricing.
Quick matrix
| Feature | Free | Pro | Enterprise |
|---|---|---|---|
| Scans / month | 10 | 200 | Unlimited (SLA'd) |
| Concurrent scans | 1 | 5 | Negotiated (typical 25–100) |
| Verified domains | 1 | 10 | Unlimited |
| Max scan depth | 3 | 6 | Unlimited |
| Finding retention | 365 days | 3 years | Unlimited |
| AI analysis (Claude) | β | β | β |
| Attack chain synthesis | β | β | β |
| Agents | β | 3 | Unlimited |
| Browser capture | β | β | β |
| Authenticated scans | β | β | β |
| Scheduled scans | β | β | β |
| Webhooks | β | β | β |
| Slack integration | β | β | β |
| Custom report branding | β | β | β |
| SSO (SAML / OIDC) | β | β | β |
| BYOK encryption | β | β | β |
| SLA | β | 99.5% | 99.9% |
| Support | Community | Email (24h) | Slack + dedicated CSM |
Rate limits (all plans)
| Scope | Limit |
|---|---|
| Auth endpoints (login, signup) | 5 / min per IP |
| API read endpoints | 30 / s per IP (burst 60) |
| Public / anonymous endpoints | 10–30 / hour per IP |
| Scan creation | 30 / min per tenant |
| Failed agent connects | 5 / hour per IP (then blocklist) |
Scan timeouts
| Scan type | Default timeout |
|---|---|
| Web / API | 3 hours |
| Network | 1 hour per /24 |
| Cloud storage | 30 minutes |
| Subdomain enumeration | 15 minutes |
| Azure / GWS audit | 30 minutes |
Pro+ can raise timeouts per scan. Enterprise gets arbitrary bounds negotiated in contract.
What happens at the cap
- Concurrent scans exceeded: `409 Conflict` on `POST /api/scans`. Wait for a running scan to finish.
- Monthly scan quota exhausted: `403 Forbidden`. Upgrade or wait for the month boundary (1st of calendar month, tenant-local timezone).
- Retention window past: scan + findings auto-purged. Exports must be generated before this.
- Agent cap exceeded: `403` on `POST /api/agents`. Remove an agent or upgrade.
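
For automation that submits scans (CI jobs, schedulers), the two scan-related responses above call for different handling: a 409 is worth waiting on, while a 403 will not clear until the quota resets. The sketch below is an added example, not Pentestas code; the `post` transport callable, the 60-second wait, the retry bound and treating any 2xx as success are assumptions.

```python
from datetime import datetime, timezone, tzinfo


def next_quota_reset(now_utc: datetime, tenant_tz: tzinfo) -> datetime:
    """Month boundary (1st, 00:00) in the tenant's timezone, returned in UTC."""
    local = now_utc.astimezone(tenant_tz)
    if local.month == 12:
        year, month = local.year + 1, 1
    else:
        year, month = local.year, local.month + 1
    return datetime(year, month, 1, tzinfo=tenant_tz).astimezone(timezone.utc)


def submit_scan(post, payload, now_utc, tenant_tz, sleep, wait_s=60, max_waits=20):
    """Submit one scan and map the documented cap responses to outcomes.

    post(path, payload) -> int is a hypothetical transport supplied by the
    caller that returns the HTTP status code. sleep is injected so the wait
    can be observed in tests instead of actually blocking.
    """
    for attempt in range(1, max_waits + 2):
        status = post("/api/scans", payload)
        if status == 409:
            # Concurrent-scan cap: a running scan has to finish first.
            sleep(wait_s)
            continue
        if status == 403:
            # Monthly quota exhausted: retrying before the reset only adds
            # load against the 30 / min per-tenant scan-creation limit.
            return {"state": "quota_exhausted",
                    "retry_after": next_quota_reset(now_utc, tenant_tz)}
        if 200 <= status < 300:  # assumption: any 2xx means the scan was created
            return {"state": "created", "attempts": attempt}
        return {"state": "error", "status": status}
    return {"state": "still_busy", "attempts": max_waits + 1}
```

Pass a `zoneinfo.ZoneInfo` for `tenant_tz` in production so daylight-saving changes are respected.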
Custom plans
For regulated industries, multi-team orgs, or consultancies running scans on client infrastructure:
- Child tenants / sub-workspaces: one billing relationship, many isolated workspaces. One per client engagement.
- On-prem deployment: full Pentestas stack behind your firewall. Quarterly release updates.
- Air-gapped deployment: Pentestas + Exploit-DB mirror + Claude Sonnet model (if applicable) running entirely inside your network.
Get in touch at sales@pentestas.com.