VULNARY
The Proof Engine · On your side

Trust your pentest? Prove it.

You paid for a penetration test. Did it cover the scope? Do the findings reproduce? What did it miss? We take their report and re-run it — every finding rebuilt into a working exploit, the whole scope re-walked — and hand you an independent verdict. We work for you, not your vendor.

NDA-first · nothing leaves your hands until scope & terms are set

On your side of the table. We don't name or grade your other vendors — we verify your coverage, reproduce your findings, and surface what's still exposed. Trust, but verify.

01 · METHOD

We don't read the report. We re-run it.

REPRODUCE

Every finding, re-exploited

Each reported issue is rebuilt into a working, reproducible exploit on an isolated copy of your target — the same engine behind our public CVE reconstructions. Real, inflated, or noise? We prove which.

working PoC or it's noise

RE-WALK

The whole scope, independently re-tested

We re-test the agreed scope end to end — hunting the criticals the original test never reached, and confirming the coverage you paid for was actually delivered.

coverage % + missed crits

VERDICT

A signed second opinion, with receipts

You get a verdict you can take to anyone: what reproduced, what was over-stated, what was missed, corrected severities — every line backed by a trace.

independent & defensible

02 · EXHIBIT

What lands on your desk.

INDEPENDENT VERDICT
acme-corp · external web · 11 findings · classification: confidential

8/11 reported findings reproduced into working exploits
  • REPRODUCED · SQLi · /api/orders · Critical ✓
  • REPRODUCED · IDOR · invoice export · High ✓
  • OVER-STATED · "RCE" · admin upload · High → Low
  • NOT REPRO · SSRF · metadata · Critical → none

2 criticals the original test missed — scope was 81% covered
  • MISSED · Auth bypass · JWT alg-confusion · Critical
  • MISSED · Deser RCE · legacy /report · Critical
  • UNTESTED · staging.acme.io · in scope, never touched

Every line links to a reproducible trace + remediation — defensible to your board, your auditor, or the vendor.

03 · ENGAGEMENT

Three ways to put it to work.

First-Look
Intro rate
DISCOUNTED · PRICED TO SCOPE & REPORT SIZE
  • 30-min scoping call, NDA-first
  • Headline findings reproduced
  • The first gaps we surface
  • One-page verdict
Book a call
Automated Verdict
By scope
THE RESIDENT · DAYS
  • Every finding reproduced or refuted
  • Full scope re-walked by the engine
  • Severity corrections + missed-critical sweep
  • Reproducible trace per line
Book a call
Verified Engagement
Custom
RESIDENT + NAMED PRINCIPAL
  • Human-led, signed second opinion
  • Scope & methodology review
  • We sit on your side vs. other vendors
  • Ongoing program assurance
Talk to us

04 · WHY US

If we can rebuild any published CVE into a working exploit, reproducing your report's findings is the same engine — pointed at your evidence.

The Proof Engine runs on the exact capability behind our public CVE reconstructions: nginx, Apache ActiveMQ, XWiki, Joomla — rebuilt from disclosure into live, proven exploits. We don't take a finding's word for it. We make it run, or we mark it noise.

  • CVE-2026-42945 · nginx · memory corruption · PROVEN
  • CVE-2026-34197 · ActiveMQ · Jolokia→xbean · PROVEN
  • CVE-2025-24893 · XWiki · unauth SSTI→RCE · PROVEN
  • their-report.pdf · 11 findings · same engine → VERDICT

Did you get what you paid for?

Book a scoping call. We'll agree terms, prove what's real, surface what's missing — and put the receipts in your hands.

Book a scoping call →