auto/attack

Fix it. Retest it.

PCI DSS 11.4.4 says every exploitable weakness a penetration test finds has to be corrected, then retested to confirm the fix held. AutoAttack re-runs the same attack path on demand, so you can see whether the path you fixed still lets an attacker through before your qualified retest, and hand your assessor the evidence either way.

Deploy

what requirement 11.4.4 asks

the rule In PCI DSS v4.0.1, any exploitable vulnerability a penetration test finds has to be corrected, and the penetration testing repeated to verify the correction (Requirement 11.4.4).
who runs the retest That repeat test is itself penetration testing, so it calls for the same qualified, organizationally independent tester as the first (Requirements 11.4.2 and 11.4.3). Booking it takes time, and until it runs the finding stays open.
the cadence Internal and external penetration tests are due at least once every 12 months and after any significant change (Requirements 11.4.2 and 11.4.3). Every exploitable finding they raise inherits the 11.4.4 retest.

how AutoAttack closes the loop

retest on demand Re-run the exact campaign the moment a fix ships. AutoAttack walks the same path and reports whether it still reaches the objective, so you catch a fix that did not hold before your tester does.
evidence to hand over Every step is captured as it runs. You keep the before, the path and the access it reached, and on retest the after, the step where the same path now stops. That before-and-after is the kind of evidence assessors look for.
segmentation (11.4.5) 11.4.5 asks you to prove segmentation by actively trying to cross it, which reviewing a firewall rule cannot show. Set the goal to reach the cardholder data environment from an out-of-scope segment, and AutoAttack attempts the crossing and captures whether any route it tried got through. See a full path walked step by step
included Re-running a fix comes with the subscription, so you can verify your own remediation as often as you need before the formal retest, with no separate engagement to check your work. See pricing

where AutoAttack fits your program

with your assessor PCI penetration tests are performed by a qualified internal resource or independent third party (Requirements 11.4.2 and 11.4.3). AutoAttack does not replace that tester. It re-verifies fixes between their engagements, so issues surface earlier instead of at the formal test.
not an attestation AutoAttack produces the proof; your QSA or internal assessor issues the paperwork. It does not generate a Report on Compliance, a Self-Assessment Questionnaire, or an Attestation of Compliance.
safe in the CDE Run properly, it stays within your account-lockout policy, installs nothing, and leaves nothing on disk, so it can run against production cardholder systems the way it runs any live network. How it stays safe

common questions

Does AutoAttack make my company PCI DSS compliant?

No. AutoAttack does not issue a Report on Compliance or an Attestation of Compliance, and it is not a QSA. It proves whether an exploitable path is open or closed and hands that evidence to the qualified assessor who signs off your PCI penetration testing.

What is PCI DSS requirement 11.4.4?

Requirement 11.4.4 says exploitable vulnerabilities found during penetration testing must be corrected, and the penetration testing repeated to verify the corrections. It is the retest obligation that follows every internal and external PCI penetration test.

Can AutoAttack replace my annual PCI penetration test?

No. Requirements 11.4.2 and 11.4.3 call for a qualified internal resource or independent third party to perform the internal and external tests. AutoAttack runs alongside that engagement, re-verifying fixes on demand and testing segmentation between the annual tests, so less is left to find.

Deploy