The tools we built
because nobody else did.

Black-box test whether an LLM chatbot is vulnerable to markdown/HTML exfil (the Copilot CVE-2025-32711 / Feb 2026 ChatGPT / ForcedLeak class). Spins up a local sink, sends 36 exfil payloads, renders each LLM response in headless Chromium, correlates via network to confirm real exfil vs CSP-blocked.

Read-only vector DB poison detector. Connect to Pinecone / Weaviate / Chroma / Qdrant / pgvector, scan for embedding outliers, prompt-injection patterns in chunks, invisible Unicode smuggling, and AgentPoison-style backdoor triggers. Live-tested against chromadb with planted poison: all 6 check classes surfaced at expected severities.

Static scanner for GitHub Actions workflows targeting the pwn-request RCE class that hit Microsoft, DataDog, CNCF, and hundreds of OSS projects Feb-April 2026. 8 checks, embedded compromised-SHA feed (tj-actions March 2025, Ultralytics Dec 2024). First run on our own repos caught PW4 (default permissions) + PW5 (secret interpolation). We fixed ours before shipping.

Scan a repo for AI-IDE configuration that triggers RCE: Claude Code SessionStart hooks, Cursor/Windsurf rules-file Unicode smuggling, MCP auto-registration, ANTHROPIC_BASE_URL redirect, VS Code folderOpen tasks. Addresses CVE-2025-59536, CVE-2026-21852, CVE-2026-30615, and Pillar Rules File Backdoor.

Audit AI gateway deployments (LiteLLM, OpenRouter, Portkey, Vercel AI Gateway) for master-key exposure, virtual-key cross-tenant leak, missing per-key budgets, provider fallback cost-DoS, PII masker bypass, rate-limit bypass via X-Forwarded-For rotation, and known-vulnerable LiteLLM versions.

Find AI/LLM endpoints on a target domain. Static-fingerprints 18 AI SDKs in JS bundles, extracts gateway base URLs, probes common endpoint paths with one benign completion to classify auth posture. Smoke test on vercel.com picked up Vercel AI SDK + OpenAI + Replicate + 8 hinted paths.

Audit OIDC / OAuth 2.0 authorization-server metadata for weak algorithms, PKCE downgrade, algorithm confusion (RSA + HMAC mix), SSRF via request_uri, JWKS quality, and issuer-mismatch attacks. First run on accounts.google.com caught a real PKCE 'plain' method advertisement. Microsoft's multi-tenant issuer placeholder ({tenantid}) flagged too.

Black-box test that Row-Level Security actually enforces tenant isolation on Supabase / PostgREST / Hasura / PocketBase. Give it two tenant JWTs, it probes every table and flags where tenant A can read tenant B's rows.

Detect exposed source maps on production websites, reconstruct the original TypeScript sources, and grep for leaked Stripe keys, internal API routes, unreleased feature flags, and design-intent TODO comments. Built after the March 2026 Claude Code source-map leak (59.8MB to prod, 16-21M views).

Enumerate every /.well-known/ resource on a domain and score it for compliance + oversharing. First run on github.com found they're leaking an internal-dev Android package name via assetlinks.json.

Enumerate every environment variable across a Vercel team and flag which aren't marked Sensitive. Built in response to the April 2026 Vercel security incident.

Detect Supabase, Convex, Clerk, Firebase, Auth0, Appwrite, Hasura, and PocketBase on a live website. Flag the platform-specific misconfigurations each one is prone to. Read-only, no exploit traffic.

Static audit of an MCP (Model Context Protocol) server for the five attack patterns from our blog post: tool arg validation, shell passthrough, FS scope, SSRF via fetch, credential exposure. Found a genuine schema gap in Anthropic's own reference server on first run.

Enumerate what Salesforce Experience Cloud guest users can see. Reproduces the read-only half of the ShinyHunters attack pattern that hit McGraw-Hill, AT&T, Ticketmaster, Santander.

Given a Google Workspace / GitHub / Slack / Vercel admin token, enumerate every OAuth grant (installed apps, third-party integrations) with a scope-breadth risk score.