Every scan type, in one place.

What it does: SAST analyzes your raw source code line-by-line. It never executes the code — it just looks at how data flows through your functions, what APIs you call, and what inputs end up in dangerous sinks. Think of it as a senior security engineer reading every file before you ship.

How to run it: Connect a Git repository, pick a branch, and click Run scan. The engine clones the code, parses it into an AST, traces tainted input from sources (user input, network, files) to sinks (SQL, shell, eval, HTML), and reports anything risky with the exact file and line number.

What it does: Modern apps are 80–95% open-source code. SCA reads your package.json / requirements.txt / pom.xml / go.mod and cross-references every dependency (direct and transitive) against the public CVE database, GitHub Advisory Database, and our own intel feed.

How to run it: Point it at the same repo as SAST. It builds a full dependency tree, checks each version against known vulnerabilities, and tells you exactly which package to upgrade and which CVE it fixes. AI explains the real-world exploit risk per finding.

What it does: DAST is black-box testing. You give it the URL of a deployed site and (if needed) login credentials. It crawls every page like a real user, then safely probes inputs for runtime vulnerabilities — exactly what an attacker would do, without breaking your database.

How to run it: Add a target URL in the DAST page. Optionally provide test-account credentials so it can scan logged-in pages. The engine spiders the site, fingerprints the stack, and runs a battery of safe payloads against forms, query strings, and API endpoints.

What it does: APIs are the #1 attack surface today. This module imports your OpenAPI/Swagger spec (or auto-discovers endpoints from DAST traffic) and exhaustively tests each endpoint for the OWASP API Top 10 — including the ones generic web scanners miss.

How to run it: Upload an OpenAPI spec or let the platform auto-discover endpoints from DAST. The engine fuzzes parameters, tries auth bypasses, tests rate-limiting, and checks every method on every route.

What it does: Performs static analysis on the compiled binary you upload — parsing the Android manifest or iOS Info.plist and inspecting bundled resources. Catches issues that live in the shipped artifact, like hardcoded secrets, insecure transport settings, and over-exposed components.

How to run it: Upload an .apk or .ipa file. The engine unpacks it, parses the binary manifest/plist and bundled strings, and runs MASTG-aligned static checks against the build.

What it does: Container images bundle an entire OS plus your app. This scan inspects every layer for vulnerable system packages (apt/apk/yum), exposed secrets baked into layers, and Dockerfile misconfigurations like running as root.

How to run it: Point it at a container registry (GHCR, ECR, Docker Hub) or upload a tarball. It enumerates installed packages per layer, cross-references CVEs, and audits the Dockerfile recipe.

What it does: Cloud Security Posture Management (CSPM) connects to AWS, Azure, and GCP with scoped read-only access and audits your live cloud setup against CIS and best-practice rules — no agents to deploy. It surfaces public storage, over-permissive identities, open security groups, and weak account settings.

How to run it: Add read-only credentials for AWS, Azure, or GCP in the Cloud Account console. The engine inventories your resources, checks each one against the rule set, and reports every misconfiguration with the exact resource and a plain-English fix.

What it does: Kubernetes Security Posture Management (KSPM) inspects your cluster configuration, workloads, and access controls for security misconfigurations that expose your applications — privileged containers, permissive RBAC, missing network policies, and more.

How to run it: Connect your cluster context in the Kubernetes console. The engine reads workload and RBAC configuration and checks it against Kubernetes hardening best practices, reporting each issue with the affected resource and a fix.

What it does: Instead of treating every CVE the same, the AI Threat Predictor scores each finding against EPSS (Exploit Prediction Scoring System), KEV (CISA's Known Exploited Vulnerabilities catalog), proof-of-concept availability on GitHub, and your runtime exposure to produce a single 'fix this first' score.

How to run it: Runs automatically on top of SCA, SAST, and DAST findings. No setup required — open the Vulnerabilities dashboard and see your queue re-ranked by real-world exploit probability.

What it does: All findings from SAST, SCA, and DAST roll up into a single de-duplicated, prioritized queue. Filter by severity, engine, status, or project. Each finding is re-ranked by the AI Threat Predictor so you always see what to patch today vs. what can wait.

How to run it: Always-on. As soon as you run any scan, results appear here. Click any row to jump to its source console for triage, AI fix, or PR creation.