# AppSec Santa — Tools Catalog (Plain-Text) This file lists every active tool reviewed on AppSec Santa with frontmatter and body content truncated for context-window efficiency. For non-tool content (guides, research, categories) see /llms-guides.txt, /llms-research.txt, and /llms-categories.txt. For the complete unified index, see /llms-full.txt. All content is authored by Suphi Cankurt and may be cited with attribution to AppSec Santa (appsecsanta.com). Base URL: https://appsecsanta.com License: Content may be cited with attribution --- # 42Crunch URL: https://appsecsanta.com/42crunch Description: 42Crunch audits OpenAPI specs with 300+ security checks, scores APIs 0-100, and deploys micro API firewalls. IDE extensions used by 1.6M+ developers. 42Crunch is an [API security tools](/api-security-tools) platform that audits OpenAPI specifications, tests live APIs for conformance, and deploys micro firewalls for runtime protection. Its IDE extensions have been used by over 1.6 million developers across VS Code, JetBrains, and Eclipse. The company was founded in 2016 by Jacques Declas and Isabelle Mauny. It is headquartered in London and backed by a $17M Series A round led by Energy Impact Partners, with Adara Ventures participating. ## What is 42Crunch? 42Crunch covers the API security lifecycle from design through runtime. The platform works in three stages: audit your OpenAPI spec before deployment, scan the running API for conformance issues, and then protect it with a micro firewall that enforces the contract in production. Unlike traffic-based API security tools that analyze behavior after deployment, 42Crunch starts with the OpenAPI definition itself. The spec becomes the single source of truth for what the API should accept, return, and block. API Security Audit:::Static analysis of OpenAPI definitions with 300+ checks across security, data validation, and spec compliance. Each API gets a score from 0 to 100. ||| API Conformance Scan:::Dynamic testing that sends real traffic to live API endpoints. Validates that the implementation matches the documented contract and flags deviations. ||| Micro API Firewall:::Runtime protection deployed as a sidecar or gateway. Blocks any transaction that does not conform to the OpenAPI definition. Sub-millisecond latency overhead. ## What are 42Crunch's key features? 42Crunch's 300+ checks include OWASP API1:2023 broken object-level authorization (BOLA) test cases — the vulnerability class that has dominated real-world API breaches since the OWASP API Top 10 first added it in 2019. Schema-injection, parameter-injection, and authorization-test families all map back to BOLA / broken authorization testing patterns rather than generic input fuzzing. The platform handles shadow API discovery by scanning runtime traffic against the registered OpenAPI contract — endpoints that respond to traffic but do not appear in the spec are flagged as undocumented or shadow APIs. Because the model is contract-first, "shadow" here means anything not declared in OAS, which is a tighter definition than the network-traffic discovery used by Salt Security or Akamai API Security. | Feature | Details | | ---------------------- | --------------------------------------------------------------------------- | | Security Audit | 300+ checks on OpenAPI v2, v3.0, v3.1 definitions | | Audit Scoring | 0-100 score (30 pts security, 70 pts data validation) | | Conformance Scan | Dynamic testing with happy path, unhappy path, and custom tests | | Micro API Firewall | Positive security model based on OpenAPI contr [...truncated for length...] --- # 7AI URL: https://appsecsanta.com/7ai Description: 7AI is an agentic security platform with 60+ autonomous AI agents that replace manual SOC triage — cutting false positives 95-99% and tier-1 time 80%. 7AI is an [AI security](/ai-security-tools) platform that deploys autonomous AI agents to handle security operations center (SOC) work — alert triage, investigation, threat hunting, and incident response. Unlike traditional SOAR tools that execute pre-written playbooks, 7AI uses Dynamic Reasoning to investigate novel threats in real time without predefined rules. Founded in 2024 by Lior Div and Yonatan Striem-Amit — the same team behind Cybereason — 7AI launched from stealth in February 2025 and raised a $130 million Series A by December 2025 (the largest cybersecurity Series A in history), bringing total funding to $166 million. The company is headquartered in Boston, Massachusetts, with backing from Index Ventures, Greylock, CRV, Spark, and Blackstone Innovations Investments. ## What is 7AI? 7AI is an agentic SOC platform: it deploys 60+ specialized AI agents that autonomously investigate security alerts end-to-end, from initial triage through cross-system correlation to a final determination — without waiting for a human analyst at each step. Instead of routing alerts through static playbooks, 7AI agents assess each alert's context and determine their investigative strategy in real time, which is what allows them to handle novel threats that no playbook was written for. In practice, 7AI replaces the manual, repetitive work that consumes most SOC analyst time. Rather than having human analysts triage thousands of alerts, enrich data across multiple tools, and correlate signals by hand, specialized agents swarm on each alert and work through the investigation autonomously. 60+ purpose-built agents cover five domains: Endpoint, Identity, Cloud, Email, and Network. Each handles specific investigative tasks — device enrichment, file provenance, user behavior, network traffic correlation. As of early 2026, 7AI reports processing 5M+ alerts across its customer base, saving 732,910+ analyst hours (roughly 366 full-time analyst-years) and reclaiming $42.1M in SOC productivity value since launching in February 2025. Dynamic Reasoning:::Agents autonomously determine the investigative approach for each alert in real time — including novel, previously unseen threats. Unlike SOAR playbooks that require predefined rules, Dynamic Reasoning follows unexpected leads and adapts to each scenario dynamically. ||| Autonomous Investigations:::AI agents swarm on alerts end-to-end: enriching data, querying environments, correlating across systems, and forming conclusions. Investigations that took analysts hours complete in minutes. ||| Unified Case Management:::Every incident gets auto-populated summaries, cross-alert correlation, and collected evidence in a single view. Agents tie related alerts together automatically, surfacing the full attack story rather than isolated events. ## What are 7AI's key features? | Feature | Details | | ------------------------ | --------------- [...truncated for length...] --- # AccuKnox URL: https://appsecsanta.com/accuknox Description: AccuKnox is a runtime-aware ASPM platform combining SAST, DAST, SCA, IaC, and container scanning with eBPF visibility from its KubeArmor project. AccuKnox is a runtime-aware [ASPM](/aspm-tools) platform that bundles SAST, DAST, SCA, IaC, container, and secrets scanning with runtime visibility from its open-source KubeArmor project. ## What is AccuKnox? The hook on AccuKnox's marketing — _"Drowning in Application Security Alerts? Reclaim Control with Intelligent ASPM That Actually Works"_ — points at the same alert-fatigue problem the rest of the ASPM category is solving. What makes AccuKnox different is the runtime layer. Most ASPM tools ingest scanner output and try to deduce exploitability from static signals. AccuKnox runs its own runtime telemetry through KubeArmor, an eBPF and LSM-based engine that watches what containers actually do in production. That runtime view feeds directly into the prioritization model. ## Scanner coverage Static analysis:::SAST, SCA, IaC, container, secrets — all native, no third-party dependency required to get started. ||| Dynamic and runtime:::DAST for application-layer testing plus eBPF/LSM runtime visibility for production workloads via KubeArmor. ||| Pipeline security:::CI/CD scanning across GitHub Actions, Jenkins, GitLab, Bamboo, and Azure DevOps to catch issues before deploy. ## KubeArmor: the runtime engine KubeArmor is the open-source project that gives AccuKnox its differentiating signal. It uses eBPF (in-kernel observability) and Linux Security Modules (LSM, the kernel-level enforcement layer used by AppArmor and SELinux) to: | Capability | What it does | | ------------------ | ------------------------------------------------------------------------------ | | Runtime visibility | Maps process, network, and file activity per workload | | Policy enforcement | Blocks disallowed syscalls, file access, or network egress at the kernel level | | Threat correlation | Feeds runtime telemetry into the AccuKnox ASPM prioritization layer | | CNCF status | Accepted into the CNCF Sandbox — community-validated open source | For AppSec teams, the practical effect is that AccuKnox can mark a vulnerable package as _not actually reachable in production_ because the runtime engine sees that the affected code path is never invoked. That is the kind of context that lets the platform suppress noise instead of just sorting it. ## Customers and integrations | Type | Examples | | -------------------- | ------------------------------------------------------------------------------------------------------------- | | Customers | Prudent Insurance, IDT Telecom, Buck.AI, DeepOrigin, SupportLogic ([accuknox.com](https://www.accuknox.com/)) | | CI/CD | GitHub Actions, Jenkins, GitLab, Bamboo CI, Azure DevOps | | Ticketing | Jira, Servic [...truncated for length...] --- # Acunetix AcuSensor URL: https://appsecsanta.com/acunetix-acusensor Description: Acunetix AcuSensor provides exact source file and line number locations for vulnerabilities. Traces SQL injections from HTTP request to database query. Acunetix AcuSensor is an [IAST](/iast-tools) agent that pairs with the Acunetix DAST scanner to give you code-level vulnerability details. It supports PHP, Java, .NET, and Node.js. The agent runs inside your application runtime. While the DAST scanner throws attack payloads from outside, AcuSensor watches how those payloads travel through backend code. For PHP, that means exact file names and line numbers. For Java and .NET, you get full stack traces. Acunetix detects over 7,000 vulnerability types including zero-days. AcuSensor adds internal visibility to that scanning by confirming whether attacks actually reach vulnerable code paths. Over 2,300 companies use the scanner, including NASA, American Express, and the U.S. Air Force. ## What is Acunetix AcuSensor? AcuSensor turns the Acunetix black-box DAST scanner into a grey-box IAST solution. You don't need to modify your source code. The agent intercepts code execution at runtime and feeds intelligence back to the scanner as it runs. Code-Level Precision:::Pinpoints vulnerabilities to exact file names and line numbers for PHP. Java and .NET get full stack traces showing the call chain from HTTP request to vulnerable code. ||| Hidden Asset Discovery:::Builds a full file listing of the application directory and intercepts variable access to surface hidden GET/POST parameters, unlinked admin panels, and undocumented API endpoints. ||| False Positive Elimination:::Confirms whether attack payloads actually reach vulnerable code paths at runtime. If input is properly sanitized before hitting the database, AcuSensor drops the finding. ## What are Acunetix AcuSensor's key features? | Feature | Details | |---------|---------| | Supported Languages | PHP, Java (including Spring), .NET (including .NET Core), Node.js | | Operating Systems | Linux/UNIX and Windows servers | | Vulnerability Coverage | 7,000+ vulnerability types including zero-days | | API Support | REST, SOAP, and GraphQL | | Performance Overhead | Less than 1% in standard scenarios | | Agent Generation | Unique per target for security | | Bridge URL | `https://iast.invicti.com` (default, configurable per target) | | Deployment | Staging servers and CI/CD VMs only | ### SQL Injection Trace Analysis When a SQL injection turns up, AcuSensor shows the full data flow from user input through business logic to the database query. You see whether sanitization functions were called, whether they worked, and how the final query was constructed. For PHP applications, AcuSensor parses source code to map every input point. For Java and .NET, it captures stack traces showing the complete call chain. ### Hidden Asset Discovery AcuSensor finds assets the external crawler misses. It builds a full file listing of the application directory and intercepts variable access (like PHP's `$_GET` and `$_POST` arrays) to surface hidden parameters. What this catches: - Admin panels with no public links - Undocumented API endpoints - Backup files and d [...truncated for length...] --- # Acunetix URL: https://appsecsanta.com/acunetix Description: Acunetix review. 7,000+ vulnerability checks with 99.98% accuracy. How it compares to Burp Suite and Invicti, plus honest pros and cons from real use. Acunetix is a web vulnerability scanner built for teams that want automated DAST without a steep learning curve. It detects over 7,000 vulnerability types with 99.98% accuracy through proof-based scanning. Part of the Invicti family, Acunetix targets small and mid-sized organizations while [Invicti](/invicti) handles enterprise accounts. Thousands of companies use it, including Cisco, NASA, and American Express. According to the OWASP Foundation, automated dynamic testing is a recommended practice for identifying runtime vulnerabilities that static analysis alone misses. ## What are Acunetix's key features? | Feature | Details | | -------------------- | ----------------------------------------------------------------- | | Vulnerability checks | 7,000+ types including OWASP Top 10, out-of-band | | Accuracy | 99.98% with proof-based scanning | | Scanning engine | C++ based, 2-4 hour average scan time | | IAST support | AcuSensor agent for .NET, Java, PHP, Node.js | | Risk scoring | Predictive AI model using 220+ parameters, 83% minimum confidence | | API scanning | REST, SOAP, GraphQL | | SPA support | Full JavaScript rendering for React, Angular, Vue | | Concurrent scans | Unlimited parallel scans | | Update cadence | Monthly releases with auto-update | I run authenticated dynamic scans against logged-in user sessions using the Business Logic Recorder, which lets me reach pages that anonymous crawlers cannot. The scanner does API security testing (black-box) against REST, SOAP, and GraphQL endpoints by ingesting OpenAPI/Swagger specs or recorded traffic. SQL injection / XSS probing uses payload mutation across discovered parameters, and the proof-based engine confirms each finding by safely exploiting it before I see the alert. Proof-Based Scanning:::Acunetix confirms vulnerabilities by safely exploiting them, producing proof-of-exploit for each finding. Less time triaging, more time fixing. ||| AcuSensor IAST:::Deploy the AcuSensor agent inside your application server to combine DAST with IAST. The agent identifies the exact line of code causing a vulnerability and catches issues invisible to external scanning alone. ||| Business Logic Recorder:::Record multi-step workflows like checkout flows, registration sequences, or admin operations. The scanner replays these recorded paths during scans, covering areas that automated crawlers miss. ## Predictive Risk Scoring Acunetix uses a machine learning model that analyzes over 220 parameters to estimate vulnerability risk before scanning begins. The model requires a minimum 83% confidence threshold before assigning a risk score. Your mos [...truncated for length...] --- # Agentic Radar URL: https://appsecsanta.com/agentic-radar Description: Agentic Radar is an open-source scanner for LangGraph, CrewAI, OpenAI Agents, AutoGen, and n8n agentic workflows with dependency graphs and OWASP risk mapping. Agentic Radar is an open-source CLI security scanner that analyzes LLM-based agentic workflows for vulnerabilities across five major frameworks: LangGraph, CrewAI, OpenAI Agents SDK, AutoGen, and n8n. Unlike component-level scanners such as [MCP-Scan](/snyk), Agentic Radar takes a system-level view — parsing entire workflow definitions, generating visual dependency graphs, and mapping risks to OWASP security frameworks. Built by SPLX AI — a company focused on end-to-end AI security — Agentic Radar was released in March 2025 as one of the first tools purpose-built for scanning agentic AI architectures. While individual components like MCP servers have their own scanners, Agentic Radar takes a broader view: analyzing the entire workflow to understand how agents connect, what tools they access, and where security gaps exist in the system as a whole. The tool supports five major agentic frameworks: LangGraph, CrewAI, OpenAI Agents SDK, AutoGen, and n8n. ## What is Agentic Radar? Agentic AI systems are inherently complex — multiple agents coordinate across tools, APIs, and data sources, often with chained decisions where one agent's output becomes another's input. Traditional security tools that analyze individual components miss the systemic risks that emerge from these interactions. Agentic Radar addresses this by parsing the full workflow definition, mapping every agent-to-tool and agent-to-agent connection into a dependency graph, and then analyzing that graph for vulnerabilities. The output is an HTML report that security teams can share and review without needing to understand the underlying framework code. Workflow Visualization:::Parses agentic framework code and generates visual dependency graphs showing all agents, tools, MCP servers, and their connections. Makes complex multi-agent architectures understandable at a glance for security review. ||| Vulnerability Mapping:::Maps identified security risks to the OWASP Top 10 for Large Language Models and OWASP Agentic AI Threats and Mitigations. Provides standardized risk categories that align with established security frameworks rather than ad-hoc findings. ||| Prompt Hardening:::Automatically analyzes system prompts across your agentic workflow and refines them using LLM assistance to follow security engineering best practices. Catches overly permissive instructions, missing guardrails, and prompt injection vulnerabilities. ## What are Agentic Radar's key features? | Feature | Details | | -------------------- | -------------------------------------------------------------------------------------------------- | | Supported Frameworks | LangGraph, CrewAI, OpenAI Agents SDK, AutoGen, n8n | | Dependency Graphs | Visual agent-tool-MCP connection mapping | | OWASP Mapping | [...truncated for length...] --- # Aikido Security URL: https://appsecsanta.com/aikido Description: Aikido bundles SAST, DAST, SCA, CSPM, and secrets detection trusted by 50,000+ organizations. AutoTriage reduces security noise by 95% with free tier. Aikido Security is an [ASPM](/aspm-tools) platform used by over 50,000 organizations and 100,000+ teams. The Belgian company bundles SAST, DAST, SCA, container scanning, secrets detection, CSPM, IaC scanning, and runtime protection into one platform. AutoTriage cuts alert noise by 95%. Founded in 2022 in Ghent, Belgium, with a San Francisco office, Aikido is SOC 2 Type II and ISO 27001:2022 certified. Public customers — visible on the [Aikido customers page](https://www.aikido.dev/customers) — include Revolut, Niantic, Premier League, SoundCloud, Visma, Pendo, and n8n. > **Where Aikido lives on AppSec Santa.** Aikido is canonicalised under [ASPM](/aspm-tools) here because the platform's value proposition is unifying SAST, SCA, DAST, IaC, container, and secret-scanning findings under one prioritized inbox — that's the ASPM job-to-be-done. The individual scanners (Aikido SAST, SCA, container, IaC, secret-scanning, DAST) are why the page also lives across [SAST](/sast-tools), [SCA](/sca-tools), [DAST](/dast-tools), [Container](/container-security-tools), [IaC](/iac-security-tools), and [Secret Scanning](/secret-scanning-tools) hubs via `also_in`. Brand-led queries land here; cross-category comparisons sit under the relevant category hub. ## What is Aikido Security? The platform splits into four areas, each covering a different part of the security problem: Code Security:::SAST, SCA, secrets detection, IaC scanning, container image analysis, malware detection, and license compliance. Supports JavaScript, TypeScript, Python, Go, Ruby, PHP, and Java with framework-specific rules. ||| Cloud Security:::Cloud Security Posture Management for AWS, Azure, and GCP. VM scanning, Kubernetes runtime scanning, and cloud asset discovery. ||| Attack Surface:::AI-powered pentesting, DAST, and API scanning with fuzzing. Finds vulnerabilities that static analysis misses by testing running applications. ||| Runtime Protection:::Zen in-app firewall blocks attacks in production. Bot protection, AI monitoring for LLM usage tracking, and real-time threat blocking without code changes. Aikido uses read-only repository access and runs analysis in temporary Docker containers that get deleted after each scan. Setup takes minutes — connect your repositories and scanning starts with sensible defaults. ## What are Aikido Security's key features? ### Noise reduction The noise reduction works through several layers. Deduplication catches the same vulnerability found by multiple scanners and reports it once. Reachability analysis filters SCA vulnerabilities by actual code usage. Context correlation groups related findings into single actionable issues. Aikido reports 95% fewer alerts compared to running equivalent standalone scanners. AutoTriage combines deduplication, reachability analysis, and context correlation to cut through scanner noise. A vulnerability that appears in three different tools shows up once, and only if the affected code is actually reachable in your [...truncated for length...] --- # Akamai API Security (Noname) URL: https://appsecsanta.com/akamai-api-security Description: Akamai API Security (formerly Noname) discovers shadow and GenAI APIs, runs 200+ CI/CD security tests, and monitors east-west and north-south API traffic. Akamai API Security is a platform-agnostic [API security tools](/api-security-tools) product that discovers APIs enterprise-wide, tests them in CI/CD pipelines, and detects runtime attacks using machine learning. It was [previously sold as Noname Security](/akamai-api-security), which Akamai acquired in June 2024 for $450 million. The platform is vendor-neutral. It does not require Akamai's CDN or any other Akamai product, though a native connector is available for Akamai Cloud customers. It works across SaaS, hybrid, and on-premises environments with multiple CDNs, WAFs, and gateways. Akamai was named a Leader across four categories (Overall, Product, Innovation, and Market) in the 2025 KuppingerCole Leadership Compass for API Security and Management. Published customer stories include Godrej, Novant Health, and Commerzbank (which secured 6 billion monthly API calls through the platform). ## What is Akamai API Security? The platform works in four stages: Discover, Test, Detect, and Respond. Discover:::Generates a full API inventory including how many and what type of APIs you have. Covers shadow, zombie, and AI-related APIs. Tags GenAI, LLM, and MCP server connections automatically. ||| Test:::Adds security testing to your CI/CD pipeline. Runs 200+ dynamic tests that simulate malicious traffic against the OWASP API Top 10, without slowing down development. ||| Detect:::Identifies API vulnerabilities and attacks with automated, ML-powered detection. Covers both east-west and north-south traffic patterns. ||| Respond:::Creates workflows to remediate API issues by integrating with your existing WAFs, SIEMs, and ITSM tools. API Security is a standalone product. When paired with Akamai App & API Protector, the two work together for inline blocking plus enterprise-wide visibility. But App & API Protector focuses on traffic through Akamai Cloud, while API Security covers all API endpoints regardless of where they're hosted. ## What are Akamai API Security (Noname)'s key features? | Feature | Details | | ------------------ | ----------------------------------------------------------------------------- | | API Discovery | Shadow, zombie, GenAI, LLM, and MCP server APIs. Continuous, not on-demand | | CI/CD Testing | 200+ dynamic tests simulating malicious traffic against OWASP API Top 10 | | Runtime Detection | ML-based behavioral anomaly detection across all API traffic | | Traffic Coverage | Both east-west (internal) and north-south (external) API traffic | | Posture Management | OWASP API Top 10 compliance with business logic visualization | | Compliance | PCI DSS v4.0, GDPR, ISO 27001, HIPAA, FAPI, MITRE ATT&CK | | Deployment | Platform-agnostic: SaaS, hybrid, on-prem. Multiple CDNs, WAFs, gateways | | Sensitive Data | PII, IP, and internal documentat [...truncated for length...] --- # Akto URL: https://appsecsanta.com/akto Description: Akto secures AI agents and MCP servers with 1,000+ exploit tests and automated red teaming. Free tier available. Pivoted from open-source API security in 2025. Akto is an [AI security](/ai-security-tools) platform for securing AI agents and MCP (Model Context Protocol) servers. Fortune 500 security teams and over 1,000 AppSec teams use it. Ankita Gupta (CEO) and Ankush Jain (CTO) founded the company in 2022. It started as an open-source API security tool, then pivoted to AI agent security in 2025. Akto shipped one of the first dedicated MCP security solutions in June 2025 and launched the full Agentic Security Platform in September 2025. ## What is Akto? Akto's platform does three things: discovers your AI agents and MCP servers, red teams them, and enforces runtime guardrails. It inventories every AI agent and MCP tool in your infrastructure, runs attack simulations against them, and blocks risky agent behavior at runtime. The 50+ traffic and code connectors cover both cloud and on-prem environments. Agentic Discovery:::Automatically discovers MCP servers, AI agents, tools, and data sources. Builds a complete inventory with lineage tracking to map dependencies and risks across your infrastructure. ||| Red Teaming:::Continuous attack simulations powered by the AI Agent Attack Matrix, a database of 1,000+ real-world agent exploits. Tests for prompt injection, tool poisoning, and cascading failures. ||| Runtime Guardrails:::Enforceable enterprise policies that block risky agent behavior and unauthorized actions in real time. Detects AI behavior drifting and access pattern anomalies. ## What are Akto's key features? | Feature | Details | | ------------------ | --------------------------------------------------------------------------- | | AI Agent Discovery | MCP servers, agents, tools, resources with lineage tracking | | Attack Library | 1,000+ real-world agent exploits (AI Agent Attack Matrix) | | Red Teaming | Automated via Agent Probe | | Threat Detection | Prompt injection, tool poisoning, poisoned memory, cascading hallucinations | | Runtime Protection | Guardrails, behavior drift detection, access anomaly detection | | Connectors | 50+ traffic and code connectors | | MCP Tools | MCP Endpoint Shield, MCP Recon | | API Security | Legacy open-source platform (MIT license, 1.4k GitHub stars) | ### Agentic visibility and discovery Akto finds every MCP server and AI agent your developers deploy. The connectors build an inventory of agents, MCP servers, tools, and data sources across cloud providers and on-prem environments. Lineage tracking maps dependencies between agents — which tools each agent can access, which data sources it touches. That matters because a single compromised MCP server could give an attacker access to multiple downstream agents. ### AI Agent Attack Matrix The r [...truncated for length...] --- # Alter URL: https://appsecsanta.com/alter-ai Description: Alter is a zero-trust identity and access control platform for AI agents with RBAC/ABAC policies, ephemeral credentials, and tool call verification. YC S25. Alter is a zero-trust identity and access control platform purpose-built for AI agents, verifying every tool call with fine-grained RBAC/ABAC authorization and ephemeral credentials that expire in seconds. While broader platforms like Onyx Security or Noma Security address full AI governance, Alter specializes in the identity and access control layer where unauthorized agent actions cause the most damage. The company was founded by Srikar Dandamuraju (CEO) and Kevan Dodhia (CTO) and is backed by Y Combinator (S25 batch). Before Alter, Dandamuraju was a Platform Lead at Goldman Sachs, where he scaled post-trade infrastructure and helped launch the GM Card. Dodhia was the technical co-founder of ComputeAI, where he built a compute engine 5x faster than EMR Spark and sold into regulated enterprises like the London Stock Exchange Group. ComputeAI was acquired by Terizza in 2025. Dodhia is a Carnegie Mellon graduate (2019). Their shared experience building mission-critical infrastructure at Goldman Sachs and for the London Stock Exchange informs Alter's approach: treat every AI agent interaction with the same rigor applied to financial transactions. ## What is Alter? Alter sits between AI agents and the tools they call, acting as an authentication and authorization layer. Every request is verified at the parameter level, authorized against granular policies, executed with least-privilege access, and fully audited in real time. The platform eliminates long-lived API keys — a common vulnerability in agent workflows — by issuing ephemeral, scope-narrowed tokens that expire in seconds. Agents receive only the minimum access needed for a specific task, and credentials are rotated or revoked automatically after use. Parameter-Level Authorization:::Every tool call is verified at the parameter level against RBAC and ABAC policies. Dangerous operations like DROP TABLE or payments above policy limits are blocked before reaching production systems. ||| Ephemeral Credentials:::Eliminates long-lived API keys by issuing scope-narrowed tokens that expire in seconds. Each agent interaction gets the minimum access needed, with automatic rotation and revocation. ||| Audit & Compliance:::CISO-ready dashboard with complete request/response logging. Designed to pass SOC 2, HIPAA, and GDPR audits with full visibility into every agent action. ## What are Alter's key features? | Feature | Details | | -------------- | -------------------------------------------------------------------------------------- | | Access Control | Fine-grained RBAC (Role-Based) and ABAC (Attribute-Based) policies | | Verification | Parameter-level checks on every tool call | | Credentials | Ephemeral, scope-narrowed tokens with seconds-lived expiration | | Blocking | Pre-execution blocking of dangerous opera [...truncated for length...] --- # Anchore URL: https://appsecsanta.com/anchore Description: Anchore Enterprise for 2026 — SBOM-first container SCA built on Syft + Grype. FedRAMP compliance automation, OSS + commercial tiers, multi-registry. Anchore is a container security company built around the principle that [SBOMs](/sca-tools/what-is-sbom) should be the foundation of software security. The company maintains two widely-used open-source tools -- Syft for SBOM generation and [Grype](/grype) for vulnerability scanning -- with over 50 million combined downloads across the ecosystem. Anchore Enterprise extends these with continuous monitoring, compliance automation, and policy enforcement. The push for SBOM adoption accelerated after [Executive Order 14028](https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity) mandated software bills of materials for federal suppliers. Where many SCA tools focus on developer workflows and fix PRs, Anchore targets organizations that need to prove compliance. Its pre-built policy packs for FedRAMP, NIST, and DISA standards, combined with air-gapped deployment support, make it a go-to choice for government agencies and regulated industries. ## What is Anchore? Anchore takes an SBOM-first approach to container security. Rather than scanning an image once and moving on, it generates a detailed SBOM, stores it centrally, and continuously matches it against updated vulnerability feeds. When a new CVE drops, Anchore knows immediately which images in your inventory are affected, without rescanning a single container. The platform spans two tiers: free open-source CLI tools for individual developers and CI pipelines, and a commercial enterprise platform for organizations that need dashboards, compliance, and governance. SBOM Lifecycle Management:::Generate SBOMs with Syft, store them centrally in Anchore Enterprise, and continuously monitor them against new vulnerability disclosures. No rescanning needed when new CVEs drop. ||| Compliance Automation:::Pre-built policy packs automate checks against FedRAMP, NIST 800-53 Rev 5, NIST 800-190, and DISA standards. Federal Edition deploys in IL2 through IL6 air-gapped environments. ||| Open-Source Foundation:::Syft (8,400+ GitHub stars) and Grype (11.5K GitHub stars) are free Apache 2.0 tools. Enterprise builds on them with governance, dashboards, and continuous monitoring. ## Open-source tools ### Syft: SBOM generation Syft is a CLI tool and Go library that generates Software Bills of Materials from container images, filesystems, and archives. It supports dozens of packaging ecosystems including Alpine, Debian, RPM, npm, pip, Maven, Go, Cargo, Composer, NuGet, and more. Output formats include CycloneDX, SPDX, Syft JSON, and GitHub's dependency snapshot format. Syft can also convert between SBOM formats, making it useful as a general-purpose SBOM utility. ```bash # Generate SBOM from container image syft alpine:latest -o cyclonedx-json > sbom.json # Generate SBOM from directory syft dir:/path/to/project -o spdx-json # Generate SBOM from archive syft docker-archive:image.tar # Convert SBOM format syft convert sbom.cdx.json -o spdx-json ``` ### Grype: vulnerability scanning [G [...truncated for length...] --- # Apiiro URL: https://appsecsanta.com/apiiro Description: Apiiro is an ASPM platform that uses Deep Code Analysis and a Risk Graph to prioritize real risk across code, infrastructure, and runtime — not just another scanner. Apiiro is an [ASPM](/aspm-tools) platform that uses Deep Code Analysis (DCA) and a proprietary Risk Graph to understand code behavior and prioritize risk from code to runtime. Unlike traditional SAST tools that scan for known vulnerability patterns in source code, Apiiro flags material changes that shift risk even when no scanner fires an alert — because it understands what the code does, not just what it looks like. Apiiro raised $135M in total funding, including a $100M Series B in 2022 led by General Catalyst. Customers include USAA, BlackRock, Shell, SoFi, Cloudera, and Equinix. ## What is Apiiro? Apiiro is a risk-based ASPM platform that sits on top of existing security scanners and uses code intelligence to separate real risk from noise. It splits the development lifecycle into three phases: Design:::Threat modeling and risk detection before coding starts. Contextual questionnaires replace manual security reviews. ||| Develop:::Secrets detection, open source security, API inventory, SAST, and sensitive data detection. All findings get Risk Graph context. ||| Deliver:::SCM and CI/CD pipeline protection with release risk assessment. Software supply chain security across the build process. Apiiro is tool-agnostic — it aggregates findings from whatever SAST, DAST, and SCA tools you already run, then layers Risk Graph context on top to determine which findings actually matter based on reachability, business criticality, and internet exposure. It does not replace your existing scanners; it makes them more useful. ## What are Apiiro's key features? ### Deep Code Analysis Deep Code Analysis builds an abstract representation of how code actually behaves, not just what it looks like syntactically. It traces data flows across function and service boundaries, spots business logic patterns (authentication, payment processing, PII handling), and flags behavioral changes even when the diff looks minor. Material Change Detection separates high-risk changes from routine refactoring. A rename that touches 200 files won't trigger the same response as a 3-line change to your authentication flow. Traditional SAST scans for known vulnerability patterns in source code. Apiiro's DCA understands code behavior and flags material changes that shift risk, even when no vulnerability pattern matches. A new API endpoint that exposes PII gets flagged based on what it does, not because it matches a regex. ### Risk Graph The Risk Graph is Apiiro's queryable knowledge graph that connects code, infrastructure, and people with business context. It ties together code (repositories, branches, commits, functions, data flows), infrastructure (build pipelines, deployment targets, runtime environments), and people (developers, reviewers, approvers) with business context like data sensitivity and internet exposure. You can query it in natural language: | Query | What it returns [...truncated for length...] --- # APIsec URL: https://appsecsanta.com/apisec Description: APIsec provides AI-driven API security testing trusted by Nike, Tesla, PayPal and 5,000+ organizations. Zero-touch deployment with business logic. APIsec is a cloud-based [API security tools](/api-security-tools) platform that uses AI to run continuous penetration tests against your APIs. It generates attack scenarios based on your API specification, then executes them against live endpoints to find vulnerabilities that static scanners miss. The platform sits inside the broader [API security testing approaches](/api-security-tools/api-security-testing-guide) landscape as an automated-pentest replacement, distinct from runtime-protection tools. APIsec is trusted by 5,000+ organizations. Customer logos on the APIsec website include Nike, FedEx, PayPal, Johnson & Johnson, McKesson, Home Depot, Bank of America, Tesla, Coca-Cola, and Cigna. APIsec claims 80% of Fortune 100 organizations use the platform. ## What is APIsec? APIsec provides automated API penetration testing through a cloud-delivered platform. You upload an API specification (OpenAPI, Swagger, Postman, or RAML), and the platform learns your API's behavior. It then generates and executes attack scenarios designed to find security weaknesses, including business logic flaws that generic scanners overlook. It operates in a zero-touch model. No agents, no code instrumentation, no direct network access to your infrastructure. Tests run from APIsec's cloud against your publicly accessible or staging endpoints. For internal APIs, APIsec offers hosted agents deployed via Docker containers that communicate with the control plane over SSL. APIsec focuses on business logic vulnerabilities — BOLA, broken access controls, workflow bypass — rather than just injection and authentication flaws. It builds context-aware attacks from your API specification instead of running generic test cases. ## What are APIsec's key features? | Feature | Details | | ---------------------- | -------------------------------------------- | | **Testing approach** | AI-generated attack scenarios from API specs | | **Protocols** | REST, GraphQL, SOAP, RAML | | **Spec formats** | OpenAPI/Swagger, Postman collections, RAML | | **Security playbooks** | 1,200+ pre-built playbooks | | **Compliance** | PCI DSS, HIPAA, GDPR, SOC 2, ISO 27001 | | **Deployment** | Cloud-native, hosted agents, on-premises | | **CI/CD** | 10 supported platforms | | **Issue trackers** | Jira, GitHub, Trello | AI-Driven Attack Generation:::Learns your API structure from specifications and observed traffic. Creates context-aware attacks based on endpoint relationships, auth patterns, and parameter types instead of running static test cases. ||| Business Logic Testing:::Tests for BOLA/IDOR, mass assignment, RBAC bypass, rate limiting abuse, and workflow bypass. These require understanding of how your API is supposed to work, which APIsec infers from your spec. ||| Continuous Monitoring:::Scheduled [...truncated for length...] --- # Apktool URL: https://appsecsanta.com/apktool Description: Apktool is a free, open-source Android APK reverse engineering tool. Decode resources, disassemble smali, and rebuild modified APKs. 24k+ GitHub stars. Apktool is a free, open-source reverse engineering tool that decodes Android APK resources to near-original form, disassembles DEX bytecode to smali, and rebuilds modified APKs. With over 24,100 GitHub stars, it is the most widely used tool for APK modification and repackaging. Originally created by Brut.all in 2010 and maintained by iBotPeaches since 2012, Apktool occupies a unique position in the Android [mobile security](/mobile-security-tools) toolkit: while tools like [Jadx](/jadx) decompile to readable Java, Apktool works at the resource and smali level. This makes it the go-to choice when you need to actually modify and repackage an APK — something no other mainstream tool can do. **GitHub:** [iBotPeaches/Apktool](https://github.com/iBotPeaches/Apktool) | **Stars:** 24k+ | **Latest Release:** v3.0.1 (February 2026) | **License:** Apache 2.0 The tool decodes Android resources (layouts, strings, drawables) back to near-original XML form and disassembles DEX bytecode into smali — a human-readable assembly language for the Dalvik virtual machine. After making changes, Apktool reassembles everything into a working APK that can be signed and installed. This decode-modify-rebuild cycle is Apktool's core workflow and the primary reason security researchers, pentesters, and developers rely on it. | Feature | Details | | ----------------- | ------------------------------------------------------------------------------ | | Core function | Decode, modify, and rebuild Android APK files | | Resource decoding | Binary XML to near-original readable XML (layouts, strings, styles, drawables) | | Bytecode handling | DEX disassembly to smali, reassembly back to DEX | | Resource compiler | aapt2 (v3.0+), replacing deprecated aapt1 | | API detection | Automatic baksmali API version detection (v3.0+) | | Manifest handling | Full AndroidManifest.xml decoding with permissions, components, intent filters | | Framework support | Install and manage device framework APKs for system app decoding | | Platforms | Windows, macOS, Linux (pre-installed on Kali Linux) | | Requirements | Java 8+ (JRE or JDK) | | License | Apache 2.0 (fully open source, no restrictions) | ## Overview Apktool reverse engineers APK files into their constituent parts. When you run `apktool d app.apk`, it extracts and decodes the AndroidManifest.xml, resource files, assets, and DEX bytecode into a project directory. Resources come out as readable XML rather than the binary format stored in the APK, and DEX files are disassembled into smali code. The main difference between Apktool and decompilers like [Jadx](/jadx) is the [...truncated for length...] --- # AppCheck URL: https://appsecsanta.com/appcheck Description: AppCheck review with pros and cons. Born from real pentest tools, with OSINT recon, browser-based crawling, and 100,000+ vulnerability checks. Worth it? AppCheck is a DAST platform that started life as an internal tool for penetration testers at SEC-1, now part of the Claranet Group. That origin shows in the product: it combines OSINT reconnaissance with browser-based crawling and dynamic fuzzing rather than relying on signature matching alone. The platform scans web applications, APIs, and infrastructure using browser-based crawling and OSINT reconnaissance. ISO 27001:2022 certified, based in the UK. ## What are AppCheck's key features? | Feature | Details | | ---------------------- | ------------------------------------------------------------------ | | Vulnerability coverage | 100,000+ known security flaws | | Crawling engine | Real browser rendering (handles SPAs, AJAX, WebSockets) | | OSINT recon | Subdomain enumeration, tech fingerprinting, cert transparency logs | | API testing | OpenAPI/Swagger, GraphQL, SOAP | | Custom workflows | GoScript Flows scripting language | | Vuln database | VulnFeed with hourly updates | | Detection methods | Dynamic fuzzing, out-of-band, IDOR detection | | Licensing | Unlimited scans and users per license | | Certifications | ISO 27001:2022 | I run authenticated dynamic scans against logged-in user sessions using GoScript Flows for the multi-step login. The platform does API security testing (black-box) against REST, GraphQL, and SOAP endpoints by ingesting OpenAPI/Swagger specs. SQL injection / XSS probing uses payload mutation across discovered parameters, and out-of-band detection catches blind variants that fail to surface in the HTTP response. Browser-Based Crawling:::Uses a real browser engine to render pages, execute JavaScript, and interact with SPAs built on React, Angular, or Vue. Finds endpoints that traditional HTTP-parsing crawlers miss entirely. ||| OSINT Reconnaissance:::Before active scanning starts, AppCheck gathers intelligence on the target: subdomain enumeration, technology stack fingerprinting, certificate transparency log analysis, and DNS record inspection. This widens the attack surface before a single probe is sent. ||| GoScript Flows:::A custom scripting language for modeling multi-step user journeys. Script login sequences, form submissions, and business logic workflows. The scanner follows these scripts during testing to reach areas behind authentication or complex navigation. ## VulnFeed Database AppCheck maintains its own vulnerability database, VulnFeed, updated hourly with newly published vulnerabilities. This means the scanner picks up new attack vectors faster than tools that rely on monthly or quarterly signature updates. I [...truncated for length...] --- # Appdome URL: https://appsecsanta.com/appdome Description: Appdome delivers 400+ no-code mobile defenses for Android & iOS apps. AI-native CI/CD integration, ONEShield RASP, ThreatScope analytics, and fraud. Appdome is a no-code [mobile application security](/mobile-security-tools) platform that protects Android and iOS apps without requiring developers to write code, integrate SDKs, or modify source. The platform uses patented Fusion technology to inject security, anti-fraud, anti-bot, and compliance protections directly into compiled app binaries through CI/CD pipelines. The company offers over 400 individual defenses across categories including app security, fraud prevention, malware detection, bot defense, and geo-compliance. Appdome positions itself as an AI-native platform and has gained significant enterprise adoption in financial services, gaming, streaming, and retail verticals. ## What is Appdome? Traditional mobile security tools require developers to integrate SDKs, write protection logic, and manage ongoing maintenance. Appdome takes a different approach. The platform works on the finished app binary, meaning protection can be added after development is complete and without touching source code. Development teams upload their APK, AAB, or IPA file, select the defenses they want through a web-based interface, and receive a protected build back. This entire process fits into existing CI/CD pipelines, so protected builds can ship automatically alongside regular releases. No-Code Fusion:::Patented technology injects protections into compiled app binaries. No SDK integration, no code changes, no specialized mobile security expertise required. ||| 400+ Defenses:::Covers app security, anti-fraud, anti-malware, anti-bot, anti-cheat, geo-compliance, and social engineering protection in a single platform. ||| AI-Native CI/CD:::Plugs directly into build pipelines to automate protection, certification, and deployment. Supports automated Certified Secure verification. ## What are Appdome's key features? ### ONEShield Mobile RASP ONEShield is Appdome's runtime application self-protection layer. It detects and responds to threats while the app is running on a user's device. The protection includes anti-tampering checks, anti-debugging measures, emulator detection, and defenses against hooking frameworks such as Frida, Xposed, and Magisk. Unlike RASP solutions that require SDK integration, ONEShield is applied through Appdome's no-code Fusion process. Protected apps gain runtime awareness without developers writing a single line of defense code. ### ThreatScope Threat Intelligence ThreatScope provides real-time visibility into the threats targeting your mobile apps in production. The dashboard monitors the active attack surface across devices, OS versions, geographies, and app releases, giving security teams data on what attacks are occurring and how defenses are performing. The platform includes a threat analytics engine for segmenting and analyzing fraud attempts, account takeover events, and cyberattacks by application, API, or attack type. ### Anti-Fraud and Bot Defense Beyond traditional app security, Appdome addresses fraud and bot [...truncated for length...] --- # AppKnox URL: https://appsecsanta.com/appknox Description: AppKnox mobile security testing trusted by 300+ enterprises including Samsung and Singapore Airlines. SAST, DAST, API testing plus expert pentesting. AppKnox is an enterprise mobile application security testing platform trusted by over 300 organizations, including Singapore Airlines, Samsung, and Paytm. Founded in 2014 in Bangalore, the platform combines automated scanning with manual penetration testing across Android and iOS applications. AppKnox evaluates mobile apps against 130+ security test cases covering static analysis, dynamic analysis, and API testing. ## What is AppKnox? AppKnox is a mobile application security testing (MAST) platform that bundles static analysis (SAST), dynamic analysis (DAST), and API testing into one product. The platform also offers manual penetration testing by security researchers for issues that automated tools can't catch. Organizations upload their Android APK/AAB or iOS IPA files through the web dashboard at secure.appknox.com. AppKnox then runs automated scans and delivers results with severity ratings, compliance mapping, and remediation guidance. The platform targets regulated industries — banking, healthcare, and enterprises with customer-facing mobile apps where security compliance is non-negotiable. AppKnox claims over 60 BFSI (banking, financial services, insurance) clients and 10+ Fortune 500 companies among its user base. AppKnox also offers Storeknox, a separate add-on that monitors app stores for unauthorized copies, trademark violations, and malicious clones of your applications. ## What are AppKnox's key features? | Feature | Details | | -------------------- | ------------------------------------------------------- | | Testing Types | SAST, DAST, API testing, manual penetration testing | | Test Coverage | 130+ security test cases | | Platforms | Android (APK, AAB), iOS (IPA) | | Frameworks | Java, Kotlin, Swift, Objective-C, Flutter, React Native | | Manual PT Turnaround | 3–5 business days | | Deployment | Cloud-based (SaaS) or on-premises | | Integrations | 20+ DevSecOps integrations | | Add-ons | Storeknox, Privacy Shield, SBOM | Automated Scanning:::SAST, DAST, and API tests run against 130+ security test cases. Upload your APK, AAB, or IPA and get results with severity ratings and remediation steps. ||| Manual Penetration Testing:::Certified security researchers investigate logic flaws, authentication bypasses, and business logic bugs that automated scanners miss. Reports arrive within 3–5 days. ||| Storeknox Monitoring:::Monitors Google Play and the App Store for unauthorized copies, repackaged apps with malware, and phishing apps impersonating your brand. ### API Security Testing AppKnox tests the backend APIs that mobile apps communicate with. This covers authentication checks, authorization validation, input sanitization, and dat [...truncated for length...] --- # AppTrana URL: https://appsecsanta.com/apptrana Description: AppTrana by Indusface combines DAST scanning, WAF, DDoS protection, and managed security in one platform. Protects 6,500+ customers across 95 countries. AppTrana is a fully managed Web Application and API Protection (WAAP) platform built by Indusface that combines [DAST scanning](/dast-tools), a web application firewall, DDoS protection, bot mitigation, and API security into a single subscription with 24/7 managed services included. Unlike standalone DAST scanners that only identify vulnerabilities, AppTrana closes the loop by automatically applying virtual patches through its managed WAF. ## Overview What sets AppTrana apart from most [DAST tools](/dast-tools) is that it does not stop at finding vulnerabilities. The platform ties scanning to real-time protection: when the built-in DAST scanner finds a vulnerability, the managed WAF can apply a virtual patch within hours, reducing the exposure window while your developers work on a permanent fix. Compared to standalone DAST scanners like [Acunetix](/acunetix) or [Invicti](/invicti), AppTrana eliminates the gap between detection and protection. AppTrana protects over 6,500 customers across 95 countries, with strong adoption in banking, insurance, financial services, and IT services sectors. ## Product Screenshots ![AppTrana WAAP dashboard showing protection status score, attack trends graph with 28.1K blocked attacks, vulnerability trends, traffic metrics, and suggested actions with SwyftComply button](/images/tools/apptrana/dashboard.webp) _AppTrana WAAP main dashboard — protection score, attack trends (DDoS + bot breakdown), vulnerability overview, traffic analytics, and actionable suggestions with SwyftComply integration. Source: [indusface.com](https://www.indusface.com/blog/apptrana-waap-dashboard/)_ ![AppTrana attack trends chart showing 2.86 million blocked attacks over a month with DDoS and bot traffic breakdown](/images/tools/apptrana/attack-trends.webp) _AppTrana attack trends — monthly view showing 2.86M blocked attacks with DDoS (84.73K) and bot (96.40K) traffic breakdown compared to the previous period. Source: [indusface.com](https://www.indusface.com/blog/apptrana-waap-dashboard/)_ ![AppTrana Groups & Assets page showing protection score, per-application protection levels, severity ratings, and recommended actions](/images/tools/apptrana/protection-status.webp) _AppTrana protection status — per-application view showing protection levels (fully protected, partially protected, unprotected), severity breakdown, and recommended actions for each asset. Source: [indusface.com](https://www.indusface.com/blog/apptrana-waap-dashboard/)_ ## What are AppTrana's key features? | Feature | Details | | ---------------------- | -------------------------------------------------------------------- | | DAST Scanner | OWASP Top 10, SANS 25, and zero-day vulnerability detection | | WAF | Fully managed with zero-false-positive guarantee | | DDoS Protection | Unmetered Layer 3-7 with behavioral AI analysis [...truncated for length...] --- # Aqua Security URL: https://appsecsanta.com/aqua-security Description: Aqua Security is the enterprise CNAPP behind Trivy (32k+ stars). Image scanning, runtime protection, Kubernetes security — agent-based and agentless. Aqua Security is an enterprise cloud native application protection platform (CNAPP) vendor that provides full-lifecycle security from code to cloud to runtime. The company is headquartered in Burlington, MA and Ramat Gan, Israel, and develops both commercial products and open-source tools that protect over 500 enterprise customers. Most people know Aqua as the company behind [Trivy](/trivy), the most-starred open-source security scanner on GitHub (32.2k stars). The commercial platform adds runtime protection, policy enforcement, and centralized management on top of what Trivy offers. ## What does Aqua Security do? Aqua Security spans the five CNAPP pillars in one console: container image scanning, cloud workload protection (CWPP), Kubernetes security posture management (KSPM), cloud security posture management (CSPM), and infrastructure-as-code scanning. Runtime protection ties them together with eBPF-based detection through the Tracee engine. It covers containers, Kubernetes, serverless functions, and cloud infrastructure across AWS, Azure, GCP, on-prem Kubernetes, OpenShift, ECS, AKS, EKS, and GKE. The platform protects workloads from build through production with both pre-deployment scanning and real-time runtime enforcement. There are two deployment modes. Agentless scanning covers cloud workloads and registry images by reading cloud APIs, with no software installed on hosts. Agent-based deployment runs as a Kubernetes DaemonSet and adds runtime protection with real-time enforcement, drift prevention, and behavioral monitoring. SaaS and self-hosted air-gapped deployments are both supported, which matters for regulated environments that cannot route security telemetry through a vendor cloud. Image & Code Scanning:::Scans container images, code repositories, and IaC templates for vulnerabilities, misconfigurations, and embedded secrets before deployment. ||| Runtime Protection:::Monitors running containers and Kubernetes workloads with eBPF-based detection (via Tracee), policy enforcement, and drift prevention. ||| Cloud Posture Management:::Assesses cloud infrastructure configurations across AWS, Azure, and GCP against security benchmarks and compliance frameworks. ## What open-source tools does Aqua Security maintain? Aqua runs a dedicated open-source team separate from commercial engineering. Four projects have significant community adoption, making Aqua one of the largest contributors to open-source cloud native security: | Project | GitHub Stars | Purpose | | --------------- | ------------ | --------------------------------------------------------------- | | [Trivy](/trivy) | 32.2k | Vulnerability scanner for containers, IaC, code, and Kubernetes | | kube-bench | 7.9k | CIS Kubernetes Benchmark compliance checks | | kube-hunter | 5k | Kubernetes cluster penetration testing | | Tracee [...truncated for length...] --- # Arize AI URL: https://appsecsanta.com/arize-ai Description: Arize AI provides AI observability via Phoenix (9k+ GitHub stars, open-source) and AX enterprise platform. OpenTelemetry-based LLM tracing and evaluation. Arize AI is an AI observability and LLM evaluation platform built on OpenTelemetry standards, offering vendor-agnostic tracing from development through production. The company provides Phoenix (open-source, 9.1k+ GitHub stars) for LLM tracing and evaluation, and AX for enterprise-scale AI monitoring. Arize processes 1 trillion spans and runs 50+ million evaluations monthly across customers including DoorDash, Instacart, Reddit, and Uber. It is listed in the [AI security](/ai-security-tools) category. The platform is used by organizations including DoorDash, Instacart, Reddit, Uber, Booking.com, Roblox, PagerDuty, Air Canada, Cohere, Conde Nast, Flipkart, TripAdvisor, Siemens, Microsoft, and Priceline to monitor and evaluate their AI applications. Arize's approach centers on open standards — OpenTelemetry for instrumentation, open-source evaluation models rather than proprietary black-box evaluators, and standard data formats that prevent vendor lock-in. ## What is Arize AI? Arize operates across two layers of the AI stack: development-time experimentation (Phoenix) and production-scale monitoring (AX). This split lets teams start with the free, open-source Phoenix for prototyping and evaluation, then move to AX when they need enterprise-grade scale and collaboration. OpenTelemetry is central to Arize's architecture. LLM application traces use the same standard as traditional application performance monitoring (APM), so AI observability plugs into existing DevOps infrastructure instead of requiring a separate monitoring stack. Phoenix (Open-Source):::Fully self-hostable AI observability with zero feature gates. LLM tracing, evaluation, experiment tracking, prompt management, and dataset versioning. 9.1k+ GitHub stars, runs locally, in Jupyter, Docker, or cloud. Elastic License 2.0. ||| Arize AX (Enterprise):::Production-scale AI monitoring with two editions: AX-Generative for LLM and generative AI, AX-ML & CV for traditional machine learning and computer vision. Built on adb, a purpose-built datastore for real-time ingestion and sub-second queries. ||| OpenTelemetry Native:::Vendor-agnostic instrumentation built on the OpenTelemetry standard. Traces export to any compatible backend, preventing lock-in. Same format as traditional APM, so AI observability integrates with existing DevOps tooling. ## What are Arize AI's key features? | Feature | Details | | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **LLM Tracing** | Full-flow logging of agent interactions, tool calls, retrieval steps, and configurations [...truncated for length...] --- # ArmorCode URL: https://appsecsanta.com/armorcode Description: ArmorCode is an AI-powered ASPM platform with 320+ integrations, named a Leader in IDC MarketScape ASPM 2025. Review covers Anya AI, correlation, alternatives. ArmorCode is an AI-powered [ASPM](/aspm-tools) platform that ingests findings from 320+ security tools and correlates them into one prioritized backlog. The platform has processed over 40 billion findings and was named a Leader in the IDC MarketScape: Worldwide ASPM 2025 Vendor Assessment. Founded in 2020 and headquartered in Palo Alto, California, it supports security teams managing vulnerabilities across application, cloud, and infrastructure tooling. Founded in 2020 and headquartered in Palo Alto, California, ArmorCode was named a Leader in the IDC MarketScape: Worldwide ASPM 2025 Vendor Assessment released in September 2025. Public customers include Shutterfly, Johnson Controls, NetApp, Athena Health, S&P Global, and The Motley Fool. **Notable results:** Shutterfly reduced vulnerability remediation from 240 days to 7 days. NetApp consolidated findings from 30+ security tools into a single prioritized view. - **Category:** Application Security Posture Management (ASPM) - **Founded:** 2020 - **Headquarters:** Palo Alto, California - **CEO & co-founder:** Nikhil Gupta - **Funding:** $81M total across seed ($11M), Series A ($14M, Nov 2022), Series B ($40M, Dec 2023), and strategic round ($16M, March 2026) - **Named customers:** Shutterfly, NetApp, Johnson Controls, Athena Health, S&P Global, The Motley Fool - **Target buyer:** Fortune 1000 CISOs and AppSec leaders with multi-vendor scanner sprawl - **Analyst recognition:** Leader, IDC MarketScape for ASPM (September 2025) ## What is ArmorCode? ArmorCode is an AI-powered ASPM platform that consolidates findings from the scanners a security team already owns. It does not scan source code itself. It sits downstream of SAST, DAST, SCA, CSPM, and container tools and turns their output into one prioritized backlog. The platform solves three problems in that order: Unify:::Ingests findings from 320+ security scanners across SAST, DAST, SCA, CSPM, containers, IaC, and infrastructure. One platform, one taxonomy, one view. ||| Prioritize:::AI correlation engine identifies relationships between findings from different tools. A code vulnerability, a cloud misconfiguration, and an exposed API might all connect to the same underlying risk. ||| Remediate:::Automated workflows route prioritized findings to the right teams with full context. Shutterfly cut mean remediation time from 240 days to 7 days using this flow. The core problem ArmorCode solves is tool sprawl. Organizations running dozens of security scanners end up with millions of findings, many overlapping and most missing business context. ArmorCode deduplicates, correlates, and ranks them so teams can focus on what actually matters. ## What are ArmorCode's key features? ### AI correlation engine The correlation engine goes past simple deduplication. It uses machine learning to spot relationships between findings across different tools and asset types. A SQL injection in application code, a misconfigured database in your cloud environment, [...truncated for length...] --- # Arnica URL: https://appsecsanta.com/arnica Description: Arnica provides instant SCA without CI/CD changes via GitHub App, featuring package reputation scoring and developer risk profiling. Arnica is a pipelineless [SCA platform](/sca-tools) that delivers security scanning without CI/CD pipeline integration. Install it as a GitHub or GitLab app and it continuously monitors repositories for vulnerable dependencies, hardcoded secrets, and developer risk patterns. With the [Sonatype 2026 State of the Software Supply Chain report](https://www.sonatype.com/state-of-the-software-supply-chain/introduction) framing open-source malware as "a nation-state business model," Arnica's package reputation scoring adds a layer of defense that CVE databases alone cannot provide. Arnica's package reputation scoring evaluates dependencies beyond CVE databases, factoring in maintainer trustworthiness, download patterns, and community signals. Reachability analysis then filters out vulnerabilities in code paths your application never calls. ## What is Arnica? Traditional SCA tools require pipeline integration, adding complexity and slowing builds. Arnica operates at the repository level instead. Once installed as a GitHub App or GitLab integration, it scans continuously in the background with results appearing directly in pull requests. Pipelineless Architecture:::Connects to GitHub, GitLab, Bitbucket, or Azure DevOps as a native app. No pipeline YAML changes, no build slowdowns. Scanning happens continuously in the background. ||| Package Reputation:::Evaluates package trustworthiness based on maintainer reputation, account age, download velocity, and community signals. Flags risky dependencies before CVEs exist. ||| Developer Risk Profiling:::Analyzes developer behavior patterns including commit frequency, code ownership, and security violation history. Identifies where training or additional review is needed. ## What are Arnica's key features? ### Supported platforms and ecosystems | Category | Coverage | |----------|----------| | SCM platforms | GitHub, GitLab, Bitbucket, Azure DevOps | | JavaScript | npm, yarn, pnpm | | Python | pip, Poetry | | Java | Maven, Gradle | | Go | Go modules | | .NET | NuGet | | Ruby | Bundler | | Containers | Docker images | ### Pipelineless architecture Arnica connects to your SCM as a native app. No CI/CD changes, no pipeline modifications, no build slowdowns. Results appear in pull requests and the Arnica dashboard. ### Package reputation scoring Beyond CVE scanning, Arnica evaluates packages based on maintainer reputation, account age, download velocity, dependency patterns, and community engagement. New packages from unknown maintainers get lower scores, flagging supply chain risks before any vulnerability is disclosed. ### Reachability analysis Arnica traces code paths to determine whether vulnerable functions are reachable from your application entry points. A vulnerable function buried in dead code scores lower than one called directly from your API handlers. ### Hardcoded secrets detection Scans for API keys, credentials, tokens, and other secrets committed to repositories. Covers AWS keys, datab [...truncated for length...] --- # Adversarial Robustness Toolbox (ART) URL: https://appsecsanta.com/art Description: Adversarial Robustness Toolbox (ART) is IBM's open-source Python library for ML security with 55+ attack methods and 30+ defenses. LF AI graduated project. Adversarial Robustness Toolbox (ART) is an open-source Python library from IBM Research for testing and improving the security of machine learning models against adversarial attacks. ART implements 55+ attack methods and 30+ defense mechanisms across four threat categories: evasion, poisoning, extraction, and inference. It has 5,900+ GitHub stars and is listed in the [AI security](/ai-security-tools) category. IBM started the project in 2018 and donated it to the Linux Foundation AI & Data Foundation (LF AI & Data), where it became a graduated project — the highest maturity level in the foundation. The current version is 1.20.1, released in July 2025. ART is different from most [AI security tools](/ai-security-tools) because it focuses on traditional ML model robustness rather than LLM-specific threats. If you work with image classifiers, object detectors, speech recognition models, or tabular ML pipelines, ART is the go-to library for testing adversarial resilience. ## Overview ART addresses four categories of adversarial threats against machine learning systems: - **Evasion** — Modifying inputs at inference time to cause misclassification (adversarial examples) - **Poisoning** — Manipulating training data to compromise model behavior - **Extraction** — Stealing a model's functionality through queries - **Inference** — Attacking the privacy of training data (membership inference, model inversion) The library implements 55+ attack methods and 30+ defense mechanisms across these categories. I reviewed ART's documented behavior with PyTorch image classifiers, and the API is consistent regardless of which framework or attack type you use — you wrap your model, pick an attack or defense, and run it. ART supports all popular ML frameworks: TensorFlow, Keras, PyTorch, scikit-learn, XGBoost, LightGBM, CatBoost, and GPy. It handles images, tabular data, audio, and video inputs, covering tasks from classification and object detection to speech recognition and generative models. 55+ Attack Methods:::Implements FGSM, PGD, C&W, DeepFool, AutoAttack for evasion; backdoor and clean-label for poisoning; CopycatCNN and KnockoffNets for extraction; membership and attribute inference for privacy attacks. ||| 30+ Defense Mechanisms:::Preprocessors (spatial smoothing, JPEG compression, feature squeezing), postprocessors, adversarial training, certified defenses (randomized smoothing), and detection methods. ||| Multi-Framework Support:::Works with TensorFlow, Keras, PyTorch, scikit-learn, XGBoost, LightGBM, CatBoost, and GPy. BlackBoxClassifier wrapper for prediction-API-only access. ## What are Adversarial Robustness Toolbox (ART)'s key features? | Feature | Details | | ----------------- | ------------------------------------------------------------------------------- | | Current version | 1.20.1 (July 2025) | [...truncated for length...] --- # Arthur AI URL: https://appsecsanta.com/arthur-ai Description: Arthur AI provides model monitoring, bias detection, explainability, and LLM guardrails across tabular, NLP, CV, and LLM models. Open-source engine available. Arthur AI is an [AI security](/ai-security-tools) platform for model monitoring, observability, bias detection, and governance across LLMs, tabular, NLP, and computer vision models. It combines runtime monitoring with an LLM firewall and open-source evaluation tools. Founded in 2018 in New York City by Adam Wenchel (CEO), Liz O'Sullivan, Priscilla Alexander, and John Dickerson, Arthur has raised $63 million across funding rounds, including a $42 million Series B in September 2022 led by Acrew Capital and Greycroft with participation from Index Ventures and Work-Bench. In December 2025, Arthur launched its [Agent Discovery & Governance](/ai-security-tools/llm-red-teaming) (ADG) platform, positioning itself as the first end-to-end product for managing agentic AI in production — discovery, monitoring, and policy enforcement in one console. ## What is Arthur AI? Arthur operates across three layers of the AI stack: observability (monitoring deployed models), security (firewalling LLM interactions), and governance (evaluating and auditing AI systems). This breadth distinguishes it from tools that focus solely on prompt injection or runtime defense. The observability layer continuously monitors deployed models for performance degradation, data drift, bias, and anomalies. The security layer — Arthur Shield — acts as a firewall between applications and LLMs, detecting threats like prompt injection and PII leakage in real time. The governance layer includes evaluation tools (Arthur Bench) and the Agent Discovery & Governance platform for managing agentic AI deployments. Model Observability:::Continuous monitoring of deployed AI models across LLMs, tabular, NLP, and computer vision. Tracks performance metrics, detects data drift, and alerts on degradation before it impacts business outcomes. ||| Bias Detection & Fairness:::Active probing compares outcomes between subgroups to detect bias, even when group identity is not a model input. Set custom fairness thresholds and receive instant notifications when models drift from acceptable fairness ranges. ||| Arthur Shield (LLM Firewall):::Real-time firewall for LLM applications that detects PII leakage, hallucinations, prompt injection, and toxic language through configurable rules. Deploys as SaaS or on-premises between your application and LLM endpoint. ## What are Arthur AI's key features? | Feature | Details | | ------------------ | ------------------------------------------------------------------------ | | Model Monitoring | Performance, accuracy, data drift, anomaly detection | | Model Types | LLMs, tabular, NLP, computer vision | | Bias Detection | Active probing across subgroups with configurable fairness thresholds | | Explainability | LIME (image, text) and SHAP (tabular) algorithms | | LLM Firewall | Arthur Shiel [...truncated for length...] --- # Astra Security URL: https://appsecsanta.com/astra-security Description: Honest Astra Security review. 9,300+ automated tests plus managed pentesting with a verifiable certificate. Compared against Burp Suite, Acunetix, and Intruder. Astra Security combines automated DAST scanning with a managed penetration testing service on the same platform. The scanner runs 9,300+ security tests against web applications and 10,000+ authenticated attack cases against APIs. What sets Astra apart from pure DAST tools is the human layer. On the Pentest Plan, certified pentesters manually review findings, verify vulnerabilities, and ship a publicly verifiable security certificate. ## What are Astra Security's key features? | Feature | Details | |---------|---------| | Automated tests | 9,300+ security checks | | API attack cases | 10,000+ authenticated scenarios | | Manual review | Included on the Pentest Plan | | Compliance | ISO 27001, HIPAA, SOC 2, GDPR, PCI DSS mapping | | Certification | Publicly verifiable security certificate on Pentest Plan | | Resolution Center | Track and manage remediation in-platform | | Risk scoring | Per-vulnerability and aggregate risk scores | | CI/CD | Pipeline integration for automated scans on deploy | Automated DAST Scanner:::Runs 9,300+ security tests covering OWASP Top 10, SANS 25, injection flaws, authentication issues, and misconfigurations. Setup is three steps: add target URL, configure authentication, pick your tech stack. ||| Managed Pentest Services:::Certified pentesters manually review your application on the Pentest Plan. They chase business logic flaws, chained attacks, and authorization issues that automation misses. The engagement ends with remediation re-tests and a verifiable certificate. ||| API Security Testing:::10,000+ authenticated attack cases covering REST API vulnerabilities, broken authentication, parameter tampering, and broken access control. ||| Resolution Center:::Built-in remediation tracking. Each finding gets severity, reproduction steps, and fix guidance. Assign issues to developers and track progress without leaving the platform. ## Scan Configuration Setting up a scan takes three steps: 1. **Add your target URL** and verify domain ownership 2. **Configure authentication** so the scanner can reach protected areas of your application 3. **Select your technology stack** (framework, language, CMS) for more targeted test selection Most [DAST tools](/dast-tools) are either fully automated or fully manual. Astra sits in between. The automated scanner handles volume and coverage. Human pentesters handle business logic, complex attack chains, and edge cases that automation misses. ## Compliance and Certification As recommended by [NIST SP 800-53](https://csf.tools/reference/nist-sp-800-53/) controls for system and information integrity, regular dynamic testing helps maintain a strong security posture. Astra maps scan findings to compliance frameworks: - ISO 27001 - HIPAA - SOC 2 - GDPR - PCI DSS The Pentest Plan includes a publicly verifiable security certificate. Each certificate carries a unique URL that auditors, clients, or partners can check independently. This matters for teams selling into regulated industries [...truncated for length...] --- # Augustus URL: https://appsecsanta.com/augustus Description: Augustus is Praetorian's open-source LLM vulnerability scanner with 210+ adversarial probes across 47 attack categories. Single Go binary, 28 providers, Apache 2.0. Augustus is an open-source LLM vulnerability scanner built in Go by Praetorian that tests large language models against 210+ adversarial probes across 47 attack categories, including jailbreaks, prompt injection, data extraction, and RAG poisoning. It ships as a single binary with zero runtime dependencies and connects to 28 LLM providers out of the box. It is listed in the [AI security](/ai-security-tools) category. [OWASP ranks prompt injection](/ai-security-tools/prompt-injection-guide) as the number one security risk in LLM applications, yet most organizations deploy LLMs into production with minimal adversarial testing. Augustus addresses this gap with a production-grade scanning framework that goes beyond research-oriented tools to deliver concurrent scanning, rate limiting, retry logic, and actionable vulnerability reports. The scanner is part of Praetorian's "The 12 Caesars" open-source security release campaign and is licensed under Apache 2.0. ## What is Augustus? Augustus operates through a five-stage pipeline: probe selection defines adversarial inputs, buff transformations apply optional evasion layers, generators send requests to target LLMs, detectors analyze responses, and a scoring engine records findings. This modular architecture lets security teams mix and match probes, transformations, and detectors to build custom scan profiles. Unlike research-focused tools that prioritize breadth of academic coverage, Augustus targets production security testing. It handles concurrency through Go goroutine pools, includes built-in rate limiting to avoid API quota exhaustion, and supports proxy integration with tools like Burp Suite for interception and analysis. 210+ Adversarial Probes:::Covers 47 attack categories including jailbreaks (DAN, AIM, ArtPrompt), prompt injection (encoding, tag smuggling), multi-turn attacks (Crescendo, GOAT, Hydra), data extraction, RAG poisoning, and format exploits. ||| 28 LLM Providers:::Connects to OpenAI, Anthropic, Azure, Bedrock, Vertex AI, Cohere, Replicate, HuggingFace, Together AI, Groq, Mistral, NVIDIA NIM, Ollama, and any OpenAI-compatible REST endpoint. ||| Single Go Binary:::Zero runtime dependencies — just download and run. Built-in concurrent scanning, rate limiting, retry logic, and timeout handling for production environments. ## What are Augustus's key features? | Feature | Details | | ------------------------ | ----------------------------------------------------------------------------------------------------------- | | **Probe Coverage** | 210+ probes across 47 attack categories | | **Providers** | 28 provider categories, 43 generator variants | | **Detectors** | 90+ detection mechanisms (pattern matching, LLM- [...truncated for length...] --- # Bandit URL: https://appsecsanta.com/bandit Description: Is Bandit enough for Python security? I reviewed its 47 checks against documented vulnerability classes — injection, XSS, crypto flaws, plus setup tips. Bandit is a free, open-source [SAST](/sast-tools) tool built specifically for Python. Maintained by the Python Code Quality Authority (PyCQA), it scans Python source code for common security issues using Abstract Syntax Tree analysis. The project has over 7,900 GitHub stars, 151 contributors, and is used by 59,500+ repositories on GitHub. Sponsored by Mercedes-Benz, Tidelift, and Stacklok, Bandit originally grew out of the OpenStack Security Project before moving to PyCQA. Bandit is the kind of scanner Python teams typically wire into pre-commit hooks rather than a heavy dashboard. The rule set is narrow enough that false positives stay manageable, the output is readable in a terminal, and the scan runs fast enough that developers do not fight it. It is not a full SAST — Bandit catches patterns like hardcoded passwords, weak cryptography, and shell injection, but misses taint-flow bugs that a tool like Semgrep or CodeQL finds. ## What is Bandit? Bandit parses Python files into Abstract Syntax Trees and runs security-focused plugins against the AST nodes. It ships with 47 built-in checks organized into 7 categories: injection, cryptography, XSS, framework misconfiguration, hardcoded credentials, and more. Unlike multi-language SAST tools, Bandit does one thing: Python security analysis. According to the Python Packaging Authority (PyPA), Bandit is one of the recommended security tools in the Python ecosystem. Its checks are written for Python idioms and common mistake patterns, not adapted from generic rules. Bandit 1.9.3 (January 2026) supports Python 3.10–3.14. 47 Security Checks:::Built-in plugins across 7 categories — injection, cryptography, XSS, framework misconfiguration, and more. Each check targets a specific Python security anti-pattern. ||| AST-Based Analysis:::Parses source code into Abstract Syntax Trees rather than using regex matching. Detects security patterns regardless of formatting or variable naming. ||| 9 Output Formats:::Screen, JSON, SARIF, HTML, XML, YAML, CSV, text, and custom formatters. SARIF output plugs directly into GitHub code scanning. ## What are Bandit's key features? ### Security check categories Bandit organizes its 47 plugins into 7 ID ranges: | Category | Checks | |----------|--------| | B1xx — Miscellaneous | `assert_used`, `exec_used`, `hardcoded_password_string`, `hardcoded_tmp_directory`, `request_without_timeout`, and 9 more | | B2xx — Framework misconfiguration | `flask_debug_true`, `tarfile_unsafe_members` | | B3xx — Blacklist calls | Dangerous function calls like unsafe XML parsing | | B4xx — Blacklist imports | Imports of known-vulnerable modules | | B5xx — Cryptography | `ssl_with_bad_version`, `weak_cryptographic_key`, `yaml_load`, `snmp_insecure_version`, and 5 more | | B6xx — Injection | `subprocess_popen_with_shell_equals_true`, `hardcoded_sql_expressions`, `django_extra_used`, `trojansource`, and 9 more | | B7xx — XSS | `jinja2_autoescape_false`, `use_of_mako_templates`, `django_mark_ [...truncated for length...] --- # Beagle Security URL: https://appsecsanta.com/beagle-security Description: Honest review of Beagle Security's AI trained on 350,000+ pentest workflows. Pros, cons, and how it compares to Burp Suite, Acunetix, and other DAST tools. Beagle Security is an AI-powered pentesting platform trained on over 350,000 penetration test workflows. It scans web applications, REST APIs, and GraphQL endpoints for vulnerabilities, with a focus on making the results usable by teams without deep security expertise. Used by over 1,800 dev and security teams. ISO 27001 certified. 4.7/5 rating across 200+ reviews. ## What are Beagle Security's key features? | Feature | Details | | ------------------------ | ------------------------------------------ | | AI training data | 350,000+ penetration test workflows | | Testing scope | Web apps, REST APIs, GraphQL, WordPress | | Private scanning | Cosmog tunnel for internal applications | | False positive reduction | AI-based validation against known patterns | | Results turnaround | 48-72 hours | | Free trial | 14 days, no credit card required | | Certifications | ISO 27001 | | User base | 1,800+ dev and security teams | I run authenticated dynamic scans against logged-in user sessions, with login flows recorded so the scanner can replay them. The platform does API security testing (black-box) against REST and GraphQL endpoints by ingesting Postman collections or OpenAPI specs. SQL injection / XSS probing fires against discovered parameters, and the agentic AI prioritizes payload mutation paths based on what the application reveals during reconnaissance. Agentic AI Pentesting:::The AI is trained on real penetration test workflows, not just vulnerability signatures. It learns how human pentesters approach different application types and applies those patterns during automated scanning. This includes recording business logic for custom AI training. ||| Private Tunnel Scanning (Cosmog):::Scan internal applications that are not publicly accessible. Cosmog creates a secure tunnel between Beagle's cloud infrastructure and your internal network, so staging and development environments get the same testing as production. ||| API and GraphQL Testing:::Import Postman collections or API specifications to define the attack surface. The scanner tests REST endpoints and GraphQL queries for authentication flaws, injection, and access control issues. ||| WordPress Security:::Dedicated WordPress testing module that checks for plugin vulnerabilities, theme security issues, and WordPress-specific misconfigurations. Useful for agencies managing multiple WordPress sites. ## How the AI Works Beagle's approach differs from traditional DAST tools that rely on predefined attack signatures. According to the [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/), effective dynamic testing requires adapting to each application's behavior rather than replaying fixed payloads. The AI model learned from 350,000+ pentest workflows, [...truncated for length...] --- # Betterleaks URL: https://appsecsanta.com/betterleaks Description: Betterleaks is an open-source secrets scanner by Gitleaks creator Zachary Rice. Token efficiency filtering, live CEL validation, drop-in Gitleaks replacement. Betterleaks is an open-source secrets scanner built by Zachary Rice, the original creator of [Gitleaks](/gitleaks) (25,000+ GitHub stars). It detects and validates hardcoded credentials in git repositories, directories, and archives using BPE tokenization instead of entropy-based filtering, achieving 98.6% recall on the CredData benchmark compared to 70.4% with traditional entropy detection. Rice is currently Head of Secrets Scanning at Aikido Security. The project was created on February 3, 2026 and reached v1.1.1 by March 17, 2026. It is written in Go, licensed under MIT, and designed as a drop-in replacement for Gitleaks with backwards-compatible configuration files and CLI flags. ## What is Betterleaks? Betterleaks is a free, open-source secrets detection tool that scans git repositories, directories, stdin, and compressed archives for hardcoded credentials such as API keys, tokens, and passwords. It replaces Shannon entropy with BPE (Byte Pair Encoding) tokenization using the cl100k_base model to determine whether a string is likely a real secret. On the CredData benchmark, this approach achieves 98.6% recall versus 70.4% for entropy-based scanning. Betterleaks is licensed under MIT and can be installed via Homebrew, Docker, DNF, or built from source. ## Why secret detection matters Hardcoded credentials in source code are one of the most common — and most damaging — failure modes I see in application security. GitGuardian's State of Secrets Sprawl reports have tracked tens of millions of new secrets leaked to public GitHub each year, and once a credential lands in a repository it tends to stay reachable in commit history long after rotation. The cost shows up two ways. First, attackers actively scrape public commits for valid keys — AWS, Stripe, OpenAI, internal SSO tokens — and exploit them within minutes. Second, pre-commit and pre-push secret scanners reduce that exposure window only when the false-positive rate is low enough that developers stop ignoring the noise. That is the gap a Gitleaks-style tool tries to close, and the gap Betterleaks tries to close better. Token efficiency filtering cuts entropy false positives, and the CEL-driven validation step distinguishes a string that looks like a key from a credential that is still live against the issuing API. Both moves push the scanner toward the regime where developers actually act on findings instead of muting the rule. ## How does Betterleaks improve on Gitleaks? Betterleaks targets the same problem as Gitleaks -- finding hardcoded secrets in git repositories -- but improves detection accuracy, validation capability, and scanning speed. The core difference is the detection engine. Gitleaks relies on Shannon entropy to distinguish random strings from real secrets. Betterleaks uses BPE tokenization with the cl100k_base model (the same tokenizer GPT-4 uses). On the CredData benchmark, Betterleaks hits 98.6% recall compared to Gitleaks' 70.4% with entropy-based filtering. O [...truncated for length...] --- # Black Duck Web Scanner URL: https://appsecsanta.com/blackduck-web-scanner Description: Independent Black Duck Web Scanner review. Proof-based vulnerability verification on the Polaris Platform. Two decades of enterprise deployments. Honest pros and cons. Black Duck Web Scanner (formerly Synopsys Web Scanner) is an enterprise DAST tool that runs on the Polaris Software Integrity Platform. It tests running web applications and APIs for security vulnerabilities using a headless browser engine and proof-based verification. The scanner is part of Black Duck's larger security portfolio, which includes Coverity (SAST), Black Duck SCA, and Seeker (IAST). Over 4,000 organizations use Black Duck products. Synopsys divested its Software Integrity Group to Clearlake Capital and Francisco Partners in 2024. The products now operate under the Black Duck Software brand. ## What is Black Duck Web Scanner? Black Duck Web Scanner performs automated security testing against live or staging web applications. It crawls applications using a headless browser that executes JavaScript, handles SPAs, and intercepts AJAX calls. Then it fires attack payloads and checks responses for vulnerabilities. What sets it apart from many [DAST tools](/dast-tools) is proof-based verification. When the scanner finds a potential flaw, it attempts to confirm the vulnerability is real and exploitable. This cuts down false positives and gives development teams concrete evidence of the issue. The Verizon 2024 Data Breach Investigations Report found that web application attacks remain one of the top breach vectors, making proof-based verification a practical way to focus remediation on confirmed, exploitable risks. The scanner plugs into the Polaris platform alongside Coverity (SAST) and Black Duck SCA. Findings from all three testing methods appear in a single dashboard, letting security teams see whether a code-level flaw identified by SAST is also exploitable at runtime. | Feature | Details | | ------------------ | ------------------------------------------------ | | Platform | Polaris Software Integrity Platform | | Deployment | Cloud (SaaS) and on-premises | | Detection approach | DAST with proof-based verification | | Browser engine | Headless browser with full JavaScript execution | | API testing | REST, GraphQL, OpenAPI/Swagger import | | Authentication | Form-based, OAuth, SSO, custom auth | | Integration | SAST + SCA + DAST correlation on Polaris | | CI/CD | GitHub Actions, GitLab CI, Azure DevOps, Jenkins | | Compliance | OWASP Top 10 mapping, audit-ready reports | ## What are Black Duck Web Scanner's key features? I run authenticated dynamic scans against logged-in user sessions, with form-based, OAuth, SSO, or custom auth profiles handling the multi-step login. The scanner does API security testing (black-box) against REST and GraphQL endpoints by ingesting OpenAPI/Swagger specs. SQL injection / XSS probing fires payload mutation across discovered parameters in error-based, blind, and time-based variants, and proof-based [...truncated for length...] --- # Black Duck URL: https://appsecsanta.com/blackduck Description: Black Duck 2026 review: BDSA advisory feed, binary analysis (BDBA), SBOM generation, and license obligation engine for enterprise SCA at scale. Black Duck Software is an enterprise [software composition analysis (SCA) platform](/sca-tools) for managing open-source security, license compliance, and code quality risks. As of April 2026, it operates as an independent company after the Synopsys Software Integrity Group spinoff on October 1, 2024. The platform scans source code, binaries, and containers to identify open-source components, map known vulnerabilities, and flag license obligations. Thousands of organizations use it, mostly in regulated industries that need auditable SBOMs and license compliance reporting. The Black Duck KnowledgeBase indexes over 10 million open-source projects and 8.7 million unique components from more than 57,700 forges and repositories. Proprietary Black Duck Security Advisories (BDSAs) add vulnerability intelligence that goes beyond public databases like the NVD. Companies in healthcare, finance, and defense use it for [SBOM generation](/sca-tools/what-is-sbom) and [license compliance](/sca-tools/open-source-license-compliance). The Synopsys 2024 OSSRA report found that 53% of audited codebases contained license conflicts, which is the kind of number that keeps Black Duck on enterprise shortlists. - **Category:** Software Composition Analysis (SCA) / license compliance - **Owner:** Independent company since October 1, 2024; majority-owned by Clearlake Capital and Francisco Partners (formerly Synopsys Software Integrity Group) - **CEO:** Jason Schmitt - **Headquarters:** Burlington, Massachusetts - **Main products:** Black Duck SCA (self-hosted) and Black Duck Polaris Platform (SaaS) - **Target customers:** Regulated enterprises, M&A due diligence, commercial software vendors - **Free tier:** None (commercial only) ## What is Black Duck? Black Duck is a commercial software composition analysis (SCA) platform that scans source code, binaries, and containers to inventory open-source components, map them to known vulnerabilities, and track license obligations. Black Duck Software has operated the platform as an independent company since its October 1, 2024 spinoff from Synopsys. Each component is then checked against vulnerability databases and the organization's policy rules for acceptable licenses. SBOM Generation:::Generates SBOMs in SPDX, CycloneDX, and custom formats. Tracks component versions, transitive dependencies, and maintains historical snapshots for audit trails and supply chain transparency. ||| Vulnerability Intelligence:::Black Duck Security Advisories (BDSAs) provide earlier warnings and more actionable guidance than NVD entries alone. Includes exploitability analysis and upgrade guidance. ||| License Compliance:::Identifies all license types across your portfolio. Flags conflicts like GPL in proprietary code, generates attribution reports, and enforces custom policies. ## What are Black Duck's key features? ### Supported ecosystems | Ecosystem | Package managers | |-----------|-----------------| | Java | Maven, Gradle, Ant, sbt | | [...truncated for length...] --- # Brakeman URL: https://appsecsanta.com/brakeman Description: Brakeman is a SAST tool for Ruby on Rails, free for non-commercial use. Deep Rails framework awareness with XSS, SQLi, and CSRF detection. No setup required. Brakeman is a [SAST](/sast-tools) tool built for Ruby on Rails applications, free for non-commercial use under the Brakeman Public Use License. It scans Rails source code for 33 types of security vulnerabilities without ever running the application. With 7,200+ GitHub stars, 154 contributors, and 54,100+ projects depending on it, Brakeman is the standard security scanner for the Rails ecosystem. OWASP lists Brakeman among its recommended [Source Code Analysis Tools](https://owasp.org/www-community/Source_Code_Analysis_Tools) for Ruby on Rails. Organizations using it include Code Climate, GitHub, Groupon, New Relic, and Twitter. The latest release is v8.0.2 (February 2026). ## What is Brakeman? Brakeman performs static analysis on Ruby on Rails source code. You point it at a Rails app directory and it parses models, controllers, views, routes, and configuration files looking for security issues. It doesn't need a running server or database, and you don't have to install application dependencies first. It understands Rails conventions, so it can trace data from params through controllers into views and detect when user input reaches a dangerous method without sanitization. 33 Warning Types:::Covers SQL injection, XSS, command injection, CSRF, mass assignment, path traversal, unsafe deserialization, remote code execution, and 25 more Rails-specific security checks. ||| Zero Configuration:::Run `brakeman` in your Rails app directory and get results. No config files, no setup, no dependencies beyond the gem itself. Supports Rails 2.3.x through 8.x. ||| 11 Output Formats:::Text, HTML, JSON, SARIF, JUnit, Markdown, CSV, tabs, CodeClimate, GitHub, and Sonar. Generate multiple reports from a single scan with `-o report.html -o report.json`. ## What are Brakeman's key features? ### Security checks Brakeman detects 33 categories of security vulnerabilities, all specific to Rails patterns: | Category | Checks | |----------|--------| | Injection | SQL injection, command injection, remote code execution, dangerous eval, YAML deserialization | | Cross-site scripting | Standard XSS, content_tag XSS, JSON response XSS | | Access control | CSRF protection gaps, mass assignment, unscoped finds, unsafe redirects | | Cryptography | SSL verification bypass, weak hashing algorithms | | Data exposure | Information disclosure, path traversal, file access issues | | Configuration | Default routes, session settings, basic authentication weaknesses | | Dependencies | Unmaintained gems with known vulnerabilities | ### How the engine works Brakeman performs taint analysis on proprietary code: it tracks user-supplied input from `params`, headers, and cookies through controllers, models, and views, and flags every dangerous sink it reaches. Because the analyzer follows controller-to-model-to-view paths, it does cross-file dataflow in source code rather than the single-file pattern matching that simpler linters use. On top of dataflow, Brakeman runs rule-based patte [...truncated for length...] --- # Bright Security URL: https://appsecsanta.com/bright-security Description: Bright Security review: developer-first DAST with under 3% false positives, LLM Top 10 coverage, and CI/CD-native scanning. How it compares to Burp Suite and Invicti. Bright Security (formerly NeuraLegion) is a developer-first dynamic application security testing (DAST) platform that integrates into CI/CD pipelines and delivers findings with less than 3% false positives. Unlike traditional DAST tools aimed at security teams, Bright is designed for developers who need scan results inside their pull requests, not in a quarterly report. Coverage spans OWASP Top 10, API Top 10, and LLM Top 10 vulnerabilities — making it one of the few DAST tools with explicit support for AI-specific risks like prompt injection and insecure output handling. According to the [Verizon DBIR](https://www.verizon.com/business/resources/reports/dbir/), web application attacks remain one of the top breach vectors, making CI/CD-integrated DAST scanning increasingly important. Bright holds ISO 27701, ISO 27001, SOC 2, and Cyber Essentials certifications. ## What are Bright Security's key features? | Feature | Details | | ---------------------- | ------------------------------------------------ | | False positive rate | Less than 3% | | Vulnerability coverage | OWASP Top 10, API Top 10, LLM Top 10 | | Deployment | SaaS, Docker, CLI, Kubernetes | | API scanning | OpenAPI/Swagger, GraphQL, HAR file replay | | Remediation | AI-powered fix generation and validation | | CI/CD support | GitHub Actions, GitLab CI, Jenkins, Azure DevOps | | IDE support | VS Code, IntelliJ | | Certifications | ISO 27701, ISO 27001, SOC 2, Cyber Essentials | I run authenticated dynamic scans against logged-in user sessions, with header-based, form-based, OAuth, or scripted auth profiles handling the multi-step login. The scanner does API security testing (black-box) against REST and GraphQL endpoints by ingesting OpenAPI/Swagger specs or HAR file replays. SQL injection / XSS probing fires payload mutation across discovered parameters, and the AI validation loop confirms each finding before it lands in the dashboard. Developer-First Design:::Built for developers from day one. CLI tools, Docker scanners, IDE integrations, and Git-aware scanning that understands branches and pull requests. Findings include code-level remediation guidance. ||| AI Vulnerability Validation:::Every finding gets validated automatically by the AI engine. Context-aware payload generation and automated exploit confirmation keep false positives under 3%. ||| Bright STAR:::Next-gen platform combining DAST, IAST, and API security. Adds automated remediation with AI-generated fixes and a validation loop that confirms fixes actually work. ## Scanning Modes Bright supports multiple ways to define your scan target: - **Crawler** — Point it at a URL and let it discover pages and endpoints automatically - **HAR file replay** — Import recorded HTTP traffic and rep [...truncated for length...] --- # Burp Suite URL: https://appsecsanta.com/burp-suite Description: Honest Burp Suite review. Free Community Edition vs $499 Pro vs DAST for CI/CD. How it compares to ZAP, plus manual testing tools and BApp ecosystem. Burp Suite is a widely used toolkit for web application security testing, popular among penetration testers and security researchers. Developed by PortSwigger, pre-installed in Kali Linux, and backed by over two decades of web security research. PortSwigger's Web Security Academy, used by millions of learners worldwide, is built on the same vulnerability research that powers Burp Suite's detection engine. Three editions: Community (free), Professional ($499/year), and Burp Suite DAST (formerly Enterprise) for automated CI/CD scanning. ## What are Burp Suite's key features? | Feature | Details | | ------------- | ----------------------------------------------------------- | | Editions | Community (free), Professional ($499/yr), DAST (enterprise) | | Proxy | Intercepting proxy for HTTP/HTTPS/WebSocket | | Scanner | Active and passive vulnerability scanning (Pro/DAST) | | Extensions | 500+ BApps in the BApp Store | | Attack tools | Intruder (Sniper, Battering Ram, Pitchfork, Cluster Bomb) | | AI | Burp AI for scan analysis and attack suggestions | | CI/CD | Docker-based scanning for DAST edition | | Vuln coverage | XSS, SQLi, CSRF, XXE, SSRF, directory traversal, and more | I run authenticated dynamic scans against logged-in user sessions, with form-based, OAuth, scripted, or header-based auth profiles handling the multi-step login. Burp does API security testing (black-box) against REST, GraphQL, SOAP, and WebSocket endpoints, with Repeater handy for one-off endpoint poking and the scanner for active probing across the discovered surface. Intercepting Proxy:::The core of Burp Suite. Sits between your browser and the target, capturing every HTTP/HTTPS request and response. Inspect, modify, and replay traffic in real-time. Handles TLS interception, WebSocket messages, and match-and-replace rules. ||| Scanner (Pro/DAST):::Automated vulnerability detection with active probing and passive analysis. Covers OWASP Top 10 and beyond. Configurable scan profiles let you tune speed vs. thoroughness. The DAST edition runs from a Docker container for CI/CD integration. ||| BApp Store:::Hundreds of community and PortSwigger extensions. Active Scan++ for deeper scanning, Autorize for access control testing, JWT Editor for token manipulation, Logger++ for traffic analysis. Write your own in Java or Python. Pick your next step See alternatives Side-by-side review of every Burp Suite competitor I've tested, from free scanners to enterprise DAST. → Free open-source pick OWASP ZAP is the closest free alternative — full proxy, scanner, and scripting without the $499/yr Pro license. → DAST primer If you're new to dynamic testing, this guide explains where Burp fits in the broader DAST workflow. [...truncated for length...] --- # Calico URL: https://appsecsanta.com/calico Description: Calico is the most widely adopted Kubernetes CNI plugin, powering 8M+ nodes daily with eBPF dataplane, network policies, and WireGuard encryption. Calico is an open-source Kubernetes CNI plugin and network security platform that handles pod-to-pod networking and network policy enforcement in a single solution. Created and maintained by Tigera, it is the most widely adopted Kubernetes networking solution, powering over 8 million nodes daily across 166 countries. 7.1k GitHub stars, latest version v3.31.4 (February 2026). Unlike tools that only scan images or check configurations, Calico operates at the network layer — controlling which pods can talk to each other, encrypting traffic between nodes with WireGuard, and enforcing microsegmentation policies that follow workloads across clusters. ## Overview Calico provides two core capabilities in one platform: Kubernetes networking (routing pod traffic) and network security (controlling what traffic is allowed). This dual role sets Calico apart from pure security tools — it is both the network fabric and the policy enforcement engine. The project offers a pluggable data plane architecture. Teams can choose between: | Data Plane | Best For | | ---------------------------------- | ----------------------------------------------------- | | eBPF | High-performance environments, source IP preservation | | Standard Linux (nftables/iptables) | Maximum compatibility, proven stability | | Windows HNS | Mixed Linux/Windows Kubernetes clusters | | VPP | Telco and high-throughput edge workloads | This flexibility lets Calico run everywhere from single-node development clusters to production environments at companies like AT&T, Discover, Merck, and ServiceNow. | Feature | Details | | ---------------- | -------------------------------------------------------------- | | Deployment model | Self-managed (Open Source, Enterprise) or SaaS (Calico Cloud) | | Data planes | eBPF, standard Linux (nftables/iptables), Windows HNS, VPP | | Encryption | WireGuard (pod-to-pod), ~73% throughput on 5Gbps with eBPF | | Policy types | Kubernetes NetworkPolicy, GlobalNetworkPolicy, tiered policies | | Routing | BGP peering, VXLAN, IP-in-IP, cross-subnet optimization | | IP support | Dual-stack IPv4/IPv6 | | OS support | Linux, Windows | | Compliance | PCI DSS, SOC 2, GDPR, HIPAA (Enterprise/Cloud) | | Adoption | 8M+ nodes daily, 1M+ clusters, 166 countries | | GitHub | 7.1k stars, Apache 2.0 | ## What are Calico's key features? Network Policy Engine:::Extends Kubernetes NetworkPolicy with GlobalNetworkPolicy and tiered policy CRDs. Security teams define guardrail policies that over [...truncated for length...] --- # CAST Highlight URL: https://appsecsanta.com/cast-highlight Description: CAST Highlight analyzes 60+ technologies for cloud readiness, technical debt, and open-source risks across entire application portfolios. CAST Highlight is a SaaS software intelligence platform for portfolio-level analysis of application modernization, cloud migration, and open-source risk. It scans hundreds of applications across 60+ technologies within days, combining automated code inspection with business context surveys. With the [Black Duck 2026 OSSRA report](https://www.blackduck.com/resources/analyst-reports/open-source-security-risk-analysis.html) now in its eleventh consecutive edition — a post-Synopsys rebrand of the same research series — portfolio-level visibility into software composition has become a board-level concern. Unlike pure [SCA tools](/sca-tools) that focus on vulnerability detection, CAST Highlight assesses applications across multiple dimensions: cloud readiness, software composition risks, technical debt, and business value alignment. It is designed for organizations managing large application portfolios making decisions about modernization, migration, and retirement. ## What is CAST Highlight? CAST Highlight scans source code to inventory open-source components, map vulnerabilities, identify cloud blockers, and measure technical debt. It pairs this with business context questionnaires to give a complete picture that technical metrics alone cannot provide. Portfolio-Scale Analysis:::Scans entire portfolios in days across 60+ technologies. Consistent scoring, executive dashboards with drill-down, comparative analysis, and trend tracking across hundreds of applications. ||| Cloud Readiness:::Identifies cloud blockers (stateful components, filesystem dependencies), scores containerization readiness, estimates refactoring effort, and provides platform-specific recommendations for AWS, Azure, and GCP. ||| SBOM Export:::Exports SBOMs in CycloneDX, SPDX, Word, Excel, PowerPoint, and XML formats. Includes component inventories, license information, vulnerability status, and obsolescence data. ## What are CAST Highlight's key features? ### Supported technologies | Category | Technologies | |----------|-------------| | Enterprise | Java, C#, COBOL, ABAP, PL/SQL, RPG | | Web | JavaScript, TypeScript, PHP, Ruby, Python | | Systems | C, C++, Go, Rust | | Mobile | Swift, Kotlin, Objective-C | | Data | SQL, R, MATLAB | | Other | Scala, Perl, Shell, PowerShell | | Total | 60+ technologies with automatic detection | ### SBOM export formats | Format | Output type | |--------|------------| | CycloneDX | Standard machine-readable SBOM | | SPDX | ISO-standard SBOM format | | Excel | Spreadsheet for portfolio analysis | | Word | Document for stakeholder reports | | PowerPoint | Presentation-ready summaries | | XML | Machine-readable export | ### Portfolio-scale analysis Scan hundreds of applications in days. Automatic technology detection across 60+ languages with consistent scoring methodology. Executive dashboards show comparative analysis and trend tracking over time. ### Software composition analysis Component inventory with version tracking, CVE vulnerabili [...truncated for length...] --- # cdxgen URL: https://appsecsanta.com/cdxgen Description: cdxgen — OWASP's official CycloneDX SBOM generator. 20+ languages, container + VM support. Outputs SBOM, CBOM, OBOM, SaaSBOM. Free under Apache 2.0. cdxgen is the official OWASP CycloneDX project for SBOM generation — a free, open-source CLI tool that creates CycloneDX-compliant Bills of Materials from source code, container images, and virtual machines across 20+ programming languages. It has 936 GitHub stars and is listed in the [SCA tools](/sca-tools) category. cdxgen produces five BOM types: Software (SBOM), Cryptography (CBOM), Operations (OBOM), SaaS (SaaSBOM), and signed attestation documents (CDXA). The current version is 12.1.4 (March 2026), available via npm under the Apache 2.0 license. Unlike [Syft](/syft), which supports both SPDX and CycloneDX output formats, cdxgen focuses exclusively on CycloneDX and goes deeper into that ecosystem: it generates reachability evidence proving whether vulnerable code is actually called, produces multiple BOM types for different supply chain use cases, and signs documents for tamper verification. ## Overview cdxgen runs as a CLI tool, Node.js library, REPL, or HTTP server. Point it at a project directory or container image, and it automatically detects the languages and package managers in use, resolves dependencies, and outputs a CycloneDX BOM in JSON format. Auto-detection is the main convenience. I evaluated it against a polyglot monorepo with Java, Python, and TypeScript services, and cdxgen identified all three ecosystems and produced a consolidated BOM without any configuration. For projects using multiple package managers within the same language (e.g., Maven and Gradle in Java), it detects which build system is actually used. cdxgen supports CycloneDX specification versions 1.4 through 1.7, covering the full evolution of the standard. Output is always valid against the specified schema version. 20+ Languages:::Supports Java (Maven, Gradle, SBT), JavaScript (npm, yarn, pnpm), Python (pip, Poetry), Go, Rust, C/C++, .NET, PHP, Ruby, Dart, Haskell, Elixir, Swift, and more with automatic detection. ||| Multiple BOM Types:::Generates SBOM (software), CBOM (cryptography), OBOM (operations), SaaSBOM (services), and CDXA (attestations). Each type serves a different supply chain security use case. ||| Reachability Analysis:::Powered by atom, proves which vulnerable dependencies are actually reachable in your code via callstack evidence. Available for Java, JavaScript, and TypeScript. ## What are cdxgen's key features? | Feature | Details | |---------|---------| | Current version | 12.1.4 (March 2026) | | GitHub stats | 936 stars, Apache 2.0 | | CycloneDX spec | Versions 1.4 through 1.7 | | Languages | 20+ (Java, JS/TS, Python, Go, Rust, C/C++, .NET, PHP, Ruby, Dart, Haskell, Elixir, Swift, etc.) | | BOM types | SBOM, CBOM, OBOM, SaaSBOM, CDXA | | Installation | npm, Docker, Homebrew, GitHub Action | | Runtime modes | CLI, library, REPL, HTTP server | | Reachability | Callstack evidence via atom (Java, JS, TS) | | Output | CycloneDX JSON | | OWASP status | Official OWASP project | ### Language and package manager support cdxgen auto-detect [...truncated for length...] --- # Cequence Security URL: https://appsecsanta.com/cequence Description: Cequence protects 10B+ daily API interactions with native blocking and behavioral fingerprinting. 2025 KuppingerCole API Security Leader, Deloitte Fast 500. Cequence Security is a unified [API security tools](/api-security-tools) platform that discovers, tests, and defends APIs — and unlike most behavioral runtime peers like [Salt Security](/salt-security), it blocks malicious traffic natively without requiring a separate WAF or API gateway to enforce decisions. The platform processes over 10 billion API interactions daily for Fortune 500 financial institutions, retailers, telecom providers, and healthcare organizations. Founded in 2014 and headquartered in Santa Clara, California, Cequence was named a Leader in the 2025 KuppingerCole Leadership Compass for API Security and ranked #128 on the Deloitte Technology Fast 500. The company also contributes to the Verizon Data Breach Investigations Report (2023, 2024, and 2025 editions) and was recognized as a Leader and Outperformer in the GigaOm API Security Radar. ## What is Cequence Security? Cequence is an API security platform built around a core distinction: it blocks attacks natively, inline, rather than detecting them and forwarding alerts to a separate enforcement system. Most competitors — including tools focused on API discovery and posture — stop at detection. Cequence deploys a reverse proxy called Defender that intercepts and drops malicious requests in real time, cutting the gap between detection and mitigation to zero. Three pillars structure how it works: Discover:::Continuous discovery and inventory of internal, external, and third-party APIs. Identifies cloud hosting providers, API gateways, and infrastructure components. Flags shadow APIs and tracks schema changes automatically. ||| Comply:::API posture management with conformance testing against published specifications. Covers PCI DSS, GDPR, and DORA compliance requirements. User-configurable rules without coding or scripting. ||| Protect:::Real-time threat detection with native mitigation through blocking, rate limiting, deception, and labeling. ML-powered behavioral analysis classifies threats by endpoint, source, and behavior. Cequence also offers CQ Prime, a managed threat research team that maintains what the company describes as the largest database of malicious behaviors and known-bad infrastructure. ## What are Cequence Security's key features? | Feature | Details | | -------------------- | ------------------------------------------------------------- | | **Deployment** | SaaS, on-premises, hybrid. Deploys in as little as 15 minutes | | **Certifications** | SOC 2 Type II, ISO 27001, PCI DSS 3.2 | | **Traffic capacity** | 10B+ daily API interactions | | **Architecture** | Kubernetes-based, flexible scaling | ### Native Inline Blocking Cequence deploys as a reverse proxy (called Defender) inline with your API traffic. This lets it block malicious requests in real time instead of sending alerts to a separate [...truncated for length...] --- # Cerbos URL: https://appsecsanta.com/cerbos Description: Cerbos is an open-source authorization engine for AI agents, MCP servers, and apps with YAML policies, sub-1ms decisions, 8 language SDKs, and RBAC/ABAC support. Cerbos is an open-source authorization engine that provides fine-grained, policy-based access control for applications, APIs, AI agents, and MCP servers. Written in Go, it evaluates authorization requests against YAML-defined policies with sub-1ms latency — acting as a stateless policy decision point (PDP) that decouples access control logic from application code. Where [MCP-Scan](/snyk) detects vulnerabilities in MCP server configurations, Cerbos solves a complementary problem: controlling which tools an agent can actually use based on user identity and organizational policy. While Cerbos started as a general-purpose authorization solution for software applications, it has gained traction in the AI security space as organizations deploy AI agents that need granular permission controls. When an AI agent interacts with external tools through MCP (Model Context Protocol), Cerbos determines which tools that agent — and the user behind it — is actually allowed to use. The project has over 4,300 GitHub stars (as of April 2026) and SDKs for eight programming languages. The latest release at the time of writing is v0.51.0 (February 2026); confirm the current version on github.com/cerbos/cerbos/releases before pinning. The core PDP is open-source under Apache 2.0, with commercial products (Cerbos Hub, Cerbos Synapse) adding centralized management and data enrichment capabilities. ## What is Cerbos? Authorization in traditional applications is already complicated — roles, attributes, contextual conditions, and compliance requirements create a tangled web of access control logic scattered across codebases. AI agents amplify this problem: an agent acting on behalf of a user should inherit that user's permissions, but the execution happens through tool calls and API chains that existing authorization systems were not designed to handle. Cerbos solves this by centralizing all authorization decisions in a single policy engine. Applications, APIs, and AI agents send authorization requests (who wants to do what, on which resource, with what context), and Cerbos returns a decision based on YAML policies. The engine is stateless, so it scales horizontally without shared state or session management. AI Agent Authorization:::Controls what actions AI agents can perform based on the identity of the user they represent, organizational policies, and real-time context. Provides an agent kill switch for instant access revocation when agent behavior needs to be stopped. ||| MCP Server Security:::Integrates at the orchestration layer of MCP servers to dynamically control tool access. The MCP server defines all available tools, but Cerbos evaluates each tool request against policies — enabling only the tools the current user is authorized to use. ||| Policy-as-Code:::Authorization rules defined in human-readable YAML, managed through Git workflows, and deployed via CI/CD pipelines. Supports RBAC, ABAC, and derived roles with dynamic conditions — no code changes needed [...truncated for length...] --- # Chainguard URL: https://appsecsanta.com/chainguard Description: Chainguard delivers 2,000+ hardened container images with zero known CVEs. Built-in SBOMs, Sigstore signing, SLSA L2. Alternative to Docker Hub. Chainguard provides hardened [container images](/container-security-tools/container-image-security) built to have zero or near-zero known CVEs. Where standard Docker Hub images regularly carry dozens of unpatched vulnerabilities, Chainguard Images are rebuilt nightly from source with only the packages needed to run the application. As of February 2026, Chainguard has delivered over 500 million unique container build manifests and offers a catalog of more than 2,000 projects. The company was founded by former Google engineers who created Sigstore, the open-source signing standard for software artifacts, and reported $40M ARR in 2025. ## What is Chainguard? Chainguard is a supply chain security company that takes a different approach to vulnerability management. Instead of scanning images after they are built and filing tickets for remediation, Chainguard produces images that start clean. Every image is built on Wolfi, a minimal Linux undistro purpose-built for containers, and goes through an automated pipeline that rebuilds, patches, signs, and generates SBOMs without manual intervention. The result is a drop-in replacement for popular base images (Node.js, Python, Go, Nginx, PostgreSQL, and hundreds more) that carries significantly fewer vulnerabilities from day one. Zero-CVE Images:::Images are built from source with only essential runtime dependencies. No shells, no package managers, no unnecessary utilities. Automated nightly rebuilds ensure the latest patches are always applied. ||| Built-in SBOMs:::Every Chainguard Image includes a high-quality SBOM generated at build time, attesting exactly what software is inside. Available in standard formats without additional tooling. ||| Sigstore Signing:::All images are cryptographically signed using Sigstore and include SLSA Build Level 2 provenance attestations, verifying the integrity of the build process from source to artifact. ## What are Chainguard's key features? ### Distroless, minimal images Chainguard Images follow a distroless philosophy. They contain only the application and its essential runtime dependencies. Shells, package managers, debugging utilities, and other common tools that expand the attack surface are excluded by default. Development variants (tagged `:latest-dev`) include a shell for debugging but are not intended for production. This minimal approach dramatically reduces the number of packages in each image, which directly reduces the number of potential vulnerabilities. ### Automated nightly rebuilds The Chainguard factory platform, powered by DriftlessAF, rebuilds every image nightly from source. This is not just a base layer update. The entire image is reconstructed, pulling in the latest security patches from upstream sources. AI-driven reconciliation bots trigger dependency updates and vulnerability-based rebuilds automatically, so images stay current without manual intervention. As of February 2026, Chainguard has surpassed 500 million unique container b [...truncated for length...] --- # Checkmarx URL: https://appsecsanta.com/checkmarx Description: Checkmarx One unifies SAST, SCA, DAST, API security, container and IaC scanning under ASPM. 800B+ lines scanned monthly. Used by 60% of the Fortune 100. Checkmarx One is an application security platform that bundles [SAST](/sast-tools), SCA, DAST, IaC security, container security, API security, secrets detection, and ASPM into a single product. The platform scans over 800 billion lines of code per month across its customer base. Founded in 2006 by Maty Siman, Checkmarx is headquartered in Israel. The platform is used by 60% of the Fortune 100. Publicly disclosed enterprise customers — visible on the [Checkmarx customers page](https://checkmarx.com/customers/) — include Citigroup, Salesforce, and Adidas. ## What is Checkmarx? Instead of buying separate SAST, SCA, and DAST tools, teams get nine scanning engines in one platform with ASPM on top to correlate and prioritize findings. The platform supports 150+ technologies and languages. Checkmarx reports 89% noise reduction through its correlation engine and a 43% increase in developer productivity compared to using separate tools. 150+ Technologies:::Scans source code across 150+ technologies and languages, including legacy, open-source, and AI-generated code. ||| ASPM Prioritization:::Application Security Posture Management correlates findings across all nine scanners. Ranks vulnerabilities by application context, so a critical issue in a payment service gets flagged before the same issue in an internal admin tool. ||| AI Remediation Agents:::Checkmarx One Assist and Developer Assist are AI agents. One Assist remediates issues autonomously. Developer Assist catches problems preventatively as code is written in the IDE. ## What are Checkmarx's key features? | Feature | Details | | ---------------------------- | ----------------------------------------------------------------------------- | | SAST | Static analysis with incremental scanning, data flow analysis, custom queries | | SCA | Open-source dependency vulnerability, license risk, SBOM generation | | DAST | Dynamic testing of running applications | | IaC Security | Terraform, CloudFormation, Kubernetes misconfiguration scanning | | Container Security | Docker image vulnerability detection | | API Security | API-specific vulnerability analysis | | Secrets Detection | Exposed credentials and API keys in code | | Malicious Package Protection | Compromised third-party package detection | | Repository Health | Source code repository security posture analysis | | ASPM | Cross-scanner correlation, prioritization, and remediation workflows | ### SAST engine The SAST engine performs static analys [...truncated for length...] --- # Checkov URL: https://appsecsanta.com/checkov Description: Checkov scans Terraform, CloudFormation, Kubernetes, and 10+ other frameworks with 1,000+ built-in policies. Open-source IaC scanner by Prisma Cloud. Checkov is a static analysis tool that scans infrastructure-as-code files for misconfigurations before deployment. It covers Terraform, CloudFormation, Kubernetes, Helm, ARM templates, Bicep, Dockerfiles, Serverless framework, Ansible, Kustomize, and OpenTofu. Checkov is the open source policy-as-code engine originally built by Bridgecrew before its acquisition by Palo Alto Networks' Prisma Cloud, so Bridgecrew IaC scanning queries still point here. Palo Alto Networks maintains it as part of Prisma Cloud, under the Apache 2.0 license. Over 80 million downloads since its 2019 launch. The tool runs from the command line. Point it at a directory of IaC files and it returns passed and failed checks with file locations, line numbers, and code snippets for each failure. Non-zero exit codes on failures mean it slots into CI/CD gates without extra scripting. ## What is Checkov? Checkov started as a Terraform-focused scanner and grew into a multi-framework IaC security tool. Bridgecrew built the original version. Palo Alto Networks acquired Bridgecrew in 2021 and folded the project into Prisma Cloud. The open-source CLI stayed free. Three things set Checkov apart from other [IaC security tools](/iac-security-tools): 1,000+ Built-in Policies:::Attribute checks and graph-based checks covering AWS, Azure, GCP, and OCI. Compliance mappings for CIS Benchmarks, SOC 2, HIPAA, and PCI DSS included out of the box. ||| Graph-Based Analysis:::Checks relationships between resources, not just individual attributes. Catches misconfigurations that single-resource scanners miss entirely. ||| Custom Policies in Python or YAML:::Write your own checks using Python classes or declarative YAML syntax. Version 3.0 added 36 new operators and JSON path support. ## What are Checkov's key features? | Feature | Details | | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------- | | **Built-in policies** | 1,000+ checks (attribute + graph-based) | | **Supported IaC frameworks** | Terraform, CloudFormation, Kubernetes, Helm, ARM, Bicep, Ansible, Kustomize, OpenTofu, Serverless, AWS CDK, Dockerfile | | **Cloud providers** | AWS, Azure, GCP, OCI | | **Compliance frameworks** | [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks), SOC 2, HIPAA, PCI DSS, AWS Foundations Benchmark | | **Custom policy formats** | Python and YAML | | **Output formats** | CLI, JSON, JUnit XML, SARIF, CSV, CycloneDX, GitHub Markdown [...truncated for length...] --- # Cisco DefenseClaw URL: https://appsecsanta.com/cisco-defenseclaw Description: Cisco DefenseClaw is an open-source security governance framework for agentic AI with skill scanning, MCP security, CodeGuard, AIBOM, and sandbox isolation. Cisco DefenseClaw is an open-source security governance framework for agentic AI systems that enforces a strict principle: nothing runs until it has been scanned, and anything dangerous is blocked automatically. While [MCP-Scan](/snyk) focuses specifically on MCP server vulnerability scanning and [Agentic Radar](/agentic-radar) audits agentic workflows across frameworks, DefenseClaw provides a broader governance layer that adds skill scanning, static code analysis, runtime inspection, and sandbox isolation. Released at RSA 2026 by Cisco AI Defense, DefenseClaw provides pre-execution scanning of AI agent skills and MCP servers, static code analysis, runtime inspection of LLM interactions, and enterprise-grade audit logging. The framework serves as a governance layer for OpenClaw, an open-source AI agent framework, but its scanning components work independently. The project is part of Cisco's broader AI Defense portfolio, which addresses security across the AI application lifecycle from development through deployment. ## What is Cisco DefenseClaw? As AI agents gain the ability to execute code, call external APIs, and interact with production systems, the attack surface expands dramatically. A compromised agent skill can exfiltrate data, a poisoned MCP server can hijack agent behavior, and insecure code patterns can introduce vulnerabilities that traditional security tools miss. DefenseClaw addresses this by inserting a mandatory security gate between AI components and execution. Every skill, MCP server, and code artifact is scanned before it runs. Runtime interactions between agents and LLMs are inspected for secrets, PII, and injection patterns. All decisions are logged to an immutable audit store. Component Scanning:::Skill Scanner analyzes AI agent skills before execution. MCP Scanner inspects MCP servers for vulnerabilities. AI Bill of Materials (AIBOM) generates a unified component inventory with severity-ranked findings across all scanned components. ||| CodeGuard Static Analysis:::Detects hardcoded credentials, dangerous code execution patterns (eval, subprocess with shell=True), unsafe deserialization, SQL injection, weak cryptography, and path traversal. Purpose-built for the patterns that appear in AI agent code. ||| Runtime Inspection:::Message Inspection examines LLM prompts and completions for secrets, PII, and injection patterns. Tool Inspection evaluates six threat categories: secrets, commands, sensitive paths, C2 hostnames, cognitive file tampering, and prompt injection disguises. ## What are Cisco DefenseClaw's key features? | Feature | Details | | ------------------ | ------------------------------------------------------------------ | | Skill Scanner | Pre-execution analysis of AI agent skills | | MCP Scanner | Vulnerability scanning for MCP servers | | AIBOM | AI Bill of M [...truncated for length...] --- # Clair URL: https://appsecsanta.com/clair Description: Open-source container image vulnerability scanner powering Quay.io. 11k GitHub stars, 9+ Linux distributions supported. Apache 2.0 licensed. Clair is an open-source static analysis tool for finding vulnerabilities in container images. Developed by Red Hat (originally CoreOS), Clair parses OCI and Docker image layers and matches discovered packages against vulnerability databases covering 9+ Linux distributions. Red Hat Quay and Quay.io container registries use Clair as their scanning backend. 11k GitHub stars, 117 contributors. ## How does Clair scan container images? Clair scans container images through a three-part pipeline: indexing, matching, and notifications. This architecture separates image analysis from vulnerability correlation, allowing Clair to re-evaluate previously scanned images against newly discovered CVEs without re-indexing. During **indexing**, Clair fetches container image layers, examines their contents, and identifies installed packages, language runtimes, and distributions. The output is an IndexReport. Because OCI uses content-addressed layers, Clair skips any layer it has already indexed. During **matching**, Clair checks indexed packages against vulnerability databases that update continuously in the background. Every match request returns results based on the latest security data. Distribution-specific updaters paired with matchers determine how vulnerabilities relate to specific packages. The **notification** service watches for newly discovered vulnerabilities that affect previously indexed manifests and fires alerts through configured webhooks. ## What vulnerability databases does Clair use? Clair pulls vulnerability data from 9+ distribution-specific sources plus the NVD for severity enrichment: | Source | Data Type | | ------------- | ----------------------------------- | | Alpine SecDB | Alpine Linux advisories | | Debian OVAL | Debian security advisories | | Ubuntu OVAL | Ubuntu security advisories | | RHEL OVAL | Red Hat Enterprise Linux advisories | | Oracle OVAL | Oracle Linux advisories | | SUSE OVAL | SUSE Linux advisories | | AWS Linux | Amazon Linux advisories | | VMware Photon | Photon OS advisories | | NVD | CVSS severity enrichment | Each updater polls its source periodically — typically hourly — so vulnerability reports stay current without manual intervention. Clair v4 also added support for language-ecosystem advisories (Python, Java, JavaScript, Go) through the Pyup.io and GitHub Advisory Database feeds, which extends matching beyond OS packages into application dependencies bundled in the image. If an Alpine package vulnerability does not yet have CVSS data in NVD, Clair surfaces it as "Unknown" severity until enrichment catches up. This is a known quirk of Alpine SecDB rather than a Clair limitation, and it shows up most often on the day a fresh CVE drops. ## Architecture Clair v4 wraps the ClairCore library, which handles distribution detection, vulnerability sourc [...truncated for length...] --- # Codacy URL: https://appsecsanta.com/codacy Description: Codacy scans 40+ languages with AI-powered code protection. Free for open-source. Used by 600,000+ developers. Integrates with GitHub, GitLab, and Bitbucket. Codacy is a code quality and security platform that scans 40+ languages for security vulnerabilities, code smells, complexity, and duplication. It is a [SAST](/sast-tools) tool that runs multiple underlying analysis engines — including Semgrep, ESLint, Bandit, Brakeman, and SpotBugs — to provide broad coverage from a single platform. Founded in 2012, Codacy is used by over 600,000 developers. The [Codacy Analysis CLI](https://github.com/codacy/codacy-analysis-cli) is open source under AGPL-3.0. The company has 52 employees across 9 countries. ## What is Codacy? Codacy provides automated code review that catches security issues and quality problems on every commit and pull request. It connects directly to GitHub, GitLab, or Bitbucket and runs analysis automatically without CI configuration for basic usage. The platform wraps 30+ open-source and proprietary analysis tools behind a unified interface. For Python, it runs Bandit, Pylint, Ruff, and Semgrep. For JavaScript, ESLint and Semgrep. For Ruby, Brakeman, RuboCop, and Semgrep. Each language has its own set of tools, all managed through a single dashboard. ## Why Codacy fits the code-quality-plus-security niche Codacy sits in a narrow but useful slot: teams that want a single dashboard for code quality, security, and coverage rather than three separate stacks. Most SAST vendors lead with security and treat quality metrics as a side product. Codacy starts from the opposite end — style, complexity, duplication, and coverage — then layers Semgrep, Bandit, Brakeman, and Gosec on top to add security findings. That positioning suits two audiences. Engineering teams that already think in pull-request gates appreciate the unified annotations: one bot comment instead of one per scanner. Compliance-aware orgs get a single audit trail for every finding category, which matters when SOC 2 or ISO 27001 evidence collection has to span quality and security at the same time. The trade-off is depth: Codacy orchestrates other engines rather than building its own SAST core, so detection ceilings are bounded by the underlying tools. Teams that already run Semgrep + ESLint + Bandit directly may not gain new findings, only a unified UI on top of them. 40+ Languages:::Scans Python, Java, JavaScript, TypeScript, Go, C#, Ruby, Rust, PHP, Kotlin, Swift, Scala, Dart, Elixir, Shell, and more using 30+ underlying analysis tools. ||| AI Code Guardrails:::Scans AI-generated code from Copilot, Cursor, and similar tools for security vulnerabilities in the IDE. AI Risk Hub provides compliance reporting for AI-assisted development. ||| Pull Request Analysis:::Inline issue annotations, coverage summaries, quality gate checks, and suggested fixes on every pull request. AI Reviewer adds AI-powered context to findings on GitHub. Codacy repository dashboard showing code quality metrics, coverage, and issue breakdown ## What are Codacy's key features? ### Security analysis (SAST) Codacy runs security-focused tools like [...truncated for length...] --- # Conftest URL: https://appsecsanta.com/conftest Description: Conftest tests structured configuration files against Open Policy Agent policies. Works with Terraform, Kubernetes, Docker, and any structured data format. Conftest is a policy testing framework that validates structured configuration files against [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) policies. It is part of the [IaC security](/iac-security-tools) toolchain. It works with Terraform, Kubernetes manifests, Dockerfiles, serverless configs, and any other structured data format. Unlike scanners with built-in check libraries, Conftest requires you to define policies in Rego. This gives complete control over what gets tested and how failures are reported. ## What Conftest does Conftest parses configuration files into data structures and evaluates them against Rego policies. Policies define rules like "all S3 buckets must enable encryption" or "container images must not run as root." The tool outputs pass/fail results with custom messages. It runs locally during development, in CI/CD pipelines, and as a pre-commit hook. Format Agnostic:::Supports Terraform, Kubernetes, Docker Compose, JSON, YAML, TOML, HCL, CUE, and custom formats. Parses input, runs policies, reports violations. ||| OPA Rego Policies:::Uses the same policy language as Open Policy Agent. Write custom rules for organization-specific security requirements, compliance standards, or best practices. ||| Policy Distribution:::Pulls policies from OCI registries, Git repositories, or S3 buckets. Centralize policy management and share rules across teams. ## What are Conftest's key features? | Feature | Details | |---------|---------| | Input formats | Terraform HCL/HCL2, Kubernetes YAML, Dockerfiles, JSON, YAML, TOML, CUE, INI, XML, Jsonnet, HOCON, CycloneDX, SPDX, EDN, TextProto, VCL, environment files | | Policy language | Rego (Open Policy Agent) | | Output modes | Standard text, JSON, TAP (Test Anything Protocol), JUnit XML, GitHub Actions annotations | | Policy sources | Local files, OCI registries, Git repos, S3, Azure Blob Storage | | Exit codes | Non-zero exit on policy violations for CI/CD gating | | Namespaces | Organize policies by concern (security, compliance, cost) | | Ignore files | Exclude specific findings with .conftest.ignore | ### Writing policies Policies live in Rego files. Define rules in the `deny`, `warn`, or `violation` namespaces to control failure severity. Example policy for Kubernetes resources: ```rego package main deny[msg] { input.kind == "Deployment" not input.spec.template.spec.securityContext.runAsNonRoot msg = "Deployment must set runAsNonRoot to true" } warn[msg] { input.kind == "Service" input.spec.type == "LoadBalancer" msg = "LoadBalancer services may incur cloud costs" } ``` Run `conftest test deployment.yaml` to evaluate Kubernetes manifests against these policies. ### Testing Terraform Point Conftest at Terraform JSON plan output or HCL source files. Policies check resource configurations before infrastructure changes apply. ```bash # Test Terraform HCL files conftest test terraform/*.tf # Test Terraform plan output terraform plan -out=plan.binary terraf [...truncated for length...] --- # Contrast Security URL: https://appsecsanta.com/contrast-security Description: Contrast Security provides IAST, RASP, SAST, and SCA from runtime instrumentation. Detects vulnerabilities in running code with low false positives. Contrast Security is an application security platform that uses runtime instrumentation to detect and block vulnerabilities. The platform combines [IAST](/iast-tools), [RASP](/rasp-tools), [SAST](/sast-tools), and [SCA](/sca-tools) capabilities under a unified developer-focused interface. Unlike traditional scanners that analyze code statically or test from the outside, Contrast instruments applications with agents that observe code execution in real time. ## Platform components Contrast Security consists of four main products that share a common instrumentation agent and dashboard: **[Contrast Assess](/contrast-security#contrast-assess-iast)** — Interactive Application Security Testing (IAST) that finds vulnerabilities in running code during development and QA testing. **[Contrast Protect](/contrast-security#contrast-protect-rasp)** — Runtime Application Self-Protection (RASP) that blocks attacks in production without code changes. **[Contrast Scan](#contrast-scan-sast)** — Static Application Security Testing (SAST) built for CI/CD pipelines with fast scan times and low false positive rates. **[Contrast SCA](/contrast-security#contrast-sca)** — Software Composition Analysis that identifies vulnerable open-source libraries and prioritizes fixes based on runtime usage. Runtime Instrumentation:::Agents instrument JVM, .NET, Node.js, Python, Ruby, and Go applications. Monitor actual code execution to detect vulnerabilities in reachable paths only. ||| Low False Positives:::IAST reduces false positives by analyzing real data flow through running code. RASP blocks actual exploit attempts, not theoretical attack patterns. ||| Developer Workflow:::Integrates into IDEs, pull requests, and issue trackers. Shows vulnerability context with stack traces and remediation guidance specific to the application. ## How Contrast Security works Contrast Security instruments applications with language-specific agents (Java, .NET, Node.js, Python, Ruby, Go). The agent monitors code execution during normal application usage, automated tests, or production traffic. When vulnerable code paths execute — like unsanitized user input reaching a SQL query — the agent reports the vulnerability with full context: stack trace, data flow, affected endpoints, and fix guidance. This runtime approach identifies vulnerabilities that exist in actual code paths rather than every possible vulnerability in the codebase. Unused functions and dead code don't generate findings. ### Contrast Assess (IAST) Contrast Assess finds vulnerabilities during development and QA testing. Install the agent, run automated tests or manually use the application, and Assess reports security issues it observes. The IAST engine traces data from sources (user input, file reads, external APIs) through the application to sinks (database queries, OS commands, file writes). When tainted data reaches a dangerous operation without proper validation, Assess reports the vulnerability. **Supported langu [...truncated for length...] --- # Corellium URL: https://appsecsanta.com/corellium Description: Corellium provides cloud-based ARM virtual iPhone and Android devices for mobile security testing, pentesting, and vulnerability research. Now part of Cellebrite. Corellium is a virtual hardware platform that creates ARM-native digital twins of iOS and Android devices for [mobile security](/mobile-security-tools) testing, vulnerability research, and app development. It is the only platform in the world that offers virtualized iPhones with instant jailbreak access — without relying on any iOS exploits. Founded in 2017 by Amanda Gorton (CEO) and Chris Wade (CTO), Corellium runs on ARM hardware through its proprietary CHARM (Corellium Hypervisor for Arm) type-1 hypervisor. Unlike Android emulators that translate ARM instructions to x86, Corellium uses ARM-on-ARM virtualization, which means virtual devices behave identically to their physical counterparts at the firmware and kernel level. Cellebrite acquired Corellium in December 2025 for $170 million, with CFIUS (Committee on Foreign Investment in the United States) approving the deal under a national security agreement. Corellium continues to operate its platform and product lines. The MATRIX automated testing engine runs hundreds of OWASP-aligned security checks on mobile apps, covering 7 test categories including authentication, cryptography, and data storage. ## What are Corellium's key features? | Feature | Details | | --------------------------- | ------------------------------------------------------------------------------------------------------------------------ | | **Virtual iOS Devices** | Jailbroken or non-jailbroken iPhones across all iOS versions, typically supported within days of release including betas | | **Virtual Android Devices** | Ranchu-based Android models with root access and permissive SELinux enforcement | | **CHARM Hypervisor** | Type-1 bare-metal hypervisor purpose-built for ARM device virtualization | | **MATRIX Testing** | Automated security testing engine aligned with OWASP MASTG covering 7 test categories | | **Frida Integration** | Pre-installed Frida daemon in all jailbroken iOS and rooted Android VMs | | **HyperTrace** | Kernel execution path mapping for coverage-guided fuzzing and diagnostics | | **CoreTrace** | System call tracing for runtime behavior analysis | | **Network Monitor** | Traffic inspection by process/port/PID with transparent SSL pinning bypass | | **Snapshots** | Save, restore, and clone entire device states for reproducible testing | | **REST API & CLI** | Full automation support for CI/CD integration and [...truncated for length...] --- # Corgea URL: https://appsecsanta.com/corgea Description: Corgea review — AI-native SAST scanner (BLAST) with auto-fix for 20+ languages. YC-backed, integrates with Snyk, Semgrep, Checkmarx, Fortify. Honest pros, cons. Corgea is an AI-native [static application security testing (SAST)](/sast-tools) platform that detects security vulnerabilities and automatically generates code fixes for developer approval. Founded in 2023 and backed by Y Combinator (S23 batch) with $2.6M in seed funding, Corgea takes a fundamentally different approach to static analysis: Instead of relying solely on pattern-matching rules, it uses Large Language Models combined with AST-based static analysis to understand what code is supposed to do and find where it fails to do so securely. The platform works in two modes: as a standalone SAST scanner (BLAST) that reports false positive rates below 5%, and as an auto-remediation layer on top of existing SAST tools like [Snyk](/snyk#snyk-code-sast), [Semgrep](/semgrep), [Checkmarx](/checkmarx), [Fortify](/fortify-static-code-analyzer), and [Coverity](/coverity). Unlike traditional SAST tools that only flag issues, Corgea generates code fixes and delivers them as pull requests for developer review, reducing remediation effort by approximately 80% according to the company. ## Product Screenshots Corgea BLAST scan interface — after uploading a project, you can run an AI-native BLAST scan or upload results from an existing SAST scanner for auto-remediation. Source: docs.corgea.app Corgea's AI-powered false positive detection — the platform identifies that the flagged SQL injection uses parameterized queries with SqliteCommand, marking it as a false positive with a detailed code-level explanation. Source: docs.corgea.app Corgea project setup — four onboarding paths: direct GitHub/GitLab connection, web file upload, CLI integration, or public repository scanning. Source: docs.corgea.app ## Overview Traditional SAST tools find vulnerabilities by matching code against predefined rules. They are fast and deterministic, but they struggle with business logic flaws, generate false positive rates of 20% or higher, and leave the fix entirely to the developer. Corgea approaches the problem differently. Its BLAST scanner uses LLMs to reason about code semantics, understanding not just what the code does but what it is intended to do. This lets it detect vulnerability classes that rule-based scanners like [Semgrep](/semgrep) or [SonarQube](/sonarqube) miss: broken access control patterns, IDOR issues, and authentication logic gaps. The auto-fix capability is what sets Corgea apart from most SAST tools. Rather than just flagging a vulnerability, Corgea writes a security patch and presents it as a PR for the developer to review and merge. According to Corgea, this reduces remediation effort by approximately 80% compared to manual fix implementation. BLAST AI Scanner:::Combines LLMs with AST-based static analysis to detect business logic flaws, broken auth, and IDOR vulnerabilities. Reports false positive rates below 5% compared to 20%+ with traditional SAST. ||| Auto-Fix Generation:::Generates code fixes for detected vulnerabilities and deli [...truncated for length...] --- # Coverity URL: https://appsecsanta.com/coverity Description: Independent Coverity review. Deep interprocedural analysis for 22 languages, used by 51% of Fortune 100. Now under Black Duck. Honest pros, cons. Coverity is an enterprise [SAST](/sast-tools) tool that provides deep static analysis for 22 languages and 200+ frameworks. Its interprocedural dataflow analysis traces issues across function boundaries, execution paths, and calling contexts to find complex vulnerabilities that simpler tools miss. Originally developed from research at Stanford University, Coverity now operates under Black Duck Software and serves over 4,000 organizations including 51% of Fortune 100 companies. Major open-source projects including the Linux kernel, Firefox, and FreeBSD have used Coverity Scan for years. ## What is Coverity? Coverity performs deep static analysis that examines source code for security vulnerabilities, quality defects, and compliance issues without executing the code. The analysis engine uses interprocedural dataflow, path-sensitive analysis, and abstract interpretation to detect issues that pattern-matching tools miss. The tool is particularly strong with C/C++ codebases, embedded systems, and safety-critical applications where the consequences of undetected vulnerabilities are severe. After the acquisition of Synopsys Software Integrity Group, Coverity now operates independently under Black Duck Software. 22 Languages, 200+ Frameworks:::Supports C, C++, Java, JavaScript, TypeScript, C#, Python, Go, Ruby, PHP, Swift, Kotlin, Scala, Dart, Fortran, CUDA, Objective-C, VB.NET, Apex, and more. Framework support includes Angular, React, Spring, Vue.js, Express, and Next.js. ||| Deep Dataflow Analysis:::Interprocedural, path-sensitive, and context-sensitive analysis traces data across function boundaries and execution paths. Finds complex vulnerabilities like buffer overflows and use-after-free errors that surface-level scanners miss. ||| 10 Compliance Standards:::Supports MISRA, AUTOSAR, ISO 26262, PCI DSS, CERT C/C++/Java, DISA STIG, ISO/IEC TS 17961, OWASP Top 10, OWASP Mobile Top 10, and CWE Top 25. ## What are Coverity's key features? ### Deep static analysis engine Coverity's analysis goes beyond pattern matching. The engine builds a program model and traces data flow across function boundaries: - **Interprocedural analysis** — follows code paths across function boundaries - **Path-sensitive analysis** — understands conditions and constraints along execution paths - **Context-sensitive analysis** — tracks values through different calling contexts - **Whole-program analysis** — considers the entire codebase for accurate results ### Vulnerability detection Coverity detects both security vulnerabilities and quality defects: | Category | Issues detected | |----------|----------------| | Memory | Buffer overflows, use-after-free, double-free, null pointer dereferences | | Resources | Memory leaks, file handle leaks, lock leaks | | Injection | SQL injection, command injection, XSS | | Cryptography | Insecure cryptography, SSL verification bypass | | Concurrency | Race conditions, deadlocks | | Integer | Integer overflows and underflows | Not [...truncated for length...] --- # CrowdStrike Falcon AIDR URL: https://appsecsanta.com/crowdstrike-falcon-aidr Description: CrowdStrike Falcon AIDR extends the Falcon platform to secure enterprise AI with 99% prompt attack detection, data protection, and agent security. CrowdStrike Falcon AIDR (AI Detection and Response) is an AI security module that extends the CrowdStrike Falcon platform to detect and block prompt injection, jailbreaks, data leakage, and unsafe AI agent actions across enterprise AI usage. It is listed in the [AI security](/ai-security-tools) category. Falcon AIDR reports 99% prompt attack detection efficacy at 30 milliseconds or less, with findings streaming into Falcon Next-Gen SIEM for unified security operations. CrowdStrike announced the general availability of Falcon AIDR in December 2025. Built by the team that pioneered EDR (Endpoint Detection and Response), AIDR applies the same detection-and-response model to the AI attack surface. The platform secures every layer of enterprise AI — data, models, agents, identities, infrastructure, and interactions. In 2026, CrowdStrike expanded AIDR with coverage for desktop AI applications and Microsoft Copilot agents, as AI usage increasingly moves beyond browser-based tools. ## What is Falcon AIDR? Falcon AIDR addresses the AI security challenge from within an existing security platform rather than as a standalone product. For organizations already running CrowdStrike Falcon for endpoint, cloud, or identity security, AIDR adds AI-specific protections that feed into the same console and SIEM infrastructure. The platform detects prompt injection, jailbreaks, and unsafe content with 99% detection efficacy at 30 milliseconds or less. It inspects both text and image inputs — catching attacks that embed malicious instructions in images — and automatically redacts sensitive information before it reaches AI models. CrowdStrike's research tracks over 180 [prompt injection](/ai-security-tools/prompt-injection-guide) techniques (per CrowdStrike Falcon AIDR product documentation). The company reports that 45% of employees use AI tools without IT knowledge, 61% of organizations with AI governance policies cannot enforce them, and 62% of organizations are testing or scaling AI agent deployments — figures cited in CrowdStrike's 2025 State of AI in Cybersecurity research. CrowdStrike's 2025 Global Threat Report also documents an 89% increase in attacks by AI-enabled adversaries in 2025. Falcon AIDR closes these gaps through automated detection and policy enforcement. In 2026, CrowdStrike announced the acquisition of Seraphic to extend browser-based security protections, further strengthening Falcon AIDR's ability to monitor AI usage across browser-based tools. Prompt Attack Detection:::Blocks prompt injection, jailbreaks, and model manipulation with 99% detection efficacy at 30ms or less. Inspects both text and image inputs to catch invisible attacks embedded in visual content. ||| Data Protection:::Automatically detects and blocks credentials, PII, regulated data, and source code before exposure to AI systems. Supports multiple redaction methods including replacement, masking, partial masking, hash, and format-preserving encryption. ||| AI Agent Secur [...truncated for length...] --- # CrowdStrike Falcon ASPM URL: https://appsecsanta.com/crowdstrike-falcon-aspm Description: CrowdStrike Falcon ASPM uses runtime application analysis instead of static package scanning, with built-in shadow AI detection and sensitive data flow mapping. CrowdStrike Falcon ASPM is the [ASPM](/aspm-tools) module of the CrowdStrike Falcon platform — a runtime-driven approach to application security posture, with built-in shadow AI detection and sensitive data flow mapping. ## What is Falcon ASPM? CrowdStrike's bet on ASPM goes the opposite direction from most of the field. Where standalone ASPM platforms aggregate static scanner output and try to deduce exploitability after the fact, Falcon ASPM builds its picture from runtime behaviour. The product page tagline — _"Secure the applications that drive your business"_ — undersells the architectural choice. The actual differentiator is that Falcon ASPM watches what applications do in production and uses that telemetry as the primary prioritization signal. Static package lists become a secondary input, not the foundation. ## Three runtime-led capabilities Runtime application analysis:::Maps microservices, APIs, data flows, and dependencies as a live graph. Surfaces exploitable vulnerabilities based on how code actually executes rather than which packages happen to be present. ||| Shadow AI detection:::Detects unsanctioned AI services your applications call, monitors external AI integrations, and assesses what AI-enabled applications can access. This is a growing problem most pure ASPM tools have not built native coverage for yet. ||| Sensitive data flow:::Automatically identifies PII, PCI, and PHI flowing through deployed applications. Lets security and compliance teams scope data exposure without instrumenting every service by hand. ## Why runtime context changes the prioritization model The traditional ASPM model: ingest scanner findings, layer in some intelligence (CISA KEV, EPSS, reachability heuristics), produce a ranked queue. The runtime-led model is different in kind — vulnerabilities that never execute in production never make it into the high-priority queue, no matter what their CVSS says. | Static-led ASPM | Runtime-led ASPM (Falcon) | | ----------------------------------- | ------------------------------------- | | Findings start from scanner output | Findings start from runtime telemetry | | Reachability is inferred statically | Reachability is observed | | Strong on dev-time prevention | Strong on production-risk reduction | | Works without runtime deployed | Requires runtime instrumentation | Both models have legitimate use cases. The choice depends on whether your bigger problem is "we ship things we should not have shipped" (lean static) or "we have a sea of findings and no way to know which ones are real" (lean runtime). ## Analyst recognition | Source | Recognition | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------ [...truncated for length...] --- # Cycode URL: https://appsecsanta.com/cycode Description: Cycode is an AI-native ASPM platform with 94% fewer SAST false positives on OWASP Benchmark and 100+ ConnectorX integrations for supply chain security. Cycode is an AI-native [ASPM](/aspm-tools) platform that combines native scanning (SAST, SCA, IaC, secrets, container security) with ConnectorX, an integration marketplace with 100+ connectors for third-party tools. Customers include NielsenIQ, Cribl, UBS, and Elastic. Cycode acquired Bearer in April 2024, adding AI-powered SAST and privacy scanning to the platform. ## What is Cycode? Cycode takes a dual approach: it runs its own native scanners and aggregates findings from your existing tools through ConnectorX. The Context Intelligence Graph (CIG) ties everything together with code-to-runtime context. Native scanning:::Built-in SAST, SCA, IaC, secrets detection, and container scanning. The SAST engine (from the Bearer acquisition) hits 94% fewer false positives on the OWASP Benchmark with 75% recall. ||| ConnectorX:::100+ integrations for third-party SAST, DAST, SCA, CNAPP, and DevOps tools. Aggregate findings from your existing security investments into one view. ||| Context Intelligence Graph:::Maps code-to-runtime context across your SDLC. Supports natural language queries so security teams can ask questions and get immediate, contextualized answers. ## What are Cycode's key features? ### Next-generation SAST Cycode's SAST engine came from the Bearer acquisition in April 2024. It uses cross-file dataflow tracking and Code Context Analysis (CCA) to understand how data moves through your application, not just pattern matching. | Metric | Cycode SAST | | ------------------------ | ------------------------------------------- | | False positive reduction | 94% fewer vs. competitors (OWASP Benchmark) | | Recall rate | 75% | | Analysis type | Cross-file dataflow with CCA | | Fix generation | Automated via Cycode AI | Change Impact Analysis (CIA) detects risky material changes early in the development process. When a developer modifies authentication logic, payment processing, or data handling code, Cycode flags it for security review before it reaches production. ### Software supply chain security This is one of Cycode's strongest areas: | Capability | What it covers | | ------------------- | ----------------------------------------------------------------------- | | Secrets detection | Scans repositories, pipelines, and DevOps tools for exposed credentials | | CI/CD security | Detects pipeline misconfigurations and injection vulnerabilities | | Source code leakage | Monitors for proprietary code appearing in public repositories | | SCA | Dependency analysis with known vulnerability matching | | Container scanning | Image vulnerability and misconfiguration detection | ### Compliance automation Cycode maps security controls to compliance [...truncated for length...] --- # Cylake URL: https://appsecsanta.com/cylake Description: Cylake is an AI-native cybersecurity platform for on-premises deployment with unified threat detection and full data sovereignty for regulated industries. Cylake is an AI-native cybersecurity platform that delivers unified threat detection and response exclusively through on-premises and private cloud deployment, ensuring all security data stays within the customer's perimeter. Product status (April 2026) Cylake launched in March 2026 and is currently working with design partners only. General product availability is anticipated in early 2027. You cannot deploy Cylake today — join the design-partner program at cylake.com. It is an [AI security](/ai-security-tools) platform built for government agencies, critical infrastructure operators, and regulated enterprises where data sovereignty is a hard requirement, not a preference. Cylake launched in March 2026, founded by three cybersecurity veterans: [Nir Zuk](https://en.wikipedia.org/wiki/Nir_Zuk), who founded Palo Alto Networks in 2005 and served as its CTO for over two decades; Wilson Xu, who spent more than a decade building Palo Alto Networks' engineering organization; and Ehud (Udi) Shamir, [a co-founder of SentinelOne](https://en.wikipedia.org/wiki/SentinelOne). The company raised $45 million in seed funding led by [Greylock Partners](https://greylock.com/), with partner Asheem Chandna (who led Greylock's Palo Alto Networks investment) leading the deal. This ranks among the largest seed rounds in cybersecurity history, reflecting investor confidence in the founding team and the unaddressed market gap for sovereign AI-native security. ## What is Cylake? There is a real tension in enterprise cybersecurity: the best security platforms require sending data to vendor cloud infrastructure. But government agencies, critical infrastructure operators, and heavily regulated enterprises often cannot send security telemetry outside their perimeter. Cylake combines hardware and software into a single system that collects operational and security data from network infrastructure, endpoints, cloud workloads, and existing security tools. All of it feeds into one data foundation processed entirely within the customer's environment. ML models and automated workflows run locally, analyzing patterns, correlating events across sources, and generating alerts without any data leaving the organization. Cylake calls this "agentic protection": AI-driven security analysis that operates autonomously inside the customer's own infrastructure. Data Sovereignty Built In:::Every component — data collection, storage, analysis, and alerting — runs on-premises or in private cloud. Zero dependency on public cloud infrastructure. No security telemetry leaves the customer's perimeter. ||| Unified Data Foundation:::Collects telemetry from networks, endpoints, cloud workloads, and existing security tools into a single data layer. No more juggling multiple disconnected security products. ||| AI-Native Analytics:::Machine learning models process security data locally, detecting abnormal patterns and correlating events across multiple sources. Automated investigation wor [...truncated for length...] --- # Dastardly URL: https://appsecsanta.com/dastardly Description: Dastardly review — PortSwigger's free DAST scanner using Burp Suite's engine. Under 10 minutes, JUnit output, zero config. What it catches and what it misses. Dastardly is a free DAST scanner from PortSwigger that runs the Burp Suite scanning engine in a Docker container. Give it a URL, get JUnit XML results in under 10 minutes. No API keys, no configuration files, no account required. PortSwigger built Dastardly for one purpose: fast, high-confidence security checks in CI/CD pipelines. It does not try to be a full DAST scanner. It finds a focused set of vulnerabilities with minimal false positives. ## What are Dastardly's key features? | Feature | Details | | ------------- | -------------------------------- | | Price | Free, no limits | | Scan engine | Burp Suite scanner core | | Scan time | Under 10 minutes (hard cap) | | Output | JUnit XML | | Deployment | Docker container | | Configuration | Zero — just provide a target URL | | Auth scanning | Not supported | | API keys | Not required | Burp Scanner Engine:::Same detection logic that powers Burp Suite Professional, refined through PortSwigger's decades of web security research and the Web Security Academy program. ||| 10-Minute Cap:::Every scan finishes within 10 minutes regardless of site size. This hard limit keeps Dastardly from becoming a bottleneck in your build pipeline. ||| Zero Configuration:::No config files, API keys, or account setup. Run the Docker container with a target URL and get results. That is the entire workflow. Dastardly is a black-box web vulnerability scanner — it tests a running application from the outside without source-code access. It does not perform authenticated dynamic scans, full SQL injection / XSS probing across every parameter, or API security testing against REST or GraphQL endpoints. For those broader DAST capabilities — authenticated scans against logged-in user sessions, payload mutation across input vectors, and protocol-level API testing — I cover commercial scanners further down. ## Vulnerability Coverage Dastardly checks for a focused set of high-confidence vulnerability types. Reflected XSS appears in the OWASP Top 10 under injection flaws, and the Verizon DBIR consistently identifies web application attacks as one of the top breach vectors — making even this narrow coverage valuable as a CI/CD safety net. - Reflected cross-site scripting (XSS) - CORS misconfigurations - Vulnerable JavaScript dependencies - Content-type mismatches - Multiple content types specified - HTML does not specify charset - Duplicate cookies set The limited scope is intentional. Every reported issue is a real problem worth fixing. Dastardly will not flood your pipeline with noise. Dastardly does not attempt full DAST coverage. It finds the most common, highest-confidence web vulnerabilities in under 10 minutes. For deeper scanning with authenticated testing, see [Burp Suite](/burp-suite) DAST edition. ## CI/CD Integration ### GitHub Actions ```yaml [...truncated for length...] --- # Data Theorem Mobile Secure URL: https://appsecsanta.com/data-theorem Description: In-depth Data Theorem review. Full-stack iOS and Android security: SAST, DAST, SCA, and runtime protection across apps serving 2.8B+ users. Data Theorem Mobile Secure is a commercial mobile application security platform that combines SAST, DAST, SCA, and runtime protection in a single analyzer — covering iOS and Android apps from source code through deployed behavior. Data Theorem protects applications serving over 2.8 billion users worldwide, including 7 of the top 10 largest banks. Unlike point tools that handle only static or dynamic analysis, Data Theorem runs all four testing types — SAST, DAST, SCA, and runtime — in a single pipeline. ## What is Data Theorem? Data Theorem Mobile Secure is a full-stack mobile AppSec platform built specifically for iOS and Android. Its Analyzer Engine processes mobile app binaries through static analysis, dynamic testing, app store blocker checks, third-party code analysis, and compliance review — all in one pass. You can upload apps directly, pull them from the Apple App Store or Google Play, or push binaries through CI/CD plugins and the upload API. Findings are auto-triaged, with P1 alerts for critical issues and remediation suggestions that include secure code examples. Results come back through a web portal, a results API, or Jira/Slack integrations. Data Theorem also scans the backend APIs that mobile apps talk to, and performs runtime behavioral analysis through its Active Protection layer. Unlike static-only scanners, Active Protection watches real behavior: what data an app collects, how it communicates, and whether it stores sensitive information properly. Customers include Cisco Duo, Zoom, Coinbase, and eBay. Data Theorem also holds kidSAFE certification for its Mobile Protect solution. ## What are Data Theorem Mobile Secure's key features? | Feature | Details | | ------------------ | ----------------------------------------------------------------------- | | Testing Types | SAST, DAST, SCA, runtime analysis | | Platforms | iOS, Android | | App Sources | Direct upload, App Store/Play Store, CI/CD, API | | SDK Analysis | Third-party code firewall for embedded SDKs | | Runtime Protection | Device integrity, jailbreak/root detection, hostile traffic observation | | Integrations | Jenkins, Jira, Slack, CI/CD plugins, results API | | Compliance | One-click reports, kidSAFE certified | | Output | Web portal, auto-triage with P1 alerts, secure code suggestions | Analyzer Engine:::Runs static analysis, dynamic testing, third-party code analysis, and compliance review on every binary. Processes apps from uploads, app stores, or CI/CD pipelines. ||| Third-Party SDK Firewall:::Identifies and evaluates all embedded SDKs for known vulnerabilities, privacy violations, and malicious behavior. Flags risky [...truncated for length...] --- # Datadog Application Security URL: https://appsecsanta.com/datadog-asm Description: Datadog ASM (now App and API Protection) embeds RASP via APM tracing libraries across 7 languages. In-app WAF, shadow API discovery, account takeover detection. Datadog Application Security (now branded App and API Protection) provides runtime application protection integrated with Datadog's observability platform. It uses the same tracing libraries as Datadog APM to embed [RASP](/rasp-tools) capabilities directly into application code across 7 languages. ## What is Datadog Application Security? Datadog ASM embeds security protection into applications using the same tracing libraries that power Datadog APM. If you already run Datadog APM, enabling ASM typically requires only a configuration flag change — no separate agent or network appliance. The RASP capabilities come from [Datadog's 2021 acquisition of Sqreen](https://www.datadoghq.com/blog/datadog-acquires-sqreen/). The technology operates inside the application runtime, with visibility into how requests flow through code. It blocks attacks before they reach vulnerable code paths. When an attack is detected, security teams see the attack signature alongside the full distributed trace, the services affected, the user responsible, and the code paths involved. In-App WAF:::Operates inside the application runtime rather than at the network perimeter. Sees requests after TLS termination and understands application context like user sessions. ||| APM Integration:::Links every security event to a distributed trace. Follow a malicious request from ingress through every microservice it touched. ||| API Discovery:::Continuously discovers all API endpoints including undocumented and shadow APIs. Detects OWASP API Top 10 risks. ## What are Datadog Application Security's key features? | Feature | Details | | -------------- | ------------------------------------------------------------------- | | Languages | Java, .NET, Node.js, Python, Go, Ruby, PHP | | Deployment | In-app (tracer-based) or perimeter (edge WAF/CDN) | | Detection | OWASP Top 10: SQLi, XSS, command injection, SSRF, path traversal | | Blocking | Real-time blocking of requests, users, or IPs at edge or in-app | | API security | Shadow API discovery, OWASP API Top 10 detection | | Business logic | Account Takeover and Credential Stuffing detection | | Observability | Security events linked to distributed traces, logs, and APM metrics | | Enablement | `DD_APPSEC_ENABLED=true` flag on existing APM tracing libraries | ### In-app WAF The in-app WAF operates inside your application rather than at the network perimeter. This positioning provides several advantages: - Sees requests after TLS termination without additional decryption - Understands application context like user sessions and business logic - Blocks attacks that network WAFs miss due to encoding or evasion techniques - Works in environments where network-based WAFs are impractical (microservices, serverless) Detection rules cover the OWASP Top 10 includi [...truncated for length...] --- # Datadog Code Security (IAST) URL: https://appsecsanta.com/datadog-iast Description: Datadog IAST scores 100% on the OWASP Benchmark with zero false positives. Reuses APM tracing libraries for runtime code analysis in Java, .NET, and Node.js. Datadog Code Security provides runtime code analysis ([IAST](/iast-tools)) that detects vulnerabilities in running applications using the same tracing libraries that power Datadog APM. It supports Java, .NET, Python, and Node.js. The tool achieves [100% on the OWASP Benchmark](https://owasp.org/www-project-benchmark/) with over twenty additional detection rules. Because it reuses your existing Datadog tracing setup, enabling IAST is a configuration flag away — no new agent to deploy. Datadog IAST is part of the broader Code Security suite alongside Static Code Analysis (SAST), Software Composition Analysis (SCA), Infrastructure as Code security, and Secret Scanning. ## What is Datadog Code Security (IAST)? Datadog's IAST monitors live applications by tracking how data flows through code at runtime. It instruments applications through the same tracing libraries used for APM. As requests move through your application, the tracer monitors data sources (user input, external APIs) and sinks (database queries, file operations, system commands). When untrusted data reaches a sink without proper validation, Datadog flags the vulnerability with the exact code location and data flow. 100% OWASP Benchmark:::Correctly identifies all test vulnerabilities with zero false positives. This accuracy comes from analyzing actual runtime behavior rather than guessing from code patterns. ||| APM-Native Integration:::Uses the same tracing libraries as Datadog APM. If you already run Datadog, enabling IAST is one environment variable. No new agent needed. ||| Datadog Severity Score:::Prioritizes findings using environment context and real-time threat activity. See which vulnerabilities affect production services versus staging. ## What are Datadog Code Security (IAST)'s key features? | Feature | Details | |---------|---------| | Supported Languages | Java (tracer 1.15.0+), .NET, Node.js (tracer 4.18.0+ / 5.0.0+), Python (preview) | | OWASP Benchmark | 100% true positive rate, zero false positives | | Agent Requirement | Datadog Agent 7.41.1+ | | Enable Flag | `DD_IAST_ENABLED=true` | | Deployment | Docker, Kubernetes, Amazon ECS, AWS Fargate | | Vulnerability Types | SQL injection, command injection, path traversal, LDAP injection, XSS, insecure deserialization | | Code Security Suite | IAST + SAST + SCA + IaC + Secret Scanning | | Source Integration | GitHub (code view, blame, issue creation) | ### Runtime Vulnerability Detection IAST detects vulnerabilities that need runtime context to identify. For each finding, Datadog provides the specific file name, method name, and line number where the vulnerability exists, plus the complete data flow from source to sink. Detected vulnerability types include: - **SQL Injection** — tracks user input through string concatenation to database queries - **Command Injection** — identifies external input reaching system command execution - **Path Traversal** — detects unsanitized input in file system operations - **LDAP Inj [...truncated for length...] --- # OpenText Core SCA (Debricked) URL: https://appsecsanta.com/debricked Description: OpenText Core SCA uses ML-powered vulnerability analysis with dependency health scoring and native Fortify SSC integration for unified AppSec. OpenText Core SCA (formerly Debricked) is a developer-friendly [SCA platform](/sca-tools) that uses machine learning to prioritize vulnerabilities and assess dependency health. Acquired by Micro Focus in 2022 and now part of OpenText, it integrates natively with the Fortify portfolio for unified SAST+SCA management. Its ML-based approach addresses a real gap: the [Sonatype 2026 State of the Software Supply Chain report](https://www.sonatype.com/state-of-the-software-supply-chain/introduction) frames open-source malware as a nation-state-scale threat, and Sonatype has continued to log tens of thousands of malicious packages across public registries year after year — so intelligent prioritization stays essential. ML models predict exploit likelihood, estimate time-to-fix, and identify patterns beyond what CVSS scores alone provide. A dependency health scoring system flags risky packages even without known vulnerabilities. ## What is OpenText Core SCA? Debricked was founded to make SCA accessible to developers without sacrificing depth. After acquisition, it became OpenText Core SCA while keeping its developer-focused approach. The Fortify SSC and Fortify on Demand integration means organizations can manage SAST and SCA findings in a single dashboard. ML-Powered Analysis:::Machine learning models predict exploit likelihood, estimate time-to-fix, and identify vulnerability patterns. Prioritizes based on actual risk rather than CVSS scores alone. ||| Dependency Health:::Each dependency gets a health score based on maintenance activity, community size, release frequency, and security track record. Low scores flag risky packages before CVEs exist. ||| Fortify Integration:::Native integration with Fortify SSC and Fortify on Demand. SCA findings appear alongside SAST results with consistent policies across scan types. ## What are OpenText Core SCA (Debricked)'s key features? | Feature | Details | |---------|---------| | ML-powered analysis | Predicts exploit likelihood and time-to-fix beyond CVSS | | Dependency health scoring | Maintenance activity, community size, release frequency assessment | | Automated fix PRs | Version updates with breaking change warnings | | License compliance | Hundreds of license types including custom and uncommon | | SBOM generation | SPDX and CycloneDX formats with transitive dependencies | | Ecosystems | npm, yarn, pnpm, pip, Poetry, Maven, Gradle, Go, Composer, Bundler, NuGet, Cargo | | Fortify SSC | Native integration for unified SAST+SCA management | | Pricing | Free tier for open-source; Premium and Enterprise plans | ### ML-powered vulnerability analysis Machine learning models enrich vulnerability data beyond CVE databases. The system predicts exploit likelihood, estimates time-to-fix, and identifies disclosure patterns to help teams prioritize based on actual risk. ### Dependency health scoring Each dependency receives a health score based on maintenance activity, community size, release frequency, and sec [...truncated for length...] --- # DeepSource URL: https://appsecsanta.com/deepsource Description: DeepSource provides AI-powered SAST with Autofix AI. Free tier available. 20+ analyzers. Used by 6,000+ companies including NASA and Ancestry. DeepSource is a code quality and security platform with 20+ analyzers covering [SAST](/sast-tools), SCA, secrets detection, and code coverage. It integrates natively with GitHub, GitLab, Bitbucket, and Azure DevOps to analyze every commit and pull request without CI configuration. Founded in 2018 in San Francisco, DeepSource is used by 6,000+ companies including NASA, Ancestry, and Babbel. The platform is SOC 2 Type II certified. Backed by Y Combinator and 645 Ventures. ## What is DeepSource? DeepSource runs static analysis on every commit and pull request. According to NIST's guidelines on secure software development, automated analysis on every code change catches vulnerabilities before they accumulate. DeepSource scans for security vulnerabilities, code quality issues, duplicated code, and hardcoded secrets. The platform also provides SCA for dependency vulnerabilities and code coverage tracking. The standout feature is Autofix AI, which generates fixes for detected issues using LLMs. The legacy deterministic Autofix handled about 30% of issues. Autofix AI expands that to nearly all issues by analyzing surrounding context, imports, and project patterns. ![DeepSource AI review leaving an inline PR comment about an API key timing attack vulnerability with code context and remediation advice](/images/tools/deepsource/autofix-pr-comment.webp) 20+ Analyzers:::GA support for Python, JavaScript, Java, Go, C#, Rust, Ruby, PHP, Scala, Docker, Shell, SQL, Terraform, Ansible, Dart, and Secrets. Beta support for C/C++, Swift, and Kotlin. ||| Autofix AI:::Generates fixes for nearly all detected issues using LLMs. Analyzes surrounding context, imports, related functions, and project coding patterns. Proposed fixes appear as diffs in pull requests. ||| 97% Precision Secrets:::Two-stage secrets detection: fast pattern matching followed by AI classification using the open-source Narada model. 93% reduction in false positives compared to regex-only approaches. ![DeepSource team overview dashboard showing code health metrics across repositories](/images/tools/deepsource/team-overview.webp) ## What are DeepSource's key features? ### Security analysis DeepSource detects security vulnerabilities across its supported languages. The SCA module scans dependencies for known vulnerabilities using reachability analysis to determine whether your code actually calls the vulnerable function. For JavaScript and Python, SCA includes full reachability analysis and automated remediation. For Go, Rust, Java, C#, PHP, Ruby, and Kotlin, it provides vulnerability scanning. ### Secrets detection The secrets analyzer uses a two-stage approach: fast pattern matching identifies potential secrets, then AI-powered classification distinguishes real credentials from false positives. DeepSource reports 97% precision, 96.3% recall, and a 93% reduction in false positives compared to pattern-only detection. The classification is powered by Narada, an open-source secrets classific [...truncated for length...] --- # DeepTeam URL: https://appsecsanta.com/deepteam Description: Hands-on DeepTeam review. Open-source LLM red teaming with 40+ vulnerability types and 10+ attack methods. OWASP Top 10 for LLMs coverage. Free, Apache 2.0. DeepTeam is an open-source LLM red teaming framework by [Confident AI](https://www.confident-ai.com/) that tests language model applications for security vulnerabilities and safety risks. It's part of the [AI security](/ai-security-tools) category. The project has 1,277 GitHub stars and 187 forks with 22 contributors (as of April 2026). Jeffrey Ip at Confident AI leads development — the same team behind DeepEval, a widely used LLM evaluation framework. DeepTeam is licensed under Apache 2.0 and supports Python 3.9 through 3.13. ## What is DeepTeam? DeepTeam automates adversarial testing of LLM-based applications. You define a target model callback, pick vulnerability types and attack methods, and the framework generates adversarial inputs to probe your model for weaknesses. The framework covers 40+ vulnerability types across categories like bias, PII leakage, toxicity, and misinformation. It uses 10+ adversarial attack methods split into single-turn attacks (prompt injection, Leetspeak, ROT-13, math problem encoding) and multi-turn attacks (linear jailbreaking, tree jailbreaking, crescendo jailbreaking). 40+ Vulnerability Types:::Covers bias (race, gender, political, religion), PII leakage, toxicity, misinformation, and robustness issues. Mapped to [OWASP Top 10 for LLMs](https://owasp.org/www-project-top-10-for-large-language-model-applications/) and [NIST AI RMF](https://www.nist.gov/itl/ai-risk-management-framework). ||| 10+ Attack Methods:::Single-turn attacks (prompt injection, Leetspeak, ROT-13, math problem) and multi-turn attacks (linear, tree, and crescendo jailbreaking). ||| Custom Vulnerabilities:::Define your own vulnerability types beyond the built-in 40+ using the CustomVulnerability class for domain-specific testing. ## What are DeepTeam's key features? | Feature | Details | | ---------------------- | -------------------------------------------------------------- | | Vulnerability Count | 40+ built-in types | | Attack Methods | 10+ (single-turn and multi-turn) | | Single-Turn Attacks | Prompt injection, Leetspeak, ROT-13, math problem | | Multi-Turn Attacks | Linear jailbreaking, tree jailbreaking, crescendo jailbreaking | | Standards Coverage | OWASP Top 10 for LLMs, NIST AI RMF | | Custom Vulnerabilities | Supported via CustomVulnerability class | | Configuration | Python API and YAML config files | | CLI Commands | `deepteam run`, `deepteam set-api-key` | | Dependencies | deepeval, openai, aiohttp, grpcio, pyyaml | | Python Support | 3.9 to 3.13 | ### Vulnerability categories DeepTeam organizes its 40+ vulnerabilities by category. Bi [...truncated for length...] --- # DefectDojo URL: https://appsecsanta.com/defectdojo Description: DefectDojo aggregates findings from 200+ security tools with 4.5k GitHub stars and 45M+ downloads. OWASP Flagship Project with intelligent deduplication. DefectDojo is a widely adopted open-source [ASPM](/aspm-tools) platform, with 45M+ downloads, 4.5k GitHub stars, 487 contributors, and 10K+ organizations using it. It is an OWASP Flagship Project that aggregates vulnerability findings from 200+ security tools into a single source of truth. The project runs on Django with PostgreSQL, Celery, and Redis. Latest release is v2.55.1 (February 2026). Licensed under BSD 3-Clause. **GitHub:** [DefectDojo/django-DefectDojo](https://github.com/DefectDojo/django-DefectDojo) ## What is DefectDojo? DefectDojo sits between your security scanners and your remediation workflow. It ingests scan results, deduplicates findings, assigns risk scores, and tracks remediation — all without requiring you to replace your existing tools. 200+ tool parsers:::Import results from SAST, DAST, SCA, infrastructure, and container scanners. Bandit, Semgrep, ZAP, Burp Suite, Trivy, Checkov — if it produces a report, DefectDojo probably parses it. ||| Deduplication engine:::Same vulnerability found by multiple scanners shows up once. Deduplication uses CWE, file path, endpoint, and custom hash algorithms. 500 findings from 5 tools typically become ~150 unique issues. ||| Open source:::BSD 3-Clause license with 487 contributors and 278 releases. Self-host on Docker, Kubernetes, or bare metal. No vendor lock-in. A commercial Pro edition adds DefectDojo Sensei (the AI triage module), advanced reporting, and enterprise support. The community edition is fully functional for most teams. ## What are DefectDojo's key features? ### 200+ tool integrations DefectDojo parses results from tools across every security category: | Category | Tools | | -------------- | --------------------------------------------------------------------------- | | SAST | Bandit, Semgrep, SonarQube, Checkmarx, Fortify, Veracode, CodeQL, Snyk Code | | DAST | OWASP ZAP, Burp Suite, Acunetix, Nessus, Nuclei, Nikto | | SCA | OWASP Dependency-Check, Snyk, npm audit, Trivy, Grype | | Infrastructure | Trivy, Checkov, KICS, AWS Inspector, ScoutSuite | | Containers | Trivy, Grype, Docker Scout | Upload scan files through the web UI, push them via the REST API from CI/CD pipelines, or use the reimport endpoint to update existing test results without creating duplicates. ### Deduplication engine DefectDojo automatically deduplicates findings based on: - Vulnerability type and CWE classification - File path and line number - Endpoint and parameter - Custom hash algorithms for tool-specific matching A real-world example: 500 raw findings from 5 different scanners typically reduce to about 150 unique vulnerabilities after deduplication. ### Risk-based prioritization Risk scores factor in CVSS severity, business criticality of the affected [...truncated for length...] --- # GitHub Dependabot URL: https://appsecsanta.com/dependabot Description: Dependabot is 100% free on every GitHub repo (public + private). 30+ ecosystems, grouped PRs, compatibility scores. Most-adopted SCA per Octoverse. Dependabot is GitHub's built-in dependency security tool. It's free for every GitHub repository, public or private, and requires no external services or API tokens. According to the 2025 GitHub Octoverse report, Dependabot is the most widely adopted [SCA tool](/sca-tools/what-is-sca) among open-source projects. It operates across three layers: **alerts** tell you when a dependency has a known vulnerability, **security updates** open PRs to fix those vulnerabilities, and **version updates** keep all your dependencies current. Over 846,000 repositories have Dependabot configured, with 137% year-over-year adoption growth according to the 2025 GitHub Octoverse report. GitHub acquired the original Dependabot project in 2019 and integrated it directly into the platform. It now covers 30+ package ecosystems and draws from the GitHub Advisory Database (28,000+ reviewed advisories). ## What is Dependabot? Dependabot monitors your repository's dependency manifests and lock files. When a new vulnerability appears in the GitHub Advisory Database or a newer package version is released, Dependabot opens a pull request with the update. For security fixes, it upgrades to the minimum patched version (not the latest) to minimize the risk of breaking changes. Each PR includes a compatibility score showing the CI pass rate from public repositories that applied the same update. Security Updates:::Automatically creates PRs to fix vulnerable dependencies. Updates to the minimum safe version with compatibility scores showing CI pass rates from public repos. Grouped security updates consolidate fixes per ecosystem. ||| Version Updates:::Keeps all dependencies current on a configurable schedule. Supports daily, weekly, monthly, or cron-based timing. Group updates by name pattern, dependency type, or semver level to reduce PR noise. ||| Auto-Triage Rules:::Preset rules auto-dismiss low-impact alerts on development dependencies. Custom rules filter by severity, package name, and CWE. Reduces alert fatigue without losing coverage. ## What are GitHub Dependabot's key features? ### Vulnerability alerts When a dependency in your repository matches a vulnerability in the GitHub Advisory Database, Dependabot creates an alert. Each alert includes the CVE details, severity rating, affected versions, and patched version. You can filter by ecosystem, severity, package name, and scope (development vs. production). Note: The GitHub Advisory Database contains 28,000+ reviewed advisories sourced from NVD, security advisories published by package maintainers, and community contributions. Only advisories reviewed by GitHub trigger Dependabot alerts, which reduces false positives compared to raw NVD feeds. ### Security updates When a vulnerability has a fix, Dependabot creates a PR that bumps the dependency to the minimum patched version. The PR includes release notes, changelog entries, and a compatibility score. Grouped security updates bundle multiple fixes per ecosyst [...truncated for length...] --- # OWASP Dependency-Track URL: https://appsecsanta.com/dependency-track Description: OWASP Dependency-Track continuously monitors SBOMs against NVD, GitHub Advisories, and OSS Index for portfolio-wide vulnerability management. OWASP Dependency-Track is an open-source platform for continuous component analysis across software portfolios. With 3.6k GitHub stars and 167 contributors, it is an established open-source solution for SBOM-based vulnerability management. Unlike [SCA scanners](/sca-tools) that run at build time and produce point-in-time reports, Dependency-Track maintains a persistent inventory of all components across your applications. With Executive Order 14028 requiring [SBOM generation](/sca-tools/what-is-sbom) for federal software, platforms that track SBOMs continuously have become increasingly relevant. When a new CVE is published, the platform immediately identifies every affected project without requiring rescans. ## What is OWASP Dependency-Track? Dependency-Track ingests SBOMs in CycloneDX or SPDX format and continuously correlates components against NVD, GitHub Advisories, Sonatype OSS Index, OSV, and optionally Snyk. It tracks component versions, licenses, and security posture across projects, giving you a unified view of organizational risk. SBOM Lifecycle Management:::Ingests SBOMs as living documents. Tracks versions over time, maintains history of component changes, and supports CycloneDX and SPDX formats from any generation tool. ||| Continuous Monitoring:::Correlates your component inventory against updated vulnerability feeds around the clock. When a new CVE affects a library you use, alerts fire across all affected projects automatically. ||| Portfolio Risk Tracking:::Dashboards show risk trends, vulnerable component counts, and policy violations across your entire application portfolio. Filter by project, team, tag, or component. ## What are OWASP Dependency-Track's key features? ### Vulnerability data sources | Source | Coverage | |--------|----------| | NVD (NIST) | All CVEs in the National Vulnerability Database | | GitHub Security Advisories | Community-reviewed advisories for GitHub ecosystems | | Sonatype OSS Index | Java, JavaScript, .NET, and Go vulnerability data | | OSV | Open Source Vulnerabilities across multiple ecosystems | | Snyk (optional) | Additional vulnerability intelligence with API key | | VulnDB (optional) | Commercial vulnerability intelligence | ### Supported SBOM formats | Format | Support | |--------|---------| | CycloneDX JSON | Full support (preferred) | | CycloneDX XML | Full support | | SPDX JSON | Import and export | | SPDX tag-value | Import only | ### Continuous vulnerability monitoring Rather than scanning on-demand, Dependency-Track continuously correlates your component inventory against updated vulnerability feeds. When a new CVE affects a library you use, alerts fire automatically across all affected projects. No rescan needed. ### Multi-source vulnerability intelligence The platform aggregates data from NVD, GitHub Security Advisories, Sonatype OSS Index, OSV, and optionally Snyk. This multi-source approach catches vulnerabilities that any single database might miss. ### Component inv [...truncated for length...] --- # detect-secrets URL: https://appsecsanta.com/detect-secrets Description: Yelp's detect-secrets uses a baseline approach to prevent new secrets while accepting existing ones. Enterprise-friendly secret detection with plugin. detect-secrets is Yelp's enterprise-friendly secret scanner that uses a baseline approach to prevent new credential leaks. According to OWASP's [Secrets Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html), preventing secrets from entering version control is a foundational security practice. Unlike scanners that report all secrets, detect-secrets accepts existing secrets in a baseline file while blocking any new ones from being committed. This pragmatic approach makes detect-secrets ideal for brownfield projects and large organizations that need immediate protection without requiring massive remediation efforts upfront. I pair detect-secrets with pre-commit on any repo that accepts third-party contributions. Its baseline file lets me mark known-safe strings as reviewed so the scan stays quiet day to day. It does not verify secrets against live services the way TruffleHog does, but it is faster, has fewer runtime dependencies, and covers a broader pattern library out of the box. ## What is detect-secrets? detect-secrets scans git repositories and files to identify hardcoded credentials, API keys, and other secrets. The tool's distinguishing feature is its baseline system: you create a baseline file containing hashes of all current secrets, then detect-secrets allows those secrets to pass while flagging anything new. The scanner works by analyzing git diffs rather than scanning entire repositories on each run. This differential approach minimizes overhead and provides fast feedback in pre-commit hooks and CI pipelines. You see only what changed, not repeated warnings about historical issues. detect-secrets uses a plugin architecture for secret detection. Each plugin targets specific secret patterns—AWS keys, private keys, Slack tokens, etc. You can enable built-in plugins or write custom regex-based detectors for proprietary credentials. Baseline Management:::Accept existing secrets in a baseline file while blocking new ones, enabling immediate protection without full historical remediation ||| Differential Scanning:::Scan git diffs instead of entire repositories to minimize overhead and provide fast feedback on changes ||| Plugin Architecture:::Extensible detection system with built-in plugins for common secrets plus custom regex support for proprietary credentials ## Why secret detection in source code matters Leaked credentials in source repositories are one of the most exploited initial-access patterns. GitHub's secret scanning regularly catches AWS keys, Slack tokens, and API credentials in public commits within seconds of push, and historical scans against the public commit graph routinely surface millions of valid secrets per year. Once a credential lands in git history, rotation is the only fix — removal from a single commit does not erase it from clones, forks, or mirrors. The practical problem is brownfield: most established codebases already contain old credentials buried [...truncated for length...] --- # Detectify URL: https://appsecsanta.com/detectify Description: Detectify review — crowdsourced DAST from 400+ ethical hackers with 1,765+ vulnerability modules. Built-in attack surface management. Worth the price? Detectify is a cloud-based DAST platform that pairs automated vulnerability scanning with crowdsourced intelligence from 400+ ethical hackers. It covers both web application scanning and external attack surface management in one product. The platform runs 1,765+ vulnerability modules built from real-world research. New modules go live within 15 minutes of validation — most DAST vendors take weeks or months to ship comparable updates. Used by 10,000+ organizations including Grammarly, Trustly, and New Relic. ## Key Features at a Glance | Feature | Detail | | --------------------- | -------------------------------------------------- | | Vulnerability Modules | 1,765+ from crowdsourced research | | Zero-Days Discovered | 300+ across the program's lifetime | | Testing Method | 100% payload-based (reduces false positives) | | Researcher Community | 400+ ethical hackers | | Cloud Connectors | AWS, Azure, GCP, DigitalOcean, Cloudflare, Alibaba | | API Version | REST API v2 | | Authentication | API key via Authorization header | | SPA Support | React, Angular, Vue.js, AJAX-heavy apps | | Compliance Reports | PCI DSS, OWASP Top 10, SOC 2 | | Trial | Free 2-week trial | ## What is Detectify? Detectify splits into two main modules: Surface Monitoring for attack surface management and Application Scanning for DAST. What makes it different from most [DAST tools](/dast-tools) is the crowdsourced research model. Ethical hackers from around the world submit vulnerability modules through the Crowdsource platform, earning bounties for accepted research. This means Detectify often catches new vulnerability types days after public disclosure, well before vendors relying on internal research teams update their scanners. The platform has processed research that uncovered over 240,000 vulnerabilities across customer assets. Ethical hackers submit vulnerability modules, Detectify validates them, and the scanning engine picks them up within 15 minutes. Most traditional DAST tools ship detection updates on quarterly or monthly cycles. Surface Monitoring:::Discovers subdomains, exposed services, and configuration drift across your external attack surface. Monitors for exposed files, data leakage, and infrastructure misconfigurations continuously. ||| Application Scanning:::Crawls and tests web applications with an advanced engine that handles React, Angular, Vue.js, and AJAX-heavy SPAs. Includes fuzzing, authenticated scanning, and API testing for REST and GraphQL. ||| Crowdsource Research:::400+ ethical hackers contribute real-world attack techniques and vulnerability modules. New findings deploy within 15 minutes of validation. Most vendors take weeks. ## [...truncated for length...] --- # Docker Scout URL: https://appsecsanta.com/docker-scout Description: Docker Scout is Docker's built-in security scanner. SBOM generation, vulnerability detection from 23 advisory sources, and policy evaluation. Docker Scout is Docker's built-in security analysis tool for container images. It scans images for vulnerabilities, generates SBOMs, and suggests fixes. It works inside Docker Desktop, Docker Hub, and the Docker CLI with no extra setup. Scout builds an inventory of every package and dependency inside a container image (the Software Bill of Materials), then matches those components against a vulnerability database that pulls from 23 advisory sources. ## How does Docker Scout scan images? Docker Scout scans container images by decomposing image layers, identifying OS packages and application dependencies, and matching them against 23 advisory database sources. Results include CVE IDs, severity scores (CVSS v4 when available), affected versions, and remediation steps. The scanning happens automatically when you push an image to Docker Hub, or on-demand through the CLI and Docker Desktop. Most scanners rely on broad CPE (Common Product Enumeration) matching, which produces false positives when package names overlap. Scout uses Package URLs (PURLs) instead, which ties vulnerabilities to specific packages more precisely. In practice, this means fewer false positives compared to CPE-based scanners. Vulnerability Detection:::Scans container image layers and dependencies against 23 advisory sources including NVD, GitHub Advisory Database, CISA KEV catalog, and distribution-specific security trackers. ||| SBOM Generation:::Produces Software Bill of Materials in CycloneDX and SPDX formats for compliance, audit, and supply chain visibility purposes. ||| Policy Evaluation:::Defines and enforces security policies across images. Evaluate compliance before deployment and track policy violations across your image portfolio. ## What are Docker Scout's key features? | Feature | Details | | ------------------ | ------------------------------------------------------------------------------------- | | Advisory sources | 23 databases including NVD, GitHub, GitLab, CISA KEV, EPSS, and distribution trackers | | SBOM formats | CycloneDX, SPDX | | Severity scoring | CVSS v4 preferred, falls back to v3, vendor scores prioritized over NIST | | Matching method | Package URL (PURL) matching instead of broad CPE matching | | VEX support | Vulnerability Exploitability eXchange for suppressing non-applicable findings | | Integration points | Docker Desktop, Docker Hub, Docker CLI, CI/CD platforms, third-party registries | | Free tier | 1 repo with continuous analysis (Docker Personal) | ### Docker Desktop integration Scout is built into Docker Desktop. Pull or build an image, and vulnerability information shows up in the Desktop UI without any extra setup. CVEs, affected packages, and remedia [...truncated for length...] --- # Drozer URL: https://appsecsanta.com/drozer Description: Drozer is an open-source Android security framework by Reversec. Test IPC endpoints, content providers, exported components, and permission abuse on devices. Drozer is an open-source Android security assessment framework that tests an app's attack surface by simulating what a malicious application could do through Android's inter-process communication (IPC) mechanisms. Originally developed by MWR Labs (acquired by F-Secure, later WithSecure), Drozer is now maintained by Reversec with 4,400+ GitHub stars. The main difference between Drozer and automated scanners like [MobSF](/mobsf) is the testing approach. MobSF finds common vulnerabilities through pattern matching. Drozer works differently: it installs a lightweight agent on the target device and lets you interact with apps the way a malicious application would — testing exported components, content providers, and IPC endpoints hands-on. **GitHub:** [ReversecLabs/drozer](https://github.com/ReversecLabs/drozer) | **Stars:** 4.4k+ | **Latest Release:** v3.1.0 (August 2024) | **License:** BSD 3-Clause Drozer specializes in finding vulnerabilities that static analysis misses: exported components without proper permission checks, content providers vulnerable to SQL injection, broadcast receivers that accept untrusted data, and privilege escalation paths through intent chains. Importantly, Drozer does not require root access — it tests what a zero-permission malicious app could achieve, which is the most realistic Android threat model. For [mobile security](/mobile-security-tools) pentesters, Drozer sits between automated scanning and manual reverse engineering. It answers a specific question: "what can a malicious app actually do to this target?" | Feature | Details | | ------------------ | ------------------------------------------------------------ | | Core function | Interactive Android IPC attack surface testing | | Architecture | Client (workstation) + Agent (Android app on device) | | Connection methods | USB via ADB port forwarding, Wi-Fi network | | Component testing | Activities, Services, Content Providers, Broadcast Receivers | | Injection testing | SQL injection, path traversal on content providers | | Root required | No — tests from unprivileged app perspective | | Device support | Physical devices and emulators | | Extensibility | Python modules, community module repository | | Protocol | Protocol Buffers (client-agent communication) | | License | BSD 3-Clause (fully open source) | ## Overview Drozer uses a client-agent architecture. The **Drozer Agent** is an Android app installed on the test device (physical or emulator). The **Drozer Console** runs on your workstation and connects to the agent, either via USB port forwarding with ADB or over a network connection. Once connected, you interact with the target device through a command-line console. Drozer assumes the i [...truncated for length...] --- # Dynatrace URL: https://appsecsanta.com/dynatrace Description: Dynatrace Application Security combines APM with runtime protection in one OneAgent. Davis AI prioritizes vulnerabilities based on actual exposure. Dynatrace Application Security is a runtime protection module built into the Dynatrace observability platform. It uses the same OneAgent that handles APM to detect vulnerabilities and block attacks in running applications. No separate security agent needed. Davis AI correlates security findings with performance data, topology maps, and runtime context to prioritize vulnerabilities based on actual exposure rather than theoretical severity scores. | Feature | Details | | ----------------- | --------------------------------------------------------- | | Platform | Dynatrace Software Intelligence Platform | | Agent | OneAgent (shared with APM) | | Languages | Java, .NET, Node.js, PHP, Go | | Detection | Runtime vulnerability detection + attack blocking | | AI Engine | Davis AI for risk prioritization | | Deployment | SaaS, Managed, On-premises | | Compliance | CIS, NIST, DORA mapping | | Attack types | SQLi, command injection, JNDI (Log4Shell), path traversal | | Container support | Kubernetes, OpenShift, ECS | ## What is Dynatrace Application Security? Dynatrace Application Security uses the same OneAgent technology that powers performance monitoring to detect security issues in running applications. One agent handles APM, infrastructure monitoring, and security — no separate deployment. The platform continuously monitors application code, third-party libraries, container images, and Kubernetes configurations for known vulnerabilities. When it finds something, Davis AI checks whether the vulnerable component is actually reachable at runtime and exposed to the internet, then adjusts the priority accordingly. Beyond detection, Dynatrace can block attacks in real time. SQL injection, command injection, JNDI injection (the Log4Shell vector), and path traversal attacks are caught and stopped at the application layer. Davis AI Prioritization:::Correlates security findings with topology, runtime context, and actual exposure. A critical CVE in a library that is loaded but never called gets deprioritized. One that sits in a public-facing code path gets flagged immediately. ||| OneAgent Architecture:::Single agent for APM, infrastructure monitoring, and security. Deploy once, get vulnerability detection and attack blocking alongside performance data. No additional agents or network appliances. ||| Runtime Attack Blocking:::Detects and blocks SQL injection, command injection, JNDI injection (Log4Shell), and path traversal at the application runtime level. Works inside the process, not at the network perimeter. Dynatrace is one of the few platforms where security and observability share the same agent and data model. Security t [...truncated for length...] --- # Endor Labs URL: https://appsecsanta.com/endor-labs Description: Endor Labs 2026 review. AI-native SCA with 97% noise reduction. Pricing tiers, function-level reachability, 40+ languages. 8 competitors compared inside. Endor Labs is an AI-native [SCA platform](/sca-tools) that uses function-level reachability analysis to cut through alert noise. The platform reports up to 97% reduction in SCA alerts by filtering out vulnerabilities in code paths your application never calls. It covers SAST, SCA, container scanning, secrets detection, and malware detection across 40+ languages. The platform is used by OpenAI, Cursor, Snowflake, Netskope, and Atlassian. ## What is Endor Labs? Most SCA tools report every vulnerability in every dependency. Endor Labs analyzes which vulnerable code paths are actually reachable from your application. A dependency might have a known CVE, but if your code never calls the affected function, it gets deprioritized. Function-Level Reachability:::Traces call graphs from your application code to vulnerable functions in dependencies. Coverage back to 2005 for most vulnerabilities. Combines with EPSS scoring for risk ranking. ||| 97% Noise Reduction:::Filters out vulnerabilities in unreachable code paths. Reduces hundreds of findings to the handful that actually matter, letting teams focus remediation effort where it counts. ||| AI-Native Platform:::Covers SAST, SCA, container scanning, secrets detection, and malware detection in one platform. Consolidates vulnerability data from NVD, GHSA, and OSV sources. ## What are Endor Labs's key features? ### Scan capabilities | Capability | Coverage | | ------------------ | ------------------------------------------ | | SCA | 40+ languages, function-level reachability | | SAST | AI-native static analysis | | Secrets detection | API keys, credentials, tokens | | Container scanning | Docker, OCI images | | Malware detection | Typosquatting, dependency confusion | | SBOM | CycloneDX, SPDX generation | ### Reachability analysis Endor Labs builds call graphs from your application code and traces data flow to vulnerable methods in dependencies. If a vulnerable function is buried in dead code or behind a code path your application never exercises, the finding gets deprioritized. This is function-level analysis, not just package-level. ### Dependency lifecycle management Beyond vulnerabilities, Endor Labs tracks version freshness, maintainer activity, license compliance, and security posture scoring for each dependency. This helps teams make informed decisions about which packages to trust. ### SBOM management Generates SBOMs in CycloneDX and SPDX formats with continuous updates. The dependency graph visualization shows direct and transitive dependencies and their risk status. ### Malware detection Endor Labs scans for malicious packages in addition to vulnerable ones, catching supply chain attacks like typosquatting and dependency confusion. ### Dependency update automation and Endor Patches On top of alert prioritization, Endor [...truncated for length...] --- # Escape URL: https://appsecsanta.com/escape Description: Escape review — API-native DAST with BOLA/IDOR detection and native GraphQL support. 140+ security tests, AI-powered scanning. How it compares to Burp Suite. Escape is an API-native DAST platform built for teams that ship REST and GraphQL APIs. It runs 140+ security tests with a focus on business logic flaws — the BOLA, IDOR, and access control bugs that traditional web scanners were never designed to catch. The platform is agentless. No traffic monitoring, no proxy setup. Point it at your API schema or let it crawl, and it generates intelligent attack payloads using AI. Founded in 2020 and Y Combinator backed. SOC 2 Type II compliant, used by 2,000+ security teams. ## Key features at a glance | Feature | Detail | | -------------------- | --------------------------------------------------------------------- | | Attack Scenarios | 140+ covering injection, auth, access control, data exposure | | API Support | REST, GraphQL (native), gRPC | | Authentication | OAuth 2.0, AWS Cognito, Basic, Digest, JWT, browser-based, MFA | | CI/CD Integrations | GitHub Actions, GitLab CI, Jenkins, Azure DevOps, Bitbucket, CircleCI | | Scan Mode | Agentless — no agents, no traffic monitoring | | Compliance Reports | OWASP Top 10, SOC 2, PCI-DSS | | Open Source | GraphQL Armor (100,000+ weekly npm downloads) | | Deployment | Cloud SaaS, private locations with mTLS support | | Incremental Scanning | Yes — tests only changed endpoints in CI/CD | ## What is Escape? Most [DAST tools](/dast-tools) started as web crawlers that send payloads to HTML forms. Escape took a different path — it was built from day one for APIs. The scanner reads your OpenAPI spec or GraphQL schema and generates test cases that understand your API's data model. Instead of blindly fuzzing parameters, it reasons about what should and shouldn't be allowed, then crafts requests to check those assumptions. This matters most for authorization testing. BOLA (Broken Object Level Authorization) sits at #1 on OWASP's API Security Top 10, and it's the kind of bug that generic scanners consistently fail to find. Escape creates multiple user sessions, generates resources as one user, and tries to access them as another. Escape's BLST engine goes beyond signature-based detection. It identifies resources that should be isolated between users, operations that should require elevated privileges, and data that should be filtered by ownership. These tests need context about how the API works, which Escape builds from schemas and observed behavior. BOLA & IDOR Detection:::Creates resources as one user, attempts access as another. Catches the authorization flaws that top OWASP's API Security Top 10 and that traditional scanners consistently miss. ||| Native GraphQL Testing:::Introspects schemas, generates type-aware payloads, tests nested re [...truncated for length...] --- # esChecker URL: https://appsecsanta.com/eschecker Description: esChecker by eShard performs DAST and IAST security testing on Android and iOS mobile apps with OWASP MASVS alignment and actionable remediation checklists. esChecker is a Mobile Application Security Testing (MAST) solution built by eShard, a French cybersecurity company based in Pessac, France. The platform performs static, dynamic, and stress testing on Android and iOS mobile app binaries. eShard describes esChecker as "the fastest and most effective way to prevent security regressions" across mobile application releases. ## What is esChecker? esChecker is powered by a DAST (Dynamic Application Security Testing) engine with IAST (Interactive Application Security Testing) capabilities. You upload your Android or iOS binary, and the platform runs security diagnostics aligned with OWASP MASVS and MASTG test cases. The platform is designed for pre-production verification — teams run security tests before each release to catch regressions and new vulnerabilities. Results come with actionable remediation checklists. eShard is primarily known for hardware security testing (chip side-channel attacks, fault injection) and binary analysis. esChecker brings that binary analysis expertise to mobile application security. Their customer base includes organizations like Thales, Visa, NXP Semiconductors, and DBS Bank, though it's unclear which customers specifically use esChecker versus eShard's hardware security products. ## What are esChecker's key features? | Feature | Details | | -------------- | ----------------------------------- | | Testing Types | DAST engine with IAST capabilities | | Analysis Modes | Static, dynamic, and stress testing | | Platforms | Android, iOS (binary upload) | | Standards | OWASP MASVS, OWASP MASTG test cases | | Output | Remediation checklists, PDF reports | | Collaboration | Multi-user platform | | Trial | Free trial available on request | DAST + IAST Engine:::Combines dynamic application security testing with interactive analysis. Tests mobile apps through both automated scanning and instrumented runtime analysis. ||| OWASP MASVS Alignment:::Tests are mapped to OWASP Mobile Application Security Verification Standard requirements and MASTG (Mobile Application Security Testing Guide) test cases. ||| Security Regression Prevention:::Designed to run before each release, catching new vulnerabilities and verifying that previously fixed issues haven't reappeared. ||| Collaborative Platform:::Multiple team members can work on security assessments together, sharing results and remediation progress. ### OWASP MASVS Testing The screenshot from eShard's official site shows esChecker's OWASP view, where each MASTG test case (like MSTG-STORAGE-1, MSTG-STORAGE-2, etc.) is evaluated against MASVS levels L1 (Standard Security) and L2 (Defense-in-Depth). Results show clear pass/fail/action-required status for each test. ### Interactive Application Security Testing (IAST) for Mobile esChecker's differentiator is IAST analysis for compiled mobile binaries. Where pure DAST exercises an app from the [...truncated for length...] --- # Falco URL: https://appsecsanta.com/falco Description: CNCF graduated runtime threat detection for Kubernetes, containers, and cloud. eBPF-based kernel monitoring with 8.7k GitHub stars. Apache 2.0. Falco is a CNCF graduated runtime security tool that detects threats in Kubernetes, containers, and cloud environments by monitoring kernel-level events. Originally created by Sysdig and donated to the CNCF in 2018, Falco reached graduated status in 2024 and has 8.7k GitHub stars with 208 contributors. The tool runs as a DaemonSet in Kubernetes clusters, capturing system calls through eBPF or a kernel module. It enriches those events with container and Kubernetes metadata, then evaluates them against YAML-based detection rules. Adopters include Shopify, GitLab, Skyscanner, and Booz Allen Hamilton. ## What is Falco? Falco intercepts system calls at the kernel level and checks them against detection rules in real time. Unlike static analysis tools that scan images before deployment, Falco catches threats during execution — containers spawning unexpected shells, processes attempting privilege escalation, applications reading sensitive files like `/etc/shadow`. The latest release is v0.43.0 (January 2026). Falco runs on x86_64 and aarch64 architectures and deploys via an official Helm chart. It works with GKE, EKS, and AKS. Real-time Detection:::Monitors kernel events and alerts on threats as they happen rather than after-the-fact analysis ||| Plugin Architecture:::Extensible data source system supports AWS CloudTrail, GitHub, Okta, and custom integrations beyond kernel events ||| Forensic Integration:::Works with Stratoshark for deep forensic analysis triggered by Falco alerts during incident investigation ## What are Falco's key features? | Feature | Details | |---------|---------| | Detection engine | eBPF-based kernel syscall monitoring (preferred) or kernel module | | Rule format | Declarative YAML with macros, lists, and boolean logic | | Platforms | x86_64 and aarch64 Linux, GKE, EKS, AKS | | Alert outputs | stdout, files, syslog, program execution, HTTPS endpoints | | Plugin sources | AWS CloudTrail, GitHub audit logs, Okta events | | Deployment | Kubernetes DaemonSet via Helm chart | | CNCF status | [Graduated](https://www.cncf.io/projects/falco/) (2024) | | License | Apache 2.0 | ### Detection Rules Falco's rules engine uses YAML with conditions, outputs, and priority levels. Rules fire on specific syscall patterns — for example, detecting when a container spawns a shell process or when someone modifies files in `/etc`, `/usr/bin`, or `/usr/sbin`. The rule syntax supports macros (reusable condition fragments), lists (sets of values), and complex boolean logic. Teams can tune rules to reduce false positives or add detection logic specific to their applications. ### Kubernetes Context Falco enriches kernel events with Kubernetes metadata like pod names, namespaces, labels, and service accounts. When a rule fires, the alert includes which pod triggered it, what namespace it runs in, and who owns it. This context makes incident response faster because you immediately know the blast radius. Note: Falcosidekick is a companion [...truncated for length...] --- # Faraday URL: https://appsecsanta.com/faraday Description: Faraday orchestrates 80+ security tools with 6.2k GitHub stars. Free open-source vulnerability management with Agents Dispatcher for remote scanning. Faraday is an open-source [vulnerability management](/aspm-tools) platform with 6.2k GitHub stars and 1k forks. It orchestrates 80+ security tools, normalizes their output, and deduplicates findings into a single management interface. The company behind Faraday, Infobyte, has been around since 2004. Headquartered in Miami with a research lab in Buenos Aires. Customers include Accenture, Volkswagen, Telefonica, Santander, BBVA, HSBC, KPMG, Lufthansa, AT&T, and Vercel. **GitHub:** [infobyte/faraday](https://github.com/infobyte/faraday) | **Latest Release:** v5.19.0 (January 2026) I open Faraday when I am running a multi-tool pentest and need one shared workspace. It ingests output from Nmap, Nessus, Burp, and a few dozen other scanners, deduplicates findings, and lets the team collaborate on the same target list. The community edition is free and self-hosted, which is the main reason it stays in my rotation for internal engagements. ## What is Faraday? Faraday started as a tool for penetration testers who needed a single place to collect results from multiple scanners. It has since grown into a vulnerability management platform used by security operations teams, red teams, and managed security service providers. 80+ tool integrations:::Normalizes output from vulnerability scanners, DAST/SAST tools, network scanners, and pentesting frameworks. Data is deduplicated automatically across tools. ||| Agents Dispatcher:::Lightweight remote agents run scheduled or triggered scans across distributed environments. Results flow back to the central Faraday instance automatically. ||| Open source core:::GPL-3.0 licensed with 46+ contributors and 103 releases. Self-host via Docker, PyPI, or binary packages. REST API for full automation. ## What are Faraday's key features? ### Tool integrations Faraday normalizes data from 80+ security tools: | Category | Tools | | ---------------------- | ------------------------------ | | Vulnerability scanners | Nessus, OpenVAS, Qualys | | SAST/DAST | OWASP ZAP, Burp Suite, Semgrep | | Network | Nmap, Masscan | | Pentesting | Metasploit, Nuclei | | Cloud/containers | Trivy, AWS tools | All findings get normalized into a common format with automatic deduplication. ### Agents Dispatcher For large or distributed environments, Agents Dispatcher runs remote scans without installing the full Faraday stack on every machine: - Lightweight agents for scheduled or on-demand scanning - Horizontal scaling across multiple environments - Automatic result import back to the central instance - Works with any supported scanner Note: Unlike most ASPM tools that focus on development pipeline security, Faraday comes from the offensive security world. It's built for pentesting teams, red teams, and vulnerability assessors who need to manage findings from hands-on security testing alongside automate [...truncated for length...] --- # Fluid Attacks URL: https://appsecsanta.com/fluid-attacks Description: Fluid Attacks combines DAST, SAST, SCA and PTaaS with human expert verification. Near-zero false positives. CVE Numbering Authority. CASA tier 2 approved. Fluid Attacks combines DAST, SAST, SCA, and penetration testing in a single platform. Automated scanners find the bugs. Their team of ethical hackers confirms the critical ones are real. This two-layer approach — machine scanning plus human verification — is the main selling point. False positive rates stay very low because a person has actually validated exploitability before the finding reaches your dashboard. The company is based in Colombia, became a CVE Numbering Authority in 2021, and their CLI tool is CASA tier 2 approved for Google Play compliance. ## Key features at a glance | Feature | Detail | | ----------------------- | -------------------------------------------------------------------- | | Testing Methods | DAST, SAST, SCA, PTaaS, secure code review | | SAST Languages | Java, Python, JS, TS, Go, Ruby, PHP, C#, C/C++, Kotlin, Swift, Scala | | False Positive Approach | Deterministic detection + human expert verification | | CVE Authority | CNA status since 2021 — can assign CVE identifiers | | CASA Compliance | Tier 2 approved for Google Play requirements | | AI Fix Suggestions | Language and framework-aware remediation guidance | | API | GraphQL-based API for programmatic access | | IDE Plugins | VS Code, IntelliJ, Cursor | | Connectivity | Cloud (HTTPS/SSH), Egress (static IP), Connector (Cloudflare ZTNA) | | Severity Scoring | CVSSF (proprietary metric beyond standard CVSS) | ## What is Fluid Attacks? Most [DAST tools](/dast-tools) are fully automated — you point them at a target, they scan, they report. Fluid Attacks takes a different approach by adding human verification on top of automated scanning. The automated layer runs DAST against running applications, SAST against source code in 13 languages, and SCA against your dependency tree. Findings from all three scanners land in one dashboard with deduplication built in. The human layer is where it gets interesting. Fluid Attacks' team of certified ethical hackers reviews critical findings, confirms exploitability, and weeds out false positives. They also run continuous penetration testing alongside the automated scans. Fluid Attacks has been a CNA since 2021, meaning they can assign CVE identifiers to vulnerabilities they discover during research and testing. This is unusual for a testing vendor and reflects active involvement in vulnerability disclosure. Automated + Human:::Automated scanners (DAST, SAST, SCA) run continuously. Ethical hackers verify critical findings and perform manual testing that automated tools can't replicate. ||| Low False Positives:::Deterministic detection patterns trigger only on con [...truncated for length...] --- # OpenText Fortify URL: https://appsecsanta.com/fortify-static-code-analyzer Description: Independent Fortify Static Code Analyzer review. 33 languages, 1,700 vulnerability categories, two decades of enterprise deployments. Now under OpenText. Fortify Static Code Analyzer is OpenText's enterprise [SAST](/sast-tools) solution. It detects 1,700+ categories of vulnerabilities across 33+ programming languages and covers over one million individual APIs. Fortify is one of the longest-running commercial SAST tools on the market, with a two-decade track record in government, defense, and financial services. OpenText acquired Micro Focus (the previous Fortify owner) in 2023. I see Fortify SCA in enterprise environments where procurement decided years ago. It supports a wide language list including COBOL and ABAP, and the rule packs cover compliance frameworks like PCI-DSS and FedRAMP. Scans are slow compared to newer tools, and the output typically goes through Fortify SSC for triage rather than straight to a developer. ## What is Fortify SCA? Fortify SCA is a static code analysis tool that performs source code static analysis to find security vulnerabilities before code reaches production. As a static code analyzer, it covers a broad range of languages — from modern (Java, Go, Kotlin, Swift) to legacy (COBOL, ABAP, Visual Basic) — and extends source code static analysis to infrastructure as code scanning for Terraform, Docker, Kubernetes, and serverless configurations. The category sometimes goes by "tool for static code analysis" or simply "static analysis tool", but the canonical name in compliance frameworks is **static code analysis**, and Fortify is one of the longest-running commercial implementations of it. The tool includes Fortify Aviator, an AI-powered feature for automated code fix suggestions. 33+ Languages:::Covers ABAP, C/C++, C#, COBOL, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Swift, and more. 350+ frameworks supported with 1M+ API coverage. ||| 1,700+ Vulnerability Categories:::Broad vulnerability detection covering injection, XSS, authentication, cryptography, and many more security issue types. ||| Fortify Aviator:::AI-powered automated code fix suggestions for detected vulnerabilities, reducing remediation time for developers. ## How Fortify static code analysis works A Fortify static code analysis run is a two-step pipeline rather than a single command. First, the **translation step** converts source code into Fortify's internal intermediate representation: ```bash sourceanalyzer -b MyProject -translate src/main/java/**/*.java ``` The `-b` flag names the build session — every translation invocation that targets the same name accumulates into one logical project. Translation handles language-specific compilation context: Java needs the classpath, C/C++ needs preprocessor flags, .NET needs assembly references. Without an accurate translation step the analyzer cannot resolve cross-file dataflow in source code, which is one reason Fortify scans require build integration rather than working off raw filesystem reads. Second, the **analysis step** runs the actual static code analysis against the translated build session: ```bash sourceanalyzer -b MyProject -sc [...truncated for length...] --- # Fortify WebInspect Agent (IAST) URL: https://appsecsanta.com/fortify-webinspect-agent Description: Fortify WebInspect Agent enriches DAST scans with IAST code-level details — file names, line numbers, and stack traces. Included free with WebInspect licenses. Fortify WebInspect Agent adds [IAST](/iast-tools) capabilities to the Fortify WebInspect DAST scanner. It instruments Java and .NET applications during dynamic scans to provide file names, line numbers, and stack traces for each vulnerability. The agent is included free with WebInspect and WebInspect Enterprise licenses. It is also available through Fortify on Demand SaaS. ## What is Fortify WebInspect Agent? The WebInspect Agent transforms Fortify WebInspect from a pure DAST scanner into a hybrid DAST+IAST solution. While WebInspect attacks the application externally, the agent monitors code execution internally. This combination means developers get specific file-and-line references rather than generic HTTP-level descriptions. Code-Level Reporting:::Captures source file names, line numbers, full stack traces, and variable values at the point of exploitation. Turns vague DAST findings into precise remediation targets. ||| Attack Validation:::Confirms that WebInspect's attack payloads actually reach vulnerable code. If a WAF or input validation blocks the attack, the agent drops the false positive. ||| CAPTCHA Bypass:::Intercepts CAPTCHA validation at the application level during scanning. WebInspect scans proceed automatically without manual intervention. ## What are Fortify WebInspect Agent (IAST)'s key features? | Feature | Details | |---------|---------| | Supported Languages | Java, .NET | | Licensing | Included with WebInspect and WebInspect Enterprise | | SaaS Option | Available through Fortify on Demand | | Java Deployment | JVM agent argument | | .NET Deployment | IIS module or Windows installer | | Attack Validation | Confirms payloads reach vulnerable code paths | | CAPTCHA Handling | Bypasses CAPTCHA at application level | | Cross-Tool Correlation | Integrates with Fortify SCA static findings | ### Code-Level Vulnerability Reporting When the agent detects a vulnerability during a scan, it captures the complete execution context: source file name and path, line number where the vulnerability occurs, full stack trace showing the call chain, and variable values at the point of exploitation. This detail eliminates the guesswork that typically follows DAST-only scans. ### Attack Validation The agent validates that attacks launched by WebInspect actually reach vulnerable code paths. If a potential vulnerability is blocked by a web application firewall, input validation, or other defensive layer before it reaches vulnerable code, the agent confirms the finding is a false positive. Organizations using Fortify SCA for SAST can correlate static findings with runtime observations from the WebInspect Agent. This cross-referencing confirms which statically-detected vulnerabilities are actually reachable during execution. ### Integration with Fortify Ecosystem Fortify is now part of [OpenText](https://www.opentext.com/products/fortify-webinspect), following the acquisition of Micro Focus in 2023. The agent works within the broader Ope [...truncated for length...] --- # Fortify WebInspect URL: https://appsecsanta.com/fortify-webinspect Description: Fortify WebInspect review — enterprise DAST for React, Angular, Vue SPAs. Kubernetes scaling, FAST testing, PCI DSS, NIST 800-53 compliance. Worth it? Fortify WebInspect is an enterprise DAST scanner from OpenText that tests running web applications and APIs for security vulnerabilities. It has been through three owners — HP, then Micro Focus, then OpenText — but remains one of the more established enterprise DAST tools on the market. The scanner handles modern SPAs (React, Angular, Vue) and includes Kubernetes-based horizontal scaling for organizations with large scan workloads. Pre-configured compliance policies for PCI DSS, NIST, HIPAA, and ISO 27K ship out of the box. I associate WebInspect with large-enterprise DAST scans that have to produce compliance-ready reports. It handles authenticated crawls of legacy Java and .NET web apps that newer tools sometimes stumble on, and the FAST agent lets it see runtime state during the scan. The setup is heavier than Burp, but for teams with hundreds of regulated apps the workflow is built for that scale. ## Key features at a glance | Feature | Detail | | ------------------- | -------------------------------------------------------- | | SPA Support | React, Angular, AngularJS, Vue, GWT, Dojo, Backbone | | Web Technologies | HTML5, JSON, AJAX, JavaScript | | FAST Testing | Functional + security testing combined | | Scaling | Kubernetes horizontal scaling for parallel JS processing | | Compliance Policies | PCI DSS, DISA STIG, NIST 800-53, ISO 27K, OWASP, HIPAA | | API Testing | REST, SOAP endpoints | | Deployment | On-premises, SaaS, managed service | | Reporting | Line-of-code details with stack traces | | Platform | Part of Fortify suite (SAST + DAST + SCA) | | Ownership | OpenText (acquired from Micro Focus, 2023) | ## What is Fortify WebInspect used for? Fortify WebInspect is an enterprise DAST scanner used to find vulnerabilities in running web applications and APIs without source code access. Security teams deploy it for compliance-driven assessments where findings must map directly to PCI DSS, NIST 800-53, HIPAA, or ISO 27K controls. WebInspect crawls and attacks the live application, finding SQL injection, cross-site scripting, authentication bypass, and insecure direct object references across traditional web apps and modern React, Angular, and Vue SPAs. Its FAST (Functional Application Security Testing) mode integrates with functional test suites to extend scan coverage beyond what the crawler reaches on its own. Kubernetes-based horizontal scaling allows parallel scanning of large application portfolios. The scanner is part of the OpenText Fortify suite alongside Fortify Static Code Analyzer for SAST — the DAST component for organizations already invested in the Fortify platform. It is available on-premises, as SaaS via Fortify on Demand, or [...truncated for length...] --- # FOSSA URL: https://appsecsanta.com/fossa Description: FOSSA provides enterprise SCA with 99.8% license scanning accuracy, 20+ build systems, SBOM generation, reachability analysis, and policy automation across. FOSSA is an enterprise [SCA platform](/sca-tools) that treats [license compliance](/sca-tools/open-source-license-compliance) as a first-class concern, not an afterthought. While most SCA tools focus on vulnerability detection and tack on license checking, FOSSA was built around the compliance workflow from the start. The platform scans 17+ languages across 20+ build systems and claims 99.8% accuracy on license detection. Its policy engine was designed with Heather Meeker, one of the leading open-source licensing attorneys. Companies like Uber, Verizon, and Atlassian use it to manage open-source risk across their portfolios. FOSSA also handles vulnerability scanning, SBOM generation, binary composition analysis, and reachability-based prioritization. The CLI is open-source (written in Haskell) with over 5.8 million downloads. ## What is FOSSA? FOSSA sits between your codebase and your legal/compliance team. It scans dependencies, detects licenses, flags conflicts, generates attribution reports, and enforces policies. The vulnerability scanning layer adds reachability analysis and multi-source intelligence (NVD, GitHub Advisories, OSV, plus FOSSA's own database). License Compliance:::Scans all dependencies with 99.8% license detection accuracy. Finds non-standard and modified licenses through full-text analysis. Generates attribution reports that legal teams can actually use. ||| SBOM Portal:::Generates SBOMs in SPDX and CycloneDX formats. The SBOM Portal provides centralized distribution with access tokens, version control, and searchable archives for regulatory compliance. ||| Policy Automation:::Three rule types: Deny (block), Flag for Review (pause), Approve (allow). Pre-built standard policies plus custom rules. Applied per license, per project, or across the organization. ## What are FOSSA's key features? ### License compliance This is where FOSSA stands apart. The platform does full-text license analysis, not just filename matching. It detects modified licenses, dual-licensed components, and non-standard terms that simpler tools miss. The claimed accuracy rate is 99.8%. ![FOSSA security issues view showing vulnerability details with reachability tags, EPSS scores, and CVE identifiers](/images/tools/fossa/reachability-tag.webp) You can define organizational policies around which licenses are acceptable. The policy engine supports three rule types: - **Deny** -- Block the build if a dependency uses this license - **Flag for Review** -- Pause for manual approval - **Approve** -- Allow automatically ![FOSSA policy management interface showing Deny, Flag for Review, and Approve rule categories](/images/tools/fossa/policy-management.webp) FOSSA ships with pre-built standard policies and lets you create custom ones. Rules can target specific licenses, projects, or the entire organization. If you distribute commercial software that includes GPL-licensed components, you may be obligated to release your source code. FOSSA catches the [...truncated for length...] --- # Frida URL: https://appsecsanta.com/frida Description: Frida is a dynamic instrumentation toolkit for developers and security researchers. Hook functions, intercept API calls, and manipulate app behavior at runtime. Frida is a dynamic instrumentation toolkit developed by Ole André Vadla Ravnås. With over 19,700 GitHub stars, it is widely used for runtime [mobile application security](/mobile-security-tools) testing and reverse engineering — see my [mobile app pentesting guide](/mobile-security-tools/mobile-app-pentesting-guide) for the broader workflow Frida slots into, and pair it with [Objection](/objection) when you want a higher-level CLI on top. The framework works by injecting the QuickJS JavaScript engine into running processes, enabling powerful inspection and manipulation capabilities. Security researchers rely on Frida for mobile pentesting because it provides deep visibility into app internals. You can hook any function, spy on cryptographic operations, trace private application code, and bypass security controls—all without needing the app's source code. ## What is Frida? Frida is a free and open source dynamic code instrumentation framework that allows developers, reverse engineers, and security researchers to analyze and modify the behavior of running applications. At its core, Frida injects a JavaScript engine into the target process, letting you write scripts that interact with the app at runtime. The toolkit supports multiple platforms including Android, iOS, Windows, macOS, Linux, FreeBSD, and even embedded systems like QNX. This cross-platform capability makes it an essential tool for mobile security professionals who need to test apps across different operating systems. Function hooking is one of Frida's most powerful features. You can intercept calls to specific functions, examine or modify their arguments, change return values, or completely replace the function's behavior by rewriting machine code at runtime. This enables techniques like bypassing root detection, intercepting encrypted API calls, and manipulating memory to expose hidden functionality. Runtime Injection:::Inject JavaScript into running processes without recompilation or app modification ||| Function Hooking:::Intercept and modify any function call, examine arguments, and change return values ||| Memory Manipulation:::Read and write process memory, dump objects from the heap, and patch binary code ||| Cross-Platform:::Works on iOS, Android, Windows, macOS, Linux, and embedded systems ||| Scriptable API:::Powerful JavaScript API with extensive community scripts and examples ||| SSL Pinning Bypass:::Circumvent certificate pinning to intercept HTTPS traffic during security testing ## What are Frida's key features? ### Dynamic Analysis Capabilities Frida excels at runtime manipulation, letting you observe live application behavior that static analysis cannot reveal. You can trace function calls as they happen, monitor API interactions, and identify vulnerabilities that only surface during execution. This includes uncovering insecure data storage, weak encryption implementations, and authentication bypasses. ### Mobile Pentesting Applications For Android testin [...truncated for length...] --- # FuzzyAI URL: https://appsecsanta.com/fuzzyai Description: FuzzyAI is CyberArk's open-source LLM fuzzing framework with 18 attack techniques including jailbreaks, prompt injection, and guardrail bypass. Apache 2.0 licensed. FuzzyAI is an open-source LLM fuzzing framework from CyberArk Labs that tests large language models for jailbreak vulnerabilities using 18 built-in attack techniques. Released in December 2024 under the Apache 2.0 license, it is listed in the [AI security](/ai-security-tools) category and has earned approximately 1,300 GitHub stars (as of April 2026 — confirm the current count on github.com/cyberark/FuzzyAI before pinning). CyberArk Labs reports that FuzzyAI bypassed every major model in their internal testing — claims of model-by-model jailbreak success are vendor-attributed, and results vary depending on the model version, system prompt, and guardrail configuration evaluated. The framework implements 18 attack techniques — ranging from ASCII art obfuscation (ArtPrompt) to multi-turn conversational escalation (crescendo) and genetic algorithm prompt mutation — designed to help security teams identify guardrail bypass vulnerabilities before attackers exploit them. Unlike fixed test suites, FuzzyAI uses mutation-based fuzzing to discover novel jailbreak paths. ## Key Features at a Glance | Feature | Details | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------- | | **Attack Techniques** | 18 built-in methods including ArtPrompt, DAN jailbreaks, crescendo, genetic algorithm mutation, and ASCII smuggling | | **Target Providers** | OpenAI, Anthropic, Gemini, Azure OpenAI, AWS Bedrock, Hugging Face, Ollama, and custom REST APIs | | **Fuzzing Approach** | Mutation-based fuzzing generates novel jailbreak paths rather than relying on fixed test cases | | **GUI + CLI** | Web-based GUI for interactive testing and CLI for automation and CI/CD integration | | **Extensibility** | Custom attack method framework for domain-specific vulnerability testing | | **System Prompt Extraction** | Tests whether system prompts can be leaked through adversarial queries | | **Guardrail Regression** | Re-run attacks after updates to verify previously blocked techniques stay blocked | | **License** | Apache 2.0 open-source, free to use | ## Overview FuzzyAI takes a fuzzing approach to LLM security testing. Rather than checking for known vulnerabilities with fixed test cases, it generates mutated attack prompts using algorithmic techniques (genetic algorithms, conversational escalation, encoding tricks) to discover previously unknown jailbreak paths. Compared to broader LLM scanners like [Garak](/garak) that c [...truncated for length...] --- # Galileo AI URL: https://appsecsanta.com/galileo-ai Description: Galileo AI provides evaluation intelligence for GenAI apps and agents. Luna-2 models deliver 20+ metrics with sub-200ms latency. $68M funded. Galileo AI is an evaluation intelligence platform for generative AI applications and agents that turns offline evaluation metrics into production guardrails using purpose-built Luna-2 small language models. It is listed in the [AI security](/ai-security-tools) category. Founded in San Francisco, Galileo raised $45M in Series B funding in 2024 led by Scale Venture Partners, with participation from Premji Invest, bringing total funding to $68M as of the 2024 Series B announcement. The company reported 834% revenue growth since the beginning of 2024 and quadrupled its enterprise customer count, bringing on six Fortune 50 companies including Comcast and Twilio (vendor-reported figures from Galileo's 2024 Series B announcement; verify the latest funding total on galileo.ai/about for any post-Series-B rounds). Galileo's core thesis, per the vendor's published Luna-2 benchmarks, is that generic LLM-as-a-judge evaluators score below 70% F1 on many production evaluation tasks, and that purpose-built evaluation models can close that gap while keeping costs low enough to monitor 100% of production traffic. ## What is Galileo AI? Galileo takes a different approach from typical guardrail tools. Rather than just blocking or allowing individual requests, it builds an evaluation layer across the full AI lifecycle — from offline testing through production monitoring. The platform centers on Luna-2, a family of small language models fine-tuned specifically for evaluation tasks. These models score AI outputs across 20+ metrics simultaneously, running at sub-200ms latency so they can operate as real-time guardrails without adding noticeable delay. The evaluation-to-guardrail pipeline means teams can develop metrics during testing and deploy the same metrics as production safeguards. When a metric detects a violation — hallucination, prompt injection, PII leak, policy breach — the platform can block the response before it reaches the user. Luna-2 Evaluation Models:::Fine-tuned small language models (3B and 8B variants) that run 20+ evaluation checks simultaneously. Achieve 0.95 accuracy with 152ms average latency on L4 GPUs. ||| Agent Reliability:::Agentic-specific metrics including tool error rate, tool selection quality, action advancement, and action completion. Catches problematic agent actions before tool execution — such as unauthorized transactions or policy-violating operations. ||| Insights Engine:::Analyzes agent behavior patterns across production traffic to spot failure modes, edge cases, and drift. Auto-tunes metrics from live feedback to improve evaluation accuracy over time. ## What are Galileo AI's key features? | Feature | Details | | ------------------ | ------------------------------------------------------------------------------------------------------------------------------- | | Evaluation Metrics | 20+ bui [...truncated for length...] --- # Garak URL: https://appsecsanta.com/garak Description: NVIDIA's open-source LLM security scanner. 50+ probe modules test for prompt injection, jailbreaks, hallucinations, and data leaks. Free under Apache 2.0. NVIDIA Garak is an open-source LLM vulnerability scanner from NVIDIA's AI Red Team, listed in the [AI security](/ai-security-tools) category. It has 6,938 GitHub stars, 777 forks, and 71 contributors. The name comes from the Star Trek character — fitting for a tool described as "the LLM vulnerability scanner" in the same way nmap scans networks or Metasploit tests exploits. NVIDIA released it under Apache 2.0 and actively maintains it with 3,500+ commits. The latest release is v0.14.0 (February 2026), which introduced redesigned HTML reports and JSON config support. ## What is Garak? Garak systematically probes language models for security weaknesses and safety failures. You point it at a model endpoint, pick which probe modules to run, and it generates adversarial inputs, feeds them to the model, and analyzes responses using detector modules. Everything in Garak is a plugin. Probes generate test inputs. Detectors analyze responses. Generators interface with target LLMs. Evaluators compile results. Harnesses structure test workflows. Buffs modify probe behavior. Because of this modular design, you can test any model accessible via API. 50+ Probe Modules:::Covers prompt injection, DAN jailbreaks, encoding bypasses, data leakage, package hallucination, malware generation, toxicity, XSS, and more. ||| 23 Generator Backends:::Connects to OpenAI, Hugging Face, AWS Bedrock, Cohere, Groq, LiteLLM, Mistral, NIM, Ollama, Replicate, and custom REST endpoints. ||| Plugin Architecture:::Extensible system of probes, detectors, generators, evaluators, harnesses, and buffs. Write custom modules for domain-specific testing. ## What are Garak's key features? | Feature | Details | | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | | Probe Modules | 50+ (promptinject, dan, encoding, goodside, lmrc, malwaregen, packagehallucination, leakreplay, snowball, tap, visual_jailbreak, xss, and more) | | Detector Types | 28 built-in | | Generator Backends | 23 (openai, huggingface, azure, bedrock, cohere, groq, litellm, mistral, nim, nvcf, ollama, replicate, rest, watsonx, and more) | | Output Formats | JSONL reports, HTML reports (redesigned in v0.14.0), hit logs, debug logs | | Python Support | 3.10 to 3.12 | | License | Apache 2.0 [...truncated for length...] --- # Ghidra URL: https://appsecsanta.com/ghidra Description: Ghidra is the NSA's free reverse engineering framework with 67k+ GitHub stars. Disassemble, decompile, and debug binaries across multiple architectures. Ghidra is a free, open-source [software reverse engineering](/mobile-security-tools) framework built by the US National Security Agency and released publicly in March 2019 at the RSA Conference. It disassembles and decompiles compiled binaries across x86, ARM, MIPS, PowerPC, and dozens more architectures. With over 67,300 GitHub stars, it is the most-used open-source alternative to IDA Pro. The framework is distributed under the Apache License 2.0, runs locally on Windows, macOS, and Linux, and ships with a scriptable decompiler, integrated debugger, and collaborative server. The NSA developed Ghidra over decades for internal use before making it available to the public. That background shows up in its analysis algorithms, architecture coverage, and collaborative features. Version 11.3, released in 2025, added kernel-level debugging, JIT p-code emulation, Visual Studio Code integration, and new function graph layouts. Note: Some older Ghidra tutorials predate the 11.3 integrated debugger. If you follow a 2023 guide and can't find the Debugger menu, you're probably on 10.x — upgrade before troubleshooting. I open Ghidra when I need to reverse a stripped binary and the project is too large for a quick look in radare2. The decompiler turns unfamiliar assembly into pseudo-C that I can annotate, and the scripting API in Python or Java lets me automate repetitive patching across a batch of binaries. It is free, maintained by the NSA, and the only open-source reverse-engineering suite that feels close to IDA Pro. ## What is Ghidra? Ghidra is a software reverse engineering suite, developed by the NSA and released in 2019, that disassembles and decompiles compiled binaries into human-readable C-like pseudocode. Ghidra analyzes executables across Windows, macOS, Linux, Android, iOS, and embedded systems without sending any data off the analyst's machine. Ghidra covers x86, x86-64, ARM, ARM64, MIPS, PowerPC, SPARC, RISC-V, and dozens more processor families via its SLEIGH processor-spec language. The decompiler converts assembly into C-like pseudocode that is usually readable and accurate, which cuts reverse engineering time compared to working from raw assembly. The intermediate representation (p-code) is what makes cross-architecture analysis work (more on that below). Ghidra's collaborative features let multiple analysts work on the same project at once, sharing annotations, function names, and analysis results in real time without duplicating each other's work. Powerful Decompiler:::Converts assembly to readable C-like pseudocode across multiple architectures ||| Multi-Architecture:::Supports x86, ARM, MIPS, PowerPC, SPARC, and 50+ processor families ||| Interactive Debugger:::Integrated debugging with GDB, LLDB, and WinDbg for dynamic analysis ||| Collaborative Analysis:::Real-time multi-user projects with shared annotations and findings ||| Extensible Platform:::Python and Java scripting API plus plugin architecture for custom tools ||| [...truncated for length...] --- # Giskard URL: https://appsecsanta.com/giskard Description: Giskard is an open-source Python library for testing LLMs and ML models. Detects hallucinations, prompt injection, bias, and data leakage. RAGET for RAG eval. Giskard is an open-source Python library for automated AI testing that detects security vulnerabilities, bias, and quality issues in LLMs, RAG applications, and traditional ML models. Its autonomous red teaming agents run multi-turn attacks across 40+ probes, while the RAGET toolkit auto-generates test cases for RAG evaluation. Giskard has 5,200+ GitHub stars and is listed in the [AI security](/ai-security-tools) category. The company was founded in 2021 in Paris by Alex Combessie and Jean-Marie John-Mathews. The name comes from R. Giskard Reventlov, a positronic robot in Isaac Asimov's novels. Giskard offers a free open-source SDK (Apache 2.0) and a commercial Enterprise Hub for team collaboration and continuous testing. Enterprises like AXA, BNP Paribas, and Michelin use the platform. ![Giskard LLM scan results showing detected issues across robustness, harmfulness, sensitive information, and stereotypes](/images/tools/giskard/scan-results.webp) ## Overview Most [AI security tools](/ai-security-tools) focus on either LLM-specific threats or traditional ML quality issues. Giskard handles both in a single framework: prompt injection, hallucinations, and jailbreaks on one side; bias, data leakage, and performance degradation on the other. Same library, same API. For LLM and RAG applications, Giskard deploys autonomous red teaming agents that run multi-turn attacks across 40+ probes. These agents adapt their strategies during the conversation. If one approach gets blocked, they escalate or pivot to a different technique. Static single-prompt testing misses these multi-turn attack paths. For traditional ML models, Giskard automatically scans for performance issues, bias across protected groups, data leakage, and robustness problems. It works with scikit-learn, XGBoost, CatBoost, LightGBM, and other popular frameworks. LLM Vulnerability Scanner:::Autonomous red teaming agents run 40+ probes for prompt injection, hallucination, harmful content, PII disclosure, and stereotypes. Adapts attack strategies dynamically across multi-turn conversations. ||| RAGET (RAG Evaluation):::Auto-generates test questions from your knowledge base. Evaluates retrieval accuracy, context relevance, answer correctness, and hallucination rates without manual test case creation. ||| ML Model Testing:::Scans tabular models for bias, performance regression, data leakage, and robustness issues. Supports scikit-learn, XGBoost, CatBoost, and other frameworks with automatic issue detection. ## What are Giskard's key features? | Feature | Details | | ---------------- | -------------------------------------------------------------- | | GitHub stats | 5.2k stars, Apache 2.0 (OSS), commercial Hub | | LLM probes | 40+ covering security and business failures | | Red teaming | Autonomous multi-turn agents with adaptive strategies | | RAG evaluation | RA [...truncated for length...] --- # GitGuardian URL: https://appsecsanta.com/gitguardian Description: GitGuardian — #1 GitHub Marketplace secret scanner. 450+ secret types across GitHub, GitLab, Bitbucket, Slack in real-time. Pricing, limits inside. GitGuardian is the #1 security app on the GitHub Marketplace. It monitors source code repositories for exposed secrets in real-time, detecting API keys, hardcoded passwords, certificates, and other credentials that developers accidentally commit to version control. Secret exposure is a leading [supply chain attack](/application-security/supply-chain-attacks-guide) vector, and GitGuardian treats it as a first-class problem. The platform ships 450+ specific detectors plus generic secret detectors, and scans across GitHub, GitLab, Bitbucket, and collaboration tools like Slack, Jira, and Confluence. GitGuardian validates whether detected secrets are still active, so teams can prioritize live credentials over expired ones. ## What is GitGuardian? GitGuardian catches secrets before they become incidents. When a developer commits an AWS key, database password, or API token to a repository, GitGuardian detects it within seconds and triggers an alert. The platform also scans git history, catching secrets that were committed and later deleted but remain in the repository's commit log. Beyond detection, GitGuardian now offers Non-Human Identity (NHI) governance and honeytoken intrusion detection. The ggshield CLI tool runs as a pre-commit hook to block secrets before they ever reach the remote repository. 450+ Secret Types:::Detects API keys, database credentials, private keys, OAuth tokens, certificates, and custom patterns using regex and validation checks. Validates whether secrets are still active. ||| Pre-Commit Protection:::The ggshield CLI runs as a pre-commit hook or CI/CD gate. Blocks secrets before they reach the remote repository, preventing incidents rather than just detecting them. ||| NHI Governance:::Tracks machine identities (service accounts, API keys, tokens) across your organization. Maps which secrets are used where, by whom, and flags over-privileged or stale credentials. ## What are GitGuardian's key features? ### Secret categories | Category | Examples | | --------------- | ---------------------------------------- | | Cloud providers | AWS, Azure, GCP keys and credentials | | Version control | GitHub, GitLab, Bitbucket tokens | | Databases | PostgreSQL, MySQL, MongoDB, Redis URIs | | Payment | Stripe, PayPal, Square API keys | | Communication | Slack, Twilio, SendGrid tokens | | Infrastructure | Docker, Kubernetes, Terraform secrets | | Authentication | JWT secrets, OAuth tokens, SAML keys | | Certificates | Private keys, TLS certificates, SSH keys | | Custom | Organization-defined patterns via regex | ### Secrets detection engine GitGuardian uses pattern matching combined with validation to detect 450+ specific secret types plus generic credentials. Each finding is checked against the issuing service when possible to confirm the secret is still valid. This reduces false positives and helps teams focus on credentia [...truncated for length...] --- # GitHub CodeQL URL: https://appsecsanta.com/github-codeql Description: GitHub CodeQL treats code as queryable data with semantic analysis. Free for open-source. Native GitHub integration with security alerts in pull requests. GitHub CodeQL is a semantic code analysis engine that treats code as queryable data. It is a [SAST](/sast-tools) tool that builds a database representation of your codebase, enabling queries that track data flow across functions, files, and modules. Natively integrated into GitHub Advanced Security, CodeQL powers code scanning for millions of repositories. According to GitHub's Octoverse reports, code scanning has identified and helped fix millions of vulnerabilities across public repositories since CodeQL's launch. It is free for public repositories on GitHub. ## What is CodeQL? CodeQL works differently from pattern-matching SAST tools. Rather than searching for text patterns, CodeQL compiles source code into a relational database that captures the semantic structure: variables, functions, control flow, data flow, and type information. Security researchers write queries in the CodeQL query language to find vulnerabilities by describing the characteristics of insecure code. The query language resembles SQL with object-oriented extensions. For example, CodeQL can trace user input from an HTTP request through multiple transformation functions to a SQL query, identifying injection vulnerabilities that pattern-based tools miss. 12 Languages:::Supports C, C++, C#, Go, Java, Kotlin, JavaScript, TypeScript, Python, Ruby, Swift, and Rust. Each language has a dedicated extractor that builds the database. ||| Semantic Queries:::Queries describe vulnerability characteristics rather than matching text patterns. The database captures ASTs, control flow graphs, data flow graphs, type hierarchies, and call graphs. ||| GitHub Native:::Runs automatically through GitHub Actions on push and pull request events. Results appear as inline annotations and security alerts in pull requests. ## What are GitHub CodeQL's key features? ### Data flow and taint tracking The taint tracking engine follows potentially dangerous data through your codebase. Starting from sources (user input, file reads, network data) and ending at sinks (database queries, command execution, file writes), CodeQL identifies paths where untrusted data reaches sensitive operations without sanitization. ### Custom query development Security teams can write custom CodeQL queries for organization-specific requirements: - Detecting use of banned functions or deprecated APIs - Enforcing authentication checks on sensitive endpoints - Finding missing input validation patterns - Identifying violations of internal security standards ### GitHub integration On GitHub repositories, CodeQL runs automatically through GitHub Actions. Results appear directly in pull requests as security alerts. The integration includes automatic analysis on push and PR events, inline annotations showing vulnerability locations, suggested fixes, and security overview dashboards for organizations. Note: CodeQL ships with two security query suites. The security-and-quality suite covers common vulnerabilities and code [...truncated for length...] --- # GitLab DAST URL: https://appsecsanta.com/gitlab-dast Description: Honest GitLab DAST review. Browser-based SPA scanning, REST/GraphQL/SOAP API testing, merge request results. Requires Ultimate — here's what you get and miss. GitLab DAST is the built-in dynamic application security testing tool for GitLab Ultimate. It runs as a CI/CD pipeline job, scans your deployed application for vulnerabilities, and shows results directly in merge requests. No external tool to configure. No separate dashboard to manage. Add a CI template, set a target URL, and DAST runs alongside your existing pipeline. Requires GitLab Ultimate. Not available on Free or Premium tiers. ## Key features at a glance | Feature | Detail | | ---------------- | --------------------------------------------------------------- | | GitLab Tier | Ultimate only (GitLab.com, Self-Managed, Dedicated) | | Analyzer Version | DAST v5 (browser-based, unified) | | Legacy Analyzer | Proxy-based removed in GitLab 17.3 | | Web Scanning | Browser-based for SPAs (React, Vue, Angular) | | API Scanning | REST (OpenAPI/Swagger), GraphQL, SOAP | | Results Location | Merge request widget, pipeline security tab, security dashboard | | Authentication | Form-based login, token/header auth, OAuth | | On-Demand Scans | Yes — via UI or API, outside CI/CD pipelines | | Scan Modes | Quick scan and full scan | | Output | DAST report artifact (JSON) | ## What is GitLab DAST? GitLab DAST is part of GitLab's DevSecOps platform. The scanner runs as a standard CI/CD job, testing deployed applications for SQL injection, XSS, CSRF, security misconfigurations, and other runtime flaws. According to the [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/), dynamic testing against a running application is essential for catching vulnerabilities that static analysis cannot reach, such as authentication and session management issues. The tool is language-agnostic — it examines applications externally, so it doesn't matter what language or framework the app is built with. Note: The legacy proxy-based analyzer was deprecated in GitLab 16.9 and removed in 17.3. DAST version 5 uses a unified browser-based approach for all scanning. If you're on an older version, GitLab provides migration guides for both proxy-based and browser-based v4 analyzers. Results flow into GitLab's security features automatically. Vulnerabilities appear in the merge request widget (highlighting new issues introduced by the MR), the pipeline security tab, and the project-level security dashboard. Developers can review, dismiss, or create issues for findings without leaving GitLab. Merge Request Integration:::New vulnerabilities introduced by a merge request are highlighted in the MR widget. Developers dismiss false positives or create issues directly from the MR page. ||| Browser-Based Scanning:::DAST v5 executes [...truncated for length...] --- # GitLab SAST URL: https://appsecsanta.com/gitlab-sast Description: GitLab SAST provides automated security scanning in CI/CD pipelines with AI-powered false positive detection, multi-core scanning, and automatic fix. GitLab SAST provides built-in static application security testing for GitLab repositories. Unlike external [SAST tools](/sast-tools) that require integration, GitLab SAST runs automatically in your CI/CD pipelines with minimal configuration. For teams already using GitLab, SAST offers a zero-friction security scanning solution with AI-powered features in Ultimate tier. ## What is GitLab SAST? GitLab SAST scans source code for security vulnerabilities on every commit. According to GitLab's DevSecOps surveys, organizations that shift security left by integrating scanning into CI/CD pipelines detect vulnerabilities significantly earlier in the development lifecycle. The system uses analyzer containers — Docker images that wrap third-party scanners like Semgrep — to detect issues across multiple programming languages. When a scan completes, GitLab displays findings directly in merge requests, security dashboards, and vulnerability reports. Developers see security issues alongside other code review feedback without switching tools or platforms. GitLab Advanced SAST represents the next generation of GitLab's scanning technology. It provides faster scanning with multi-core support, more accurate detection, and is gradually replacing the legacy Semgrep-based analyzers for all supported languages. Zero-Config Scanning:::Enable SAST by including a template in .gitlab-ci.yml—no external tools, API keys, or complex configuration required ||| AI False Positive Detection:::GitLab Duo automatically identifies likely false positives in Critical and High severity findings (Ultimate tier) ||| Automated Fix Generation:::Agentic SAST creates merge requests with context-aware code fixes for High and Critical vulnerabilities (Ultimate tier) ## What are GitLab SAST's key features? | Feature | Details | | ------------------------- | ------------------------------------------------------------ | | Languages (Advanced SAST) | C, C++, C#, Go, Java, JavaScript, Python, Ruby, TypeScript | | Languages (Standard) | Apex, Elixir, Groovy, Kotlin, Objective-C, PHP, Scala, Swift | | Analyzers | Advanced SAST, Semgrep, SpotBugs, Kubesec, PMD Apex, Sobelow | | CI template | `include: template: Jobs/SAST.gitlab-ci.yml` | | Default excluded paths | spec, test, tests, tmp | | Search depth | 20 (Semgrep), 4 (others) | | Runner requirement | Linux (Docker or Kubernetes executor, amd64 only) | | FIPS support | Available via `-fips` image suffix | ### Automatic scanning on every commit Add GitLab SAST to your project by including the `SAST.gitlab-ci.yml` template in your `.gitlab-ci.yml` file. GitLab automatically runs scans on every commit and merge request. The scanner detects which languages exist in your repo [...truncated for length...] --- # Gitleaks URL: https://appsecsanta.com/gitleaks Description: Gitleaks is a widely popular open-source secret scanner with 25.9k GitHub stars and built-in support for JSON, CSV, JUnit, and SARIF reporting formats. Gitleaks is an open-source secret scanner designed to detect and prevent hardcoded secrets in git repositories. Maintained by Zach Rice and the Gitleaks community, it has over 25,900 GitHub stars and is one of the most widely adopted [SAST tools](/sast-tools) for secret detection. According to the 2025 Verizon Data Breach Investigations Report, stolen credentials remain one of the top initial access vectors for breaches. Security teams pick Gitleaks for its speed, accuracy, and low false positive rate compared to entropy-only scanners. ## What is Gitleaks? Gitleaks scans git repositories, files, directories, and stdin to find exposed API keys, passwords, tokens, and other sensitive data. The tool uses regex patterns and entropy detection to identify secrets that developers accidentally commit to version control. Unlike full-featured SAST platforms, Gitleaks focuses exclusively on secret detection. This specialization makes it faster and easier to integrate into existing development workflows. You can run it locally as a pre-commit hook, in CI/CD pipelines, or as a GitHub Action to scan pull requests automatically. Gitleaks generates reports in multiple formats including JSON, CSV, JUnit, and SARIF. The SARIF output integrates with GitHub Advanced Security, allowing you to view findings directly in GitHub's security tab and block pull requests that introduce secrets. Git History Scanning:::Scans entire git history or specific commits to find secrets introduced at any point in your repository's lifetime ||| Flexible Reporting:::Generate reports in JSON, CSV, JUnit, or SARIF formats, or create custom templates using Go text/template ||| CI/CD Integration:::Official GitHub Action plus Docker images for easy integration with GitLab CI, Jenkins, and other automation platforms ## What are Gitleaks's key features? | Feature | Details | |---------|---------| | CLI commands | `git` (scan repos), `dir` (scan directories), `stdin` (pipe input) | | Configuration | TOML format (`.gitleaks.toml`), env vars, or `--config` flag | | Output formats | JSON, CSV, JUnit, SARIF, custom Go templates | | Installation | Homebrew, Docker (DockerHub + ghcr.io), binary releases, from source | | Composite rules | Primary + auxiliary rules with proximity constraints (v8.28.0+) | | Baseline support | Skip known findings via baseline reports | | License | MIT | | GitHub Action | `gitleaks/gitleaks-action@v2` | ### Configurable detection rules Gitleaks ships with built-in rules for common secret patterns (AWS keys, GitHub tokens, Slack webhooks, etc.). Customize rules or add your own regex patterns in a `.gitleaks.toml` configuration file. The tool supports allowlists at both rule-specific and global levels to exclude false positives. Since v8.28.0, composite rules let you combine a primary rule with auxiliary rules that must match within a specified proximity (`withinLines`, `withinColumns`). This reduces false positives for patterns that only matter when they appear [...truncated for length...] --- # gosec URL: https://appsecsanta.com/gosec Description: Gosec is the standard Go security linter with 50+ rules. Free and open-source. AI-powered fixes via Claude, Gemini, OpenAI. SARIF output for GitHub. Gosec is the go-to security linter for Go applications. The SecureGo community maintains it, and with over 8,700 GitHub stars, it has become the most adopted [SAST](/sast-tools) scanner in the Go ecosystem. It scans Go source code using AST and SSA analysis to find security vulnerabilities before they ship. The project has CII Best Practices certification and ships with 50+ rules that cover the OWASP Top 10, each mapped to CWE identifiers. It also has AI-powered fix suggestions through Gemini, Claude, and OpenAI-compatible APIs, so you get remediation guidance right in your terminal. It runs through the Go module system. No external dependencies, no build server. Install via `go install`, Homebrew, or Docker and point it at your codebase. ## What is Gosec? Gosec inspects Go source code for security problems by analyzing both structure and data flow. According to the OWASP Go Security Cheat Sheet, Go's standard library provides strong defaults, but developers still introduce vulnerabilities through improper use of SQL, crypto, and HTTP packages — exactly the patterns gosec targets. Unlike generic linters, it focuses on security patterns that lead to exploitable vulnerabilities. AST + SSA Analysis:::Parses Go code into an Abstract Syntax Tree, then performs Static Single Assignment analysis to trace data flow across function boundaries. Catches issues that pattern matching alone misses. ||| 50+ Security Rules:::Rules organized into categories covering credentials, injection, cryptography, file permissions, network exposure, and memory safety. Each maps to CWE identifiers. ||| AI Fix Suggestions:::Sends findings to Gemini, Claude, or OpenAI-compatible APIs and returns fix suggestions in the terminal. ## What are gosec's key features? ### Static analysis engine Gosec parses Go source code into an Abstract Syntax Tree, then performs Static Single Assignment analysis to track how data flows through your program. This two-pass approach catches security issues that pattern matching alone would miss. Tainted user input reaching a SQL query through several function calls triggers G201 or G202. A direct `fmt.Sprintf` piped into an `exec.Command` triggers G204. SSA represents each variable assignment exactly once, letting gosec trace values across function boundaries. That's what separates it from syntactic linters like `go vet`. Note: Most Go linters only look at syntax. SSA lets gosec follow a variable from where it enters your program (say, an HTTP request parameter) through assignments and function calls until it reaches a dangerous sink like a SQL query or shell command. ### Security rules The 50+ rules break down into seven categories: | Category | Rule IDs | What they detect | | --------------------- | ---------------------- | ------------------------------------------------------------ [...truncated for length...] --- # Graudit URL: https://appsecsanta.com/graudit Description: Graudit is a lightweight grep-based SAST tool with 26+ signature databases. Free and open-source. Minimal dependencies. PHP, Python, Java, and more. Graudit is a lightweight [SAST](/sast-tools) tool built on grep and POSIX regular expressions. It scans codebases for security vulnerabilities using signature databases that match dangerous function calls and insecure patterns. A long-standing community-maintained scanner, Graudit has earned its place as a reconnaissance tool for security researchers. It is included by default in Kali Linux. ## What is Graudit? Graudit takes a simple approach to source code static analysis: rule-based pattern matching with grep. It runs on any POSIX system without compilation or setup, requires only standard utilities (grep, sed, awk, bash), and processes large codebases at near-disk speed. The tool ships with 26+ signature databases for common web languages. Security researchers can create and modify rules using familiar regular expression syntax — each database is a plain-text list of patterns that flag dangerous function calls (`eval`, `system`, `exec`), known weak crypto APIs, and credential-shaped strings. The trade-off is depth: Graudit treats source as text, so it cannot perform taint analysis on proprietary code, track variable bindings, or follow data flow across function boundaries the way semantic analyzers do. That makes it a fast triage layer, not a primary CI gate. 26+ Signature Databases:::Curated patterns for PHP, Python, Java, C, Ruby, JavaScript, Perl, ASP, JSP, and more. Each database targets language-specific security issues like SQL injection, XSS, and command execution. ||| Zero Dependencies:::Requires only standard POSIX utilities available on any Unix-like system. No package managers, no compilation, no runtime environments. Copy and scan. ## What are Graudit's key features? | Feature | Details | | ------------------- | --------------------------------------------------------------- | | Signature databases | 26 language/pattern databases | | Detection method | POSIX extended regular expressions via grep | | Dependencies | Standard POSIX utilities (grep, sed, awk, bash) | | Installation | git clone, apt (Kali Linux), brew (macOS), make install | | Output modes | Color, colorblind (`-b`), vim-friendly (`-L`), no-banner (`-B`) | | Latest version | v4.0 (December 2025) | | License | GPL-3.0 | | Contributors | 13 | ### Signature databases All 26 databases included with Graudit: | Category | Databases | | ----------------------- | -------------------------------------------------------- | | Web languages | php, python, ruby, perl, js, typescript, asp, jsp | | Compiled languages | c, java, dotnet, go, scala, [...truncated for length...] --- # Anchore Grype URL: https://appsecsanta.com/grype Description: Grype is Anchore's free OSS vulnerability scanner. 11.5k GitHub stars. Scans containers + SBOMs against NVD + GHA. SARIF, JSON, Table output. Grype is a free, open-source vulnerability scanner for [container images](/container-security-tools/container-image-security) and filesystems. Built by Anchore and released under Apache 2.0, it has 11.5k GitHub stars and over 50 million combined downloads across the Anchore open-source suite (Syft, Grype, Grant). It matches packages against NVD, GitHub Security Advisories, and distribution-specific feeds. You point it at a container image, a directory, or an SBOM file, and it returns a list of known vulnerabilities sorted by risk. Grype is a single Go binary. No daemon, no server, no account required. Install it, run it, get results. Grype v0.109.1 fixed a bug where a known CVE was not being detected for a vulnerable JAR file — a critical accuracy fix for teams scanning Java projects in CI. ## What is Anchore Grype? Grype scans container images, filesystems, and SBOMs to find packages with known security vulnerabilities. It covers 20+ language ecosystems (Go, Python, JavaScript, Java, Rust, Ruby, PHP, .NET, and more) plus major Linux distributions (Alpine, Debian, Ubuntu, RHEL, Amazon Linux, Oracle Linux, SUSE, Arch, Gentoo). As part of the Anchore open-source ecosystem, Grype pairs with [Syft](https://github.com/anchore/syft) for SBOM generation. Generate an SBOM once with Syft, then rescan it with Grype as vulnerability databases update, without needing the original image. Risk-Based Scoring:::Combines CVSS severity, EPSS exploit probability, and KEV catalog status into a single 0-10 risk score. Sort results by what actually matters instead of raw severity alone. ||| 20+ Ecosystems:::Scans OS packages (APK, DEB, RPM) and language dependencies (npm, pip, Maven, Go, Cargo, Composer, NuGet, and more) against multiple vulnerability databases. ||| SBOM-First Workflow:::Accepts CycloneDX, SPDX, and Syft JSON formats. Scan an SBOM file instead of re-analyzing the original image every time the database updates. ## What are Anchore Grype's key features? ### Risk scoring and prioritization Grype goes beyond raw CVSS scores. Each finding includes an EPSS score (30-day exploitation probability with percentile ranking), KEV catalog status, and a composite risk score from 0.0 to 10.0. Default sorting puts the most actionable findings first. You can also sort by `severity`, `epss`, `kev`, `package`, or `vulnerability` depending on your workflow. CVSS measures how bad a vulnerability could be. EPSS measures how likely it is to be exploited in the next 30 days. A critical-severity CVE with a low EPSS score is less urgent than a high-severity CVE that's actively exploited. Grype's risk score combines both signals. ### Supported ecosystems | Ecosystem | Package types | |-----------|--------------| | JavaScript | npm, yarn | | Python | pip, Poetry, Pipenv, wheel | | Java | Maven (JAR, WAR, EAR), Gradle | | Go | Go modules | | Rust | Cargo | | Ruby | Bundler (Gemfile) | | PHP | Composer | | .NET | NuGet, dotnet | | Dart | Pub | | Haskell | Cabal, Stac [...truncated for length...] --- # Guardrails AI URL: https://appsecsanta.com/guardrails-ai Description: Guardrails AI is an open-source Python framework for LLM input/output validation. 6.6k GitHub stars, 65+ validators via Guardrails Hub. Apache 2.0 licensed. Guardrails AI is an open-source Python framework for validating LLM inputs and outputs using composable validators from Guardrails Hub, covering risks like toxicity, PII leaks, hallucinations, and bias. It is listed in the [AI security](/ai-security-tools) category with 6.6k GitHub stars and 561 forks. The framework is Apache 2.0 licensed and maintained by the Guardrails AI team. The latest release is v0.9.2 (March 2026). The project also offers a partnership course with Andrew Ng on building production-ready, failure-resistant AI applications. Guardrails AI follows a dual model: a free open-source core for self-hosting, and Guardrails Pro as a commercial managed service with hosted validation, observability, and enterprise support. The project has recently evolved with a new product called **Snowglobe** for synthetic data generation and dynamic evaluation datasets. Snowglobe is Guardrails AI's newer product for synthetic data generation. It creates realistic user personas for fine-tuning and evaluation, dynamic evaluation datasets targeting edge cases, and runtime guardrails detecting policy violations and data leakage. Masterclass (Head of AI Aman Gupta) describes the synthetic user personas as notably realistic compared to other synthetic data approaches. ## What is Guardrails AI? Guardrails AI intercepts LLM inputs and outputs, running configurable validation checks called "validators" to catch risks before they reach users. The design principle is composability — individual validators handle specific risks, and multiple validators combine into guards that run checks together. The Guardrails Hub is the validator library. It contains pre-built validators covering toxicity detection, PII anonymization, hallucination detection, profanity filtering, bias detection, logical consistency checks, and more. Each validator is independently testable and deployable, and the hub continues to grow with community contributions. Beyond safety, the framework handles structured data generation. When you need an LLM to produce valid JSON, XML, or data matching a specific schema, Guardrails AI validates the output structure and re-prompts the model when validation fails. This cuts down on the brittle parsing code that usually surrounds LLM integrations. Input/Output Guards:::Guards intercept LLM traffic and run validator chains on inputs and outputs. Input guards block risky prompts before they reach the model. Output guards catch problematic responses before they reach users. Guards are composable — stack as many validators as needed. ||| Guardrails Hub:::A growing library of pre-built validators for specific risk types: toxicity, PII, hallucination, profanity, bias, logical consistency, and more. Each validator is independently configurable and can be combined with others into multi-validator guards. ||| Structured Output:::Validates LLM outputs against JSON schemas, data types, and custom constraints. When validation fails, the framework can automatic [...truncated for length...] --- # Guardsquare URL: https://appsecsanta.com/guardsquare Description: Guardsquare protects Android (DexGuard) and iOS (iXGuard) apps with multilayered code obfuscation, RASP, and app shielding. Creators of ProGuard. Guardsquare is a [mobile application security](/mobile-security-tools) company that provides code obfuscation, app shielding, and runtime protection for Android and iOS apps. The company is best known as the creator of ProGuard, the open-source Java bytecode optimizer originally included in the Android SDK (R8 is now the default), and its commercial products DexGuard and iXGuard that extend ProGuard with advanced security features. The platform takes a build-level approach to mobile protection. Rather than wrapping compiled binaries, Guardsquare's tools integrate into the compilation process itself, applying obfuscation and hardening at the code level. This produces protection that is structurally embedded in the application rather than layered on top. ## What is Guardsquare? Guardsquare provides a complete mobile security lifecycle: test with AppSweep, protect with DexGuard/iXGuard, and monitor in production. The tools integrate into standard build systems (Gradle for Android, Xcode for iOS) and fit into existing CI/CD pipelines without requiring changes to application architecture. DexGuard (Android):::Multilayered, polymorphic obfuscation with control flow randomization, string encryption, code virtualization, and built-in RASP for native and cross-platform Android apps. ||| iXGuard (iOS):::Obfuscation and runtime protection for native iOS (Objective-C, Swift) and cross-platform apps. Applies name obfuscation, string encryption, and anti-tampering checks. ||| AppSweep (Free):::Developer-friendly mobile application security testing that identifies vulnerabilities in your app and its dependencies. Free tier available for individual developers. ## What are Guardsquare's key features? ### DexGuard (Android Protection) DexGuard is Guardsquare's commercial Android protection tool. It applies multiple layers of obfuscation and hardening during the build process: - **Control flow obfuscation**: Restructures code logic so decompiled output is difficult to follow - **Name obfuscation**: Renames classes, methods, and fields to meaningless identifiers - **String encryption**: Encrypts hardcoded strings so they cannot be read from decompiled code - **Code virtualization**: Converts critical code sections into custom bytecode that runs on an embedded virtual machine - **Asset and resource encryption**: Protects app resources from extraction - **RASP protections**: Root detection, tamper detection, debugger detection, and emulator detection at runtime DexGuard builds on ProGuard, so teams already using ProGuard can upgrade without reworking their build configuration. The tool integrates as a Gradle plugin and runs during the standard Android build process. ### iXGuard (iOS Protection) iXGuard provides equivalent protections for iOS apps built with Objective-C, Swift, or cross-platform frameworks. It integrates into Xcode build workflows and applies obfuscation at compile time. The tool covers name obfuscation, string encryption, control flow ob [...truncated for length...] --- # Harbor URL: https://appsecsanta.com/harbor Description: Harbor is a CNCF graduated open-source container registry with built-in vulnerability scanning, image signing, RBAC, and multi-registry replication. Harbor is an open-source cloud native container registry that stores, signs, and scans container images and OCI artifacts. It is a CNCF graduated project (since June 2020) and the most widely adopted open-source container registry, with 30.5k GitHub stars and 5.1k forks. ## What is Harbor? Harbor is a self-hosted container registry that adds vulnerability scanning, content trust, multi-registry replication, and role-based access control on top of the Docker Distribution registry. VMware open-sourced it in 2016, it joined the CNCF in July 2018, and it graduated in June 2020 — making it the first open-source registry to reach CNCF graduated status. Organizations run Harbor when they need a private container registry with security controls that hosted registries charge for or simply do not offer. Air-gapped environments, regulated industries, and multi-cloud setups are the typical use cases. ## How does Harbor scan for vulnerabilities? Harbor scans container images for known vulnerabilities using pluggable scanner backends. [Trivy](/trivy) is the default scanner since Harbor v2.2 (it replaced Clair as the default in 2021). [Clair](/clair) and Anchore Enterprise also work through Harbor's scanner adapter framework, letting organizations choose the scanning engine that fits their existing toolchain. Scanner choice is set per project, so different teams on the same Harbor instance can use different engines. Scan-on-push policies automatically scan every image when it hits the registry. Reports show CVE IDs, severity levels, affected packages, and fixed versions, all aligned to the project's selected scanner. Projects can set a CVE allowlist to ignore known-but-accepted vulnerabilities, plus a severity threshold (e.g. "Critical") that blocks pulls when the threshold is exceeded. That turns the registry into a deploy-time gate — vulnerable images never make it out of Harbor and into a running cluster. ## Does Harbor support image signing? Harbor supports artifact signing through Cosign (part of the Sigstore project) and Notation. The legacy Notary v1 path is deprecated — Cosign + Sigstore is the recommended stack on modern Harbor. When content trust is enabled on a project, only signed artifacts can be pulled. Unsigned or tampered images get blocked, preventing compromised images from reaching production. Signing policies live at the project level, so different projects can enforce different verification rules. Cosign supports keyless signing through OIDC and Sigstore Fulcio, which lets CI pipelines sign images using short-lived workload identities instead of long-lived signing keys checked into a vault. Signatures replicate alongside their associated artifacts. When a replication rule covers a signed image, Harbor copies the signature too, so the chain of trust holds across registries. Verification on pull is typically enforced via a Kubernetes admission controller (Cosign policy controller, Kyverno, or OPA Gatekeeper) so untrusted images c [...truncated for length...] --- # HCL AppScan (DAST) URL: https://appsecsanta.com/hcl-appscan-dast Description: Independent HCL AppScan DAST review. FIPS 140-3 certified for federal use. AI-powered RapidFix triage. On-prem and cloud. Honest assessment. HCL AppScan DAST is an enterprise dynamic application security testing tool and the scanning core of the AppScan 360° platform. It evolved from IBM AppScan, one of the oldest enterprise DAST products on the market. The tool evolved from IBM AppScan, which HCL acquired in 2019. Since then, HCL has added AI-enabled scanning, agentic triage (RapidFix), API security testing, and a cloud-native deployment option alongside the traditional on-premises install. FIPS 140-3 compliance makes it one of the few DAST tools approved for US federal government use. ## Key features at a glance | Feature | Detail | | ------------------ | ----------------------------------------------------------------------------------- | | Platform | AppScan 360° (DAST, SAST, IAST, SCA, API, IaC) | | AI Features | AI-enabled scanning + RapidFix agentic triage | | Federal Compliance | FIPS 140-3 certified | | Regulatory Reports | PCI DSS, HIPAA, GDPR, SOC 2 | | API Testing | REST, SOAP, OpenAPI/Swagger, GraphQL schema import | | Deployment | Cloud (AppScan on Cloud), on-premises (Standard/Enterprise), AppScan 360 (anywhere) | | Presence Agent | Docker container for hybrid cloud/on-prem scanning | | CI/CD | GitHub Actions, Jenkins, Azure DevOps (official actions) | | Origin | IBM AppScan → HCL (acquired 2019) | ## What is HCL AppScan DAST? AppScan performs black-box security testing by crawling and attacking running web applications. It targets SQL injection, XSS, authentication flaws, and other runtime vulnerabilities that static analysis can't find. According to the OWASP Testing Guide, dynamic testing is the only way to detect certain classes of runtime vulnerabilities such as authentication bypass and session management flaws. The AI engine learns application behavior patterns to focus testing on high-risk areas. Smart crawling adapts to application structure, which helps reduce scan time on large apps without sacrificing coverage. AI-Enabled Scanning:::Machine learning optimizes test coverage and reduces scan times. The AI engine identifies high-risk application areas and reduces redundant test cases. Smart crawling adapts to each app's structure. ||| AppScan 360° Platform:::DAST sits alongside SAST, IAST, SCA, IaC security, and API testing. Findings from all scanners correlate in a single dashboard. Deploy on cloud or on-premises. ||| FIPS 140-3 Compliance:::The FIPS-compliant option meets US federal cryptographic security requirements. Necessary for government agencies and federal contracto [...truncated for length...] --- # HCL AppScan IAST URL: https://appsecsanta.com/hcl-appscan-iast Description: HCL AppScan IAST uses patented algorithms for Java and .NET to eliminate false positives. Hot attach/detach and auto-correlation across SAST, DAST, IAST. HCL AppScan IAST monitors application runtime behavior during functional and QA testing to detect security vulnerabilities. It uses patented algorithms for Java and .NET to track data flow and validate findings, reducing false positives compared to traditional [IAST](/iast-tools) scanners. The technology originated from IBM Security AppScan before [HCL Technologies acquired the product line from IBM in 2019](https://www.hcl-software.com/appscan). It is available through AppScan on Cloud (SaaS) and AppScan Enterprise (on-premises). ## What is HCL AppScan IAST? The IAST agent deploys on your application's web server and monitors traffic passively. As system tests or DAST scans send requests, the agent watches what happens inside the application — requests, call stacks, variables — and reports vulnerabilities it finds. Unlike a DAST scanner that only sees HTTP responses, the agent sees inside the application, providing code locations, URLs, and specific vulnerable entities like parameters, headers, or cookies. Sessions run indefinitely until manually stopped or the agent disconnects. Patented Algorithms:::Uses patented algorithms for Java and .NET to trace data flow from input sources to dangerous sinks. Validates whether tainted data actually reaches vulnerable operations without sanitization. ||| Hot Attach/Detach:::Java agent supports attaching to running applications without restart. Enable instrumentation during test windows, detach when done. Reduces disruption in shared staging environments. ||| Auto-Issue Correlation:::Uses heuristics to find correlations between IAST, DAST, and SAST findings. Groups related vulnerabilities into single issues to cut the remediation count. ## What are HCL AppScan IAST's key features? | Feature | Details | |---------|---------| | Java Support | Tomcat 7+, WebSphere 8.5+, JBoss/WildFly 10+, WebLogic 12+, Jetty, Quarkus (JRE 1.8.144+) | | Java Frameworks | Spring 5/6, Struts, Resteasy, Vert.x 3/4 | | .NET Support | Framework 4.5-4.8, .NET 5-9, Core 3.1 on IIS 7+ or Kestrel | | Node.js Support | Express 4 with ECMAScript 6 | | PHP Support | 7.4, 8.1, 8.2, 8.3 | | System Requirements | Minimum 2 CPUs, 8 GB RAM (recommended: 4 CPUs) | | Deployment Models | AppScan on Cloud (SaaS) and AppScan Enterprise (on-premises) | | Session Duration | Indefinite (runs until manually stopped) | ### Passive Runtime Monitoring The agent monitors traffic sent to the application and reports vulnerabilities as they occur. It doesn't generate its own test traffic. You drive the application through system tests, manual exploration, or DAST scans, and the agent catches vulnerabilities in the code paths exercised. This means IAST adds no extra time to your testing. The security monitoring happens alongside whatever testing you already do. ### Managed Code Execution for .NET The .NET agent runs entirely in managed code without disabling JIT optimizations. This keeps performance impact low while maintaining full visibility in [...truncated for length...] --- # HCL AppScan URL: https://appsecsanta.com/hcl-appscan Description: HCL AppScan is an enterprise SAST platform with 30+ languages. Free CodeSweep IDE extension. AppScan 360° platform for enterprise security. HCL AppScan is an enterprise application security platform that includes [SAST](/sast-tools), DAST, IAST, SCA, and API security testing. It supports 30+ languages and is one of the longest-running enterprise AppSec platforms, with the free CodeSweep IDE extension as a unique offering in the enterprise tier. AppScan V10x deployment architecture — Enterprise Console, Dynamic Scan agents, and SQL Server connected via HTTP/TCP ports. ## What is HCL AppScan? AppScan is a suite of security testing tools offered in cloud, on-premises, and desktop variants. The SAST component (AppScan Source) scans source code for vulnerabilities. AppScan CodeSweep provides a free VS Code extension with the same detection engine, limited to single-file scanning. 30+ Languages:::Covers Java, .NET, C/C++, JavaScript, Python, PHP, Go, Ruby, Kotlin, Swift, COBOL, ABAP, Apex, Dart, Scala, Perl, and more. ||| Free CodeSweep:::Free VS Code plugin with detection capabilities equivalent to AppScan Source. Single-file scanning for developers who want to try AppScan SAST. ||| AI-Powered Features:::RapidFix for remediation suggestions, Intelligent Code Analytics (ICA) for automated setup, and Intelligent Findings Analytics (IFA) for finding consolidation. ## Product components ### AppScan on Cloud Cloud-based scanning for teams wanting managed infrastructure. ### AppScan Enterprise On-premises solution with DAST scanning, a dashboard console that consolidates static scan data and IAST results, and the ability to distribute scanning across multiple servers. AppScan on Cloud dashboard — current-state overview with risk ratings, 963 active issues by severity, and top vulnerability types. ### AppScan Source The SAST component for static code analysis on desktop systems or within CI/CD pipelines. AppScan Source findings view — 162 findings grouped by vulnerability class, with severity, classification, and API source columns. ### AppScan CodeSweep Free VS Code extension with detection capabilities equivalent to AppScan Source, limited to single-file scanning. CodeSweep in VS Code — security issues flagged inline with severity labels directly in the Problems panel, no separate scan step required. Intelligent Code Analytics (ICA) automates onboarding setup in minutes instead of days. Intelligent Findings Analytics (IFA) groups and consolidates hundreds of findings into manageable categories, reducing ticket volume. ## How do I get started with HCL AppScan? **Try CodeSweep** — Install the free AppScan CodeSweep extension in VS Code to test the SAST detection engine on your code. ||| **Choose deployment** — Select between AppScan on Cloud, AppScan Enterprise (on-premises), or AppScan Source (desktop). Contact HCL for pricing. ||| **Configure scanning** — Connect repositories and configure which languages and frameworks to scan. ICA automates initial setup. ||| **Review and triage** — Use IFA to consolidate findings into manageable groups. RapidFix provides AI-powered [...truncated for length...] --- # HiddenLayer AISec URL: https://appsecsanta.com/hiddenlayer Description: HiddenLayer AISec is an ML model security platform with supply chain scanning (35+ formats), runtime prompt injection defense, and adversarial red teaming. HiddenLayer AISec is an enterprise [AI security](/ai-security-tools) platform built specifically for ML model security — covering supply chain scanning, runtime defense, and adversarial red teaming across the full model lifecycle, from training to production deployment. Unlike traditional cybersecurity tools, which were designed for code and infrastructure, HiddenLayer operates on model artifacts and inference behaviors without requiring access to weights, training data, or prompts. HiddenLayer was co-founded in 2022 by Chris "Tito" Sestito, Tanner Burns, and James Ballard. Sestito spent years leading threat research at Cylance, where attackers exploited the company's Windows executable AI model using an inference attack. That breach — which let binary files evade detection across Cylance's entire customer base — became the founding motivation. In September 2023, HiddenLayer raised $50M in Series A funding led by M12 (Microsoft's Venture Fund) and Moore Strategic Ventures, with participation from Booz Allen Ventures, IBM Ventures, and Capital One Ventures. ## What is HiddenLayer? HiddenLayer AISec is an ML security platform designed for the threats that traditional cybersecurity tools cannot address — adversarial attacks on model inference, backdoors embedded in model weights, and supply chain compromise through poisoned model artifacts. The AISec Platform 2.0, unveiled in April 2025 ahead of RSAC, covers four areas: AI discovery, supply chain security, runtime defense, and attack simulation. The platform is model-agnostic and agentless — no access to model weights, training data, or prompts required. HiddenLayer's research team has disclosed 48+ CVEs in ML frameworks such as PyTorch and TensorFlow, and holds 25 granted patents (with 56 pending) in adversarial detection, model protection, and AI threat analysis. AI Discovery:::Identifies AI assets across environments to eliminate shadow AI. Provides visibility into how and where models are used, by whom, and with what level of access. ||| Supply Chain Security:::ModelScanner detects malicious code injections, pickle deserialization attacks, and architectural backdoors across 35+ model formats before models enter production. ||| Runtime Defense:::Real-time monitoring protects deployed models from adversarial attacks, prompt injection, and inference manipulation without introducing latency or requiring model modifications. ## What are HiddenLayer AISec's key features? | Feature | Details | | ------------------- | --------------------------------------------------------------------------------------------------------------------- | | ModelScanner | Scans 35+ formats (PyTorch, TensorFlow, ONNX, Keras, GGUF, pickle, safetensors) for malware, tampering, and backdoors | | AI Discovery | Shadow AI detection across cloud and on-prem environments [...truncated for length...] --- # Holistic AI URL: https://appsecsanta.com/holistic-ai Description: Holistic AI is an enterprise AI governance platform with 100+ automated tests for bias, hallucinations, red teaming, and EU AI Act/ISO 42001/NIST AI RMF compliance. Holistic AI is an enterprise AI governance platform that unifies AI system discovery, automated testing, continuous monitoring, and regulatory compliance into a single system. The platform provides 100+ automated tests — covering red teaming, bias detection, hallucination testing, and adversarial probing — with built-in compliance mapping to the EU AI Act, NIST AI RMF, and ISO 42001. It is listed in the [AI security](/ai-security-tools) category. The platform addresses a real challenge: as AI adoption grows, organizations struggle to keep track of all their AI systems, test them consistently, and prove compliance with shifting regulations. ## What is Holistic AI? Holistic AI operates across four stages of AI governance: Connect (integrate with existing tech environments), Identify (maintain a continuously updated AI inventory), Protect (enforce guardrails through automated testing and monitoring), and Enforce (align AI initiatives with business priorities and regulatory requirements). The AI discovery engine is often the starting point. Many organizations do not have a complete inventory of their AI systems — shadow AI, unclear ownership, and unmanaged data flows create blind spots. Holistic AI automatically identifies and catalogs these systems, giving all subsequent governance activities a solid foundation. AI Discovery & Inventory:::Automatically finds and inventories all AI systems in the organization, including shadow AI, unmanaged data flows, and systems with unclear ownership. Maintains a continuously updated catalog with metadata and risk classifications. ||| 100+ Automated Tests:::Integrated testing suite covering red teaming, jailbreak detection, hallucination testing, adversarial probes, bias and fairness analysis, security vulnerability assessment, privacy testing, and robustness evaluation. ||| Compliance Automation:::Maps risk to EU AI Act, NIST AI RMF, and ISO 42001 frameworks. Generates audit-ready evidence, maintains compliance documentation, and enforces policy-as-code guardrails that AI systems cannot bypass. ## What are Holistic AI's key features? | Feature | Details | | ------------------------- | ------------------------------------------------------------------------------- | | **AI Discovery** | Shadow AI detection, ownership mapping, data flow analysis | | **Test Suite** | 100+ automated tests across safety, bias, security, privacy, robustness | | **Red Teaming** | Dynamic adversarial prompts with static and dynamic test generation | | **Bias Detection** | Fairness testing across demographic subgroups with quantified metrics | | **Hallucination Testing** | Detects factual inaccuracies, fabrications, and inconsistencies | | **Safety Metric** | Defense Success Rate (DSR) — proportion of safe responses to total evaluate [...truncated for length...] --- # Hopper Disassembler URL: https://appsecsanta.com/hopper Description: Independent review of Hopper Disassembler for macOS/iOS binary analysis. Covers Mach-O decompiling, scripting, and how it compares to Ghidra and IDA Pro. Hopper Disassembler is a powerful binary analysis tool built specifically for macOS and iOS reverse engineering. Developed with a focus on Apple platforms, it has become a favorite among iOS [mobile security](/mobile-security-tools) researchers and macOS developers who need deep insight into compiled applications. The tool provides a polished, Mac-native experience that feels at home in the Apple ecosystem. Unlike cross-platform tools that support many architectures, Hopper specializes in the formats and conventions used by Apple: Mach-O binaries, Objective-C runtime structures, and Swift metadata. This specialization translates to faster analysis, better automatic recognition of Apple framework calls, and a workflow optimized for iOS app security testing. I use Hopper when I need to disassemble a macOS or iOS binary and read the control flow visually. The pseudo-code panel is what I open first — it converts ARM and x86 assembly into a C-like view that makes tracing functions across the binary manageable. It is not free, but the single-user license is cheaper than the alternatives and the UI feels faster than IDA on Apple Silicon. ## What is Hopper Disassembler? Hopper is a disassembler, decompiler, and debugger for macOS that handles x86, x86_64, and ARM binaries. The tool excels at transforming compiled iOS apps and macOS executables into readable assembly and pseudocode, enabling security researchers to understand implementation details without source code access. The disassembler recognizes Objective-C classes, methods, and protocols automatically, reconstructing the object-oriented structure of the original code. For Swift binaries, it parses metadata to recover type information and function signatures. This automatic recognition significantly accelerates the analysis process compared to generic disassemblers. Hopper's decompiler generates pseudocode that closely resembles the original C, Objective-C, or Swift code. The output quality is excellent for understanding control flow, identifying vulnerabilities, and locating security-relevant code sections like authentication routines or encryption implementations. Mach-O Expertise:::Deep understanding of Apple's binary format with automatic framework recognition ||| Decompiler:::Generates readable pseudocode from ARM and x86 assembly for faster comprehension ||| Objective-C/Swift:::Parses runtime metadata to reconstruct classes, methods, and type information ||| Mac-Native UI:::Polished interface designed specifically for macOS with keyboard-driven workflow ||| Python Scripting:::Automate analysis tasks and extend functionality with Python API ||| AI Integration:::Enhanced with AI capabilities through integrated MCP server for advanced analysis ## What are Hopper Disassembler's key features? ### iOS App Analysis For iOS security testing, Hopper is invaluable. Load an IPA's Mach-O executable to examine authentication logic, find hardcoded secrets, analyze jailbreak detection routines [...truncated for length...] --- # Horusec URL: https://appsecsanta.com/horusec Description: Horusec orchestrates 20+ security tools for multi-language scanning. Free and open-source by ZupIT. Web dashboard included. Apache 2.0 license. Horusec is an open-source [SAST](/sast-tools) orchestration tool that coordinates 20+ security engines into a unified vulnerability report. Created by ZupIT, it supports 18+ languages and includes a web dashboard for vulnerability management. Horusec provides multi-language scanning by orchestrating established tools like Bandit, Brakeman, GoSec, and SpotBugs rather than building its own analysis engine. The orchestration model means Horusec inherits each underlying scanner's strengths — taint analysis paths through wrapped Bandit and Brakeman engines, rule-based pattern matching for CWEs from each tool's signature set, and limited cross-file dataflow that depends on the depth of the specific scanner Horusec invokes. Horusec Manager dashboard — vulnerability counts by severity, trends over time, and per-repository breakdown ## What is Horusec? Rather than implementing its own analysis engine, Horusec runs established security tools and consolidates their findings. OWASP recommends using multiple static analysis tools for broader coverage, since each tool has different strengths and detection capabilities. Horusec automates this by detecting languages in your repository and selecting the appropriate scanners. Results merge into a single report with deduplication and unified severity ratings. 20+ Security Tools:::Orchestrates Bandit (Python), Brakeman (Ruby), GoSec (Go), SpotBugs (Java), Checkov (IaC), and many more. Language auto-detection selects the right tools. ||| Secrets Detection:::Built-in scanner identifies hardcoded API keys, database credentials, private keys, and cloud provider credentials across all file types. ||| Web Dashboard:::Horusec Manager provides centralized vulnerability management, workspace organization, false positive tracking, trend analysis, and role-based access control. ## What are Horusec's key features? ### Multi-tool orchestration | Language | Tools used | | --------------------- | -------------------------- | | Python | Bandit, Safety | | Go | GoSec, Nancy | | JavaScript/TypeScript | npm-audit, ESLint security | | Java/Kotlin | SpotBugs, Dependency-Check | | Ruby | Brakeman, Bundler-audit | | C# | Security Code Scan | | Infrastructure | Checkov, TFSec, Trivy | Horusec Manager vulnerability list — severity labels (CRITICAL → UNKNOWN), triage status dropdowns, and hash-based deduplication Horusec's detection quality depends on the security tools it orchestrates. For Python, you get Bandit's detection capabilities. For Ruby, Brakeman's. The value is in unified reporting and management, not deeper analysis than individual tools provide. ## Horusec maintenance status (2026) Horusec's release cadence has slowed visibly. The most recent tagged release on github.com/ZupIT/horusec landed in 2024, and commit activity on the default branch has been inte [...truncated for length...] --- # Imperva API Security URL: https://appsecsanta.com/imperva-api-security Description: Imperva API Security provides ML-based API discovery, runtime BOLA detection, and bot protection. Now part of Thales, recognized as a KuppingerCole API security leader. Imperva API Security is a commercial [API security](/api-security-tools) platform that uses machine learning to automatically discover, classify, and protect APIs across cloud and on-premises environments. It combines API discovery, schema enforcement, runtime BOLA detection, and bot protection in a single platform. Thales Group acquired Imperva in December 2023 for $3.6 billion. The combined operation now has 5,800+ security experts across 68 countries. The Imperva brand and product line continue under Thales's cybersecurity division, with active API security development. Unlike tools that only monitor API traffic at the gateway level, Imperva analyzes traffic patterns using ML to find shadow and zombie APIs that organizations did not know existed. ## Key Features at a Glance | Feature | Details | | ----------------------- | ---------------------------------------------------------------------------------------------------------- | | **API Discovery** | ML-powered continuous discovery of shadow, zombie, internal, and third-party APIs across cloud and on-prem | | **Data Classification** | Automatic identification of PII, payment data, and credentials flowing through each endpoint | | **Schema Enforcement** | Security gap analysis of OpenAPI/Swagger definitions with runtime enforcement | | **BOLA Detection** | Behavioral baselining and ML-driven Broken Object Level Authorization detection in real time | | **Bot Protection** | Native integration with Imperva Advanced Bot Protection for credential stuffing and API abuse | | **OWASP API Top 10** | Coverage across all OWASP API Security Top 10 threat categories | | **Deployment Options** | Cloud-managed, self-managed, agent-based, and agentless deployment models | | **Compliance** | Sensitive data flow auditing for GDPR, PCI DSS, and CCPA requirements | ## Overview Imperva API Security bundles discovery, risk assessment, and runtime defense in a single platform, sitting in the broader [API security tools](/api-security-tools) landscape. Compared to point solutions that require stitching together separate discovery, testing, and protection tools, Imperva covers the full API security lifecycle in one product, and I have [compared it head-to-head with Salt Security](/api-security-tools/imperva-api-vs-salt-security) for buyers weighing the WAF-extension model against pure-play API behavioral runtime. The platform handles four stages: discovering all APIs (including shadow and zombie endpoints), classifying the data flowing through them, assessing schemas for security gaps, and blocking threats in real time. ML-Powered API Discovery:::Continuously discovers internal, external [...truncated for length...] --- # Imperva RASP URL: https://appsecsanta.com/imperva-rasp Description: Imperva RASP shares threat intelligence with Imperva WAF for coordinated blocking across network and application layers. Zero tuning required. Imperva RASP embeds security directly into Java and .NET applications, protecting them from the inside. The main draw is the two-way integration with Imperva's WAF — attack patterns detected by RASP feed into WAF rules, and vice versa. Imperva is now part of [Thales Group](https://www.thalesgroup.com/en/group/journalist/press_release/thales-imperva-acquisition) (acquisition closed December 2023). Imperva has communicated an end-of-sale and end-of-support path for the standalone RASP product through its customer community ([RASP EOS notice on community.imperva.com](https://community.imperva.com/discussion/rasp-eos)). Existing customers should review the alternatives section before renewing or expanding deployments. Net-new buyers: I would not start a procurement on this product in 2026 — review [Contrast Protect](/contrast-security#contrast-protect-rasp), [Datadog Application Security](/datadog-asm), or [Dynatrace](/dynatrace) instead. The product evolved from [Imperva's acquisition of Prevoty in 2018](https://www.imperva.com/blog/imperva-to-acquire-dev-ops-security-leader/). It requires no code changes and no tuning. Deploy the agent, and it starts blocking attacks based on behavioral analysis rather than pattern matching. | Feature | Details | | ----------------- | ---------------------------------------------------- | | Languages | Java, .NET | | WAF integration | Two-way threat intelligence sharing with Imperva WAF | | Deployment | Cloud, on-premises, hybrid | | Tuning | Zero tuning required | | Detection | ML-based behavioral analytics | | Attack types | SQLi, XSS, RCE, auth bypass, business logic | | File integrity | Built-in file integrity monitoring | | Container support | Kubernetes and containers | | Origin | Prevoty acquisition | ## What is Imperva RASP? Imperva RASP sits inside the application runtime, monitoring how requests flow through code. When it spots an attack pattern — SQL injection, XSS, remote code execution, or business logic abuse — it blocks the request before it reaches vulnerable code. What makes it different from standalone RASP products is the WAF integration. RASP sees attacks that bypass the WAF (encryption, encoding tricks, zero-days). The WAF sees network-level threats RASP cannot. Together, they share threat intelligence and coordinate blocking across both layers. WAF + RASP Coordination:::Attack patterns detected by RASP automatically inform WAF rules. The WAF feeds network-level threat intelligence back to RASP. Both share a single dashboard for security visibility across network and application layers. ||| Zero-Tuning Protection:::ML-based behavioral analytics detect attacks without rul [...truncated for length...] --- # Infer URL: https://appsecsanta.com/infer Description: Infer is Meta's open-source static analyzer for Java, C, C++, and Objective-C. Catches null dereferences, memory leaks, and data races via separation logic. Infer is an open-source static analyzer developed by Meta that detects null dereferences, memory leaks, resource leaks, and data races in Java, C, C++, and Objective-C code using separation logic. It is a [SAST](/sast-tools) tool that performs inter-procedural analysis, also supporting Erlang and Hack. What makes Infer different from pattern-matching analyzers is its foundation in **separation logic** — a mathematical framework for reasoning about programs that use shared mutable data structures. This lets it analyze each procedure independently and compose the results, scaling to codebases with millions of lines of code without sacrificing depth. Meta deploys Infer internally across Facebook, Instagram, WhatsApp, and Messenger. Over 100,000 issues reported by Infer have been fixed by developers before code reached production. The project has 15,500+ GitHub stars and is licensed under MIT with no usage restrictions. | Feature | Details | | -------------- | ---------------------------------------------------------------- | | Developer | Meta (formerly Facebook) | | License | MIT (fully open-source, no restrictions) | | Languages | Java, C, C++, Objective-C, Erlang, Hack | | Analysis type | Inter-procedural via separation logic and bi-abduction | | Core engine | Pulse (null deref, memory/resource leaks, taint, use-after-free) | | Concurrency | RacerD (thread safety and data race detection) | | CI mode | Differential analysis — reports only new issues per diff | | Build systems | Gradle, Maven, javac, clang, gcc, make, Buck, Xcode | | Output formats | JSON, SARIF | | GitHub stars | 15,500+ | ## Overview Infer works in two phases: **capture** and **analyze**. During capture, Infer intercepts your build system's compilation commands and translates source files into its internal intermediate representation. During analysis, it examines each function and method individually using its Pulse engine. The key innovation is **bi-abduction** — a logical inference technique that automatically discovers what each function expects (pre-conditions) and guarantees (post-conditions). This means Infer doesn't need developers to write annotations or specifications. It figures out the contracts from the code itself, then checks whether callers respect those contracts. This compositional approach is what makes Infer scale. Instead of analyzing the entire program at once, it breaks the analysis into independent pieces that can be cached and reused. When a developer submits a code change, only the modified files and their dependents need re-analysis. Separation Logic:::Built on formal verification research. Bi-abduction aut [...truncated for length...] --- # Rapid7 InsightAppSec URL: https://appsecsanta.com/insightappsec Description: Independent InsightAppSec review. Rapid7's DAST with Attack Replay for devs and Universal Translator for SPAs. 95+ attack types. Honest pros and cons. InsightAppSec is Rapid7's DAST platform for testing modern web applications. Two features set it apart: the Universal Translator, which normalizes traffic from JavaScript frameworks like React, Angular, and Vue into a consistent format for testing, and Attack Replay, which lets developers verify findings locally without running a full scan. Tests for 95+ vulnerability types. Runs on cloud or on-premise scan engines. Concurrent multi-target scanning at no additional cost. Recently added LLM vulnerability scanning for AI-integrated applications. ## Key features at a glance | Feature | Detail | | -------------------- | ----------------------------------------------------------- | | Attack Types | 95+ including OWASP Top 10, business logic, config issues | | Universal Translator | Normalizes React, Angular, Vue.js traffic for testing | | Attack Replay | Developers verify findings locally without full scan access | | LLM Scanning | Tests AI-integrated apps for prompt injection, data leakage | | GraphQL Testing | Dedicated GraphQL API scanning support | | Scan Engines | Cloud-hosted and on-premise (v7.5 latest) | | Concurrent Scanning | Multiple targets simultaneously, no extra cost | | Compliance Reports | PCI-DSS, HIPAA, OWASP Top 10, SOX | | Report Formats | Interactive HTML, static HTML, CSV, PDF | | Scheduling | Recurring scans with blackout window support | ## What is InsightAppSec? Traditional DAST tools struggle with JavaScript-heavy applications that render content dynamically and manage state client-side. According to the OWASP Testing Guide, testing modern SPAs requires a crawler that executes JavaScript and tracks client-side state changes. InsightAppSec's Universal Translator addresses this by normalizing traffic from various frameworks into a consistent format for security testing. The tool crawls applications using a real browser, executes JavaScript, tracks state changes, and discovers REST endpoints called by the frontend. This gives it broader coverage than crawlers that only process static HTML. The Universal Translator doesn't care which JavaScript framework you use. React, Angular, Vue.js, Ember, Backbone — it normalizes all of them into the same internal format. This means InsightAppSec's attack modules work consistently regardless of frontend technology. Universal Translator:::Normalizes traffic from React, Angular, Vue.js, and other JavaScript frameworks. Executes JS, tracks state changes, and discovers API endpoints called by the frontend. ||| Attack Replay:::Each finding comes with a replay package — HTTP request, reproduction steps, evidence screenshots, and fix guidance. Developers verify bugs locally without needing DAST tool access. ||| 95+ Attack Types:::Covers injection ( [...truncated for length...] --- # Intruder URL: https://appsecsanta.com/intruder Description: Independent Intruder review. Continuous vulnerability scanner with 140,000+ checks, GregAI analyst, and cloud connectors. 3,000+ customers. Pros and cons. Intruder is a cloud-based continuous vulnerability scanner that monitors your external attack surface for security weaknesses. It runs 140,000+ checks against web applications, APIs, cloud infrastructure, and network services. Founded in 2015 and selected for the GCHQ Cyber Accelerator, Intruder now serves 3,000+ customers. It has a 4.8/5 rating on G2 from 154 reviews. | Feature | Details | | ---------------- | -------------------------------------- | | Deployment | Cloud-only SaaS | | Security checks | 140,000+ | | Cloud connectors | AWS, Azure, GCP | | AI analyst | GregAI | | Compliance | SOC 2, ISO 27001, PCI DSS, HIPAA, DORA | | Integrations | 15+ (Jira, Slack, GitHub, etc.) | | API access | Pro, Premium, and Vanguard plans | | Free trial | 14 days (Cloud plan features) | | Starting price | See intruder.io/pricing | ## What is Intruder? Intruder scans internet-facing systems for vulnerabilities on a continuous basis. When your infrastructure changes or a new threat emerges, it triggers scans automatically. No manual scheduling required. The Verizon 2024 Data Breach Investigations Report found that vulnerability exploitation as an initial access vector grew significantly year over year, reinforcing the need for continuous scanning of internet-facing assets. The platform differs from traditional [DAST tools](/dast-tools) in scope. Where most DAST scanners focus on web application logic (XSS, SQLi, authentication flaws), Intruder covers the broader attack surface: exposed ports, misconfigured services, outdated software, and cloud misconfigurations alongside web application vulnerabilities. Intruder is an attack surface management platform with vulnerability scanning, not a deep application security tester. It finds exposed services and known CVEs across your entire perimeter. For detailed web app testing of authenticated flows and business logic, pair it with a dedicated DAST scanner like [ZAP](/zap) or [Burp Suite](/burp-suite). ## What are Intruder's key features? Attack Surface Monitoring:::Automatically discovers new subdomains, exposed services, and cloud resources. Scans trigger when changes are detected so new assets get tested before attackers find them. ||| GregAI Analyst:::Intruder's AI security analyst. It verifies findings, suppresses false positives, and ranks what to fix first based on exploitability and whether the CVE is actively being used in the wild. ||| Cloud Security (CSPM):::Native connectors for AWS, Azure, and GCP. Runs daily misconfiguration checks and automatically imports cloud assets. Up to 3 accounts on Cloud plan, 10 on Pro, unlimited on Enterprise. ||| Emerging Threat Scans:::When a new high-profile vulnerability drops, Intruder proactively checks your infrastructure. No waiting for s [...truncated for length...] --- # Invicti ASPM URL: https://appsecsanta.com/invicti-aspm Description: Invicti ASPM combines proof-based DAST with Kondukto orchestration for 99.98% accuracy. 110+ integrations with SBOM Radar and automated fix verification. Invicti ASPM is a commercial [Application Security Posture Management](/aspm-tools) platform that pairs proof-based DAST scanning with multi-scanner orchestration. Invicti acquired Kondukto in August 2025 and merged both products. The platform connects over 110 security tools, CI/CD systems, and issue trackers. Invicti claims 99.98% accuracy on its DAST findings through safe exploitation proofs, and reports 40% shorter remediation times across 3,600+ organizations. The platform doesn't replace your existing scanners. It orchestrates them. Results from SAST, SCA, DAST, container scanning, and IaC tools get pulled in, normalized, deduplicated, and routed through automated workflows. Verified fixes trigger targeted rescans that close tickets without anyone stepping in. Invicti started as Netsparker, a DAST tool known for proof-based scanning. Kondukto was a Turkish-founded ASPM startup with broad scanner support and a CLI tool. After the acquisition, both products merged under the Invicti ASPM brand. The company is headquartered in Austin, Texas. ## What is Invicti ASPM? Invicti ASPM is a commercial ASPM platform that orchestrates your security testing pipeline. It sits on top of your existing scanners, pulling in results from SAST, SCA, DAST, container scanning, and IaC tools, then normalizing everything into one view. The main differentiator compared to [ArmorCode](/armorcode) or [DefectDojo](/defectdojo) is the proof-based scanning layer from Invicti's DAST engine. When the built-in DAST scanner finds a potential vulnerability, it performs a safe exploitation to confirm the flaw actually exists. You get a proof artifact attached to every finding, not just a confidence score. Proof-Based Scanning:::The built-in DAST engine safely exploits each finding to confirm it's real before reporting. Invicti reports 99.98% scan accuracy with proof artifacts attached to every confirmed vulnerability. ||| Security Orchestration:::Connects 110+ scanners, CI/CD tools, issue trackers, and WAFs. Manages the full scan lifecycle from trigger to ticket with automated deduplication and routing. ||| SBOM Radar:::Tracks libraries, frameworks, and transitive dependencies across your applications. Monitors for new CVEs and flags license compliance risks using CycloneDX and SPDX formats. ## What are Invicti ASPM's key features? ### Proof-based scanning The built-in DAST engine validates each finding through safe exploitation before reporting it. If the scanner detects a potential SQL injection, it attempts a read-only query to prove the flaw exists. A suspected remote file inclusion gets confirmed by reading a system file. Each confirmed vulnerability includes a proof artifact showing how the issue was exploited. Invicti reports this as 99.98% scan accuracy, close to zero false positives in practice. Unlike traditional DAST tools that flag potential issues based on heuristics, Invicti's scanner safely exploits each finding to confirm exploitability. A SQL [...truncated for length...] --- # Invicti Shark (IAST) URL: https://appsecsanta.com/invicti-shark Description: Invicti Shark combines IAST sensors with Proof-Based Scanning to discover hidden assets and pinpoint vulnerabilities to exact file and line numbers. Invicti Shark is an [IAST](/iast-tools) sensor that pairs with the Invicti DAST scanner. The scanner attacks from outside; Shark watches from inside the runtime and catches vulnerabilities and hidden assets that external-only scanning misses. The team behind Shark built one of the first commercial IAST implementations (AcuSensor). Shark plugs directly into Invicti's Proof-Based Scanning, so reported vulnerabilities come with both exploitation proof and exact code locations. ## What is Invicti Shark? Shark sits inside your application while the scanner sends requests. It observes how those requests move through backend code. You get file names, line numbers (for PHP), and stack traces (for Java and .NET) for each finding. Each Shark Token is generated uniquely per target from the Target configuration panel in Invicti. The default bridge URL is https://iast.invicti.com, which needs to be whitelisted. Bridge URL and port are configurable per target. Proof-Based Integration:::Shark feeds runtime observations into Invicti's Proof-Based Scanning. Reported vulnerabilities include both exploitation proof and the exact code location where the issue exists. ||| Hidden Asset Discovery:::Finds admin panels, undocumented API endpoints, backup files, and hidden form parameters that the external crawler cannot reach. Shark lists every file in the application directory and intercepts variable access. ||| API Security Detection:::Monitors for OWASP API Top 10 issues including BOLA (Broken Object-Level Authorization), IDOR (Insecure Direct Object Reference), and BFLA (Broken Function-Level Authorization). ## What are Invicti Shark (IAST)'s key features? | Feature | Details | |---------|---------| | Supported Languages | PHP, Java, .NET, Node.js | | Scanning Approach | IAST sensor paired with DAST scanner | | Vulnerability Proof | Combined Proof-Based Scanning + runtime observation | | Code Location | File names, line numbers (PHP), stack traces (Java/.NET) | | API Coverage | OWASP API Top 10 (BOLA, IDOR, BFLA) | | Asset Discovery | Hidden endpoints, admin panels, backup files, form parameters | | Bridge URL | https://iast.invicti.com (configurable per target) | | Deployment | Staging/test environments only | ### Hidden asset discovery DAST crawlers only find pages and endpoints linked from other pages. Shark sees everything inside the application directory: - Admin panels with no public navigation links - API endpoints missing from documentation - Backup files and development artifacts - Hidden GET and POST parameters the crawler never encounters So the attack surface Invicti actually tests goes well beyond what crawling alone covers. ### Proof-Based Scanning integration Invicti's Proof-Based Scanning confirms vulnerabilities by safely exploiting them and producing evidence. Shark adds the internal view: it confirms that payloads actually reached vulnerable code, provides the call chain showing the attack path, and verifies that input bypassed sanitiz [...truncated for length...] --- # Invicti URL: https://appsecsanta.com/invicti Description: Invicti delivers 99.98% accuracy with proof-based scanning, according to Invicti. Combined DAST+IAST+SCA with ASPM capabilities. Scales to thousands of apps. Invicti is an enterprise-grade [DAST tool](/dast-tools) that merges DAST, IAST, SCA, and ASPM capabilities into one platform. The tool scans websites and APIs for security vulnerabilities and has been adopted by over 3,600 organizations globally. It evolved from Netsparker, an established dynamic analysis tool. In 2025, the parent company acquired Kondukto for ASPM capabilities. ## What is Invicti? Invicti's main claim is proof-based scanning. When the scanner finds a potential vulnerability, it attempts to safely exploit it to confirm the issue is real. This produces a proof of exploit for each finding, which cuts down false positive triage significantly. The platform crawls up to 2,500 pages by default, with expansion possible to 15,000 pages. Typical scans complete in 8-10 hours depending on application size. | Feature | Details | | -------------------- | -------------------------------------------------- | | Deployment | Cloud (AWS US, AWS EU) and on-premises (Windows) | | Scanning approach | DAST with proof-based verification | | Additional testing | IAST (Shark agent), SCA | | Crawl limit | 2,500 pages default, up to 15,000 | | Scan duration | 8-10 hours typical, 24-hour max | | Authentication | Form-based, HTTP Basic, client certificates, OAuth | | Brute force wordlist | 59 entries default, expandable to 5,000 | | Editions | Standard, Team, Enterprise | | Organizations using | 3,600+ | Proof-Based Scanning:::Automatically exploits detected vulnerabilities in a safe way to confirm they are real. Each confirmed finding includes proof of exploit, reducing false positive triage to near zero. ||| Combined DAST + IAST + SCA:::Single platform covers dynamic testing, interactive testing via the Shark IAST agent, and software composition analysis for third-party library vulnerabilities. ||| Enterprise Scale:::Manages thousands of scan targets with group-based organization, batch scanning, and shared scan profiles. Three editions (Standard, Team, Enterprise) for different team sizes. ## What are Invicti's key features? ### Vulnerability Detection Invicti identifies web application security issues including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities. Note: According to Invicti, the platform achieves 99.98% scan accuracy through proof-based scanning. When a finding is marked as confirmed, the scanner has actually exploited it safely and can show evidence of the vulnerability. ### Software Composition Analysis Beyond vulnerability scanning, the platform catalogs technologies within web applications and flags outdated or vulnerable libraries. ### DevSecOps Integration Most organizations incorporate Invicti into their CI/CD pipelines to ca [...truncated for length...] --- # Jadx URL: https://appsecsanta.com/jadx Description: Free, open-source Android reverse engineering tool. Jadx decompiles APK and DEX to readable Java with GUI and CLI. 47k+ GitHub stars. Jadx is a widely used Android APK decompiler with over 48,100 GitHub stars. Developed by skylot, it is a go-to tool for Android security researchers, developers, and reverse engineers who need to examine compiled Android applications. The tool converts Dalvik bytecode (DEX format) back into readable Java source code with high accuracy. Unlike traditional workflows that required multiple tools chained together, Jadx provides an integrated solution with both graphical and command-line interfaces. Its fast multi-threaded decompilation engine handles modern Android apps efficiently, making it invaluable for security assessments and code analysis. jadx is the standard pick for auditing an Android APK without its source. The CLI decompiles DEX bytecode to readable Java in seconds and exports to an importable Gradle project, so the result loads straight into Android Studio for cross-referencing. When ProGuard strips class names, pointing jadx at the mapping file restores them. ## Using JADX for Android APK Security Analysis JADX is the standard starting point for Android security testing when you need to inspect an APK without its source code. Load the APK into jadx-gui and it decompiles the Dalvik bytecode to readable Java in seconds. From there you can browse activities, services, and broadcast receivers in the AndroidManifest, search for hardcoded API keys and URLs, trace data flows from user input to network calls, and spot insecure storage patterns in SharedPreferences and SQLite. For assessments mapped to OWASP MASVS, JADX covers the static analysis layer — MASVS-STORAGE (insecure data storage), MASVS-CRYPTO (weak algorithms), and MASVS-RESILIENCE (reverse engineering protection). When an APK bundles native `.so` libraries, pair JADX with [Ghidra](/ghidra): JADX handles the Kotlin/Java layer, Ghidra handles the native code. For runtime behavior — certificate pinning bypass, method hooking, dynamic API tracing — [Frida](/frida) or [Objection](/objection) picks up where static decompilation ends. ## What is Jadx? Jadx is a Dex to Java decompiler that processes Android APK files and produces readable Java source code. The decompilation process reverses the compilation that happens when Android apps are built, transforming the optimized bytecode back into human-readable Java that closely resembles the original source. The tool excels at handling complex Android code patterns including lambda expressions, try-with-resources, and other modern Java features. This makes the decompiled output significantly more readable than older decompilers that struggled with these constructs. Jadx-GUI provides a complete IDE-like interface for browsing decompiled code, navigating between classes, searching for strings and methods, and examining AndroidManifest.xml and resource files. The command-line tool (jadx) enables batch processing and integration into automated workflows, making it suitable for CI/CD pipelines and large-scale analysis. APK to Java [...truncated for length...] --- # JFrog Xray URL: https://appsecsanta.com/jfrog-xray Description: JFrog Xray is a binary-level SCA tool that scans compiled artifacts in Artifactory — not source manifests — backed by 2.8M+ malicious artifacts found. JFrog Xray is a binary-level [SCA tool](/sca-tools) that scans compiled artifacts stored in JFrog Artifactory — Docker images, JAR files, and installed packages — rather than source manifests like `package.json` or `pom.xml`. It ships only as an add-on to Artifactory on the Pro X, Enterprise X, or Enterprise+ subscriptions, with no standalone or free-tier option. Sonatype's 9th Annual State of the Software Supply Chain report (2023) found that one in eight open-source downloads carries known and avoidable risks, which makes scanning what you actually deploy a meaningful control. The binary-level distinction matters: source-level scanners read manifests like `package.json` or `pom.xml` at build time and can miss what actually ends up in a compiled artifact. Xray scans the artifact itself — for a Docker image that means the base image, every build layer, and all installed packages; for a Java application it traces through nested JARs and their transitive dependencies. That depth catches vulnerabilities that source-level scanners never see. I come across JFrog Xray in teams that already run Artifactory. It scans binaries at the repository level for known CVEs and license issues, and the policy engine can block a build promotion when a new vulnerability lands. The value is the Artifactory tie-in. As a standalone SCA I would reach for something else, but if you are already on the JFrog Platform, Xray is the sensible way to get supply-chain coverage without adding another tool to the stack. ## What is JFrog Xray? JFrog Xray is a software composition analysis (SCA) tool built into the JFrog Platform that scans compiled artifacts in JFrog Artifactory — Docker images, JAR files, npm packages — for known vulnerabilities, license risks, and malicious components. Unlike source-level SCA tools that read manifest files at build time, Xray analyzes the binary artifact itself, so it sees what actually ships instead of what the manifest claimed. Xray draws on the NVD, GitHub Advisories, and JFrog Security Research data (the team has catalogued more than 2.8 million malicious artifacts to date) and covers the package types most shops care about: Docker, npm, Maven, PyPI, NuGet, Go, Cargo, Composer, RubyGems, and Conan. Deep Recursive Scanning:::Analyzes the complete dependency graph of every artifact, tracing through all layers and transitive dependencies. Catches vulnerabilities hidden in nested components that surface-level scanning misses. ||| Impact Analysis:::When a new CVE drops, shows every artifact, build, and deployment affected across your Artifactory instance. Replaces an afternoon of grepping build logs with one query. ||| Policy-Based Gates:::Policies can block downloads, fail builds, or fire alerts based on CVE severity, specific CVE IDs, license types, CVSS scores, or component age. ## What are JFrog Xray's key features? ### Supported artifact types | Artifact type | Package formats | |---------------|----------------| | Java | Maven (JAR, [...truncated for length...] --- # Jit URL: https://appsecsanta.com/jit Description: Jit combines AI security agents with built-in SAST, SCA, secrets, IaC, CSPM, and DAST scanning. Pre-built Security Plans map to SOC 2, AWS FTR, and more. Jit is an AI agent [ASPM](/aspm-tools) platform for product security teams. It bundles its own SAST, SCA, secrets detection, IaC, CSPM, DAST, and container scanning with AI agents that automate triage, remediation, and compliance work. Everything runs through what Jit calls the Company Context Graph, a knowledge graph that maps code repositories to cloud infrastructure, team ownership, and business context. Agents use this graph when analyzing and prioritizing findings. The company is headquartered in Boston, backed by Tiger Global, Insight Partners, Boldstart Ventures, FXP, and TechAviv. SOC 2 Type 2 certified and an AWS Partner. ## What is Jit? Jit started as a developer-first ASPM platform and has since repositioned around AI agents. Unlike aggregation-focused ASPM tools that expect you to bring your own scanners, Jit ships its own scanning engines and puts AI agents on top to handle analysis, triage, and remediation. Three ideas hold the platform together: Company Context Graph:::Maps your codebase, cloud resources, team structure, and business priorities into a single graph. Agents see where affected code sits in your architecture, who owns it, and whether it's reachable in production. ||| AI Agents:::Three types — Core Agents for security analysis, Pre-Built Agents for triage and fix generation, and Custom Agents for your own workflows. All follow a four-step loop: Plan, Execute, Reflect, Respond. ||| Security Plans:::Packages of scanning controls and policies tied to a specific goal. Pick a plan (say, SOC 2) and Jit turns on the right scanners and checks for you. ## What are Jit's key features? ### AI security agents Jit's agent system is the main differentiator from traditional ASPM tools: - **Core Agents** analyze findings, prioritize by context, and correlate issues across code and cloud using the Company Context Graph - **Pre-Built Agents** handle common jobs: triaging vulnerabilities, opening fix PRs, collecting compliance evidence - **Custom Agents** let teams build their own agents for organization-specific security workflows - All agents follow a four-step loop: Plan (break the task down), Execute (take actions), Reflect (check the results), Respond (deliver output) Unlike traditional ASPM tools that aggregate findings from external scanners, Jit's agents use the Company Context Graph to understand reachability, ownership, and business impact before prioritizing a vulnerability. ### Built-in security scanning Jit runs its own scanners rather than wrapping third-party tools. All scans execute in Jit's managed infrastructure, not in your CI/CD pipelines. - **SAST** - Static analysis of source code for security vulnerabilities - **SCA** - Dependency vulnerability detection and analysis - **Secrets Detection** - Scanning for exposed credentials and API keys - **IaC Security** - Infrastructure-as-code misconfiguration detection (Terraform, CloudFormation, Kubernetes) - **CSPM** - Cloud security posture management for AWS, A [...truncated for length...] --- # KICS URL: https://appsecsanta.com/kics Description: KICS by Checkmarx scans 22+ IaC platforms with 2,400+ Rego-based queries. Open-source scanner for Terraform, Kubernetes, Ansible, OpenAPI, and more. 2.4M+. KICS (Keeping Infrastructure as Code Secure) is an open-source IaC scanner built by Checkmarx. It scans Terraform, CloudFormation, Kubernetes, Docker, Ansible, Helm, OpenAPI, and 15+ other platforms for security misconfigurations. Written in Go, distributed as a single binary or Docker image. 2.4 million Docker pulls. The tool ships with 2,400+ security queries organized by category and severity. Queries are written in Rego, the same policy language behind Open Policy Agent. ## What is KICS? Checkmarx released KICS in 2020 as an open-source companion to their commercial SAST/DAST platform. The name stands for "Keeping Infrastructure as Code Secure." It's written in Go, which means a single binary with no runtime dependencies. 97 releases so far, 9,700+ commits, 141+ contributors. GitLab, Cisco, and Orca Security use it in production. What separates KICS from other [IaC security tools](/iac-security-tools): 22+ Platform Coverage:::Among the widest IaC coverage of any open-source scanner. Terraform, Kubernetes, Ansible, OpenAPI, gRPC, Bicep, Pulumi, Crossplane, GitHub Workflows, and more. ||| Rego-Based Queries:::All 2,400+ queries are OPA policies. Teams that already know Rego from Conftest or Gatekeeper can write custom queries without learning another language. ||| 10 Output Formats:::JSON, SARIF, HTML, PDF, JUnit XML, CSV, CycloneDX, GitLab SAST, SonarQube, Code Climate, and AWS ASFF. Pick what fits your pipeline. ## What are KICS's key features? | Feature | Details | |---|---| | **Security queries** | 2,400+ built-in, organized by category and severity | | **Query language** | Rego (Open Policy Agent) | | **Supported platforms** | 22+: Terraform, CloudFormation, Kubernetes, Docker, Ansible, Helm, OpenAPI 2.0/3.0, gRPC, ARM, Bicep, Azure Blueprints, GDM, SAM, CDK, Docker Compose, Pulumi, Crossplane, Knative, Serverless, GitHub Workflows, OpenTofu, Databricks | | **Severity levels** | Critical, High, Medium, Low, Info, Trace | | **Exit codes** | 60 (Critical), 50 (High), 40 (Medium), 30 (Low), 20 (Info) | | **Output formats** | JSON, SARIF, JUnit XML, HTML, PDF, CSV, CycloneDX, GitLab SAST, SonarQube, Code Climate, ASFF | | **Config formats** | JSON, YAML, TOML, HCL (auto-detected from kics.config) | | **Remote scanning** | S3 buckets, Git repos (HTTPS/SSH), Google Cloud Storage | | **IDE support** | VS Code extension with real-time scanning | | **License** | Apache 2.0 | ## Rego-based queries The Rego-based query system is where KICS really differs from tools like [Checkov](/checkov). Each query runs as an independent OPA policy. If your team already knows Rego from Conftest or OPA Gatekeeper, you can write custom queries without picking up another language. Queries receive the parsed IaC document as input and return structured results with expected vs. actual values, file locations, and remediation hints. ```rego package Cx CxPolicy[result] { resource := input.document[i].resource.aws_s3_bucket[name] not resource.version [...truncated for length...] --- # Kingfisher URL: https://appsecsanta.com/kingfisher Description: Kingfisher is MongoDB's open-source Rust secret scanner with 942 detection rules, 484 live validators, blast-radius mapping, and direct token revocation. ## What is Kingfisher? Kingfisher is an open-source secret scanner built in Rust by [MongoDB](https://www.mongodb.com/) that finds, validates, and revokes leaked credentials across codebases, Git history, cloud storage, and developer platforms. It ships 942 detection rules, performs live API validation for 484 of those detectors, and maps each confirmed credential to the cloud resources it can actually reach. The project was created by [Mick Grove](https://www.linkedin.com/in/mickgrove/), a Staff Security Engineer at MongoDB. He started Kingfisher in July 2024 as a personal project, and MongoDB open-sourced the result on June 16, 2025 under Apache 2.0. Frustrated by the performance issues, limited flexibility, and high false positive rates of existing open source secret scanners, I started building my own tool in July 2024. Kingfisher began as a fork of Praetorian's Nosey Parker but has since been re-engineered around Intel's Hyperscan SIMD regex engine, Tree-sitter parsers for 16 programming languages, and a multi-stage pipeline that chains regex matching, parser context verification, entropy filtering, checksum verification, and live API validation. The result is a scanner that answers the harder triage question — not "does this look like a secret" but "is it real, who owns it, and what can an attacker do with it." **License:** Apache 2.0 (no usage limits, telemetry, or vendor lock-in) **Maintainer:** [MongoDB](https://www.mongodb.com/) — primary author [Mick Grove](https://www.linkedin.com/in/mickgrove/) **Repo:** [github.com/mongodb/kingfisher](https://github.com/mongodb/kingfisher) — 1,000+ stars, 87 releases **Detection:** 942 rules (484 with live validation) across 16 programming languages **Scan sources:** 18+ targets — Git, GitHub, GitLab, Docker, S3, GCS, Jira, Confluence, Slack, Teams, Hugging Face, and more I have been tracking secret scanners since the original Nosey Parker release, and Kingfisher is the first OSS scanner I have seen that ships every layer of the find-validate-revoke loop in a single binary. Most teams currently stitch this together from TruffleHog (validation), a custom AWS access-key auditor (blast radius), and a cloud IAM script (revocation). Live Credential Validation:::484 of the 942 detectors call the issuing provider's API to confirm the secret is still active, separating real incidents from historical noise ||| Access Map Blast Radius:::Maps each validated credential to its cloud identity, accessible resources, and permission scopes across 42 providers — answering "what can an attacker do with this" ||| Direct Revocation:::`kingfisher revoke` invalidates leaked credentials for supported platforms (GitHub, GitLab, Slack, AWS, GCP, and more) from the same CLI that found them ## What are Kingfisher's key features? Kingfisher's feature set covers detection, validation, blast-radius mapping, and revocation in a single Apache 2.0 binary — the four capabilities that other OSS scanners typically split acro [...truncated for length...] --- # Kiuwan Code Security URL: https://appsecsanta.com/kiuwan Description: Kiuwan scans 30+ languages including COBOL, RPG4, and ABAP. Combines code quality with security. Part of Sembi (IDERA). OWASP, CWE, and PCI DSS compliance. Kiuwan Code Security is a cloud-based [SAST](/sast-tools) platform that scans 30+ programming languages for security vulnerabilities and code quality issues. Founded in 2003 and now part of the Sembi portfolio (IDERA, Inc.), Kiuwan has over 20,000 users across 300+ organizations. 30+ Languages:::Scans ABAP, COBOL, RPG4, Java, C#, JavaScript, Python, PHP, Go, Kotlin, Swift, Scala, Perl, Groovy, Oracle Forms, and more. One of the few SAST tools covering legacy mainframe languages. ||| Security + Quality:::Combines vulnerability detection with code quality metrics, technical debt tracking, and maintainability scoring in one platform. Maps findings to OWASP Top 10, CWE, SANS 25, and PCI DSS. ||| Local Scan, Cloud Report:::The Kiuwan Local Analyzer scans source code on your infrastructure — code never leaves your machine. Results upload encrypted to the Kiuwan cloud for analysis, dashboards, and team collaboration. Kiuwan cloud dashboard: project overview with security metrics and compliance status ## What is Kiuwan? Kiuwan takes a hybrid approach to static analysis. The Local Analyzer runs on your machine or CI server and scans source code without sending it externally. Encrypted results then upload to the Kiuwan cloud, where the platform calculates metrics, generates reports, and provides team dashboards. This means source code stays local while teams get centralized reporting, trend analysis, and collaboration features through the cloud interface. Kiuwan maps findings to OWASP Top 10, CWE, SANS 25, PCI DSS, ISO 25000, CERT, and NIST standards. According to PCI DSS Requirement 6.3, organizations processing payment data must use application security testing to identify vulnerabilities in custom code, which Kiuwan's compliance mapping directly addresses. Kiuwan SAST results view: findings list with severity ratings, CWE mappings, and remediation guidance ## What are Kiuwan Code Security's key features? ### Legacy language support Most modern SAST tools skip languages like COBOL, RPG4, ABAP, and Natural. Kiuwan supports them alongside modern languages, which matters for organizations running mixed technology stacks with mainframe applications. | Category | Languages | |----------|-----------| | Enterprise | Java, C#, VB.NET, COBOL, ABAP, RPG4, Natural | | Web | JavaScript, PHP, Python, Ruby, Go, Perl | | Mobile | Kotlin, Swift, Objective-C | | Database | PL/SQL, Transact-SQL | | Other | Groovy, Scala, Oracle Forms, Oracle Apex, JCL, PowerScript | ### Technical debt tracking Kiuwan calculates a technical debt score that estimates remediation effort in concrete terms. Development managers can set quality gates that block releases when debt passes a threshold. The platform tracks how debt changes over time, so teams can see whether code health is improving or degrading. ### Customizable rules Kiuwan ships with thousands of built-in rules. Teams can enable or disable individual rules, adjust severity levels, create custom rules for inte [...truncated for length...] --- # Klocwork URL: https://appsecsanta.com/klocwork Description: Independent Klocwork review. 2,000+ checkers, TÜV SÜD certified for ISO 26262. MISRA, AUTOSAR, and CERT compliance for safety-critical C/C++. Klocwork is a [SAST](/sast-tools) tool from Perforce Software built for safety-critical and security-sensitive development. It supports C, C++, C#, Java, JavaScript, Python, and Kotlin, with particular depth in C/C++ analysis for automotive, medical, industrial, and aerospace applications. Klocwork Validate Platform — findings panel with source code view and issue details 2,000+ Checkers:::Over 1,000 checkers for C/C++ alone, plus 383 for Java, 119 for C#, 722 for JavaScript, 335 for Python, and 251 for Kotlin. Covers security, quality, and coding standards. ||| Safety Certified:::TÜV SÜD certified for ISO 26262 (automotive), IEC 61508 (industrial), EN 50128 (railway), IEC 60880 (nuclear), and IEC 62304 (medical). Supports DO-178B/C for aerospace. ||| Differential Analysis:::Analyzes only changed files to deliver fast results without sacrificing precision. Integrates with CI/CD for continuous compliance checking on every commit. ## What is Klocwork? Klocwork detects security vulnerabilities, coding standard violations, and reliability issues in C, C++, C#, Java, JavaScript, Python, and Kotlin. It natively supports over 50 compiler environments, which matters for embedded and safety-critical projects that use specialized toolchains. The differential analysis engine is the key workflow feature. Instead of re-scanning an entire codebase on every commit, Klocwork analyzes only the changed files and delivers results quickly. Teams use this for continuous compliance — every commit gets checked against MISRA, AUTOSAR, CERT, or whatever standard applies. ## What are Klocwork's key features? ### Compliance standards Klocwork covers both security and safety standards: | Domain | Standards | |--------|-----------| | Security | CERT C/C++, CWE, OWASP Top 10, DISA STIG, PCI DSS, ISO/IEC TS 17961 | | Automotive | MISRA C (2004, 2012, 2023), MISRA C++, AUTOSAR C++14 | | Aerospace | DO-178B/C (via DO-330), JSF AV C++, NASA's 10 Rules | | Industrial | IEC 61508, EN 50128 | | Medical | IEC 62304 | | Nuclear | IEC 60880 | ### IDE and CI/CD integration Klocwork provides plugins for Visual Studio, Eclipse, IntelliJ IDEA, and VS Code. Developers see findings directly in their editor as they code. For CI/CD, Klocwork integrates with Jenkins, GitHub Actions, Azure DevOps, and GitLab CI. The custom Jenkins plugin was deprecated in favor of native integration starting from Klocwork 2024.2, giving teams more flexibility in how they connect pipelines. Klocwork security report dashboard — vulnerability trends, severity distribution, and CWE-mapped finding list ### Perforce Validate Platform Klocwork integrates with the Perforce Validate Platform for centralized reporting across projects. Project Streams manage shared codebases with multiple variants — common in automotive and embedded development where a single codebase produces multiple firmware builds. Klocwork is used across defense, aerospace, automotive, communications, power electronics, and medical [...truncated for length...] --- # Knostic URL: https://appsecsanta.com/knostic Description: Knostic provides need-to-know access controls for LLMs, preventing AI oversharing in enterprise tools like Copilot and Glean. RSA + Black Hat double award winner. Knostic is the first [AI security](/ai-security-tools) platform built to enforce need-to-know access controls for enterprise large language models, preventing AI tools like Microsoft 365 Copilot, Glean, and Google Gemini from oversharing sensitive corporate data to unauthorized users. Founded in 2023 by cybersecurity veterans Gadi Evron (former CISO of the Israeli National Digital Authority) and Sounil Yu (creator of the Cyber Defense Matrix), Knostic addresses a problem unique to the enterprise AI era: LLM-based assistants connect to vast corporate data stores and can surface salary data, M&A details, or strategy documents to anyone who asks the right question. Unlike traditional data-level access controls, Knostic enforces policies at the AI inference layer. Knostic has raised $19.3 million in total funding, including $11 million in March 2025. It is the only startup to win both the RSA Conference 2024 Launch Pad and the Black Hat 2024 Startup Spotlight competitions. It was also named a Top 10 Finalist in the RSAC 2025 Innovation Sandbox Contest, receiving a $5 million investment from Crosspoint Capital Partners. ## Key Features at a Glance | Feature | Details | | ---------------------------- | --------------------------------------------------------------------------------------------------------- | | **Need-to-Know Enforcement** | Inference-time access policies that control what each LLM response reveals based on user role and context | | **Oversharing Detection** | Pre-deployment query simulation that discovers AI data leakage paths before real users hit them | | **Microsoft 365 Copilot** | Monitors and controls Copilot access to Teams, SharePoint, OneDrive, and other M365 sources | | **Glean & Gemini** | Detects oversharing across Glean enterprise search and Google Gemini Workspace deployments | | **Custom LLM Coverage** | Protects internally built AI applications and chatbots with custom policy enforcement | | **Dynamic Redaction** | Removes sensitive elements from AI responses while keeping the rest useful | | **Audit Trails** | Full logging of queries, responses, and data sources for compliance and regulatory reviews | | **Continuous Monitoring** | Re-tests as data sources change, new documents are added, and permissions shift | ## Overview Traditional access controls work at the data level, restricting who can open which files or folders. But enterprise LLMs operate at the knowledge level. They read across thousands of documents and synthesize answers, which means an employee might not have direct access to a confidential file but can still extract its contents by asking the AI assistant a carefully worded question. Compared to data-level [...truncated for length...] --- # kube-bench URL: https://appsecsanta.com/kube-bench Description: kube-bench is an open-source tool by Aqua Security that checks Kubernetes clusters against CIS Kubernetes Benchmark. Supports EKS, GKE, AKS, OpenShift, and k3s. kube-bench is an open-source tool by Aqua Security that checks whether Kubernetes clusters are deployed according to the CIS Kubernetes Benchmark. It automates compliance validation for control plane, worker node, etcd, and policy configurations across 12+ Kubernetes distributions. 7.9k GitHub stars, 1.3k forks. ## What is kube-bench? kube-bench is a Go-based CLI tool that automates CIS Kubernetes Benchmark compliance checks. The CIS Kubernetes Benchmark is an industry-standard set of recommendations for configuring Kubernetes securely. kube-bench runs through each CIS recommendation, tests the cluster configuration, and reports what passes, what fails, and how to fix the failures. The tool covers five areas from the CIS Benchmark: control plane components (API server, controller manager, scheduler), etcd, control plane configuration, worker nodes, and Kubernetes policies. Each check maps directly to a numbered CIS recommendation with a pass, fail, or warning result. ## What Kubernetes distributions does kube-bench support? kube-bench auto-detects the Kubernetes version and selects the correct benchmark. It supports 12+ CIS Benchmark versions for vanilla Kubernetes (1.15 through 1.34) and distribution-specific benchmarks for managed and specialized platforms: | Platform | Benchmark versions | |---|---| | **Kubernetes** | CIS 1.5.1, 1.6.0, 1.20, 1.23, 1.24, 1.7, 1.8, 1.9, 1.10, 1.11, 1.12 | | **Amazon EKS** | CIS 1.0.1, 1.1.0, 1.2.0, 1.5.0 | | **Google GKE** | CIS 1.0.0, 1.2.0, 1.6.0 | | **Azure AKS** | CIS 1.0.0, 1.7.0 | | **Alibaba ACK** | CIS 1.0.0 | | **Red Hat OpenShift** | CIS OCP 3.10–3.11, OCP4 1.1.0+ | | **k3s** | CIS 1.6, 1.7, 1.24, 1.25 | | **RKE / RKE2** | Multiple versions | | **RKE / RKE2** | Multiple versions | The distribution mapping matters more than it looks: the CIS Benchmark version that ships with kube-bench tracks the version of Kubernetes you're running, not the kube-bench release. Kubernetes 1.27+ aligns with CIS 1.10 on vanilla clusters; EKS aligns with the EKS-specific CIS 1.5.0 (the latest published by CIS at the time of writing). The CIS Center publishes new benchmarks roughly quarterly, and kube-bench releases (currently v0.13.0 / v0.14.0 in late 2025) ship updated YAML definitions soon after. For managed services like EKS, GKE, and AKS, kube-bench skips control plane checks since those nodes are not accessible — it focuses on worker node and policy configurations instead. ## How does kube-bench work? kube-bench uses YAML-based test definitions where each CIS recommendation maps to a file specifying what command to run, what output to expect, and the remediation steps if the check fails. This YAML-driven approach makes it straightforward to customize checks or add organization-specific policies on top of the CIS baseline. kube-bench can run three ways: - **Kubernetes Job** — the recommended approach for most clusters. Deploy a Job that runs kube-bench against the node it lands on, then collect results from [...truncated for length...] --- # KubeArmor URL: https://appsecsanta.com/kubearmor Description: CNCF Sandbox runtime security using Linux Security Modules and eBPF. Enforces least-privilege policies for pods, containers, and VMs. 2.1k GitHub stars. KubeArmor is a CNCF Sandbox runtime security enforcement system that restricts container and pod behavior at the kernel level using Linux Security Modules (LSMs) and eBPF. Unlike detection-only tools, KubeArmor actively prevents policy violations by enforcing controls on process execution, file access, and network operations. The project has 2.1k GitHub stars, 121 contributors, and over 1.2 million downloads. The latest release is v1.6.8 (February 2026). KubeArmor is available on the AWS, Red Hat, Oracle, and DigitalOcean marketplaces. It was the first Kubernetes security engine to use BPF-LSM for inline mitigation. ## What is KubeArmor? KubeArmor deploys as a non-privileged DaemonSet on Kubernetes nodes. When workloads start, it applies security policies that define allowed behaviors. Any attempt to violate a policy — a container trying to execute an unauthorized binary or access a restricted file — is blocked by the LSM before it can occur. The tool uses eBPF to instrument kernel security hooks with minimal overhead. KubeArmor automatically selects the most appropriate LSM based on what's available in the kernel (AppArmor, SELinux, or BPF-LSM). Policies are defined using Kubernetes CRDs that specify match criteria (which pods or namespaces to apply to) and security rules (what behaviors to allow or deny). Teams can write custom policies or use pre-built policy libraries based on compliance frameworks like CIS, MITRE ATT&CK, NIST 800-53, and STIGs. Least-Privilege Enforcement:::Automatically restricts workloads to only necessary capabilities, reducing attack surface without manual security context configuration ||| Zero-Code Hardening:::Apply security policies to existing applications without modifying code, rebuilding images, or changing deployment manifests ||| Compliance Libraries:::Deploy pre-built policies based on CIS, MITRE, NIST, and STIG frameworks to meet regulatory requirements out-of-the-box ## What are KubeArmor's key features? | Feature | Details | |---------|---------| | Enforcement mechanism | Linux Security Modules (AppArmor, SELinux, BPF-LSM) | | Instrumentation | eBPF-based telemetry with container/pod/namespace identities | | Policy scope | Process execution, file access, network operations | | Compliance rules | [MITRE ATT&CK](https://attack.mitre.org/matrices/enterprise/containers/), STIGs, [CIS](https://www.cisecurity.org/cis-benchmarks)-based pre-built policies | | Deployment | Non-privileged DaemonSet on Kubernetes, containers, VMs/bare-metal | | Marketplaces | AWS, Red Hat, Oracle, DigitalOcean | | CNCF status | Sandbox | | License | Apache 2.0 | ### Multi-LSM Support KubeArmor works with AppArmor on Ubuntu/Debian systems, SELinux on Red Hat/CentOS, and BPF-LSM on modern kernels (5.7+). This flexibility covers different Linux distributions and Kubernetes environments. **Process Control**: Policies can restrict which binaries containers can execute. For example, a web server container might be limited to runn [...truncated for length...] --- # Kubescape URL: https://appsecsanta.com/kubescape Description: Kubescape is a CNCF Kubernetes security platform trusted by 25,000+ organizations. Scans clusters against CIS, NSA-CISA, and MITRE ATT&CK frameworks. Kubescape is an open-source Kubernetes security platform. It scans clusters, manifests, and container images for misconfigurations and vulnerabilities. You can run it as a CLI tool or deploy it as an in-cluster operator. ARMO created Kubescape and donated it to the CNCF, where it sits as an incubating project. 11.1k GitHub stars, 894 forks. More than 25,000 organizations run it, including Intel, AWS, and Bitnami. ## What is Kubescape? It started life as a misconfiguration scanner. Now it validates configurations against CIS Benchmarks, NSA-CISA hardening guidance, and the MITRE ATT&CK framework for containers — plus image scanning, runtime detection, and network policy generation. CLI scanning:::Scans YAML manifests, Helm charts, Kustomize directories, and container images before they reach a cluster. Caches controls locally for offline use. ||| In-cluster operator:::Microservices deployed via Helm that provide continuous scanning, runtime threat detection via eBPF, and network policy recommendations. ||| Auto-remediation:::The `fix` command corrects misconfigurations in YAML files. The `vap` command generates Validating Admission Policies to block non-compliant resources at deploy time. ## What are Kubescape's key features? | Feature | Details | |---|---| | **Compliance frameworks** | [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes), [NSA-CISA](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF), [MITRE ATT&CK](https://attack.mitre.org/matrices/enterprise/containers/), SOC 2 | | **Policy engine** | Open Policy Agent (OPA) with Rego controls from public Regolibrary | | **Image scanning** | Grype-based CVE detection in base images and dependencies | | **Image patching** | Copacetic rebuilds images with updated packages without changing the application layer | | **Runtime monitoring** | eBPF via Inspektor Gadget — watches system calls, network connections, file access | | **Network policies** | Observes real traffic patterns and generates least-privilege NetworkPolicy resources | | **Risk scoring** | 0–100 per control, with severity threshold flags for CI/CD gating | | **Output formats** | Pretty-printed tables, JSON, JUnit XML, SARIF, HTML, PDF | | **IDE support** | VS Code, Lens | | **CI/CD integrations** | GitHub Actions, GitLab CI, Jenkins, CircleCI, pre-commit hooks | ## Architecture Kubescape runs in two modes. The CLI is a standalone binary for pre-deployment scanning. The operator is a Helm-deployed set of microservices for continuous in-cluster monitoring. Open Policy Agent runs the policy engine. Controls are written in Rego and live in a public repo called Regolibrary. After the first run, the CLI caches controls locally — scans work offline from that point. ### Operator components The operator has four main pieces: - **kubescape** — misconfiguration scanning (same engine as the CLI) - **kubevuln** — image vulnerability scanning using Grype [...truncated for length...] --- # Kyverno URL: https://appsecsanta.com/kyverno Description: CNCF Incubating policy engine for Kubernetes using YAML and CEL. Validate, mutate, generate, and clean up resources. Used by 1,000+ organizations. 7.4k. Kyverno is a CNCF Incubating Kubernetes policy engine that uses standard YAML and Common Expression Language (CEL) instead of proprietary policy languages. Originally contributed by Nirmata, it has 7.4k GitHub stars, 466 contributors, and is used by over 1,000 organizations in production — including Adidas, Bloomberg, LinkedIn, Spotify, Vodafone, and the US Department of Defense. The latest release is v1.17.0 (February 2026). Kyverno validates, mutates, generates, and cleans up Kubernetes resources, Terraform plans, Dockerfiles, and HTTP requests. It also verifies container image signatures using Sigstore Cosign and Notary. ## What is Kyverno? Kyverno runs as a Kubernetes admission controller that intercepts API requests before resources are persisted to etcd. It checks resources against loaded policies and takes action based on the policy type — blocking non-compliant resources, modifying them to meet standards, or allowing them through. Policies are managed using the same tools and workflows as other Kubernetes resources: kubectl, kustomize, and Git. This design eliminates the need for teams to learn a separate policy language. Version 1.15+ introduced five new policy types, including ValidatingPolicy and MutatingPolicy that extend Kubernetes' native ValidatingAdmissionPolicy and MutatingAdmissionPolicy. Kyverno now supports any payload type beyond just Kubernetes resources, including Terraform plans and Dockerfiles. YAML-Native Policies:::Define policies using standard Kubernetes YAML without learning Rego or other DSLs, reducing cognitive overhead ||| CEL Expression Language:::Use Common Expression Language for complex logic, the same language adopted by Kubernetes ValidatingAdmissionPolicy ||| Resource Generation:::Automatically create ConfigMaps, NetworkPolicies, or other resources when workloads are deployed, ensuring consistent configuration ## What are Kyverno's key features? | Feature | Details | | ------------------ | --------------------------------------------------------------------------------- | | Policy language | Kubernetes YAML and Common Expression Language (CEL) | | Policy actions | Validate, mutate, generate, clean up | | Payload types | Kubernetes resources, Terraform plans, Dockerfiles, HTTP requests, Envoy requests | | Image verification | Sigstore Cosign, Notary | | Scanning modes | Admission control (enforce/audit) and background scanning | | CLI tooling | Policy testing, validation, and offline evaluation | | CNCF status | [Incubating](https://www.cncf.io/projects/kyverno/) | | Adoption | 1,000+ organizations in production | ## [...truncated for length...] --- # Lasso Security URL: https://appsecsanta.com/lasso-security Description: Lasso Security is an end-to-end GenAI security platform with shadow AI discovery, automated red teaming, real-time guardrails, and sub-50ms classification speed. Lasso Security is an [AI security](/ai-security-tools) platform that provides end-to-end protection for enterprise GenAI adoption through a five-pillar framework: Discover, Assess, Test, Enforce, and Protect. The platform processes security decisions in under 50 milliseconds with 99.8% detection accuracy, making it one of the faster options in the AI security space alongside tools like Lakera Guard. Founded in 2023 by Elad Schulman (CEO), Ophir Dror (CPO), Lior Ziv (CTO), and Yuval Abadi (COO), Lasso Security is an Israeli cybersecurity company that emerged from stealth with a $6 million seed round led by Entree Capital. The company has since raised $28 million in total funding from investors including Samsung Next, Singtel Innov8, Selah Ventures, and ClearSky. The board includes Naftali Bennett (former Israeli Prime Minister and former CEO of Cyota, acquired by RSA) and Dean Sysman (co-founder of Axonius). Customers include the US Department of Homeland Security, eToro, Kaltura, Artlist, Optibus, Guesty, Telit, and Nayax. Lasso has also received the Global InfoSec Awards Winner 2026, InfoSec Award 2025, and Forum IT 100 recognition. The company is an AWS Startup participant and Microsoft for Startups member. ## What is Lasso Security? Lasso Security takes a lifecycle approach to GenAI protection through a five-pillar framework: Discover, Assess, Test, Enforce, and Protect. Each pillar addresses a different stage of the AI security challenge, from finding out what AI tools employees are using to blocking attacks against production AI systems in real time. The platform processes decisions in under 50 milliseconds with 99.8% detection accuracy across content, context, and intent analysis. Lasso claims this is 570x more cost-effective than cloud-native guardrails, based on vendor benchmarks. For agentic AI specifically, Lasso developed the Intent Security Framework — a behavioral baseline approach that monitors not just what AI agents do, but what they intend to do. This is critical as organizations deploy autonomous agents that interact with tools, data sources, and MCP servers without direct human oversight. Shadow AI Discovery:::Identifies every AI model, agent, and application across the organization — including unapproved tools employees are using without IT knowledge. Maps the full AI inventory to eliminate blind spots. ||| Automated Red Teaming:::Tests AI resilience using over 3,000 attack types and adversarial techniques. Covers prompt injection, jailbreaks, data extraction, and model manipulation to find vulnerabilities before attackers do. ||| Intent Security Framework:::Behavioral baseline detection designed specifically for agentic AI. Monitors intent behind AI interactions, secures MCP server communications, and enforces behavioral specifications on autonomous agent workflows. ## What are Lasso Security's key features? | Feature | Details | | ----------------- [...truncated for length...] --- # Legit Security URL: https://appsecsanta.com/legit-security Description: Legit Security provides AI-native ASPM with native SAST, SCA, and secrets scanning. 120+ integrations, code-to-cloud pipeline security for Fortune 500. Legit Security is an AI-native [ASPM](/aspm-tools) platform that provides end-to-end software supply chain protection. The platform discovers and maps the entire software development lifecycle, continuously inventories assets and security controls, and surfaces risks for remediation across 120+ integrations. Legit Security is recognized as a leader in application security posture management, serving Fortune 500 organizations that need visibility across complex development environments with hundreds of pipelines and thousands of developers. The company has raised $70 million in funding to date. ## What is Legit Security? Legit addresses a gap that most security tools leave open: the space between code and production. Rather than focusing on a single testing technique, the platform maps the entire software delivery process and identifies risks at every stage. Discover:::Maps your entire SDLC automatically, inventorying code repositories, build pipelines, artifact registries, deployment targets, and the security controls protecting each stage. ||| Protect:::Monitors CI/CD pipelines for misconfigurations, detects insecure setups, enforces hundreds of security policies, and prevents supply chain attacks at the pipeline level. ||| Remediate:::AI agents suggest specific code fixes, create tickets with full context, and track remediation through to validation. Prioritization is based on business risk, not just severity scores. The platform starts at the developer endpoint where AI code is generated and extends through to production, combining code-level analysis with workflow orchestration. ## What are Legit Security's key features? ### Code-to-cloud coverage Legit provides visibility across the entire software delivery chain: | Stage | What Legit monitors | | ----------- | ------------------------------------------------------------- | | Development | Developer tools, AI code assistants, IDE plugins | | Source code | Repositories, branches, pull requests, code changes | | Build | CI/CD pipelines, build configurations, artifact integrity | | Test | Security scanning results, policy compliance, quality gates | | Deploy | Deployment targets, environment configurations, release gates | | Production | Runtime posture, drift detection, material changes | This coverage means security teams see what happens at every stage rather than just scanning code in isolation. ### CI/CD pipeline security Legit continuously monitors CI/CD pipelines to detect misconfigurations and insecure setups that could enable supply chain attacks: - Detects overprivileged service accounts and tokens - Identifies missing branch protection rules - Flags unsigned commits and artifacts - Monitors for dependency confusion risks - Alerts on pipeline injection vulnerabilities Legit treats the CI/CD pipeline as an attack surface, not just a deployment mechanism. Pipeline mi [...truncated for length...] --- # Levo.ai URL: https://appsecsanta.com/levo-ai Description: Levo.ai uses eBPF for agentless API discovery, auto-generates OpenAPI specs, and tests against OWASP API Top 10. Now covers AI agent and LLM security. Levo.ai is an [API security](/api-security-tools) platform that uses eBPF technology to discover APIs automatically, generate accurate OpenAPI specifications from real traffic, and test APIs for vulnerabilities without code changes or agent deployment. The platform has expanded from traditional API security into AI application security, covering AI agents, LLMs, MCP servers, and vector stores with the same runtime observability approach. ## What is Levo.ai? Most API security tools require you to know what APIs exist before you can secure them. Levo flips that model by observing actual traffic to discover APIs automatically, then securing what it finds. Discover:::eBPF sensors capture API traffic at the kernel level. Every endpoint, schema, authentication method, and data type is cataloged automatically, including shadow, zombie, and undocumented APIs. ||| Test:::Auto-generated OpenAPI specs feed directly into security testing. The platform tests against OWASP API Top 10, authorization bypasses, and business logic flaws with zero manual configuration. ||| Monitor:::Runtime observability detects drift, anomalies, and policy violations across APIs and AI components. Sensitive data flows are tracked without sending data to the cloud. Levo's approach eliminates the manual work of maintaining API inventories and writing test cases. The platform builds both from observed traffic. ## What are Levo.ai's key features? ### eBPF-powered API discovery Levo's eBPF sensor operates at the Linux kernel level, observing network traffic without modifying applications: | What eBPF captures | Why it matters | |--------------------|---------------| | API endpoints and paths | Complete inventory including undocumented APIs | | Request/response schemas | Accurate data models from real traffic | | Authentication methods | Identifies APIs with missing or weak auth | | Data types and sensitivity | Flags PII, PHI, and secrets in API payloads | | Rate limits and quotas | Maps API usage patterns and constraints | Because eBPF works at the kernel level, it catches all API traffic regardless of protocol, framework, or language. No code changes, no SDK integration, no proxy deployment. Levo discovers APIs that teams forgot about, undocumented endpoints that developers created for debugging, and deprecated APIs still receiving traffic. These shadow and zombie APIs are among the most common attack vectors because they often lack authentication, rate limiting, and monitoring. ### Automatic OpenAPI spec generation Levo generates OpenAPI specifications from observed traffic rather than requiring teams to maintain specs manually: - Specs reflect actual API behavior, not just what documentation says - Automatically updated as APIs change - Includes authentication requirements, data types, and error responses - Serves as the foundation for automated security testing - Detects spec drift when implementation diverges from documentation This solves a persistent pain point: mo [...truncated for length...] --- # LLM Guard URL: https://appsecsanta.com/llm-guard Description: Free open-source LLM security toolkit. 35 scanners block prompt injection, PII leaks, and toxic output. 5-minute pip install, works with any LLM provider. LLM Guard is an open-source [AI security](/ai-security-tools) toolkit by Protect AI that scans LLM inputs and outputs for security and compliance risks. It has 2.5k GitHub stars and 342 forks on GitHub. The library is MIT licensed and requires Python 3.10+. Protect AI, the company behind LLM Guard, also develops Guardian and ModelScan for ML supply chain security. The latest release is v0.3.16. I use LLM Guard when I need to sit a policy layer in front of a chatbot before it talks to a user. The input scanners catch prompt injection, PII, and banned topics. The output scanners catch refusals, toxic output, and sensitive leakage. It is the most complete free guardrail library I have tried, and it runs offline without calling back to a vendor API. Quick Pick Self-hosted, offline, free? → LLM Guard (this page) Managed cloud API with SLA? → Lakera Guard Dialog flow control with Colang DSL? → NeMo Guardrails Red-team / adversarial testing (not runtime)? → Garak or PyRIT ## What is LLM Guard? LLM Guard sits between your application and its language model. It runs 15 input scanners on user prompts before they reach the model, and 20 output scanners on the model's responses before they reach the user. Each scanner handles a specific risk: prompt injection, PII exposure, toxic language, secrets in code, and more. Scanners are modular. You pick which ones you need and configure them independently. The library works with any language model since it processes text, not model internals. It also ships with an API server mode for language-agnostic deployments. ## What does LLM Guard protect against? LLM Guard covers six runtime security risks: prompt injection attacks that hijack model behavior, PII leakage in outputs, toxic and harmful content generation, hardcoded secrets in responses, malicious URLs in model output, and factual inconsistency when responses contradict provided context. The toolkit runs 15 input scanners on every prompt before it reaches the LLM and 20 output scanners on every response before it returns to the user. Each scanner is independent — activate only the checks your use case needs, with no performance cost from unused scanners. The PromptInjection scanner uses ML models trained on real injection patterns rather than regex matching, so it catches indirect injection attempts hidden in documents or tool outputs. All processing runs locally — no prompt data, no response data, and no credentials leave your infrastructure. LLM Guard is MIT licensed and works with any LLM provider. Input Scanning:::15 scanners that filter user prompts before they reach your LLM. Covers prompt injection, PII anonymization, secrets detection, toxicity, banned topics, invisible text, and more. ||| Output Scanning:::20 scanners that validate model responses. Checks for bias, malicious URLs, factual consistency, sensitive data leaks, toxicity, and relevance to the original query. ||| API Server:::Deploy LLM Guard as a standalone [...truncated for length...] --- # Mend URL: https://appsecsanta.com/mend Description: Mend (ex-WhiteSource): Renovate-powered SCA, agentic SAST via MCP for Cursor/Claude Code, container scanning. Forrester Strong Performer on both SCA and SAST. Mend is an enterprise application security platform that bundles SCA, SAST, container scanning, and DAST into one console. The company rebranded from WhiteSource in May 2022 and sells the products as one developer subscription rather than as separate SKUs. The two flagship products share the same dashboard, reachability engine, and policy controls. Mend SCA uses [Renovate](/renovate) technology for automated remediation, with merge confidence scoring that predicts build compatibility from aggregated CI data. Mend SAST scans 25 languages with taint analysis and ships an MCP server. It plugs into agentic IDEs like Cursor, Claude Code, and GitHub Copilot to catch vulnerabilities in AI-generated code before it enters the repository. Forrester named Mend a Strong Performer in The Wave: SCA Q4 2024 and The Wave: SAST Q3 2025 — the only vendor with that recognition on both lists at time of writing. The company was founded in 2011 in Israel and acquired DefenseCode and Xanitizer to add SAST capabilities to the SCA platform that the WhiteSource business was built on. ## Mend SCA {#mend-sca} ### What is Mend SCA? Mend scans applications to discover all open-source components, checks them against vulnerability databases and license registries, and then does something most scanners skip: it tells you which vulnerabilities actually matter and fixes them for you. Automated Remediation:::Renovate technology generates pull requests that upgrade vulnerable dependencies. Groups related updates, respects semver constraints, and includes merge confidence scores predicting build compatibility. ||| Reachability Analysis:::Traces call graphs to determine whether vulnerable functions are actually called by your application. Unreachable vulnerabilities get deprioritized, reducing alert fatigue while maintaining visibility. ||| License Compliance:::Identifies all component licenses, flags conflicts (e.g., GPL in proprietary code), and enforces custom policies. Handles dual-licensed packages and complex compatibility rules. ### Key features ### Supported ecosystems | Ecosystem | Package managers | |-----------|-----------------| | JavaScript | npm, yarn, pnpm, Bower | | Python | pip, Poetry, Pipenv, Conda | | Java/Kotlin | Maven, Gradle, sbt | | Go | Go modules | | .NET | NuGet, Paket | | Ruby | Bundler | | PHP | Composer | | Rust | Cargo | | Swift | CocoaPods, Swift PM | | Scala | sbt, Maven | | Containers | Docker, OCI images | | IaC | Terraform, Kubernetes | ### Automated remediation Mend's Renovate technology automatically generates pull requests to update vulnerable dependencies. Unlike simple version bumps, Renovate groups related updates, respects semantic versioning constraints, and schedules updates to minimize disruption. Merge confidence scores predict whether an update will break your build based on aggregated data from millions of updates. ### Reachability analysis Mend examines call graphs and code paths to identify whether vulnerable function [...truncated for length...] --- # Mindgard URL: https://appsecsanta.com/mindgard Description: Mindgard provides automated AI red teaming and continuous security testing for LLMs, agents, and multimodal models. MITRE ATLAS-aligned attack library. Mindgard is an [AI security](/ai-security-tools) platform that provides automated red teaming and continuous security testing for LLMs, AI agents, and multimodal models. It is a Dynamic Application Security Testing for AI (DAST-AI) solution built specifically to detect runtime AI vulnerabilities. Founded in 2022 as a spinout from Lancaster University by Dr. Peter Garraghan (CEO/CTO), Dr. Neeraj Suri (CSO), and Steve Street (CRO/COO), Mindgard draws on over a decade of academic AI security research. The company is headquartered in London and Boston, and has raised over $11.6M in funding, including an $8M round in December 2024 led by .406 Ventures with participation from Atlantic Bridge and Willowtree Investments. Mindgard has 11 PhDs on staff and has been recognized in the OWASP LLM and Generative AI Security Solutions Landscape Guide and won the 2025 Cybersecurity Excellence Award for Best AI Security Solution. ## What is Mindgard? Mindgard sits at the testing layer of the AI security stack. Rather than filtering inputs and outputs at runtime like a firewall, it proactively attacks your AI systems to find vulnerabilities before adversaries do. The platform simulates thousands of adversarial attack scenarios against your models and agents, then reports findings aligned with industry frameworks like [MITRE ATLAS](https://atlas.mitre.org/) and [OWASP Top 10 for LLMs](https://owasp.org/www-project-top-10-for-large-language-model-applications/). The platform is neural-network agnostic, meaning it works across generative AI, LLMs, NLP, computer vision, audio, and multi-modal models. It also tests the broader attack surface around AI systems, including agents, tools, APIs, data sources, and orchestration workflows. Automated AI Red Teaming:::Continuously simulates adversarial attacks using an attacker-aligned library of thousands of threat scenarios. Reduces testing timelines from months to minutes with PhD-curated attack techniques. ||| DAST-AI Testing:::A dynamic application security testing solution built for AI. Detects runtime vulnerabilities that static analysis and pre-deployment scanning cannot catch, including prompt injection, jailbreaks, and model manipulation. ||| MITRE ATLAS Alignment:::Full attack library mapped to the MITRE ATLAS framework for standardized threat categorization. The ATLAS Adviser feature helps enterprise teams standardize their AI red teaming reporting and risk assessment. ## What are Mindgard's key features? | Feature | Details | | ------------------- | ------------------------------------------------------------ | | Testing Approach | Dynamic Application Security Testing for AI (DAST-AI) | | Attack Library | Thousands of threat scenarios, continuously updated | | Model Support | LLMs, NLP, computer vision, audio, multi-modal, AI agents | | Framework Alignment | MITRE ATLAS, OWASP Top 10 for LLMs [...truncated for length...] --- # mitmproxy URL: https://appsecsanta.com/mitmproxy Description: mitmproxy is a free MIT-licensed HTTPS intercepting proxy with 43k+ GitHub stars. Inspect and modify mobile app and API traffic from the CLI or browser. mitmproxy is a free, MIT-licensed interactive HTTPS proxy for security testing, mobile app auditing, and API debugging. The project sits at 43,100+ GitHub stars, shipped v12.2.2 in April 2026, and speaks HTTP/1, HTTP/2, HTTP/3, and WebSockets out of the box. Written in Python and maintained by Aldo Cortesi and Maximilian Hils, mitmproxy is the default choice for security engineers who need to see inside encrypted traffic without paying for a commercial proxy like Burp Suite. mitmproxy ships three interfaces in one package: the interactive terminal UI (`mitmproxy`), the browser-based UI (`mitmweb`), and the scriptable CLI (`mitmdump`). All three share the same core engine, the same addon system, and the same Python API. I run mitmproxy in front of mobile apps when I want to see what their backends actually receive. The interactive TUI is faster than a full browser proxy for quick inspection, and the Python addon hook lets me rewrite requests on the fly without stopping the session. It is the first tool I install on every fresh laptop. mitmproxy at a glance License: MIT (fully open source, no paid tier) Language: Python 3.12+ Latest version: 12.2.2 (April 2026) Maintainers: Aldo Cortesi, Maximilian Hils Repository: github.com/mitmproxy/mitmproxy (43,100+ stars) Protocols: HTTP/1, HTTP/2, HTTP/3, WebSockets, raw TCP ## What is mitmproxy? mitmproxy is a free, open-source SSL/TLS-capable intercepting proxy that sits between a client and a server, decrypts HTTPS traffic in real time, and lets you inspect or modify every request and response before it is re-encrypted and forwarded. It supports HTTP/1, HTTP/2, HTTP/3, and WebSockets, and ships under the MIT license with no paid tier. The basic idea is to pretend to be the server to the client, and pretend to be the client to the server, while sitting in the middle decoding traffic from both sides. To achieve HTTPS interception, mitmproxy generates a Certificate Authority (CA) certificate which you install on your device. This CA certificate is used to sign other certificates on-the-fly, making the intercepted traffic appear trusted to your browser or application. Once configured, all HTTP and HTTPS requests and responses flow through mitmproxy where you can inspect headers, bodies, and timing information. The tool supports HTTP/2, HTTP/3 (QUIC), and WebSockets, so it keeps up with modern mobile apps and web services. It handles TLS 1.2 and 1.3, certificate pinning scenarios (when combined with bypass tools), and common authentication schemes. Traffic Interception:::Capture and decrypt HTTPS traffic with automatic certificate generation ||| Multiple Interfaces:::Console UI, web interface, and command-line tool for different workflows ||| Real-Time Inspection:::View requests and responses as they happen with full header and body details ||| Request Modification:::Edit and replay requests to test API endpoints and security controls ||| Python Scripting:::Program [...truncated for length...] --- # MobSF URL: https://appsecsanta.com/mobsf Description: MobSF is an open-source mobile security framework with 20.7k GitHub stars. Static and dynamic analysis for Android, iOS, and Windows with malware detection. Mobile Security Framework (MobSF) is an open-source, automated [mobile security](/mobile-security-tools) testing tool built by Ajin Abraham and 104 contributors. It handles static analysis, dynamic analysis, and malware detection for Android, iOS, and Windows mobile applications. **GitHub:** [MobSF/Mobile-Security-Framework-MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | **Stars:** 20.7k | **Latest Release:** v4.4.6 (March 2026) | **License:** GPL-3.0 v4.4.6 security fix: MobSF v4.4.6 (March 2026) patched an SQL injection vulnerability in the SQLite DB viewer component and includes additional security hardening. Upgrade if you're running an earlier version. The project started in 2015 and has been featured at Black Hat Arsenal (Asia 2015, Asia 2018, Europe 2023). It ships as a web application — upload a binary, and MobSF decompiles it, runs security checks, and presents findings in a dashboard. Results can be exported as PDF reports or pulled through the REST API. MobSF is bundled with security-focused Linux distributions including BlackArch and Pentoo. A hosted demo is available at [mobsf.live](https://mobsf.live). MobSF is the typical first pick for one dashboard covering static and dynamic Android or iOS analysis. The static scan extracts the manifest, permissions, certificates, and hardcoded secrets in one pass; the dynamic analyzer runs the app inside a rooted emulator and records HTTPS traffic. It is the free tool most often recommended to teams starting a mobile security program. ## What are MobSF's key features? | Feature | Details | |---------|---------| | **Static Analysis** | Decompiles and analyzes APK, AAB, IPA, APPX binaries and source code | | **Dynamic Analysis** | Runtime testing with Frida instrumentation for Android and iOS | | **Malware Analysis** | Pattern matching for known malicious behaviors and indicators of compromise | | **REST API** | Full API access for uploading, scanning, and retrieving reports programmatically | | **Web Dashboard** | Browser-based interface for uploading apps and reviewing findings | | **PDF Reports** | Exportable security assessment reports | | **OWASP Mapping** | Findings mapped to OWASP MASVS and MASTG standards | | **Network Analysis** | Captures and analyzes network traffic during dynamic testing | | **mobsfscan** | Separate CLI tool for source code scanning in CI/CD pipelines | | **Docker Support** | One-command deployment via Docker | Static Analysis:::Decompiles Android APK/AAB, iOS IPA, and Windows APPX files. Checks for hardcoded secrets, insecure storage, weak crypto, dangerous permissions, exported components, and SSL/TLS misconfigurations. ||| Dynamic Analysis:::Runs apps in a controlled environment using Frida for instrumentation. Monitors network traffic, file system operations, crypto function calls, and runtime behavior on Android and iOS. ||| Malware Detection:::Identifies known malicious patterns, suspicious behaviors, and indicators of compromise. [...truncated for length...] --- # ModSecurity URL: https://appsecsanta.com/modsecurity Description: ModSecurity is an open-source WAF engine for Apache, IIS, and Nginx with 9.5k GitHub stars. Written in C++17, runs via libmodsecurity connectors. ModSecurity is an open-source web application firewall engine that provides real-time protection for web applications running on Apache, IIS, and Nginx. The platform uses an event-based programming language to monitor HTTP traffic, detect attacks, and enforce security policies. Started in 2002, ModSecurity became one of the most widely deployed open-source WAF engines. The project [transferred from Trustwave to OWASP](https://owasp.org/blog/2024/01/09/ModSecurity.html) in January 2024. Trustwave sponsored development through July 2024, and the project now has 9,500 GitHub stars and an active contributor community. ModSecurity is the open-source web application firewall engine maintained by [OWASP](https://owasp.org/www-project-modsecurity/) since [January 2024](https://owasp.org/blog/2024/01/09/ModSecurity.html) (transferred from Trustwave). It runs on Apache, Nginx, and IIS through the modular libmodsecurity (v3) architecture, processes HTTP traffic against an event-based rule engine, and pairs with the [OWASP Core Rule Set](https://owasp.org/www-project-modsecurity-core-rule-set/) for ready-made protection against SQL injection, XSS, and the rest of the OWASP Top 10. License: Apache 2.0. Cost: free. ## What is ModSecurity? ModSecurity is a cross-platform web application firewall engine designed to protect applications from a range of attacks including SQL injection, cross-site scripting, and other OWASP Top 10 vulnerabilities. The platform operates as an embedded security component within web servers, analyzing HTTP requests and responses in real-time. The WAF engine uses a flexible rule language that allows security teams to define custom protection logic matching their application requirements. ModSecurity rules can inspect request headers, cookies, query parameters, POST data, uploaded files, and response bodies to identify malicious patterns. ModSecurity version 3.0 (libmodsecurity) introduced a modular architecture that separates the WAF engine into a standalone library. This design communicates with web servers through connectors for Apache, Nginx, and IIS, enabling easier integration and maintenance compared to earlier tightly-coupled implementations. Open-Source WAF:::Free web application firewall engine under Apache License 2.0. Deploy on Apache, IIS, or Nginx without licensing costs. Maintained by OWASP community. ||| Rule-Based Protection:::Event-based programming language for defining security policies. Inspect requests and responses with granular control over protection logic. ||| OWASP CRS Integration:::Native support for OWASP Core Rule Set providing immediate protection against common attacks. Regular updates address emerging threat patterns. ## What are ModSecurity's key features? | Feature | Details | | ------------- | ------------------------------------------------------------ | | Web servers | Apache HTTP Server, Nginx, Microsoft IIS | [...truncated for length...] --- # Mondoo URL: https://appsecsanta.com/mondoo Description: Mondoo scans infrastructure across cloud, containers, Kubernetes, IaC, and endpoints using open-source cnspec/cnquery. Built-in CIS, NIST, and ISO compliance. Mondoo is an infrastructure security and compliance platform that scans cloud environments, containers, Kubernetes clusters, operating systems, IaC templates, and SaaS applications for vulnerabilities and misconfigurations. The platform is built on two source-available tools: cnspec for security assertions and cnquery for infrastructure data exploration, both licensed under BUSL-1.1 and powered by MQL (Mondoo Query Language). Mondoo was founded by the creators of [Chef InSpec](https://github.com/inspec/inspec), the widely-used open-source compliance-as-code tool. The scanning engines cover over 1,000 resource types across major cloud providers, container runtimes, operating systems, and developer platforms. The commercial Mondoo Platform adds dashboards, compliance reporting, remediation workflows, and historical tracking on top. In March 2026, Mondoo raised $17.5M led by HV Capital, with Atomico and Firstminute Capital participating, bringing total funding to $32.5M. The company reported 7x revenue growth and 4.4x customer expansion over the prior year. The latest major release, Mondoo v13, overhauls Terraform deprecation checks with typed `requiredProviders` support, better PAN-OS filtering, and tighter policy scoping. Mondoo v13.1–13.2 (March 2026) added 9 SageMaker security checks to the AWS policy bundle, plus new Ubiquiti UniFi and F5 BIG-IP security policies, pushing coverage beyond cloud-native into network infrastructure. v13.2 also fixed an identity timeout bug and added nftables support for policy scoping. ## What is Mondoo? Mondoo approaches infrastructure security as a data problem. cnquery lets you ask questions about your infrastructure ("What TLS versions are my servers running?"), and cnspec lets you assert policies against those answers ("All servers must use TLS 1.2 or higher"). Both tools use MQL, a purpose-built query language that reads like natural language but executes against live infrastructure. This policy-as-code approach means security teams define rules once and enforce them everywhere: in CI/CD pipelines during builds, across cloud accounts in production, and on developer workstations locally. cnspec (Security Scanner):::Source-available CLI that asserts security policies against infrastructure. Scans cloud APIs, containers, Kubernetes, OS configs, IaC templates, and SaaS platforms. ||| cnquery (Asset Explorer):::Source-available CLI for querying infrastructure data. Explore cloud resources, container configurations, OS settings, and more using MQL. ||| Mondoo Platform:::Commercial dashboard with compliance reporting, historical tracking, team management, automated remediation, and integration with ticketing systems. ## What are Mondoo's key features? ### Cloud Security Posture Mondoo connects to AWS, Azure, GCP, and Microsoft 365 accounts to continuously scan for misconfigurations and vulnerabilities. The scanner checks IAM policies, network configurations, storage permissions, encryption settings, [...truncated for length...] --- # NVIDIA NeMo Guardrails URL: https://appsecsanta.com/nemo-guardrails Description: NeMo Guardrails by NVIDIA adds programmable safety rails to LLM apps. 5 rail types, Colang DSL, dialog flow control. Works with OpenAI, LangChain. 5.6k stars. NVIDIA NeMo Guardrails is an open-source [AI security](/ai-security-tools) toolkit for adding programmable guardrails to LLM-based conversational applications. It has 5.6k GitHub stars and 597 forks. The project is Apache 2.0 licensed and maintained by NVIDIA. The latest release is v0.20.0 (January 2026). It requires Python 3.10-3.13. The framework was published as a research paper at EMNLP 2023 (arXiv:2310.10501). ## What is NeMo Guardrails? NeMo Guardrails intercepts the traffic between your application and its LLM, applying configurable safety checks that block or modify content based on defined policies. The main difference from other guardrail tools is dialog management. Most solutions only filter individual inputs and outputs. NeMo Guardrails models entire conversation flows. The toolkit uses Colang, a domain-specific language purpose-built for defining conversational guardrails. Colang lets you declaratively specify what conversations should look like, which topics are allowed, and how the system should respond to specific user intents. Both Colang 1.0 and the newer Colang 2.0 are supported. Five rail types cover different stages of the LLM interaction: input rails process user messages, dialog rails control conversation flow, retrieval rails filter knowledge base results, execution rails gate tool/action calls, and output rails validate responses. Colang Language:::A Python-like domain-specific language for defining dialog flows and guardrail policies. Supports both v1.0 and v2.0 syntax with flows, events, actions, and LLM integration. ||| Five Rail Types:::Input, dialog, retrieval, execution, and output rails cover every stage of the LLM interaction. Dialog rails are unique to NeMo Guardrails, controlling how conversations flow across turns. ||| Provider Support:::Works with OpenAI, Azure, Anthropic, HuggingFace, NVIDIA NIM, and other LLM providers. Integrates with LangChain, LangGraph, and third-party security services. ## What are NVIDIA NeMo Guardrails's key features? | Feature | Details | | --------------- | ------------------------------------------------------------------------------------ | | Rail Types | Input, dialog, retrieval, execution, output | | Colang Versions | 1.0 (default) and 2.0 | | Input Rails | Jailbreak detection, prompt injection, content moderation, intent classification | | Output Rails | Fact-checking, hallucination detection, sensitive data blocking, response validation | | Dialog Rails | Topic boundaries, conversation flows, canonical forms, branching logic | | LLM Providers | OpenAI, Azure, Anthropic, HuggingFace, NVIDIA NIM, LLaMA, Falcon, Vicuna, Mosaic | | Frameworks | LangChain, LangGraph, custom chains | | Deployment [...truncated for length...] --- # NeuralTrust URL: https://appsecsanta.com/neuraltrust Description: NeuralTrust is an AI security platform with a 20K+ req/sec AI gateway, automated red teaming, guardian agents, and MCP security. EU-based with split-plane architecture. NeuralTrust is an [AI security](/ai-security-tools) platform that secures AI agents, LLMs, and GenAI applications through a high-performance AI gateway processing 20,000+ requests per second, automated red teaming, and guardian agents for autonomous AI monitoring. The split-plane architecture keeps all customer data on-premises or in the customer's VPC, addressing data sovereignty requirements that cloud-only competitors cannot match. Founded by Joan Vendrell Farreny (CEO), Alejandro Domingo, and Victor Garcia, NeuralTrust is headquartered in Barcelona with a US office in New York. The company has an official partnership with the European Union and counts major enterprises among its customers, including Banco Sabadell, Iberia, Capgemini, NTT Data, and Air Europa. The platform aligns with OWASP, NIST, and Cloud Security Alliance standards. To date, NeuralTrust reports blocking over 15 million attacks, scanning 6.7 million+ models, and analyzing 22 million+ AI interactions. ## What is NeuralTrust? NeuralTrust takes a platform approach to AI security, combining four capabilities under one roof: a high-throughput AI gateway for runtime protection, automated red teaming for pre-deployment testing, guardian agents for agentic AI security, and compliance automation for regulatory requirements. The architecture uses a split-plane design. The data plane — where all customer content is processed — runs entirely within the customer's environment (on-premises, VPC, or hybrid). The control plane manages configuration and policy but never touches customer data. This separation addresses data sovereignty requirements without sacrificing centralized management. The AI gateway handles over 20,000 requests per second per node with sub-100ms latency, making it one of the higher-throughput options in the AI security space. NeuralTrust maintains an open-source presence on GitHub, though the core commercial platform is proprietary. AI Gateway:::High-performance gateway processing 20,000+ requests per second per node at sub-100ms latency. Provides prompt protection, content moderation, sensitive data masking, bot detection, and unified control of GenAI infrastructure. ||| Guardian Agents:::Autonomous security agents that monitor and control AI agent actions in real time. Manage tool and data access through the MCP Gateway, enforce behavioral policies, and detect threats across agent workflows. NeuralTrust is the only AI agent security company officially backed by the European Union. ||| Automated Red Teaming:::Adversarial simulation and defense testing using a catalogue of 150+ attack types. Tests AI models and agents for prompt injection, hallucination, data leakage, and policy violations before deployment. ## What are NeuralTrust's key features? | Feature | Details | | ------------------- | ----------------------------------------------------------------------- [...truncated for length...] --- # NeuVector URL: https://appsecsanta.com/neuvector Description: Open-source Kubernetes-native container security by SUSE. Runtime protection with deep packet inspection, Layer 7 firewall, and CIS Benchmarks. Apache 2.0. NeuVector is an open-source, Kubernetes-native container security platform that provides full-lifecycle protection from build-phase scanning through runtime threat detection and response. Maintained by SUSE, it was open-sourced in January 2022 under the Apache 2.0 license, making it the first end-to-end open-source container security platform. 1.3k GitHub stars, 37 contributors, latest release v5.5.0 (March 2026). ## What does NeuVector do? NeuVector provides vulnerability scanning during build and deployment, plus runtime protection in production with network-level threat detection. The feature that separates it from most container security tools is a patented deep packet inspection (DPI) engine that acts as a Layer 7 firewall between containers and pods. Unlike tools that only monitor system calls, NeuVector inspects actual network payloads to detect and block attacks like SQL injection, DDoS, and DNS-based threats in real time. The platform deploys four main components as containers in a Kubernetes cluster: | Component | Role | |-----------|------| | Controller | Central management, policy engine, REST API | | Enforcer | Per-node agent for runtime monitoring and DPI | | Manager | Web UI for visualization and management | | Scanner | Vulnerability database and image scanning engine | ## How does NeuVector's runtime protection work? NeuVector's runtime security operates in three modes, progressively moving from observation to enforcement: **Discovery mode** learns normal application behavior — which processes run, what network connections containers make, and what file access patterns are expected. This behavioral baseline becomes the foundation for security policies. **Monitor mode** alerts on deviations from learned behavior without blocking traffic, letting teams validate policies before enforcement. **Protect mode** blocks threats and policy violations. The DPI engine inspects Layer 7 traffic between container pairs, catching SQL injection, cross-site scripting, DDoS attacks, DNS-based threats, and tunneling attempts inside otherwise allowed flows. The distinguishing mechanism is process behavior whitelisting plus network policy auto-learning. In Discovery mode the Enforcer watches every process that starts inside a container and every connection it makes. NeuVector then derives an allowlist policy — "this image runs nginx and only talks to the redis service on 6379" — and surfaces it as an editable proposal. Switch to Protect and any process or connection outside the learned allowlist is blocked. This inverts the [Falco](/falco) model: Falco asks "what bad behavior matches a rule?" and NeuVector asks "is this behavior in the allowlist I learned?". The two approaches are complementary rather than competitive. Layer 7 DPI is what distinguishes NeuVector from syscall-based tools. The Enforcer parses HTTP, HTTPS (with TLS interception when configured), DNS, and several other protocols, so attacks that ride inside an allowed networ [...truncated for length...] --- # Sonatype Lifecycle URL: https://appsecsanta.com/nexus-lifecycle Description: Sonatype Lifecycle tracks 140M+ components with AI-powered remediation, Golden Pull Requests, and repository firewall protection. Sonatype Lifecycle (formerly Nexus Lifecycle) is an enterprise [SCA platform](/sca-tools) backed by a component intelligence database tracking 140M+ components. Named a Leader in the Forrester Wave for SCA (Q4 2024) with highest possible scores, it embeds security at every SDLC stage: IDE plugins, repository firewalls, CI/CD gates, and AI-powered remediation. With the Sonatype 2024 State of the Software Supply Chain report finding that [one in eight open-source downloads contains a known vulnerability](https://www.sonatype.com/state-of-the-software-supply-chain/introduction), repository-level firewalling has become a critical defense layer. Sonatype's security research team proactively identifies vulnerabilities before CVE assignment. Their 2026 State of Software Supply Chain Report found 65% of OSS CVEs lack CVSS scores from NVD, and 1 in 7 CVEs differ from NVD by 3+ CVSS points. The platform's repository firewall blocks risky components at download time. ## What is Sonatype Lifecycle? Sonatype Lifecycle integrates at every development stage. IDE plugins warn developers before adding risky dependencies. Repository firewalls block vulnerable components at download time. CI/CD integrations enforce policies at build and release. Golden Pull Requests recommend the minimal safe upgrade with zero expected breakage. Intelligence Database:::Tracks 140M+ components with proprietary vulnerability data, often disclosed before CVE assignment. Covers Maven, npm, PyPI, NuGet, Go, and 15+ additional ecosystems. ||| Repository Firewall:::Blocks risky packages at download time. When developers try to install a malicious or policy-violating component, the firewall blocks the request and suggests alternatives. ||| Golden Pull Requests:::AI-generated upgrade recommendations that guarantee no build breaks. Considers transitive dependencies, breaking changes, and available patches for zero-breakage upgrades. ## What are Sonatype Lifecycle's key features? | Feature | Details | |---------|---------| | Component intelligence | 140M+ tracked components; proactive disclosure before CVE assignment | | NVD accuracy gap | 20,362 false positives and 167,286 false negatives identified in public CVE data | | Golden Pull Requests | Zero-breakage upgrades considering transitive deps and breaking changes | | Policy engine | 18 default policies + 30+ customizable constraints | | License database | 2,000+ open-source licenses with threat categorization | | Ecosystems | Maven, npm, PyPI, NuGet, Gradle, Cargo, Go, Docker, Helm, CocoaPods, Composer, Conda, RubyGems | | Reachability analysis | Call flow analysis for contextual vulnerability prioritization | | Deployment | Cloud, on-premises, or air-gapped (SAGE) | ### Sonatype Intelligence Database Sonatype maintains one of the most extensive component intelligence databases. Security researchers identify new threats daily, often disclosing vulnerabilities before public CVE publication. Their research found 20,362 false pos [...truncated for length...] --- # Nikto URL: https://appsecsanta.com/nikto Description: Nikto is a free Perl web server scanner with 8,000+ checks. I cover installation, core CLI flags, the signature database, and 10 built-in IDS evasion modes. Nikto is a free, open-source Perl web server scanner that runs 8,000+ checks for dangerous files, outdated software, and server misconfigurations. The latest stable release is Nikto 2.6.0 (February 2026), licensed under GPL v3, and it targets the server layer rather than application logic. Chris Sullo wrote Nikto in Perl in 2001, and David Lodge has co-maintained it for years. The project has 10,200+ GitHub stars, 1,400+ forks, and active commits through April 2026. - **License:** GPL v3 (code) — database files have separate licensing - **Maintainers:** Chris Sullo, David Lodge - **Repository:** [github.com/sullo/nikto](https://github.com/sullo/nikto) - **Latest version:** 2.6.0 (February 2026) - **Dependencies:** Perl 5 with `Net::SSLeay`, `IO::Socket::SSL`, `LWP::UserAgent` - **Pre-installed on:** Kali Linux, Parrot OS, BlackArch | Feature | Details | |---|---| | Language | Perl | | License | GPL v3 (code), separate for database | | Checks | 8,000+ | | Protocols | HTTP, HTTPS | | Output formats | HTML, XML, JSON, CSV, SQL, Text | | Authentication | HTTP Basic, cookies | | Evasion modes | 10 techniques | | Tuning categories | 13 test types | | Docker image | `ghcr.io/sullo/nikto` | | Included in | Kali Linux, Parrot OS | ## What is Nikto? Nikto is a command-line web server scanner that sends thousands of HTTP requests to a target and flags known problems. It checks for default install files (`/phpinfo.php`, `/admin/`), backup files (`.bak`, `.old`), outdated server software, weak SSL configurations, and insecure HTTP methods. First released in 2001 and maintained by Chris Sullo and David Lodge, it is pre-installed on Kali Linux, Parrot OS, and BlackArch. Nikto is not a full [DAST tool](/dast-tools). It does not crawl applications, authenticate to login forms, execute JavaScript, or test business logic. Think of Nikto as a fast reconnaissance pass before [ZAP](/zap), [Burp Suite](/burp-suite), or template-based scanners like [Nuclei](/nuclei). The check database gets community updates covering Apache, Nginx, IIS, and dozens of other web servers. The CIS Benchmarks recommend checking for default files, unnecessary services, and server misconfigurations, which is the exact surface Nikto automates. Nikto does not authenticate to applications, render JavaScript, or test custom functionality. It checks the server, not the app. For authenticated application scanning, pair Nikto with a full DAST tool. ## What are Nikto's key features? 8,000+ Server Checks:::Tests for default files, backup files, vulnerable CGI scripts, server version-specific CVEs, insecure HTTP methods (PUT, DELETE, TRACE), and directory indexing. ||| SSL/TLS Assessment:::Checks for expired or self-signed certificates, weak cipher suites, outdated protocol versions (SSLv2, SSLv3, TLS 1.0), missing HSTS headers, and certificate chain issues. ||| Plugin Architecture:::Modular design with 7 hook phases (init, start, recon, scan, prefetch, postfetch, report). Write custom plugi [...truncated for length...] --- # NodeJSScan URL: https://appsecsanta.com/nodejsscan Description: NodeJSScan is a free Node.js SAST tool with web UI and CLI (njsscan). Semantic grep patterns for OWASP vulnerabilities. Docker and GitHub Actions ready. NodeJSScan is a free, open-source [SAST](/sast-tools) tool built for Node.js applications. With over 2,500 GitHub stars, it provides a web interface for manual analysis and a CLI tool (njsscan) for CI/CD pipelines. Created by Ajin Abraham (who also maintains MobSF), NodeJSScan uses semantic grep patterns powered by semgrep and libsast to detect security vulnerabilities with context awareness. Web UI + CLI:::NodeJSScan provides a web interface for interactive analysis with syntax highlighting and fix guidance. The njsscan CLI integrates into CI/CD pipelines with JSON and SARIF output. ||| Semantic Patterns:::Uses semgrep-based rules instead of simple regex matching. This gives context-aware detection that understands code structure, reducing false positives compared to pattern-only scanners. I use NodeJsScan when I need a quick SAST pass over a Node.js service without wiring up a commercial tool. It runs as a Docker container, scans Express and Koa apps for the usual OWASP patterns, and produces a JSON report I can pipe into a PR comment. The ruleset is smaller than Semgrep's, so I treat it as a second opinion rather than a primary scanner. ## What is NodeJSScan? NodeJSScan web UI — upload a zip or paste source, then browse findings with syntax-highlighted code locations and fix guidance. NodeJSScan detects security vulnerabilities in Node.js applications through static analysis. According to Snyk's State of Open Source Security reports, JavaScript consistently ranks among the top languages for disclosed vulnerabilities, making Node.js-specific scanning tools valuable. The scanner targets JavaScript files (.js) and checks for patterns that indicate SQL injection, command injection, XSS, SSRF, insecure cryptography, hardcoded secrets, and more. The tool includes checks for missing security controls like CSRF protection, rate limiting, and Helmet security headers — common gaps in Express.js applications. Each finding includes the file location and remediation guidance explaining why the pattern is risky and how to fix it. Scan dashboard — vulnerability counts by severity after scanning a Node.js project. ## Vulnerability coverage NodeJSScan detects a range of server-side JavaScript security issues: | Category | Examples | | --------------- | ----------------------------------------------------------------------- | | Injection | SQL injection, NoSQL injection, command injection, code injection | | Data exposure | XSS, SSRF, directory traversal, information leakage | | Crypto | Weak cryptography, hardcoded secrets, insecure random | | Config | Missing CSRF protection, missing rate limiting, insecure Helmet headers | | Deserialization | Insecure deserialization patterns | Individual finding detail — vulnerable code excerpt, rule name, risk explanation, and [...truncated for length...] --- # Noma Security URL: https://appsecsanta.com/noma-security Description: Noma Security is an enterprise AI security platform combining agent discovery, posture management, red teaming, and runtime protection. $132M funded. Noma Security is an [AI security](/ai-security-tools) platform that unifies discovery, posture management, red teaming, and runtime protection for enterprise AI and autonomous agents in a single product. Where tools like Garak or Promptfoo focus on specific testing stages, Noma covers the full AI security lifecycle from inventory through production defense. The company was founded in 2023 by Niv Braun (CEO) and Alon Tron (CTO), who met during their service in the IDF's Unit 8200 intelligence unit. Noma emerged from stealth in October 2024 and has since raised $132M in total funding, including a $100M Series B led by Evolution Equity Partners with continued backing from Ballistic Ventures and Glilot Capital. Since its public launch, Noma has reported 1,300% annual recurring revenue growth and signed dozens of enterprise customers across financial services, life sciences, retail, and technology sectors, including UiPath, Best Buy, and Nielsen. The company has identified over 1 million AI and agent risks across its customer base. ## What is Noma Security? Noma's platform addresses the security gaps created by the rapid adoption of generative AI, LLMs, RAG systems, and autonomous agents. It works through a three-step approach: discover the full AI landscape, secure it with policies and controls, and protect it with real-time enforcement. The platform automatically discovers every AI model, agent, MCP server, and data source in an organization's environment — and maps how they interconnect. From there, security teams can define policies, run automated red team assessments, and enforce guardrails in production. AI Agent Discovery:::Automatically discovers every agent within an environment with deep contextual profiling — toolsets, functionality, data access permissions, MCP server connections, and operations. ||| Agentic Risk Map:::Visualizes each agent's connections, tools, identities, and knowledge sources. Uncovers cascading risk scenarios by mapping the blast radius of agent actions across the organization. ||| Runtime Protection:::Enforces real-time guardrails on models and agents in production. Detects and blocks malicious prompts, rogue outputs, and unauthorized agent actions before they execute. ## What are Noma Security's key features? | Feature | Details | | ---------------------- | -------------------------------------------------------------------------------------------------------------------------------- | | Agent Discovery | Automatic profiling of agents, toolsets, permissions, MCP connections | | Agentic Risk Map (ARM) | Blast radius visualization and cascading risk analysis | | AI-SPM | Security posture management with continuous risk asses [...truncated for length...] --- # NowSecure URL: https://appsecsanta.com/nowsecure Description: NowSecure analyzes mobile app privacy and security for GDPR and CCPA compliance. Trusted by 4 of top 5 US telecoms with SBOM and OTT device testing. NowSecure is a commercial [mobile security](/mobile-security-tools) platform that combines automated security testing with privacy analysis. It runs static, dynamic, and interactive analysis on iOS and Android applications, with a particular focus on tracking how apps handle user data. The platform is used by 4 of the top 5 U.S. telecommunications companies, 3 of the top 5 U.S. banks, and several U.S. government agencies including the DOJ, DOD, and DOS. Named customers include Bell Canada, Warner Bros. Discovery, T-Mobile, and Genisys Credit Union. NowSecure reports over 4 million automated mobile app assessments and 8 million automatically identified vulnerabilities across its customer base. ## What are NowSecure's key features? | Feature | Details | |---------|---------| | **Binary SAST** | Static analysis of compiled iOS and Android binaries | | **DAST** | Dynamic testing that executes apps and monitors runtime behavior | | **IAST** | Interactive testing combining static and dynamic techniques | | **Privacy Analysis** | Tracks data flows, third-party sharing, and regulatory compliance | | **API Security Testing** | Tests mobile app API communications for vulnerabilities | | **Dynamic SBOM** | Generates software bill of materials from running app analysis | | **OWASP MASVS** | Tests mapped to Mobile Application Security Verification Standard | | **OTT Support** | Testing for Roku, Apple TV, Fire TV, and Android TV apps | | **PTaaS** | Penetration testing as a service by NowSecure security researchers | | **AI Governance** | Identifies AI files, libraries, and services inside mobile apps | Automated Security Testing:::Runs SAST, DAST, and IAST against iOS and Android binaries. Tests cover authentication, data storage, network communications, and platform interaction per OWASP MASVS. ||| Privacy & Data Flow Analysis:::Maps exactly what user data gets collected, where it goes, and whether it's encrypted. Flags compliance gaps with GDPR, CCPA, HIPAA, and other regulations. ||| Mobile SBOM & Supply Chain:::Generates dynamic software bill of materials that catalogs every third-party SDK, library, and framework inside an app. Tracks known vulnerabilities across dependencies. ## What is NowSecure? NowSecure is a mobile-only security platform. While many application security vendors treat mobile as an add-on to their web testing tools, NowSecure was built specifically for mobile apps from the start. The platform comes in several forms: - **NowSecure Platform** — Cloud-based automated testing with SAST, DAST, IAST, and privacy analysis - **NowSecure Guided Testing** — Automated testing combined with expert analysis from NowSecure's security team - **NowSecure Workstation** — On-premises pen testing toolkit with Frida and Radare built in - **NowSecure PTaaS** — Continuous penetration testing delivered as a managed service - **NowSecure MARI** — Mobile App Risk Intelligence for vetting third-party apps in your enterprise ## Privacy Analysis This [...truncated for length...] --- # Nuclei URL: https://appsecsanta.com/nuclei Description: Nuclei open-source scanner review: 28,000+ GitHub stars, 12,000+ YAML templates, multi-protocol scanning. How it compares to ZAP and Nikto for CI/CD. Nuclei is a template-based vulnerability scanner built by ProjectDiscovery. You write (or download) YAML templates that describe what to check, point Nuclei at your targets, and it fires off the requests. If the response matches the template conditions, it reports a finding. > **Security advisory — upgrade to v3.8.0 (April 18, 2026):** Nuclei v3.8.0 patches [GHSA-29rg-wmcw-hpf4](https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-29rg-wmcw-hpf4) (a JavaScript-protocol template could read local files outside the sandbox, ignoring `allow-local-file-access`) and [GHSA-jm34-66cf-qpvr](https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr) (expressions could be evaluated from non-template sources, opening an RCE vector from malicious templates). Anyone running Nuclei against untrusted template collections should upgrade today. The same release adds PDF export for scan results, an XSS reflection-context analyzer that distinguishes HTML / attribute / JS context, and a honeypot detector that deprioritizes honeypot-shaped targets. The project has 28,000+ GitHub stars, 3,100+ forks, and 210+ contributors. Written in Go (96% of the codebase), MIT licensed. The community maintains 12,000+ templates covering CVEs, misconfigurations, exposures, and default credentials. | Feature | Details | | ------------------ | ----------------------------------------------------- | | Language | Go (96%) | | License | MIT | | Templates | 12,000+ community-maintained | | Protocols | HTTP, DNS, TCP, SSL, File, Whois, Websocket, Headless | | Default rate limit | 150 requests/second | | Concurrency | 25 parallel hosts, 25 parallel templates | | Request timeout | 10 seconds (configurable) | | Output formats | JSON, JSONL, SARIF, Markdown, plain text | | Docker image | `projectdiscovery/nuclei` | | Go requirement | 1.24.2+ | ## What is Nuclei? Nuclei takes a different approach from traditional [DAST tools](/dast-tools). Instead of crawling an application and probing for vulnerabilities automatically, it runs specific checks defined in YAML templates. Each template describes exactly what request to send and what response pattern indicates a problem. This template-driven design means two things. First, false positives drop to near zero because you are matching against specific, known conditions. Second, the community can contribute templates for new CVEs within hours of disclosure. The NIST National Vulnerability Database tracks over 200,000 CVEs, and Nuclei's template library covers a growing subset of them. The 12,000+ templates i [...truncated for length...] --- # Objection URL: https://appsecsanta.com/objection Description: Objection wraps Frida for SSL pinning bypass, keychain dumping, and file system inspection on iOS/Android — no jailbreak or root required. **Objection is a runtime [mobile security](/mobile-security-tools) exploration toolkit built on [Frida](/frida)** that lets pentesters hook live iOS and Android apps from an interactive command line, without writing custom JavaScript instrumentation. SensePost released it in 2016 under GPL-3.0. With **over 8,900 GitHub stars** and **v1.12.4 shipping in March 2026**, it has become the default choice for pentesters who need quick assessment capabilities without the complexity of writing [Frida](/frida) scripts from scratch. The short version What it is: A Python CLI that wraps Frida with pre-built commands for mobile pentesting — the 80/20 instrumentation tool for iOS and Android. How it works: Connects to a running app via an interactive REPL; commands like ios sslpinning disable hook the target at runtime without modifying its binary on disk. Runs on: Jailbroken/rooted devices via frida-server, OR non-jailbroken/non-rooted devices via objection patchipa / patchapk (embeds frida-gadget into the app). Best for: Quick mobile assessments — SSL pinning bypass, keychain extraction, file system inspection, memory dumps — without writing custom JavaScript hooks. Install: pip3 install objection — current release v1.12.4 (March 2026), GPL-3.0, maintained by SensePost. First released by SensePost in 2016 and featured at Black Hat Arsenal Europe 2017 and USA 2019, Objection is actively maintained as an instrumented mobile pentest framework. The latest release, v1.12.4 (March 2026), added a `reconnect` command and `reconnect_spawn` functionality for reattaching to targets after process restarts — a useful addition for long testing sessions where the target app may crash or be relaunched. The main draw is accessibility. [Frida](/frida) expects you to write JavaScript hooks; Objection ships a command-line interface with the hooks already written for you. That shortens the ramp-up for testers who want to work at the instrumentation layer without reading a Frida tutorial first. Key Insight Objection is Frida for people who don't want to write Frida scripts. It is the 80/20 mobile instrumentation tool — pre-built hooks for the tasks that show up on every mobile pentest, with a clean exit hatch to raw Frida scripting when the built-ins don't fit. Objection wraps Frida with a REPL that mobile pentesters can drive without writing scripts first — that is the value over raw Frida. Commands like `android keystore list` and `ios sslpinning disable` cover the first ninety percent of pentest needs: dumping keychains, bypassing cert pinning, tracing class methods. For anything deeper, the underlying Frida API is one hop away. ## What is Objection? **Objection is a Python command-line toolkit that wraps [Frida](/frida)'s dynamic instrumentation to perform runtime analysis of iOS and Android apps.** It injects scripts into running processes to bypass security controls, inspect app internals, and change behavior — the original APK or IPA on disk stays [...truncated for length...] --- # Onyx Security URL: https://appsecsanta.com/onyx-security Description: Onyx Security is an AI control plane for enterprise agent security with Guardian Agent supervisory AI, discovery, monitoring, and governance. $40M funded. Onyx Security is an [AI security](/ai-security-tools) control plane that discovers, monitors, and governs enterprise AI agents across SaaS, cloud, endpoints, and code repositories. Unlike point solutions that address a single layer of AI risk, Onyx provides a unified governance platform spanning observability, security, compliance, orchestration, and ROI measurement. The company launched in March 2026 with $40M in funding from Conviction and Cyberstarts, emerging from stealth after a year and a half of development. Co-founders Maxim Bar Kogan and Gil Elbaz built the team to 70 people before going public, and the platform was already in use at Fortune 500 companies at launch. Bar Kogan is a cybersecurity leader and Unit 8200 veteran who won first prize in the 2008 Israeli CodeGuru competition. Elbaz is an AI researcher who previously reported to NVIDIA's CTO and served in one of the IDF's AI research units. ## What is Onyx Security? Onyx sits between an organization and its AI agents as a supervisory layer. It discovers both approved and shadow AI across the enterprise, monitors agent actions in real time, and enforces security and compliance policies before agents can execute risky operations. The platform is powered by its own set of supervisory agents and proprietary AI models built to understand AI reasoning patterns. When a risk is detected, Onyx can block the action, require human approval, or steer the agent in a safer direction. AI Observability:::Discovers approved and shadow AI across the organization. Provides visibility into prompts, responses, and agent actions across SaaS, cloud, endpoints, and code repositories. ||| Guardian Agent:::Supervisory AI that automatically identifies and remediates risks across deployments. Can block actions, require human-in-the-loop approval, or redirect agent behavior in real time. ||| AI Governance:::Enforces compliance with AI security standards and regulatory requirements including the EU AI Act. Policies are configured in natural language, lowering the barrier for security teams. ## What are Onyx Security's key features? | Feature | Details | | ----------------- | --------------------------------------------------------------------------------- | | Agent Discovery | Finds approved and shadow AI across SaaS, cloud, endpoints, and code repositories | | Guardian Agent | Supervisory AI that identifies and remediates risks automatically | | Policy Controls | Natural language policy configuration for security and compliance | | Threat Detection | Real-time analysis of prompts, responses, and agent actions | | Compliance | EU AI Act, internal governance standards | | Orchestration | Simplifies agent setup and MCP deployment; optimizes cost, accuracy, and latency | | ROI Tracking | Adoption metric [...truncated for length...] --- # OPA Gatekeeper URL: https://appsecsanta.com/opa-gatekeeper Description: Kubernetes admission controller powered by Open Policy Agent. Enforce custom policies using Rego. 4.1k GitHub stars, 249 contributors. Apache 2.0. OPA Gatekeeper is a Kubernetes admission controller that brings Open Policy Agent to cluster policy enforcement. Part of the CNCF graduated OPA project, Gatekeeper has 4.1k GitHub stars and 249 contributors. The latest release is v3.22.0 (March 2026). This version enables sync-vap-enforcement-scope by default, which changes which namespaces ValidatingAdmissionPolicy enforces on — test in staging before upgrading. Gatekeeper uses a "configure, not code" approach where policies are defined using Rego and Kubernetes CRDs. This eliminates the need to build custom admission webhooks while keeping OPA's full policy flexibility. ## What is OPA Gatekeeper? Gatekeeper operates as a validating and mutating admission webhook in Kubernetes. When resources are created or updated, the Kubernetes API server sends them to Gatekeeper for evaluation before persisting to etcd. Gatekeeper runs policies written in Rego and either allows or denies the request based on policy evaluation. The project introduces two key CRDs: ConstraintTemplate and Constraint. ConstraintTemplates define reusable policy logic in Rego. Constraints instantiate those templates with specific parameters and enforcement configurations. This separation allows policy authors to write Rego once and platform teams to apply it with different settings across namespaces. Gatekeeper also provides audit functionality that continuously scans existing cluster resources for policy violations. This feature identifies drift when resources are modified outside admission control or when policies are added after resources already exist. Rego Policy Language:::Leverage OPA's powerful Rego language for complex policy logic, enabling fine-grained control over resource admission ||| Policy Library:::Access a collection of pre-built ConstraintTemplates covering common security and compliance requirements, accelerating policy adoption ||| Audit Mode:::Continuously scan existing resources against policies to detect violations and compliance drift without blocking deployments ## What are OPA Gatekeeper's key features? | Feature | Details | |---------|---------| | Policy language | Rego (OPA) | | CRD types | ConstraintTemplate, Constraint, Mutation | | Enforcement modes | Deny, dry-run, audit | | External data | Support for external data sources in policies | | OPA version | v0.60.0 | | Policy library | Reusable ConstraintTemplates from the Gatekeeper Library | | CNCF status | [Graduated](https://www.cncf.io/projects/open-policy-agent-opa/) (as part of OPA) | | License | Apache 2.0 | ### ConstraintTemplate System The template-constraint pattern promotes policy reuse. A single ConstraintTemplate defining "required labels" can be instantiated multiple times with different label requirements for different namespaces or resource types. This pattern reduces policy duplication and simplifies maintenance. **Dry Run Testing**: Gatekeeper supports dry-run mode where policies can be tested against live traffic with [...truncated for length...] --- # OpenAI Guardrails URL: https://appsecsanta.com/openai-guardrails Description: OpenAI Guardrails is an MIT-licensed Python library for input/output validation in OpenAI agents — tripwires, tool guardrails, PII and jailbreak detection. OpenAI Guardrails is an MIT-licensed Python library that provides a drop-in safety wrapper for the OpenAI Python client, adding automatic input/output validation with a tripwire mechanism that immediately halts agent execution when a violation is detected. It is listed in the [AI security](/ai-security-tools) category. The library is MIT licensed and maintained by OpenAI. The latest release is v0.2.1 (December 2025). It integrates directly with the OpenAI Agents SDK via the GuardrailAgent component for native safety enforcement in agentic workflows. OpenAI Guardrails is distinct from the guardrails feature built into the Agents SDK — this library provides a broader set of configurable safety controls that can wrap any OpenAI API call, not just agent interactions. ## What is OpenAI Guardrails? OpenAI Guardrails sits between your application and the OpenAI API, intercepting requests and responses to run safety checks. The library uses a tripwire mechanism: when a guardrail detects a violation, it immediately raises an exception that halts execution, preventing unsafe content from being processed or returned. Three types of guardrails are supported. Input guardrails validate user prompts before the agent processes them. Output guardrails validate agent responses before they reach users. Tool guardrails wrap function calls, validating both the arguments going in and the results coming out. Built-in guardrails cover the most common safety requirements: content moderation, PII detection (via Microsoft's Presidio), jailbreak detection, hallucination detection, URL filtering, NSFW content filtering, and off-topic detection. Custom guardrails can be added for domain-specific requirements. The Guardrails Wizard provides a no-code configuration interface for building validation pipelines visually without writing JSON by hand. Tripwire Mechanism:::When a guardrail detects a violation, it triggers a tripwire that immediately raises an exception and halts agent execution. Supports parallel mode (lower latency) or blocking mode (zero wasted tokens) depending on your latency vs. cost priorities. ||| Three Guardrail Types:::Input guardrails validate user prompts before agent processing. Output guardrails validate responses before delivery. Tool guardrails wrap function calls to validate arguments and results — critical for agentic workflows where tools have real-world side effects. ||| Agents SDK Integration:::Native integration with the OpenAI Agents SDK via GuardrailAgent. Automatically applies safety checks to agent inputs and outputs, catching violations through InputGuardrailTripwireTriggered and OutputGuardrailTripwireTriggered exceptions. ## What are OpenAI Guardrails's key features? | Feature | Details | | ----------------- | ------------------------------------------------------------------------------------- | | Architecture | Drop-in wrapper for OpenA [...truncated for length...] --- # OpenGrep URL: https://appsecsanta.com/opengrep Description: OpenGrep is a community fork of Semgrep CE created in 2025. Review: rules, 30+ languages, taint analysis, install, and differences from Semgrep. OpenGrep is a community-maintained, LGPL-2.1 fork of Semgrep CE — the popular open-source [SAST](/sast-tools) engine — created in January 2025 after Semgrep moved cross-function taint analysis and other features behind its commercial platform. A consortium of 10+ application security vendors governs the project jointly. The fork is licensed under LGPL-2.1. Governance is the main thing that sets it apart: a consortium of 10+ appsec companies maintains the project jointly, so no single vendor controls the roadmap. OpenGrep restores the features that Semgrep removed from CE — taint analysis, inter-procedural scanning, fingerprinting, and Windows support — and keeps them free under LGPL-2.1. The project has 2,100+ GitHub stars and stays backward compatible with Semgrep's rule format, JSON output, and SARIF output. Existing rules and CI pipelines work without changes. For a direct head-to-head, see the [OpenGrep vs Semgrep comparison](/sast-tools/opengrep-vs-semgrep). ## What Is OpenGrep? OpenGrep is a community-maintained fork of Semgrep's Community Edition, created in 2025 when Semgrep Inc. relicensed parts of the CE engine. Instead of a single-company project, OpenGrep is governed by a consortium of 10+ appsec vendors so no individual company can restrict features again. It is a static code analysis engine written primarily in OCaml. It uses pattern-matching rules that look like the source code they scan — no regex or custom DSLs needed. The engine covers 30+ languages and runs locally. OpenGrep detects a SQL injection by tracing tainted input through inter-method calls to the SQL sink | Feature | Details | |---------|---------| | Languages | 30+ including Python, JavaScript, TypeScript, Java, Go, C, C++, C#, Ruby, Rust, Kotlin, PHP, Swift, Visual Basic | | Rule format | YAML-based, Semgrep-compatible | | Output formats | JSON, SARIF 2.1.0, human-readable console | | Taint analysis | Constructor tracking, inter-method propagation, higher-order function support across 12 languages | | Platforms | Linux, macOS, Windows (including ARM) | | License | LGPL-2.1 | | Binary signing | Cosign-signed releases | | Codebase | OCaml 75.0%, Python 13.1%, Java 3.8% | | Contributors | 189 contributors, 9,400+ commits | | Current version | 1.16.4 (March 2026) | 30+ Languages:::Covers Apex, Bash, C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Rust, Kotlin, PHP, Swift, Scala, Terraform, Dockerfile, Visual Basic, and more. Visual Basic support is exclusive to OpenGrep. ||| Taint Analysis:::Tracks tainted data through constructors, field assignments, inter-method calls, higher-order functions, and collection operations like map, filter, and reduce. Available across 12 languages. ||| Semgrep Compatible:::Backward compatible with Semgrep's rule format, JSON output, and SARIF 2.1.0 output. Existing rules, CI pipelines, and integrations work without modification. ## OpenGrep vs Semgrep: Key Differences OpenGrep is fully backward compatible with Se [...truncated for length...] --- # Orca Security URL: https://appsecsanta.com/orca-security Description: Orca Security provides agentless cloud security through patented SideScanning. CNAPP with CSPM, CWPP, CIEM, DSPM. FedRAMP authorized. 24-hour deployment. Orca Security is an agentless Cloud Native Application Protection Platform built on patented SideScanning technology. The platform provides workload-deep visibility across cloud environments, avoiding the agent deployment overhead associated with traditional solutions. Founded in 2019 with 350 employees across London, Tel Aviv, and Portland, Orca serves enterprise customers including Autodesk, Unity, SAP, Sisense, and Lemonade. The platform is FedRAMP Moderate Authorized, SOC 2 Type II certified, and holds ISO 27001/27017/27018/27701 certifications. ## What is Orca Security? Orca Security delivers comprehensive cloud infrastructure security and compliance through a single agentless platform. The solution combines Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), Cloud Infrastructure Entitlement Management (CIEM), and Data Security Posture Management (DSPM). The platform's SideScanning technology reads cloud workload data without deploying agents or running code in customer environments. This approach provides visibility into virtual machines, containers, serverless functions, and cloud infrastructure resources including storage buckets, VPCs, and KMS keys. Orca automatically includes new assets when they're added to cloud environments, eliminating manual configuration and ensuring continuous coverage. The platform centralizes all cloud security findings in a single interface, allowing security teams to query, investigate, and understand risks with full context. SideScanning Technology:::Patented agentless scanning that reads workload data without network packets or code execution. Eliminates agent deployment while providing workload-deep visibility. ||| 24-Hour Deployment:::Configure in minutes and receive complete cloud risk profile within 24 hours. No agents, no code changes, no performance impact on production workloads. ||| Unified CNAPP Platform:::Single platform for CSPM, CWPP, CIEM, DSPM, vulnerability management, API security, and compliance. Query all cloud risks from one centralized interface. ## What are Orca Security's key features? | Module | Details | | ------------ | --------------------------------------------------------------- | | CSPM | Cloud Security Posture Management across AWS, Azure, GCP | | CWPP | Cloud Workload Protection for VMs, containers, serverless | | CIEM | Cloud Infrastructure Entitlement Management | | DSPM | Data Security Posture Management for PII/PHI detection | | CDR | Cloud Detection and Response with 24x7 monitoring | | API Security | API discovery, posture management, drift detection | | AI-SPM | AI Security Posture Management for cloud AI models | | Compliance | 100+ frameworks including PCI-DSS, HIPAA, SOC 2, ISO 27001, CIS | | Runtime | Orca Sensor with eBPF-base [...truncated for length...] --- # Ostorlab URL: https://appsecsanta.com/ostorlab Description: Ostorlab mobile security testing with open-source OXO engine (560 GitHub stars). Multi-tool orchestration with Nuclei, Nmap, and custom scanning agents. Ostorlab is a [mobile security](/mobile-security-tools) testing platform built around OXO, an open-source scanning orchestration engine. Rather than relying on a single analysis engine, OXO coordinates multiple security tools — Nmap, Nuclei, ZAP, and custom agents — to get broader coverage than any one scanner provides alone. **GitHub:** [Ostorlab/oxo](https://github.com/Ostorlab/oxo) | **Stars:** 560 | **Latest Release:** v2.0.0 (April 16, 2026) | **License:** Apache 2.0 > **Project rename (April 2026):** The upstream GitHub repository was renamed from `Ostorlab/ostorlab` to `Ostorlab/oxo` as part of the v2.0.0 bump. The old `ostorlab` pip package and GitHub URL now redirect. v2.0.0 also raises the Python floor to 3.14 — rebase CI runners before upgrading. The open-source OXO engine is free to self-host. The commercial Ostorlab platform at ostorlab.co adds managed hosting, team collaboration, attack surface discovery, and an AI copilot. OXO has 41 contributors and over 200 releases to date. ## What are Ostorlab's key features? | Feature | Details | | ---------------------------- | ------------------------------------------------------------------------------- | | **OXO Engine** | Open-source scan orchestrator coordinating multiple security tools | | **Fast Scan** | Static analysis with secrets detection, malware scanning, and dependency checks | | **Full Scan** | Static + dynamic analysis with runtime monitoring and backend injection testing | | **Privacy Scan** | Data flow analysis and privacy policy compliance verification | | **Agent Architecture** | Docker-containerized agents with a public marketplace | | **Attack Surface Discovery** | AI-powered asset discovery and inventory management | | **CI/CD Integration** | GitHub Actions, GitLab, Jenkins, Azure DevOps, CircleCI, and more | | **SBOM Scanning** | Software bill of materials and dependency confusion detection | | **AI Copilot** | AI-assisted analysis and remediation guidance | | **Multi-Asset Support** | Mobile (APK, AAB, IPA), web, network, domain scanning | OXO Orchestration:::Open-source engine that coordinates security tools like Nmap, Nuclei, ZAP, and custom scanners. Each tool runs as a Docker container, making it easy to add or remove agents. ||| Three Scan Profiles:::Fast Scan for quick static checks, Full Scan adding dynamic analysis and backend testing, and Privacy Scan for data flow tracking and compliance verification. ||| Agent Marketplace:::Public store of ready-to-use scanning agents. Teams can also build and publish their own agents for organization-specific security checks. ## Scan Profiles Ostorlab' [...truncated for length...] --- # OSV-Scanner URL: https://appsecsanta.com/osv-scanner Description: OSV-Scanner V2 by Google scans deps + containers against OSV.dev. Free CLI, guided remediation, layer-aware container scans. 20+ ecosystems. OSV-Scanner is Google's free, open-source vulnerability scanner for open-source dependencies. It queries the [OSV.dev](https://osv.dev/) database, the largest aggregated source of open-source vulnerability data, covering dozens of ecosystems with normalized advisory information from NVD, GitHub Advisories, and ecosystem-specific sources. With the [Synopsys 2024 OSSRA report](https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html) finding that 96% of commercial codebases contain open-source components, free tooling like OSV-Scanner makes baseline [SCA](/sca-tools/what-is-sca) accessible to every team. Version 2.0, released in March 2025, transformed OSV-Scanner from a basic dependency checker into a full remediation tool with container image scanning, guided upgrade recommendations, and interactive HTML reports. The project has over 6,000 GitHub stars and is written in Go. The latest release, [v2.3.5](https://github.com/google/osv-scanner/releases/tag/v2.3.5) (March 2026), enables transitive scanning for Python `requirements.txt` files using the deps.dev API, giving Python projects visibility into vulnerabilities hiding in indirect dependencies. ## What is OSV-Scanner? OSV-Scanner reads your project's manifest and lockfiles, identifies every dependency in the tree, and checks each one against the OSV.dev database. Unlike databases that rely solely on CVE identifiers, OSV.dev normalizes advisories across ecosystems so a single vulnerability affecting multiple package managers is tracked consistently. The scanner goes beyond detection. Its guided remediation engine analyzes your dependency graph and recommends the minimum set of upgrades needed to resolve vulnerabilities, ranked by factors like dependency depth, severity, and return on investment. Guided Remediation:::Analyzes your dependency graph and recommends prioritized upgrade paths. Considers dependency depth, severity, fix strategy, and ROI to suggest the minimum changes needed. Supports npm and Maven pom.xml. ||| Container Scanning:::Layer-aware scanning for Debian, Ubuntu, and Alpine images. Shows which layer introduced each package, identifies the base image, and filters vulnerabilities unlikely to affect the container. ||| OSV.dev Database:::The largest open-source vulnerability database, aggregating advisories from NVD, GitHub, PyPI, RubyGems, Go, Rust, and dozens more sources into a normalized, machine-readable format. ## What are OSV-Scanner's key features? ### Guided remediation This is OSV-Scanner's standout feature. Rather than dumping a list of CVEs and leaving you to figure out what to upgrade, it calculates the optimal set of dependency upgrades. The engine considers: - **Dependency depth** -- Direct dependencies are easier to upgrade than transitive ones - **Severity** -- Critical and high findings get priority - **Fix strategy** -- Whether to use in-place upgrades or relaxed constraints - **Return on investment** [...truncated for length...] --- # Oversecured URL: https://appsecsanta.com/oversecured Description: Oversecured reports 99.8% detection accuracy with 3% false positives (vendor-reported). Covers 175+ Android and 85+ iOS vulnerability categories in under 5 minutes. Oversecured is an automated mobile application security scanner built specifically for Android and iOS. It runs both static (SAST) and dynamic (DAST) analysis against uploaded app binaries, covering over 260 vulnerability categories combined. The scanner reports 99.8% detection accuracy with a 3% false positive rate (vendor-reported). No source code is required — you upload the compiled binary (APK, IPA, or AAB) and get results back with highlighted code, exact file paths, and remediation guidance. These accuracy and false-positive numbers — 99.8% detection, 3% false-positive rate, sub-five-minute scans, 175+ Android and 85+ iOS vulnerability categories — are self-reported by Oversecured and have not been independently audited by AppSec Santa. They line up with public case studies (Mercari, Samsung's vulnerability program, the CNN feature) but the underlying test corpus is not published. Oversecured ranked #1 in Samsung's mobile vulnerability detection program and was featured in a CNN investigation about Android app security. Clients include Mercari (Japan's largest marketplace app), Google, VMware, and Kavak.com. ## What is Oversecured? Oversecured was built from scratch for mobile security testing, not adapted from web or general-purpose scanners. That matters because mobile apps have platform-specific attack surfaces — broadcast receivers on Android, URL schemes on iOS, WebView bridge interactions — that general tools tend to miss or misclassify. The scanner works without source code access. Upload an APK, AAB, or IPA file through the web portal or API, and Oversecured decompiles the binary and runs both static and dynamic analysis against it. Results come back with the affected code highlighted, exact file paths, and working proof-of-concept exploits where applicable. SAST + DAST Dual Engine:::Combines static code analysis with dynamic runtime testing to catch vulnerabilities that single-technique scanners miss. ||| 260+ Vulnerability Categories:::175+ Android-specific and 85+ iOS-specific categories, updated weekly with new detection rules. ||| No Source Code Needed:::Upload compiled binaries directly. The scanner decompiles and analyzes without requiring access to your repository. ## What are Oversecured's key features? | Feature | Details | | -------------------- | --------------------------------------- | | Analysis Type | SAST + DAST dual engine | | Android Categories | 175+ vulnerability types | | iOS Categories | 85+ vulnerability types | | Detection Accuracy | 99.8% (vendor-reported) | | False Positive Rate | ~3% | | Scan Speed | Under 5 minutes average | | Source Code Required | No (binary upload) | | Supported Formats | APK, AAB, IPA | | Cross-Platform | React Native, Flutter, Xamarin [...truncated for length...] --- # OWASP Dependency-Check URL: https://appsecsanta.com/owasp-dependency-check Description: OWASP Dependency-Check identifies vulnerabilities using NVD with Maven, Gradle, npm, and pip support. Free OWASP flagship project. Current version 12.2.0. OWASP Dependency-Check is one of the oldest and most widely used open-source [SCA tools](/sca-tools). As an OWASP Flagship Project, it addresses the OWASP Top 10's A06:2021 "Vulnerable and Outdated Components" category directly. With 7.4k GitHub stars, 290+ contributors, and 82+ releases, it has been a go-to free option for identifying known vulnerabilities in project dependencies. The tool checks your dependencies against the National Vulnerability Database (NVD) using CPE (Common Platform Enumeration) matching. It runs as a CLI tool, Maven plugin, Gradle plugin, Ant task, or Jenkins plugin. The current version is 12.2.1 (April 2025). ## What is OWASP Dependency-Check? Dependency-Check scans project dependencies and matches them against NVD entries to find known CVEs. It supports Java (Maven, Gradle), .NET (NuGet), JavaScript (npm), Python (pip), Ruby (Bundler), and Go modules. It also pulls data from NPM Audit, Sonatype OSS Index, and RetireJS for additional coverage. NVD Integration:::Matches dependencies against the National Vulnerability Database using CPE identification. Supports offline mode and regular database updates. An NVD API key speeds up updates significantly. ||| Build Tool Plugins:::Native plugins for Maven, Gradle, and Ant integrate directly into your build process. Fail builds when vulnerabilities exceed your CVSS threshold. ||| Multiple Report Formats:::Generates reports in HTML, JSON, XML, CSV, SARIF, and JUnit format. SARIF output integrates with GitHub's security dashboard. ## What are OWASP Dependency-Check's key features? | Feature | Details | | ----------------------- | ---------------------------------------------------------- | | Current version | 12.2.0 | | License | Apache 2.0 (OWASP Flagship Project) | | Vulnerability source | NVD (CPE matching) + NPM Audit + OSS Index + RetireJS | | Build plugins | Maven, Gradle, Ant (native); SBT, Leiningen (community) | | CI/CD | Jenkins plugin, GitHub Actions, Azure DevOps extension | | Report formats | HTML, JSON, XML, CSV, SARIF, JUnit | | Installation | CLI (ZIP), Maven, Gradle, Homebrew, Docker | | False positive handling | XML suppression files with CVE, CPE, and component filters | | Offline scanning | Cached NVD database for air-gapped environments | ### SBOM output and license scope Dependency-Check produces HTML, JSON, XML, CSV, SARIF, and JUnit reports. SARIF output imports directly into GitHub's code-scanning alerts, which is how most GitHub Actions workflows surface findings on pull requests. An experimental CycloneDX report format exists in the engine, but the primary outputs are vulnerability reports rather than signed SBOMs — teams wanting strict SPDX or CycloneDX SBOM work [...truncated for length...] --- # OX Security URL: https://appsecsanta.com/ox-security Description: OX Security introduced Active ASPM with VibeSec AI and Pipeline Bill of Materials. Achieves up to 97% security debt reduction with real-time enforcement. OX Security introduced Active ASPM, moving past passive aggregation to autonomous posture management. VibeSec, their AI-driven security agent, continuously enforces security policies within CI/CD pipelines. Their Pipeline Bill of Materials (PBOM) tracks full software lineage from code to deployment. The company also created the OSC&R framework in collaboration with security experts from Google, Microsoft, and GitLab — an ATT&CK-like model for describing software supply chain threats. ## What is OX Security? Most [ASPM](/aspm-tools) platforms collect vulnerabilities and display them. OX Security goes further by actively monitoring the development pipeline and blocking risky deployments before they reach production. Active ASPM:::Real-time pipeline monitoring, automatic policy enforcement, and deployment blocking. Prevents vulnerabilities from reaching production rather than just tracking them after the fact. ||| PBOM:::Pipeline Bill of Materials captures the entire build process — source components, pipeline configs, CI/CD tool versions, artifact signatures, deployment targets, and developer identities. Goes well beyond standard SBOM. ||| VibeSec AI:::Analyzes code patterns for vulnerability context, assesses exploitability based on architecture, correlates findings across tools, and generates remediation guidance tailored to your codebase. OX Security reports up to 97% reduction in security debt for organizations using the platform. ## What are OX Security's key features? ### Active ASPM The "active" part distinguishes OX Security from most competitors: | Action | How it works | | --------------------- | ----------------------------------------------------------------------------- | | Real-time monitoring | Watches pipeline activity and detects policy violations as they occur | | Deployment blocking | Prevents risky builds from reaching production based on configurable policies | | Automated remediation | Triggers fix workflows and routes findings to the right teams | | Anomaly detection | Alerts on unusual pipeline behavior that could indicate compromise | Traditional ASPM platforms ingest findings and present dashboards. Active ASPM intercepts the pipeline and takes action: blocking a deployment that fails policy, triggering a scan when a high-risk change is detected, or routing a finding to the right team automatically. ### Pipeline Bill of Materials PBOM captures the full software delivery chain: | What PBOM records | Why it matters | | --------------------------------------- | --------------------------------- | | Source code components and dependencies | Standard SBOM coverage | | Build pipeline configurations | Detect pipeline injection risks | | CI/CD tool versions and plugins | Track build environment integrity | | Artifact signatures [...truncated for length...] --- # Parasoft URL: https://appsecsanta.com/parasoft Description: Parasoft review — 35+ year compliance-focused SAST with TUV-certified tools for DO-178C, ISO 26262, IEC 62304, MISRA. C/C++test, Jtest, dotTEST compared. Parasoft is a compliance-focused [static application security testing (SAST)](/sast-tools) vendor that has shipped automated testing and static analysis tools since 1987, making it one of the longest-running companies in the SAST market. Based in Monrovia, California, Parasoft offers three language-specific products — C/C++test, Jtest, and dotTEST — each combining static analysis, unit testing, and code coverage in a single package. Where Parasoft stands out from most SAST tools is its deep focus on safety-critical industries. Parasoft supports over 2,500 built-in static analysis rules and is one of only a handful of SAST vendors with TUV SUD certification for ISO 26262 and IEC 61508. Unlike general-purpose SAST tools like [Checkmarx](/checkmarx) or [Semgrep](/semgrep), Parasoft ships with tool qualification kits for DO-178C (aerospace), IEC 62304 (medical devices), and EN 50128 (rail) — building its entire workflow around compliance documentation for safety-critical software development. ## Product Screenshots Parasoft DTP Report Center — centralized dashboard with drag-and-drop widgets for requirements traceability, test coverage, violations, and code quality metrics. Source: parasoft.com Parasoft C/C++test running inside Eclipse IDE — violation list with severity classification, source code view, and detailed rule explanations. Source: parasoft.com Parasoft C/C++test functional safety compliance workflow — MISRA rule checking with code coverage overlay and compliance evidence generation. Source: parasoft.com ## Overview Parasoft was founded in 1987, originally commercializing parallel computing research from Caltech. During the 1990s, the company pivoted to software testing automation, starting with runtime error detection for C/C++ (Insure++) and expanding to static analysis, unit test generation, and API testing. Today Parasoft offers a suite of products that span the software testing lifecycle: - **C/C++test** — Static analysis and unit testing for C and C++ (the flagship for safety-critical) - **Jtest** — Static analysis, unit test generation, and code coverage for Java - **dotTEST** — Static analysis for C# and .NET applications - **SOAtest** — API testing and service virtualization - **DTP** — Development Testing Platform for centralized reporting and analytics - **Insure++** — Runtime memory debugging for C/C++ 2,500+ Static Analysis Rules:::Built-in checkers covering MISRA, AUTOSAR C++14, CERT, CWE, OWASP, JSF, and Effective C++. Three tunable analysis modes (Fast, Standard, and Aggressive) let teams balance scan speed against analysis depth. ||| TUV SUD Certified:::C/C++test is certified by TUV SUD for ISO 26262 and IEC 61508 compliance. Qualification kits automate documentation for DO-178C (DAL-A), IEC 62304, EN 50128, and ISO 21434. ||| Unified Testing Platform:::Each product bundles static analysis, unit testing, and code coverage into one tool. The DTP dashboard aggregates results across projects for compliance r [...truncated for length...] --- # Pentest Tools URL: https://appsecsanta.com/pentest-tools Description: Independent Pentest-Tools.com review. 20+ tools (Nmap, OpenVAS, WPScan, SQLMap) in one cloud platform. Pentest Robots automate workflows. Where it shines. Pentest-Tools.com is a cloud-based penetration testing platform that bundles 20+ security tools into a single web interface. Reconnaissance, vulnerability scanning, exploitation, and reporting without installing anything locally. The platform wraps well-known open-source tools (Nmap, OpenVAS, WPScan, SQLMap, ZAP) in a managed cloud environment and adds automation through what it calls Pentest Robots. | Feature | Details | | --------------- | ----------------------------------------------------------------------- | | Deployment | Cloud SaaS | | Tool count | 20+ integrated tools | | Recon tools | Subdomain discovery, port scanning (Nmap), Google dorking, DNS analysis | | Web scanners | SQLi, XSS, command injection, directory traversal | | CMS scanners | WordPress (WPScan), Drupal, Joomla, SharePoint | | Network scanner | OpenVAS | | Exploitation | SQLMap, Sniper auto-exploiter, XSS PoC generator | | Automation | Pentest Robots (chained tool workflows) | | Reports | Customizable DOCX templates | | SSL/TLS | POODLE, Heartbleed, ROBOT detection | ## What is Pentest-Tools.com? According to the OWASP Testing Guide, a thorough web security assessment involves reconnaissance, vulnerability scanning, and exploitation in sequence. The platform aims to replace the workflow of switching between a dozen different CLI tools during a penetration test. You add a target, pick the tools you need, and run them from a browser. Results aggregate in one place, and you can generate a report when done. It is not a single-purpose [DAST tool](/dast-tools). It is closer to a pentest workbench that includes DAST capabilities alongside network scanning, recon, and exploitation features. Pentest-Tools.com targets security consultants and pentest teams who want cloud-hosted tooling without managing their own infrastructure. If you already have Nmap, OpenVAS, and WPScan set up locally, the main value-add is the unified interface, automation, and report generation. ## What are Pentest Tools's key features? Reconnaissance Suite:::Google dorking, subdomain discovery, domain association, virtual host discovery, port scanning via Nmap, and web technology detection. Maps the target's attack surface before you start scanning. ||| Web Vulnerability Scanning:::Tests for SQL injection, XSS, OS command injection, and directory traversal. Uses ML-based classification to reduce false positives. Dedicated XSS scanner powered by OWASP ZAP. ||| CMS Vulnerability Scanning:::WordPress scanning via WPScan, plus dedicated [...truncated for length...] --- # Phoenix Security URL: https://appsecsanta.com/phoenix-security Description: Phoenix Security is a threat-centric ASPM platform that auto-assigns findings to repo owners, validates exploitability, and ships AI-generated PR fixes. Phoenix Security is a threat-centric [ASPM](/aspm-tools) platform that connects vulnerability findings across the SDLC with ownership attribution, exploitability validation, and AI-generated remediation pull requests. ## What is Phoenix Security? Most ASPM tools stop at producing a prioritized list. Phoenix Security explicitly positions itself one step further — closing the loop between "this is risky" and "here is the pull request that fixes it." The platform's tagline captures the angle: **"Security from generation to remediation."** The implicit critique of the rest of the category is sharp — Phoenix's marketing line _"Prioritization without attribution & remediation is just a nicer spreadsheet"_ tells you exactly which problem the team is trying to solve. ## Three pillars Threat-centric prioritization:::Combines CISA KEV (known-exploited vulnerabilities), EPSS scoring, reachability analysis, and runtime exposure to rank issues by what an attacker would actually use, not by raw CVSS severity. ||| Ownership attribution:::Automatically assigns each finding to the specific repository or asset owner. Eliminates the shared backlog where "every ticket is everyone's, so it's no one's." ||| Agentic remediation:::AI agents generate remediation pull requests directly against the affected repos. A human reviews and merges — Phoenix does not auto-merge — but the burden of writing the fix shifts to the platform. ## Vulnerability intelligence sources Phoenix layers in vulnerability intelligence beyond scanner outputs: | Source | What it adds | | ----------------- | ----------------------------------------------------------------------------------- | | CISA KEV | Vulnerabilities with confirmed in-the-wild exploitation | | EPSS | Exploit Prediction Scoring System — probability of exploitation in the next 30 days | | OWASP Top 10 | Web application risk taxonomy alignment | | CWE | Weakness categorisation for grouping similar issues | | Zero-day tracking | Active monitoring of disclosed but unpatched issues | | Reachability data | Whether vulnerable code is actually called from production entry points | ## Leadership and advisory | Role | Person | Background | | ---------------- | ---------------------------------------------- | ------------------------------------------------------------------------- | | CEO | Francesco Cipollone | Long-time AppSec entrepreneur | | CTO | Alfonso Eusebio | International engineering leadership across Telefónica, IB [...truncated for length...] --- # PHPStan URL: https://appsecsanta.com/phpstan Description: PHPStan finds bugs in PHP code without running it. 10 analysis levels let you adopt gradually. Free open-source core, plus extensions for Laravel and Symfony. PHPStan is a free, open-source PHP static analysis tool that finds bugs in PHP code without running it. As a [SAST](/sast-tools) tool created by Ondrej Mirtes and licensed under MIT, PHPStan has 13,900+ GitHub stars and is the most widely adopted static analyzer in the PHP ecosystem. > **Releases — 2.1.48 / 2.1.49 / 2.1.50 (April 15–17, 2026):** Three patches shipped in three consecutive days. They fix regressions introduced in the 2.1 series: type narrowing with large union types, promoted property read handling, and scope typing on enum cases. The new `phpstan bisect` command from 2.1.47 is in active use — the fast patch cadence is a direct result. If you pin PHPStan and saw a regression between 2.1.40 and 2.1.47, 2.1.50 is the fix. PHPStan reads your PHP source code and PHPDoc annotations, infers types throughout your application, and reports errors where the types don't match up — undefined methods, wrong argument types, missing return values, and more. The reason PHPStan actually gets adopted is its **11 progressive analysis levels (0-10)**. Instead of dumping thousands of errors on you the first time you run it, PHPStan lets you start at Level 0 (basic checks) and gradually increase strictness as your codebase improves. Teams can adopt it incrementally, which is why it sticks where other static analysis tools get abandoned after the first run. | Feature | Details | |---------|---------| | Creator | Ondrej Mirtes | | License | MIT (free, open-source) | | Language | PHP only | | Analysis levels | 11 (Level 0 through Level 10) | | Latest version | PHPStan 2.0 (50-70% memory reduction, up to 3x faster) | | PHPStan Pro | 7 EUR/month individual, 70 EUR/month team (up to 25 members) | | Config format | NEON (phpstan.neon) | | Framework support | Laravel (Larastan), Symfony, Doctrine, PHPUnit, Nette | | Plugin ecosystem | 200+ community extensions | | GitHub stars | 13,900+ | ## Overview PHPStan performs static type analysis on PHP code. It doesn't execute your application — it reads the source files, builds a type model, and checks for inconsistencies. The analysis covers everything from basic errors (calling undefined methods, accessing properties that don't exist) to advanced type safety issues (mixed type leaks, generic type violations, nullable mishandling). PHPStan 2.0, released in November 2024, brought significant improvements: a new Level 10 for stricter mixed type checking, dedicated list type support, and a 50-70% reduction in memory consumption on large projects. PHPStan 2.0 analysis runs up to 3x faster on large codebases — for example, PrestaShop analysis dropped from 9 minutes to 3 minutes. It integrates with every major PHP framework through official and community extensions, backed by a large plugin ecosystem. 11 Analysis Levels:::Start at Level 0 (basic checks) and work your way up to Level 10 (strict mixed type analysis). Each level adds more checks without changing previous ones. Adopt at your own pace. ||| Framework E [...truncated for length...] --- # PMD URL: https://appsecsanta.com/pmd Description: PMD is a free source code analyzer with 400+ rules for Java, Apex, Kotlin, and more. Includes CPD for duplicate detection. BSD-licensed. 5,300+ GitHub stars. PMD is an open-source [SAST](/sast-tools) tool that scans source code for common programming flaws, including potential bugs, dead code, and security vulnerabilities. With over 5,300 GitHub stars and 312 contributors, it's one of the most mature code analysis projects in the Java ecosystem. Originally built for Java, PMD now supports 16 languages for rule-based analysis and ships with CPD (Copy/Paste Detector) for finding duplicated code across 33+ languages. 400+ Built-in Rules:::Java has 294 rules alone, with Apex at 69, PL/SQL at 22, and JavaScript at 18. Rules cover code style, design, error-prone patterns, performance, and security. ||| CPD (Copy/Paste Detector):::Finds duplicated code across 33+ languages using the Karp-Rabin string matching algorithm. Supports configurable token thresholds and can ignore comments, literals, and identifiers. ||| Custom XPath & Java Rules:::Write rules as XPath expressions against the AST for quick checks, or implement Java classes for complex analysis logic. Organizations can encode their specific standards into automated checks. PMD CPD finds duplicated blocks by token count — here catching a 23-line validation method copied between UserService and AdminService. ## What is PMD? PMD analyzes source code without executing it, applying configurable rules to identify problematic patterns. According to NIST's Software Assurance guidelines, static analysis tools that detect coding standard violations contribute to reducing security vulnerabilities in production code. PMD earned its reputation in the Java community for catching issues that compilers miss but that lead to bugs, maintainability problems, or security vulnerabilities in production. The name PMD does not officially stand for anything, though the community has proposed various backronyms including "Programming Mistake Detector." The latest version is 7.21.0, released January 30, 2026. PMD is used by Salesforce Code Analyzer as a core analysis engine for Apex development, making it the de facto standard for Salesforce security and code quality analysis. Salesforce also ships a custom variant called `pmd-appexchange` for AppExchange security review. ## Language support PMD supports 16 languages for rule-based analysis, with the bulk of rules targeting Java: | Language | Rule Count | Notes | |----------|-----------|-------| | Java | ~294 | Across 8 categories (best practices, code style, design, documentation, error prone, multithreading, performance, security) | | Salesforce Apex | 69 | 7 categories | | PL/SQL | 22 | 5 categories | | JavaScript | 18 | 4 categories (ECMAScript) | | Swift | 4 | 2 categories | | Kotlin | 2 | 2 categories | | XML | 2 | 2 categories | | Scala | 0 | Language supported but no built-in rules yet | Additional languages with rules: Visualforce, HTML, JSP, XSL, Modelica, Maven POM, Velocity Template Language (VTL), and WSDL. CPD supports 33+ languages for duplicate detection, including C/C++, C#, Go, Python, Ruby, [...truncated for length...] --- # Prisma Cloud URL: https://appsecsanta.com/prisma-cloud Description: Prisma Cloud by Palo Alto Networks is a CNAPP covering CSPM, CWPP, CIEM, DSPM, and code security. Built on open-source Checkov for IaC scanning. Prisma Cloud is Palo Alto Networks' [IaC security](/iac-security-tools) and CNAPP platform. It covers cloud security posture management, workload protection, entitlement management, data security, and code security across AWS, Azure, GCP, OCI, Alibaba Cloud, and IBM Cloud. The platform's code security module is built on Checkov, the open-source IaC scanner from Bridgecrew (acquired by Palo Alto in 2021). Checkov has been downloaded over 2 million times. Note: Palo Alto Networks is merging Prisma Cloud with Cortex CDR to create Cortex Cloud. The new platform became available in Q3 FY25 (late 2025). Existing Prisma Cloud customers are being transitioned with all capabilities preserved. > **Where Prisma Cloud lives on AppSec Santa.** Prisma Cloud is Palo Alto Networks' CNAPP — its primary scope is cloud security posture, runtime workload protection, and cloud detection-and-response. AppSec Santa covers it for its IaC scanning surface (Checkov-powered, since the [Checkov](/checkov) acquisition), which is why it sits under [IaC Security](/iac-security-tools). Broader CNAPP/CSPM/CWPP comparisons that don't touch application code are out of scope here; for those, refer to the vendor's own [Prisma Cloud documentation](https://www.paloaltonetworks.com/prisma/cloud). ## What is Prisma Cloud? Prisma Cloud Enterprise Edition is a unified CNAPP that bundles CSPM, CWPP, CIEM, DSPM, code security, cloud network security, and web application/API security into a single platform. Rather than buying separate tools for each discipline, teams get a consolidated view of cloud risk. The platform connects to cloud provider APIs to scan configurations, workloads, entitlements, and code. It maps relationships across resources, identities, and vulnerabilities to prioritize the issues that actually matter in your environment. Code Security:::IaC scanning built on Checkov covers Terraform, CloudFormation, Kubernetes, Helm, ARM, and Serverless Framework. Includes SCA and secrets detection in CI/CD pipelines. ||| CSPM:::Continuous monitoring of cloud configurations against 100+ compliance frameworks including CIS, PCI-DSS, HIPAA, and NIST. Detects exposed storage buckets, overly permissive IAM roles, and disabled logging. ||| CWPP:::Protects IaaS, PaaS, FaaS, and container workloads at runtime. Covers vulnerability management, compliance, and runtime defense. ## What are Prisma Cloud's key features? | Module | Details | | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | | CSPM | Configuration monitoring across AWS, Azure, GCP, OCI, Alibaba, IBM. 100+ compliance frameworks including [CIS](https://www.cisecurity.org/cis-benchmarks). | | CWPP | Workload protection for VMs, contai [...truncated for length...] --- # Protecto URL: https://appsecsanta.com/protecto Description: Protecto provides context-preserving security for AI agents and LLMs. 99.9% PII/PHI detection accuracy, CBAC access control, HIPAA/GDPR compliant. 200+ data types. Protecto is a data security and privacy platform for AI agents and LLMs that detects, masks, and controls access to sensitive information (PII, PHI, confidential data) across 200+ data types in 50+ languages with 99.9% claimed detection accuracy. It is listed in the [AI security](/ai-security-tools) category. The platform sits between enterprise data and AI systems, detecting, masking, and controlling sensitive information access across AI interactions. What sets Protecto apart is context-based access control — making dynamic access decisions at the moment an AI agent requests data, not through static role assignments. Protecto became available on Google Cloud Marketplace in March 2026, and reports protecting over 1 million AI interactions with zero data breaches across more than 3,000 companies. Customers include Inovalon, Automation Anywhere, Ivanti, Bank of Muscat, and Nokia. ## What is Protecto? Protecto tackles a specific problem in enterprise AI: sensitive data moves with AI context, and traditional security tools were not built for this. When an AI agent processes a customer query, it may access databases containing PII, PHI, financial records, and proprietary information. Protecto detects, masks, or controls that sensitive data based on who is asking, why, and in what context. The key technical feature is format-preserving tokenization. When Protecto masks sensitive data, it keeps the semantic structure intact so AI models can still reason over the protected content. A masked social security number still looks like a number in the right format; a masked name still sits in the right position in a sentence. This avoids the accuracy degradation that simpler masking approaches cause. Three products cover different aspects of AI data security: Privacy Vault scans, masks, and stores sensitive data; GPTGuard protects generative AI pipelines with masking and content filtering; and CBAC provides context-based access control for AI agents. Context-Based Access Control:::Dynamic access decisions at inference time. Unlike static RBAC, CBAC evaluates who is asking, their role, the operational context, and the data sensitivity level at the moment the agent requests information. Integrates with Active Directory and Okta. ||| Format-Preserving Tokenization:::Masks sensitive data while maintaining semantic integrity. Protected values retain their format and contextual meaning, so AI models produce accurate results without ever seeing raw PII, PHI, or confidential data. ||| 200+ Data Type Detection:::Automatically detects PII, PHI, and business-confidential data across 200+ data types in 50+ languages. Supports custom entity definitions for organization-specific sensitive information. ## What are Protecto's key features? | Feature | Details | | ---------------- | ----------------------------------------------------------------------------- | | Data Detection | PII, PH [...truncated for length...] --- # Psalm URL: https://appsecsanta.com/psalm Description: Psalm is a free PHP static analysis tool by Vimeo with built-in taint analysis for SQL injection, XSS, and command injection. Catches type errors too. Psalm is a free, open-source PHP static analysis tool that detects both type errors and security vulnerabilities through built-in taint analysis. As a [SAST](/sast-tools) tool originally built by Matt Brown at Vimeo and now maintained by Daniil Gentili, Psalm has 5,800+ GitHub stars and is licensed under MIT. What separates Psalm from other PHP analyzers is its **built-in taint analysis** for detecting SQL injection, XSS, and command injection. Most PHP analyzers focus on type correctness. Psalm goes further: it tracks user-controlled data from input sources (`$_GET`, `$_POST`, `$_COOKIE`) through your application to dangerous sinks (database queries, HTML output, shell commands). If tainted data reaches a sink without sanitization, Psalm flags it as a security vulnerability. Psalm is one of the few free tools that combines PHP type analysis with actual security vulnerability detection, covering SQL injection, cross-site scripting (XSS), command injection, and more — a capability that [PHPStan](/phpstan), the other major PHP analyzer, does not offer. | Feature | Details | |---------|---------| | Original author | Matt Brown (Vimeo) | | Current maintainer | Daniil Gentili | | License | MIT (completely free, no paid tier) | | Language | PHP only | | Error levels | 8 (Level 1 = strictest, Level 8 = most lenient) | | Security analysis | Built-in taint tracking (SQL injection, XSS, command injection, SSRF) | | Auto-fixer | Psalter (adds type annotations, fixes common issues) | | Config format | XML (psalm.xml) | | Output formats | Text, JSON, SARIF (GitHub code scanning), checkstyle, JUnit | | Framework plugins | Laravel, Symfony, PHPUnit | | GitHub stars | 5,800+ | ## Overview Psalm performs two kinds of analysis on PHP code: **Type analysis** checks for type errors, undefined methods, wrong argument types, missing return values, and other correctness issues. This is similar to what [PHPStan](/phpstan) does, though Psalm's type inference takes a slightly more conservative approach that catches certain edge cases. **Taint analysis** (security analysis) tracks the flow of user-controlled data through your application. Psalm builds a data flow graph from sources to sinks, identifying paths where untrusted data can reach dangerous operations. It traces data across function calls, through assignments, and into method parameters -- not just surface-level pattern matching. Both analyses run on the same codebase in a single pass. You can enable taint analysis with the `--taint-analysis` flag. Taint Analysis:::Tracks user input from $_GET, $_POST, $_COOKIE to dangerous sinks. Detects SQL injection, XSS, command injection, and more. Define custom sources, sinks, and sanitizers. ||| 8 Error Levels:::Level 1 (strictest) to Level 8 (most lenient). Default is Level 2. Start lenient on existing projects and tighten over time. Baseline files let you ignore legacy issues. ||| Type-Safe PHP:::Advanced type inference with generics, conditional return types, u [...truncated for length...] --- # PT Application Inspector URL: https://appsecsanta.com/pt-application-inspector Description: PT Application Inspector combines SAST, DAST, IAST, and SCA in one tool. Automatic vulnerability verification with safe exploit generation. 15 languages. PT Application Inspector is a [SAST](/sast-tools) platform from Positive Technologies that combines SAST, DAST, IAST, and SCA in a single tool. It supports 15 programming languages and automatically generates safe exploit payloads to verify whether detected vulnerabilities are actually exploitable. Combined SAST+DAST+IAST+SCA:::Runs static analysis, dynamic testing, interactive testing, and software composition analysis from one platform. Results are correlated and deduplicated in a single dashboard. ||| Auto Vulnerability Verification:::Generates safe exploit payloads to confirm whether detected vulnerabilities are real. Verified issues get marked as confirmed; unexploitable findings get downgraded. ||| Data Flow Diagrams:::Produces interactive data flow diagrams for each vulnerability, showing how tainted input travels through the application to reach a dangerous sink. ## What is PT Application Inspector? PT Application Inspector (PT AI) takes a different approach from most SAST tools by integrating four testing methodologies into one platform. Instead of managing separate static, dynamic, and composition analysis tools, PT AI runs them together and correlates the results. The differentiator is automatic exploit generation. When static analysis finds a potential SQL injection or XSS vulnerability, PT AI constructs a safe test payload and executes it against the application. If the exploit succeeds, the vulnerability is marked as verified. If defenses block it, the finding is downgraded. Positive Technologies claims this reduces false positives without requiring manual triage. PT AI uses abstract interpretation technology for its SAST engine, which distinguishes it from pattern-matching-only tools. Version 5.2 (October 2025) introduced custom analysis rules via a JSA (Just Static Analyzer) DSL for describing code semantics. ## Sanctions and availability For most English-speaking readers this is the single most important fact about PT Application Inspector. Positive Technologies, the vendor, has been under United States sanctions since 2021 — which means that for US persons and entities the tool is, in practical terms, unavailable. In April 2021 the US Treasury's [Office of Foreign Assets Control (OFAC)](https://ofac.treasury.gov/) added Positive Technologies to its [Specially Designated Nationals (SDN) list](https://home.treasury.gov/news/press-releases/jy0127), citing support to Russian intelligence services. In November 2021 the US Department of Commerce's Bureau of Industry and Security added the company to the [Entity List](https://www.federalregister.gov/documents/2021/11/04/2021-24123/addition-of-certain-entities-to-the-entity-list-and-revision-of-entries-on-the-entity-list), restricting export, re-export, and in-country transfer of US-origin items. The combined effect: US persons cannot transact with Positive Technologies without OFAC authorization, and US-origin software, hardware, and technology cannot be supplied to the c [...truncated for length...] --- # PyRIT URL: https://appsecsanta.com/pyrit Description: PyRIT is Microsoft's open-source AI red teaming framework with 3.4k GitHub stars and 117 contributors. Supports multi-modal attacks, crescendo strategies. PyRIT (Python Risk Identification Tool) is an open-source [AI security](/ai-security-tools) red teaming framework built by Microsoft's AI Red Team. It has 3.4k GitHub stars, 661 forks, and 117 contributors. The framework is MIT licensed and requires Python 3.10-3.13. The latest release is v0.11.0 (February 2026). Microsoft built PyRIT based on their experience red teaming production AI systems including Bing Chat and Copilot. The project has a published paper on arXiv (2410.02828). ## What is PyRIT? PyRIT automates the repetitive parts of AI red teaming so security professionals can focus on creative attack strategies. It provides orchestrators that manage multi-turn conversations with AI targets, converters that transform prompts to bypass filters, scorers that evaluate whether attacks succeeded, and a memory system that tracks everything. The framework supports text, image, audio, and video modalities. You can test any AI system accessible via API, from OpenAI and Azure OpenAI to custom HTTP endpoints and browser-based targets via Playwright. PyRIT's architecture is modular. Each component (orchestrators, targets, converters, scorers, memory) can be swapped or extended independently, letting you build custom red teaming workflows for your specific needs. Attack Orchestration:::Multiple orchestrator types handle different attack patterns. Single-turn prompt sending, multi-turn red teaming, crescendo (gradually escalating) attacks, and Tree of Attacks with Pruning (TAP). ||| Multi-Modal Testing:::Test AI systems across text, image, audio, and video. Converters transform content between modalities. Target adapters handle different API formats consistently. ||| Memory and Scoring:::SQLite or Azure SQL backends store all prompts, responses, and metadata. Built-in scorers evaluate responses using rule-based checks, classification models, or LLM-as-judge approaches. ## What are PyRIT's key features? | Feature | Details | |---------|---------| | Orchestrators | Prompt sending (single-turn), red teaming (multi-turn), crescendo, Tree of Attacks with Pruning (TAP), XPIA, benchmarking | | Targets | OpenAI Chat/Responses/Image/Video/TTS, Azure ML, HuggingFace, custom HTTP/WebSocket, Playwright browser | | Converters | Text-to-text (Base64, ROT13, leetspeak, homoglyph, translation), audio, image, video, file converters, human-in-the-loop | | Scorers | Azure Content Safety API, true/false classification, Likert scale, refusal detection, human-in-the-loop, batch scoring | | Memory | SQLite (default), Azure SQL Database, labeling, export, embeddings | | Modalities | Text, image, audio, video | | Attack Types | Prompt injection, XPIA, crescendo, skeleton-key, many-shot jailbreak, role-play, multi-turn manipulation | | Python Support | 3.10-3.13 | | License | MIT | ### Orchestrators Orchestrators manage the flow of red teaming sessions. Each type handles a different attack pattern: - **Prompt Sending** — sends a batch of prompts in a single turn, use [...truncated for length...] --- # Qodana URL: https://appsecsanta.com/qodana Description: Qodana brings 3,000+ JetBrains IDE inspections to CI/CD pipelines. 60+ languages. Free Community tier. OWASP taint analysis. From $6/contributor/month. Qodana is a [SAST](/sast-tools) platform from JetBrains that brings 3,000+ IDE inspections into CI/CD pipelines. It runs the same analysis engines that power IntelliJ IDEA, PyCharm, WebStorm, and other JetBrains IDEs, supporting 60+ languages. The platform covers code quality, security vulnerabilities, and technical debt tracking. A free Community tier is available, with paid plans starting at $6 per active contributor per month. 3,000+ Inspections:::Runs the same inspections as JetBrains IDEs. What developers see in IntelliJ or PyCharm matches what Qodana flags in CI/CD — zero learning curve for JetBrains users. ||| Quality Gates & Baselines:::Fail builds when new issues exceed a threshold. Baselines separate pre-existing technical debt from new problems, enabling gradual improvement without blocking on legacy code. ||| OWASP Taint Analysis:::Traces untrusted input through code to detect SQL injection, XSS, command injection, and path traversal. Covers OWASP Top 10 categories A01, A03, A07, A08, and A10. Ultimate Plus tier. ## What is Qodana? Qodana extends JetBrains IDE inspections beyond individual developer workstations into automated CI/CD workflows. According to NIST's Secure Software Development Framework (SSDF), organizations should use automated tools consistently across all development environments to maximize vulnerability detection. Qodana achieves this by running the same analyses in CI/CD that developers see in their JetBrains IDEs, catching issues that might be missed or ignored during local development. Each language gets a specialized linter based on the corresponding JetBrains IDE: Qodana for JVM uses IntelliJ's engine, Qodana for Python uses PyCharm's, and so on. This means the same rules and the same accuracy in both places. The current version is 2025.3. There are 15 linters available, including 4 free Community linters (JVM Community, Python Community, .NET Community, Clang). ## How much does Qodana cost? Qodana uses a contributor-based pricing model. An "active contributor" is anyone who committed to a Qodana Cloud project in the past 90 days. | Tier | Price | Features | |------|-------|----------| | Community | Free | Java, Kotlin, Python, C#, C++, VB.NET. Limited linters and historical data. | | Ultimate | $6/contributor/month | All languages. Quality gates, baselines, code coverage, FlexInspect, Quick-Fix. 180 days historical data. | | Ultimate Plus | $15/contributor/month | Everything in Ultimate plus taint analysis, vulnerability checker, license audit, SSO, public API. Unlimited historical data. | Minimum 3 contributors for paid plans. 60-day free trial available for both paid tiers. ## What are Qodana's key features? ### Taint analysis (Ultimate Plus) Qodana traces potentially harmful data through your application to identify paths where untrusted input reaches sensitive operations without validation. The engine covers 700+ built-in taint configuration entries for common frameworks and libraries. Perfor [...truncated for length...] --- # Qualys WAS URL: https://appsecsanta.com/qualys-was Description: Independent Qualys WAS review. Cloud-native DAST with AI-optimized scans (96% detection rate) and TruRisk scoring. 370K+ apps scanned. Honest assessment. Qualys Web Application Scanning (WAS) is an enterprise cloud DAST platform built for organizations with large application portfolios. It has scanned 370,000+ web applications and APIs, detecting 25+ million vulnerabilities across its customer base. The platform is part of the Qualys Cloud Platform, which means web application findings correlate with infrastructure vulnerabilities, asset inventory, and policy compliance data in a single console. | Feature | Details | | --------------------- | ------------------------------------------------- | | Deployment | Cloud SaaS (scanner appliances for internal apps) | | Apps scanned | 370,000+ | | Vulnerabilities found | 25M+ | | AI detection rate | 96% | | Scan time reduction | Up to 80% with AI optimization | | Coverage | OWASP Top 10, API Security Top 10 | | API testing | REST, SOAP, OpenAPI v3 import | | Risk scoring | TruRisk (business context) | | Malware detection | Deep learning behavioral analysis | | PII detection | GDPR, HIPAA, PCI DSS sensitive data | ## What is Qualys WAS? Qualys WAS crawls web applications and APIs, sends crafted requests to probe for vulnerabilities, and reports findings with risk-based prioritization through TruRisk scoring. SQL injection, XSS, authentication flaws, misconfigurations — the standard [DAST tool](/dast-tools) detection set. According to the OWASP Top 10, injection flaws and security misconfiguration remain among the most prevalent web application risks, and Qualys maps its findings directly to these categories. What separates it from standalone DAST products is the platform integration. Qualys WAS findings sit alongside network vulnerability data, cloud security posture, and asset inventory information. For enterprise security teams that already use Qualys for infrastructure scanning, adding WAS means one fewer console to manage. For external applications, scanning runs entirely from the cloud. For internal applications behind firewalls, Qualys provides scanner appliances that execute locally and report back to the cloud platform. Qualys WAS is strongest when used alongside other Qualys modules. If you are not already in the Qualys ecosystem, the platform integration advantage disappears. Standalone DAST tools may offer better value for teams that only need web application scanning. ## What are Qualys WAS's key features? AI Scan Optimization:::Machine learning adapts crawling behavior to each application's architecture. Qualys reports 96% detection rate and up to 80% reduction in scan times compared to traditional sequential scanning. ||| TruRisk Scoring:::Risk scores that factor in vulne [...truncated for length...] --- # radare2 URL: https://appsecsanta.com/radare2 Description: radare2 is a free, open-source reverse engineering framework with 23k+ GitHub stars. Disassemble, debug, and analyze binaries across 60+ architectures. radare2 (r2) is a free, open-source reverse engineering framework for disassembling, debugging, and analyzing binaries across 60+ CPU architectures. With 23,300+ GitHub stars, it is the most architecturally versatile open-source binary analysis tool available. Created by pancake (Sergi Alvarez) in 2006, radare2 follows a UNIX philosophy: small, composable command-line tools instead of a monolithic application. This design makes r2 particularly good for scripting, automation, and fitting into analysis workflows where GUI tools like [Ghidra](/ghidra) add unnecessary overhead. **GitHub:** [radareorg/radare2](https://github.com/radareorg/radare2) | **Stars:** 23.2k | **Latest Release:** v6.1.0 (February 2026) | **License:** LGPL-3.0 The main difference between radare2 and [Ghidra](/ghidra) is the interface philosophy. Ghidra is the go-to for GUI-based reverse engineering with its built-in decompiler. radare2 lives in the terminal: quick analysis, scriptable automation via r2pipe, native debugging, and lightweight enough to run on constrained environments including Android and iOS devices themselves. In [mobile security](/mobile-security-tools), radare2 fills an important gap: it analyzes native libraries (.so and Mach-O files) that Java/Kotlin decompilers like [Jadx](/jadx) and resource tools like [Apktool](/apktool) cannot touch. | Feature | Details | |---------|---------| | Architectures | 60+ ISAs (x86, ARM, MIPS, RISC-V, PowerPC, SPARC, AVR, 6502, Z80, and more) | | Binary formats | ELF, PE, Mach-O, DEX, COFF, raw blobs, firmware images, disk dumps | | Scripting | r2pipe bindings for Python, JavaScript, Go, Rust, Ruby | | Debugging | Local and remote via GDB, WinDbg, QNX, Frida (r2frida plugin) | | Emulation | ESIL intermediate language for safe code analysis without execution | | GUI | iaito (Qt-based, optional) with graph views, hex editor, decompiler panels | | Toolsuite | r2, rabin2, rasm2, radiff2, rahash2, rafind2 | | Latest release | v6.1.0 (February 2026), 346 commits from 24 contributors | | Platforms | Linux, macOS, Windows, Android, iOS, FreeBSD, WebAssembly | | License | LGPL-3.0 (fully open source, no commercial tiers) | ## Overview radare2 is not a single tool but a suite of utilities built around a shared library (libr): - **r2** — The main binary analysis shell. Opens files, runs analysis, disassembles, debugs, and patches. - **rabin2** — Binary format inspector. Extracts metadata, imports, exports, strings, and sections from ELF, PE, Mach-O, DEX, and other formats. - **rasm2** — Assembler and disassembler. Converts between assembly and machine code for any supported architecture. - **radiff2** — Binary diffing tool. Compares two binaries at the byte, function, or graph level. - **rahash2** — Hashing utility. Computes checksums and cryptographic hashes of files or memory regions. - **rafind2** — Pattern search tool. Finds byte sequences, strings, and patterns across binaries. Each tool works independently or in combinatio [...truncated for length...] --- # Renovate URL: https://appsecsanta.com/renovate Description: Renovate automates dependency updates across 90+ package managers with custom scheduling, grouping, and automerge rules. Open-source AGPL-3.0. Renovate is an open-source dependency update tool with 20.7k GitHub stars, 1,489 contributors, and over 5,000 releases. It monitors repositories for outdated packages and creates pull requests to keep dependencies current. With support for over 90 package managers and highly flexible configuration, Renovate is the go-to [Dependabot](/dependabot) alternative for teams that need advanced scheduling, grouping, and automerge rules. It works on GitHub, GitLab, Bitbucket, Azure DevOps, and Gitea. Recent releases in the v43.65 cycle added Bazel module lock file support, closing a gap for teams managing Bazel-based monorepos. ## What is Renovate? Renovate scans your project files, detects [dependencies](/sca-tools/what-is-sca) across all supported package managers, and creates pull requests when updates are available. Each PR includes changelogs, compatibility information, and (optionally) merge confidence scores. The tool runs as a GitHub App (hosted by Mend for free), a self-hosted CLI, or a Docker container. Configuration lives in a `renovate.json` file in your repository root, and presets let you share settings across an organization. Renovate is a dependency-update-automation tool, not a vulnerability scanner — it opens PRs to bump versions; a paired Mend Renovate App or GitHub Security Advisories overlay adds the CVE/severity context when one is needed. 90+ Package Managers:::Supports npm, pip, Maven, Gradle, Cargo, Go modules, Composer, Bundler, Helm, Docker, Terraform, GitHub Actions, and 80+ more. Detects package files automatically and handles lockfile updates. ||| Merge Confidence:::Adds badges to PRs showing how likely an update is to break your build. Uses aggregated CI data from millions of updates across the Mend Renovate user base. ||| Regex Managers:::Define custom patterns to update versions in non-standard files (Dockerfiles, CI configs, Makefiles). If it has a version string, Renovate can probably update it. ## What are Renovate's key features? ### Package manager highlights | Category | Managers | |----------|----------| | JavaScript | npm, yarn, pnpm, Bun, Bower | | Python | pip, Poetry, Pipenv, uv, pip-compile | | Java/Kotlin | Maven, Gradle, sbt | | Go | Go modules | | .NET | NuGet | | Rust | Cargo | | PHP | Composer | | Ruby | Bundler | | Swift | CocoaPods, Swift PM | | Infrastructure | Docker, Helm, Terraform, Kubernetes | | CI/CD | GitHub Actions, GitLab CI, CircleCI, Azure Pipelines | | Custom | Regex managers for any version string | ### Scheduling and grouping Renovate supports scheduling beyond simple daily/weekly intervals. Use cron expressions, time windows, and timezone-aware scheduling. Group updates by package name patterns, dependency type (production vs. development), or semver level to reduce PR noise. ### Security updates When a CVE is published for a dependency, Renovate creates a pull request immediately, bypassing normal scheduling rules. The PR includes vulnerability details and severity ratings. S [...truncated for length...] --- # Revenera FlexNet Code Insight URL: https://appsecsanta.com/revenera-code-insight Description: Revenera FlexNet Code Insight scans 14M+ components for license compliance, IP risk assessment, and M&A due diligence workflows. Revenera FlexNet Code Insight is an enterprise [SCA platform](/sca-tools) focused on open-source [license compliance](/sca-tools/open-source-license-compliance), intellectual property protection, and M&A due diligence. While most SCA tools lead with security, Code Insight places equal weight on license compliance, making it the choice for organizations where licensing carries legal and financial consequences. The [Black Duck 2026 OSSRA report](https://www.blackduck.com/resources/analyst-reports/open-source-security-risk-analysis.html) found that 68% of audited codebases contained open-source license conflicts — the sharpest surge in the report's eleven-year history, illustrating why tools like Code Insight exist. The platform maintains a database of 14M+ open-source components with detailed license information. It goes beyond identification to provide guidance on license compatibility, attribution requirements, and obligations that may conflict with your business model. Deep code scanning catches copy-pasted snippets and embedded libraries that dependency-based tools miss. ## What is Revenera FlexNet Code Insight? Code Insight helps software vendors, M&A teams, and regulated enterprises understand what open-source components are in their software, what licenses govern use, and what security vulnerabilities they contain. Workflow features support collaboration between development, legal, and security teams. License Compliance:::Identifies licenses through declared files, embedded text, and headers. Analyzes obligations (attribution, source disclosure, patent grants), checks compatibility, and enforces policies. Handles dual-licensing and version-specific terms. ||| Deep Code Scanning:::Analyzes actual source code to find copy-pasted snippets, embedded libraries not in package managers, and code matching known open-source projects regardless of modification. Catches what dependency scanners miss. ||| IP Risk Assessment:::Identifies code from copyleft-licensed projects, detects potential IP contamination, flags code matching contested projects, and provides evidence for M&A due diligence. ## Revenera vs Flexera: what changed and what didn't Revenera is the Flexera-owned division that was rebranded in May 2020. It was not a spinoff or a separate company — Flexera restructured its operations into two divisions in 2018, and in 2020 the supplier-facing division serving technology and IoT companies took on the Revenera name. FlexNet Code Insight kept its FlexNet family name through the rebrand. Contracts signed under Flexera transitioned to Revenera without product-SKU changes, and legacy documentation still lives on `docs.revenera.com` alongside the parent-company materials at `flexera.com`. The Datasheet for FlexNet Code Insight is currently published at `resources.flexera.com` (parent domain) while the product page sits at `revenera.com` (division domain) — both references are correct. If a vendor sales pitch or Reddit thread calls it "Fle [...truncated for length...] --- # Salt Security URL: https://appsecsanta.com/salt-security Description: Salt Security's Illuminate platform discovers shadow and zombie APIs, detects BOLA and logic-based attacks with behavioral ML, and maps posture to PCI DSS. Salt Security is an [API security tools](/api-security-tools) platform that uses behavioral ML to discover APIs, detect logic-based attacks, and enforce posture governance across cloud environments. The platform — called Salt Illuminate — works by analyzing live API traffic without adding latency to the request path. I have [compared Salt head-to-head with 42Crunch](/api-security-tools/salt-security-vs-42crunch) for buyers weighing behavioral runtime against contract-first design, and [against Imperva API Security](/api-security-tools/imperva-api-vs-salt-security) for the WAF-extension comparison. Founded in 2016 and headquartered in Palo Alto, Salt was one of the first companies focused exclusively on API security. Co-founded by CEO Roey Eliyahu and COO Michael Nicosia. Enterprise customers include Alaska Airlines, Hyundai, Stryker, SoFi, Kingston Technology, and Standard Bank Group. ## What is Salt Security? Salt Security addresses a gap most security teams know about but struggle to close: you can't protect APIs you don't know exist. The platform combines API discovery, posture governance, and runtime threat detection under one product. Salt deploys agentlessly. Connect your cloud accounts, API gateways, or traffic mirrors, and the platform starts mapping your API landscape within minutes. No inline agents, no added request latency, no architecture changes required. Salt Illuminate Platform:::The core AI engine that powers discovery, posture analysis, and threat detection across all API traffic and cloud environments. ||| Agentless Deployment:::Connects to cloud environments (AWS, Azure, GCP), API gateways, and traffic sources without inline agents. Zero impact on request latency. ||| Behavioral Threat Detection:::Baselines normal API behavior over time and detects attacker intent through anomalies, not signatures. ## What are Salt Security's key features? | Feature | Details | | ------------------ | --------------------------------------------------------------------------------------------------------------------- | | API Discovery | Shadow, zombie, internal, external, and third-party APIs via traffic, cloud connectors, and external surface scanning | | Posture Governance | ~100 pre-loaded policy rules covering PCI DSS, HIPAA, GDPR, SOC 2, NIST, CMMC, FedRAMP | | Threat Detection | BOLA, credential stuffing, data exfiltration, account takeover, injection, API abuse | | Data Security | PII, PHI, and payment data tracking across API traffic in motion | | AI Agent Security | MCP Protect for MCP server monitoring, Agentic AI Governance controls, GitHub Connect for code-level MCP discovery | | Deployment | Cloud SaaS or on-premises, agentless with traffic mirroring [...truncated for length...] --- # SCANOSS URL: https://appsecsanta.com/scanoss Description: SCANOSS detects code snippets against 100M+ open-source files, catching vendored dependencies and copy-pasted code others miss. SCANOSS is a lightweight [SCA tool](/sca-tools) that detects open-source components by analyzing actual source code rather than just parsing manifest files. The Open Source Software Knowledge Base (OSSKB) contains fingerprints from 100M+ open-source files, enabling detection of vendored code, copy-pasted snippets, and embedded libraries that traditional dependency scanners miss. The [Synopsys 2024 OSSRA report](https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html) found that 53% of audited codebases contained license conflicts -- the kind of risk snippet-level scanning is built to catch. The Python scanner library is MIT licensed. SCANOSS runs scans locally using efficient fingerprinting algorithms, then queries the cloud database only for identified components. This architecture balances speed with comprehensive detection. ## What is SCANOSS? Most SCA tools parse manifest files like `package.json` or `pom.xml`. SCANOSS analyzes actual source files to find matches against millions of open-source projects. If a developer copied a function from Stack Overflow, vendored a library, or embedded code without attribution, SCANOSS catches it. Snippet Detection:::Detects code snippets embedded in source files, not just whole-file matches. If someone copied a function from an open-source project, SCANOSS identifies the source and associated license. ||| 100M+ File Knowledge Base:::The OSSKB contains fingerprints from over 100 million open-source files. Accurate identification even for partial code matches and modified code. ||| Cryptographic Detection:::Identifies cryptographic algorithms and implementations in your codebase. Helps with export compliance and security audits requiring cryptographic usage inventory. ## What are SCANOSS's key features? ### Detection methods | Method | What it finds | |--------|--------------| | File fingerprinting | Whole files matching known open-source projects | | Snippet detection | Partial code matches (copy-pasted functions, blocks) | | Dependency analysis | Components declared in package manifests | | Cryptographic detection | Crypto algorithms and implementations | | License detection | License text in files, headers, and comments | ### Output formats | Format | Use case | |--------|----------| | JSON | Programmatic analysis and CI integration | | SPDX JSON | Standard SBOM for compliance | | CycloneDX JSON | Standard SBOM for vulnerability tracking | | CSV | Spreadsheet analysis | | Raw | Detailed fingerprint results | ### Snippet detection Beyond whole-file matching, SCANOSS detects code snippets embedded in your source files. If a developer copied a function from Stack Overflow or an open-source project, the scanner identifies the source and associated license. This catches compliance issues that manifest-based tools overlook entirely. ### SBOM generation Generates SBOMs in SPDX and CycloneDX formats with component names, versions, licenses, [...truncated for length...] --- # Seeker IAST URL: https://appsecsanta.com/seeker-iast Description: Seeker IAST actively verifies vulnerabilities are exploitable before reporting. Tracks sensitive data for PCI DSS, GDPR, and HIPAA across 10+ languages. Seeker IAST instruments applications at runtime and actively verifies that detected vulnerabilities are actually exploitable before reporting them. It supports Java, .NET, Node.js, Go, Python, Ruby, PHP, and JVM languages like Scala, Kotlin, and Groovy. Originally developed by Synopsys, Seeker moved to Black Duck Software after [Clearlake Capital and Francisco Partners acquired the Software Integrity Group from Synopsys in 2024](https://news.synopsys.com/2024-05-06-Synopsys-Enters-Definitive-Agreement-to-Sell-its-Software-Integrity-Business-to-Clearlake-Capital-and-Francisco-Partners). The thing that actually differentiates it from most [IAST](/iast-tools) tools is active verification. Seeker doesn't just watch data flow. It generates safe payloads to confirm exploitability, and only verified findings make it into the report. ## What is Seeker IAST? Seeker deploys agents that instrument your application during testing. As requests move through your code, the agents observe execution paths, data flow, and configuration. When Seeker spots a potential vulnerability, it constructs safe exploit payloads to verify the issue is real. This patented active verification approach produces near-zero false positives. Seeker also tracks how sensitive data moves through your application, where personal information, credentials, and financial data get processed, stored, or transmitted. That makes it useful for compliance audits on top of security testing. Active Verification:::When a potential vulnerability is detected, Seeker generates safe exploit payloads to confirm exploitability. Only verified findings get reported, producing near-zero false positives. ||| Sensitive Data Tracking:::Tracks personal information, credentials, and financial data through application code. Maps where sensitive data is processed, stored, and transmitted for PCI DSS, GDPR, and HIPAA compliance. ||| Broad Language Support:::Covers Java, .NET, Node.js, Go, Python, Ruby, PHP, and JVM languages (Scala, Kotlin, Groovy). Supports REST, SOAP, GraphQL, and gRPC APIs. ## What are Seeker IAST's key features? | Feature | Details | |---------|---------| | Supported Languages | Java, .NET, Node.js, Go, Python, Ruby, PHP, Scala, Kotlin, Groovy | | Verification | Patented active verification with safe exploit payloads | | API Protocols | REST, SOAP, GraphQL, gRPC | | Compliance | OWASP Top 10, PCI DSS, GDPR, HIPAA, CWE/SANS Top 25 | | SIEM Integration | Splunk, IBM QRadar | | SCA Integration | Black Duck SCA for open-source vulnerability correlation | | Deployment | Requires separate Seeker enterprise server; runs on Windows and Linux | | Automation | REST API for CI/CD integration | ### Active vulnerability verification Where most IAST tools passively observe data flow and flag anything suspicious, Seeker takes it further. When it spots a potential SQL injection or XSS, it constructs safe payloads and sends them through the application to confirm the issue is genuinely exploitable. [...truncated for length...] --- # Seemplicity URL: https://appsecsanta.com/seemplicity Description: Seemplicity processes 1.5B findings daily with 80% reduction in manual remediation work. AI agents automate ticket routing, SLA tracking, and ownership. Seemplicity focuses on one thing: getting findings fixed. The [remediation operations](/aspm-tools) platform processes 1.5 billion findings daily and reports 80% reduction in manual remediation work. It doesn't scan code or aggregate dashboards — it automates the operational grind between detecting a vulnerability and closing the ticket. Headquartered in Tel Aviv with a San Jose office. Raised ~$80M in total funding. Recognized with the 2025 Intellyx Digital Innovator Award and multiple Global Infosec Awards. ## What is Seemplicity? Security teams spend most of their time on administrative work: deduplicating findings across scanners, figuring out who owns the affected code, creating Jira tickets, and chasing developers for updates. Seemplicity automates all of that. AI remediation agents:::Autonomously prioritize, orchestrate, and drive remediation across teams. Route findings to the right owners with full context and track progress against SLAs. ||| Finding correlation:::Consolidates the same vulnerability found by multiple scanners into one actionable item. Reduces scanner noise by 57% and prevents duplicate tickets. ||| Ownership resolution:::Maps findings to code owners automatically using SCM data. Handles team restructures and escalates unowned findings for triage. ||| SLA management:::Tracks remediation against defined targets with configurable escalation rules. Automated reminders, team lead alerts, and executive notifications at threshold percentages. ## What are Seemplicity's key features? ### AI-powered prioritization Seemplicity's AI analyzes findings to determine actual risk and remediation priority: | Factor | How it's used | | --------------------- | --------------------------------------------------------------------- | | Exploitability | Threat intelligence feeds identify actively exploited vulnerabilities | | Asset criticality | Business-critical applications get higher priority | | Exposure | Internet-facing vs. internal affects urgency | | Compensating controls | Existing protections lower effective risk | Priorities adjust dynamically as the threat landscape changes and new exploits are disclosed. ### Remediation workflow automation The platform automates the full remediation lifecycle: | Step | What happens | | ------------------ | ------------------------------------------------------------------------------------- | | Ticket creation | Creates tickets in Jira, ServiceNow, Azure DevOps, GitHub Issues, or Linear | | Context population | Populates tickets with vulnerability details, fix guidance, and related findings | | Deduplication | Links related findings into single actionable tickets — no duplicates across scanners | | Ownership routi [...truncated for length...] --- # Semgrep URL: https://appsecsanta.com/semgrep Description: Semgrep CE is a free, open-source SAST tool scanning 30+ languages. The AppSec Platform adds cross-file analysis, SCA, and secrets detection. Semgrep is a [SAST](/sast-tools) tool that finds bugs and security vulnerabilities using pattern-matching rules that look like the code you're scanning. It comes in two forms: **Semgrep Community Edition (CE)**, the free, open-source CLI under LGPL-2.1, and the **Semgrep AppSec Platform**, which adds cross-file analysis, SCA, secrets detection, and team management on top. The project has 14,300+ GitHub stars and the company (formerly Return to Corp) serves organizations including Dropbox, Figma, and Snowflake. The rule syntax is the main differentiator. Instead of writing abstract regex or custom DSLs, you write rules that resemble the source code you want to match. Custom rule creation takes minutes, not hours. The community registry has 3,000+ rules, and the Platform adds 20,000+ proprietary ones. Semgrep is the SAST tool teams adopt most often for PR-time scanning. The rule language reads like the code it matches, so writing a custom rule for a repo-specific bug pattern takes minutes instead of hours. The open-source CLI covers the free tier; the paid Semgrep Cloud Platform adds dataflow and a managed rules registry. PR-level scanning is the common deployment because the scan time stays under what developers will tolerate. > **v1.160.0 (April 16, 2026):** Scala parsing moved to tree-sitter with a pfff fallback — the last major language that was still pfff-only. Scala 3 syntax support should stop being flaky. Pro-engine taint now tracks through variadic functions, cutting missed sinks in Python and Go code that routes user input through `log.Printf`-style helpers. Follows v1.158 / v1.159 from last week, which redesigned Pro inter-file taint analysis with a claimed 20–40% speedup. ## What is Semgrep? Semgrep Community Edition (CE) is a free, open-source static analysis tool (LGPL-2.1) that scans 30+ programming languages using pattern-matching rules. CE performs single-file analysis — it matches patterns within individual files but does not trace data flow across file boundaries. The Semgrep AppSec Platform extends CE with cross-file dataflow analysis (Semgrep Code), software composition analysis (Semgrep Supply Chain), secrets detection (Semgrep Secrets), and AI-powered triage (Semgrep Assistant). 30+ Languages:::Covers Apex, Bash, C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Rust, Kotlin, PHP, Swift, Scala, Terraform, Dockerfile, and more. A generic mode handles unsupported formats. ||| Code-Like Rules:::Rules resemble the source code they match. No regex or custom DSLs to learn. The community registry has 3,000+ rules and the Platform adds 20,000+ proprietary ones. ||| 10-Second Scans:::Median CI scan time is 10 seconds. Runs locally by default. Code never leaves your machine unless you opt into the cloud platform. Pick your next step See alternatives Compare Semgrep against the other SAST engines I've tested, with strengths and gaps for each. → Semgrep vs CodeQL He [...truncated for length...] --- # Skyrelis URL: https://appsecsanta.com/skyrelis Description: Skyrelis is an always-on agentic security platform for LLM multi-agent workflows with centralized policy enforcement, MCP support, and protocol-layer inspection. Skyrelis is an [AI security](/ai-security-tools) platform that provides always-on runtime security for LLM-driven, multi-agent workflows through behavioral monitoring, centralized policy enforcement, and protocol-layer inspection. Unlike developer-focused AI security tools, Skyrelis is built specifically for security operations teams who need centralized oversight of agent deployments. The company was founded by Jaz Lin, a network security engineer who spent seven years at Cisco earning her CCIE certification before holding product and security roles at VMware, Rubrik, and RingCentral. Lin founded Skyrelis after identifying a gap in the market: existing AI security tools were built for developers, not for security operations teams who need centralized oversight of agent deployments. Skyrelis is currently pre-Series A, working with design partners and early production deployments. The team is deliberately small and focused on building for enterprise security operations use cases. ## What is Skyrelis? Skyrelis monitors and governs AI agents at runtime through a combination of a lightweight SDK and a centralized security gateway. Every agent action passes through the gateway for policy enforcement, risk scoring, and audit logging. The core insight behind Skyrelis is that security policies should be managed centrally by security teams, not embedded into individual applications by developers. The platform provides a centralized portal where security operators can see all agents across the organization and configure policies from a single interface. Always-On Monitoring:::Behavioral monitoring that watches every agent action in real time. The security gateway intercepts and evaluates actions before they execute, applying contextual risk scoring to each interaction. ||| Centralized Policy Enforcement:::Security teams manage policies from a single portal across all agents. No need to embed security logic in each application — policies propagate from the gateway to all connected agents. ||| Protocol-Layer Inspection:::Inspects agent communication at the protocol layer, compatible with Model Context Protocol (MCP) and Agent-to-Agent Protocol (A2A) for interoperability with emerging agent standards. ## What are Skyrelis's key features? | Feature | Details | |---------|---------| | Deployment Model | Lightweight SDK + centralized security gateway | | Monitoring | Always-on behavioral monitoring with contextual risk scoring | | Policy Enforcement | Centralized portal for managing policies across all agents | | Protocol Support | MCP (Model Context Protocol) and A2A (Agent-to-Agent Protocol) compatible | | Prompt Security | Intercepts and blocks prompt injection attacks at runtime | | Data Protection | Blocks sensitive data exfiltration attempts through agent channels | | Audit Trails | Full logging of every agent interaction with risk context | | Target Users | Security operations teams (not developer-focused) | | Stage | Pre-Series A, design partne [...truncated for length...] --- # Snyk URL: https://appsecsanta.com/snyk Description: Snyk review 2026. SAST, SCA, Container, and IaC scanners on one platform — what each component does, where teams adopt the bundle, and who should pay for it. Snyk is a developer security platform that combines [SCA](/sca-tools), SAST, container scanning, IaC security, and DAST into a single product. It integrates into IDEs, Git repositories, CI/CD pipelines, and container registries. The platform includes six products: [Snyk Code](/snyk#snyk-code-sast) (SAST), Snyk Open Source (SCA), [Snyk Container](/snyk#snyk-container), [Snyk IaC](/snyk#snyk-iac), Snyk API & Web (DAST), and Snyk Studio for AI-generated code. All share a unified dashboard and security policy engine. Snyk has over 2.5 million developers on its platform. Customers include Twilio, Snowflake, Spotify, Revolut, and Komatsu. > **Where Snyk lives on AppSec Santa.** Snyk is canonicalised under [SCA](/sca-tools) here because Snyk Open Source remains the dominant entry point for most teams and most "Snyk vs" intent. The platform has expanded to cover SAST (Snyk Code), container image scanning (Snyk Container), and IaC (Snyk IaC), reflected in this page's `also_in` field — but cross-category comparisons (e.g. [Snyk vs Checkmarx](/sast-tools/checkmarx-vs-snyk) on SAST) live under each category's hub. The [Snyk alternatives page](/sca-tools/snyk-alternatives) sits under the SCA hub for the same reason. ## What is Snyk? Snyk covers cloud-native application security from a single platform. The company reports 288% ROI from consolidated solutions, 80% faster scan time than prior tools, and 75% faster remediation in upstream development. Developer Integration:::Scans code in IDEs (VS Code, IntelliJ, Eclipse), Git platforms (GitHub, GitLab, Bitbucket), and CI/CD pipelines. Security feedback appears where developers already work. ||| DeepCode AI:::Purpose-built AI engine with 25M+ data flow cases modeled. Generates context-aware fixes with 80% accuracy. Not a general-purpose LLM — built specifically for security analysis. ||| Unified Dashboard:::Single view of vulnerabilities across code, dependencies, containers, and IaC. Prioritizes by reachability, exploit maturity, and EPSS/CVSS scores. Export to Jira, ServiceNow, Slack. ## What are Snyk's key features? | Feature | Details | | ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | | Snyk Code (SAST) | Semantic analysis with data flow tracking, AI fix suggestions, 16 languages, 50x faster than legacy SAST | | Snyk Open Source (SCA) | Dependency scanning, automated fix PRs, license compliance, reachability analysis, 24k+ new vulns discovered in 2024 | | Snyk Container | OS package vulnerabilities, base image recommendations, registry integration | | Snyk IaC | Terraform, CloudFormation, [...truncated for length...] --- # Socket URL: https://appsecsanta.com/socket Description: Socket analyzes package behavior to catch malware, typosquatting, and supply chain attacks before CVEs exist. Free for open source projects. Socket takes a different approach to [SCA](/sca-tools) by focusing on [supply chain attacks](/application-security/supply-chain-attacks-guide). Instead of checking dependencies against CVE databases, it analyzes what packages actually do at the code level. This catches malicious behavior, typosquatting, and supply chain attacks before any vulnerability is disclosed. Traditional SCA tools wait for someone to discover and report a vulnerability. Socket catches threats proactively by inspecting package behavior: network access, filesystem operations, shell execution, and obfuscated code. If a package does something suspicious, Socket flags it regardless of whether a CVE exists. ## What is Socket? Socket monitors your dependencies for supply chain attacks. When you add or update a package, Socket analyzes its behavior and compares it against known threat patterns. It integrates as a GitHub App that comments on pull requests with a security report for every dependency change. Behavioral Analysis:::Analyzes what packages do: network connections, filesystem access, shell execution, environment variable reading, and data exfiltration patterns. Catches threats before CVEs exist. ||| Supply Chain Detection:::Detects typosquatting, dependency confusion, compromised maintainer accounts, and malicious code injection in legitimate packages. Blocks threats at PR time. ||| Risk Scoring:::Each package gets a quality score, security risk rating, and maintenance status. Alerts categorize risks by type: malware, install scripts, obfuscation, and more. Socket (socket.dev) is a supply-chain-focused SCA platform — distinct from socket.io, Socket Mobile hardware, or Socket Fiber Internet. This page covers the security tool at socket.dev. ## What are Socket's key features? ### Malicious package blocking Socket maintains a database of known malicious packages and behavioral patterns. When a dependency matches a threat signature, Socket blocks it in the PR before it reaches your codebase. This is different from CVE-based tools that only flag known vulnerabilities after disclosure. ### Alert categories | Alert | Description | |-------|-------------| | Malware | Known malicious code patterns | | Install Scripts | Dangerous install hooks | | Network Access | Unexpected outbound connections | | Filesystem Access | Unusual file operations | | Shell Access | Command execution | | Obfuscation | Hidden or encoded code | | Typosquatting | Suspicious package names | | Protestware | Packages with political code | ### PR integration Socket adds a security report to every pull request that changes dependencies. Each new or updated package is analyzed and flagged if it exhibits suspicious behavior. ### Transitive analysis and SBOM export Socket analyzes behavior across the full transitive dependency tree, not just direct imports. The `socket optimize` command takes this further by suggesting tested package overrides from the Socket Registry that can reduce or replace un [...truncated for length...] --- # Software Risk Manager URL: https://appsecsanta.com/software-risk-manager Description: Software Risk Manager (formerly Code Dx) correlates findings from 150+ tools to eliminate duplicates. Black Duck's ASPM with SBOM generation, 20+ compliance. Software Risk Manager (SRM) is Black Duck's [ASPM](/aspm-tools) platform that correlates findings from 150+ security tools. Formerly Code Dx, it normalizes results across SAST, DAST, IAST, SCA, and manual pentesting into a single view where the same issue found by multiple scanners appears once, backed by multiple sources. Originally developed as Code Dx, the technology was acquired by Synopsys in 2021 and became part of Black Duck following Synopsys' divestiture of its Software Integrity Group in 2024. Over 4,000 organizations use Black Duck products. Notable customers include Broad Institute, NASA, DHS, Trend Micro, Honeywell, and FINRA. ## What is Software Risk Manager? SRM solves a specific problem: you run multiple security scanners, and they produce overlapping, inconsistent results. SRM ingests all of it, normalizes the findings into a common taxonomy, correlates duplicates, and gives you one prioritized list. 150+ tool integrations:::Ingests results from SAST, DAST, IAST, SCA, secrets, container, and infrastructure scanners. Native integration with Black Duck SCA and Coverity, plus 150+ third-party tools. ||| Finding correlation:::A SQL injection found by Checkmarx and the same issue found by Fortify appears as one finding with two sources. Multiple sources increase confidence; fewer tickets reduce developer fatigue. ||| 20+ compliance mappings:::Maps findings to HIPAA, NIST, PCI DSS, OWASP Top 10, CWE/SANS Top 25, and more. Generates compliance evidence from existing scan data automatically. ## What are Software Risk Manager's key features? ### Multi-tool aggregation SRM integrates with 150+ security tools: | Category | Tools | | -------------- | ------------------------------------------------- | | SAST | Checkmarx, Fortify, Coverity, SonarQube, Veracode | | DAST | Burp Suite, OWASP ZAP, Acunetix | | SCA | Black Duck, Snyk, Dependency-Check | | Secrets | GitLeaks, TruffleHog | | Containers | Trivy, container analysis tools | | Infrastructure | Network scanning, cloud security tools | ### Vulnerability correlation The correlation engine matches findings across tools: ``` Tool A: SQL Injection in login.php:42 Tool B: SQL Injection in login.php:42 Tool C: Database Query Issue in login.php SRM → Single finding with 3 supporting sources ``` More sources = higher confidence. This also eliminates duplicate Jira tickets — a problem that wastes developer time at organizations running multiple scanners. Simple deduplication removes exact duplicates. SRM's correlation goes further by matching findings that different tools describe differently. A "SQL Injection" from one tool and a "Database Query Issue" from another can be linked to the same root cause based on file, line, and vulnerability characteristics. ### Risk-based prioritization SRM prioritize [...truncated for length...] --- # SonarLint URL: https://appsecsanta.com/sonarlint Description: SonarLint (now SonarQube for IDE) provides real-time security and code quality analysis for 20+ languages in VS Code, Visual Studio, Eclipse, and JetBrains. SonarLint (now branded as SonarQube for IDE) is a free IDE plugin that brings security and code quality analysis directly into your development environment. With support for VS Code, Visual Studio, Eclipse, and JetBrains IDEs, it provides real-time feedback as you write code. As a [SAST tool](/sast-tools) integrated into the developer workflow, SonarLint catches security issues and code smells before they reach version control. ## What is SonarLint? SonarLint analyzes code in real-time as you type, highlighting security vulnerabilities, bugs, and code quality issues directly in your editor. Unlike CI-based scanners that run after you commit, SonarLint provides instant feedback—often within seconds of writing problematic code. The plugin explains each finding with detailed descriptions of why the issue is harmful and how to fix it. For many issues, SonarLint offers quick fixes that automatically generate corrected code. In 2025, SonarSource added AI-powered quick fix generation, which adapts fixes to your specific code context rather than using generic templates. SonarLint works across 20+ programming languages including Java, JavaScript, TypeScript, Python, C#, C++, PHP, and Go. Additional languages like COBOL, Apex, and PL/SQL are supported when using Connected Mode with commercial SonarQube editions. Real-Time Analysis:::Get instant feedback on security issues and code quality problems as you type, with detailed explanations and remediation guidance ||| AI Quick Fixes:::Automatically generate context-aware code fixes for many issues using AI, adapted to your specific code patterns and style ||| Connected Mode:::Sync with SonarQube Server or Cloud to enforce team quality gates, share rules, and receive smart notifications about issues ## What are SonarLint's key features? | Feature | Details | |---------|---------| | Supported IDEs | VS Code, Visual Studio, Eclipse, JetBrains (IntelliJ, PyCharm, WebStorm), Cursor, Windsurf, Trae | | Languages | 20+ including Java, JavaScript, TypeScript, Python, C#, C++, PHP, Go, Kotlin, Ruby, Scala, Swift | | Additional languages (Connected Mode) | COBOL, Apex, ABAP, PL/SQL, VB.NET | | Analysis mode | Real-time (as you type), offline by default | | Connected Mode | Syncs rules and quality gates with SonarQube Server or SonarCloud | | AI quick fixes | Context-aware code generation for detected issues | | License | Free (LGPL-3.0), advanced features with commercial SonarQube editions | ### IDE platform support SonarLint runs in Visual Studio Code, Visual Studio, Eclipse, and all JetBrains IDEs (IntelliJ IDEA, PyCharm, WebStorm, etc.). Recent versions also support AI-native editors built on VS Code architecture, including Cursor, Windsurf, and Trae. Install from your IDE's marketplace or plugin repository. The plugin activates automatically when you open supported project types. SonarQube for IDE's refactor preview in VS Code: highlighted issues on the left, AI-suggested fix on the right, with Apply/ [...truncated for length...] --- # SonarQube URL: https://appsecsanta.com/sonarqube Description: Independent SonarQube review: 6,000+ rules across 35 languages. Free Community Build vs paid editions compared. 7M+ developers, AI CodeFix, MCP Server. SonarQube is a code quality and security analysis platform built by SonarSource, used by over 7 million developers at organizations including Snowflake, Deutsche Bank, and Ford. It's a [SAST](/sast-tools) tool, but unlike most SAST tools that focus purely on security, SonarQube also tracks bugs, code smells, duplication, and maintainability. It covers 35+ languages with over 6,000 built-in rules. (Sometimes misspelled as SonarCube or Sonar Qube.) SonarSource switched to calendar versioning in 2025. The Long-Term Active (LTA) release is SonarQube Server 2026.1, and the latest release is SonarQube Server 2026.2 (March 2026). The free tier, now called Community Build (renamed from Community Edition), is on [GitHub](https://github.com/SonarSource/sonarqube) under LGPL-3.0 with 10,200+ stars. Commercial Server editions add branch analysis, taint tracking, and AI CodeFix. SonarQube Cloud is the managed SaaS option, with a free tier covering up to 50k lines of code. I see SonarQube deployed more often as a code-quality tool than a security tool, but the security hotspot category catches enough real issues that I keep it in my list. The free Community Edition scans Java, JavaScript, Python, and a few other languages; paid editions add taint analysis and branch scanning. I treat it as a complement to a dedicated SAST rather than a replacement. ## What is SonarQube? SonarQube is a static code analysis platform developed by Sonar (formerly SonarSource) that scans source code for bugs, security vulnerabilities, and code smells across 35+ programming languages. It combines code quality tracking (reliability, maintainability, duplication, test coverage) with security analysis (vulnerability detection, security hotspots, taint analysis in paid editions) in a single dashboard. Over 7 million developers use it, and the platform has more than 6,000 built-in analysis rules. SonarQube runs as a self-hosted server (SonarQube Server) or as a managed SaaS service (SonarQube Cloud). The free Community Build supports 20+ languages on a single branch, while commercial editions add multi-branch analysis, PR decoration, and deeper security scanning. Quality gates let teams set pass/fail thresholds for metrics like coverage, duplication, and vulnerability count, then enforce those thresholds automatically in CI/CD pipelines. PR decoration shows findings directly on pull requests in GitHub, GitLab, Bitbucket, and Azure DevOps. 35+ Languages, 6,000+ Rules:::Covers Java, JavaScript, TypeScript, Python, C#, C++, PHP, Kotlin, Go, Rust, COBOL, Apex, and more. Rules cover security, reliability, maintainability, and code smells. ||| Quality Gates:::Configurable thresholds that pass or fail code on coverage, duplication, reliability, security, and maintainability. Integrated into CI/CD to block releases that don't meet standards. ||| AI CodeFix:::LLM-powered automated fix suggestions for detected issues. MCP Server integration allows AI coding assistants to access SonarQ [...truncated for length...] --- # SpotBugs URL: https://appsecsanta.com/spotbugs Description: SpotBugs detects 400+ bug patterns in Java bytecode. Free and open-source. Find Security Bugs plugin adds 144 vulnerability types with 826+ API signatures. SpotBugs is a free, open-source [SAST](/sast-tools) tool that finds bugs in Java programs by analyzing compiled bytecode. With over 3,800 GitHub stars and 200+ contributors, it's the community-driven successor to FindBugs. SpotBugs detects over 400 bug patterns, and the Find Security Bugs plugin adds 144 security vulnerability types covering the OWASP Top 10. Since it analyzes bytecode rather than source code, it works with any JVM language: Java, Kotlin, Groovy, and Scala. 400+ Bug Patterns:::Detects null pointer dereferences, infinite loops, resource leaks, incorrect API usage, thread safety issues, and more. Each finding includes a confidence rating and detailed explanation. ||| Find Security Bugs:::Plugin adds 144 security vulnerability patterns with 826+ API signatures across Spring, Struts, JSF, and other frameworks. Covers OWASP Top 10 including SQL injection, XSS, and XXE. ||| Bytecode Analysis:::Analyzes compiled .class files rather than source code. Works with any JVM language and can analyze libraries without source access. Catches issues that only appear after compilation. ## What is SpotBugs? SpotBugs examines compiled Java bytecode to find instances of "bug patterns" — code that is likely to be incorrect. According to research published by the University of Maryland (where the original FindBugs was developed), bytecode analysis catches a distinct class of defects that source-level tools miss. Working with .class files means SpotBugs can analyze third-party libraries and catches issues related to type erasure and compiler optimizations. The tool categorizes findings into correctness bugs, bad practices, performance issues, and security vulnerabilities. The current version is 4.9.8, released October 2025. JDK 21 support was added in version 4.8.0. SpotBugs is used by GitLab's built-in SAST analyzer for Java, Kotlin, Groovy, and Scala projects. GitLab pairs SpotBugs with the Find Security Bugs plugin for security analysis. ## What are SpotBugs's key features? ### Find Security Bugs plugin The Find Security Bugs plugin is what turns SpotBugs into a security scanner. It adds 144 vulnerability types and recognizes 826+ unique API signatures across popular Java frameworks. | Category | Examples | |----------|----------| | Injection | SQL injection, command injection, LDAP injection, XPath injection | | Data exposure | XSS, path traversal, information leakage | | XML | XXE, XML injection | | Crypto | Weak cryptography, insecure random, ECB mode | | Deserialization | Insecure deserialization patterns | | Framework-specific | Spring, Struts, JSF, Android-specific patterns | The latest version is 1.14.0 (June 2025). Maven coordinates: `com.h3xstream.findsecbugs:findsecbugs-plugin`. ### Build tool integration SpotBugs integrates with Maven, Gradle, Ant, and SBT: - **Maven plugin**: `com.github.spotbugs:spotbugs-maven-plugin` (latest: 4.9.8.2) - **Gradle plugin**: `com.github.spotbugs` (latest: 6.4.8) Both plugins support fail-on [...truncated for length...] --- # StackHawk URL: https://appsecsanta.com/stackhawk Description: ZAP-powered DAST built for CI/CD pipelines. YAML config, REST/GraphQL/gRPC/SOAP testing, HawkAI API discovery, and LLM security testing. 14-day free trial. StackHawk is a [DAST tool](/dast-tools) built on the OWASP ZAP scanning engine, packaged for CI/CD pipelines. Security tests are configured in a `stackhawk.yml` file that lives in your repository alongside your code. Scans run in your pipeline, findings go to developers with remediation guidance. The tool focuses on APIs and modern application architectures. REST, GraphQL, SOAP, and gRPC are all first-class scan targets, not afterthoughts bolted onto a browser-based scanner. | Feature | Details | | -------------- | ----------------------------------------------------------------- | | Engine | OWASP ZAP | | Configuration | YAML (`stackhawk.yml` in repo) | | API protocols | REST, GraphQL, SOAP, gRPC | | API discovery | HawkAI (source code analysis) | | Auth methods | Form, HTTP, OAuth2, cookie, token, external command | | CI/CD | GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure, AWS, 6+ more | | Trial | 14-day free trial (enterprise features) | | LLM testing | LLM security risk detection | | Data detection | PII, PCI, PHI sensitive data | | Deployment | SaaS (Docker-based scanner) | ## What is StackHawk? StackHawk takes the ZAP scanning engine and wraps it in a workflow that fits how developers already work. Configuration lives in version control. Scans trigger in CI/CD. Findings include code examples showing how to fix the issue. The philosophy: security testing belongs in the development process, not bolted on at the end. If you can configure your tests in YAML, version-control them, and run them in a pipeline, security testing gets treated like any other quality check. The OWASP Testing Guide recommends integrating [dynamic analysis](/dast-tools/what-is-dast) into CI/CD workflows to catch vulnerabilities before they reach production. HawkAI, the API discovery feature, scans your source code to find endpoints that may not appear in your OpenAPI spec. It looks at route definitions in frameworks like Express, Spring, Django, and Rails, and flags undocumented or internal APIs that your spec missed. StackHawk uses [OWASP ZAP](/zap) for vulnerability detection. You get ZAP's proven scanning capabilities without having to configure ZAP directly. StackHawk adds the developer experience layer: YAML config, CI/CD integrations, and findings written for engineers rather than security specialists. ## What are StackHawk's key features? YAML Configuration:::Security tests defined in `stackhawk.yml` in your repo. Lives in version control and gets reviewed in PRs like any other config. Specify targets, auth, scan duration, and act [...truncated for length...] --- # Red Hat Advanced Cluster Security (StackRox) URL: https://appsecsanta.com/stackrox Description: StackRox is the open-source Kubernetes security platform behind Red Hat Advanced Cluster Security (RHACS). Vuln scanning, compliance, runtime detection. StackRox is an open-source Kubernetes-native security platform that protects containerized applications across build, deploy, and runtime phases. Originally founded as a startup in 2014, StackRox was acquired by Red Hat in February 2021 and open-sourced under the Apache 2.0 license. The commercially supported downstream product is Red Hat Advanced Cluster Security for Kubernetes (RHACS). 1.3k GitHub stars, latest RHACS version 4.10.0 (March 2026). Unlike image-only scanners or runtime-only monitors, StackRox covers the full container lifecycle in a single tool — scanning images before deployment, enforcing 300+ policies at the admission controller, and detecting threats while containers run in production. ## Overview StackRox deploys as a Kubernetes-native application within the clusters it protects. There are no external appliances or agents running outside the Kubernetes control plane — everything runs as containers managed by Kubernetes itself. The architecture consists of four main components: | Component | Role | |-----------|------| | **Central** | API server, UI, data storage, and image scanning engine. One Central manages multiple clusters. | | **Scanner V4** | Vulnerability scanner built on ClairCore. Analyzes image layers for OS and language-level vulnerabilities. | | **Sensor** | One per secured cluster. Collects Kubernetes events, deployment metadata, and policy evaluation data. | | **Collector** | One per node. Monitors runtime activity — process execution, network connections, and file system changes. | This distributed architecture lets StackRox secure clusters at scale without creating a single point of failure. Central can run in one cluster while Sensors and Collectors protect workloads across dozens of remote clusters. | Feature | Details | |---------|---------| | Architecture | Kubernetes-native (Central, Scanner V4, Sensor, Collector) | | Scanner engine | Scanner V4 built on ClairCore | | Built-in policies | 300+ mapped to CIS, NIST, PCI DSS, HIPAA, SOC 2 | | Lifecycle coverage | Build (CI/CD scanning), Deploy (admission control), Runtime (threat detection) | | Supported distros | EKS, GKE, AKS, OpenShift, RKE, self-managed K8s | | Image OS support | RHEL, Alpine, Debian, Ubuntu, Amazon Linux 2023, SLES, Oracle Linux | | Deployment options | Self-managed, Cloud Service (SaaS), OpenShift bundled | | CLI tool | `roxctl` for automation and CI/CD integration | | GitHub | 1.3k stars, Apache 2.0 | | Latest version | RHACS 4.10.0 (March 2026) | ## What are Red Hat Advanced Cluster Security (StackRox)'s key features? Vulnerability Management:::Scanner V4 (built on ClairCore) scans container images for OS packages, language dependencies, and Go binaries. Continuously monitors running workloads against updated CVE data, prioritized by deployment risk context. ||| Policy Engine:::300+ built-in security policies mapped to CIS, NIST, PCI DSS, and HIPAA. Enforce standards across build, deploy, and runtime phases. Custom policie [...truncated for length...] --- # Syft URL: https://appsecsanta.com/syft Description: Syft — Anchore's open-source SBOM generator for containers, filesystems, archives. 8.4k GitHub stars. SPDX + CycloneDX output. Pairs with Grype. Syft is Anchore's open-source SBOM generation tool that catalogs all software components in container images and filesystems. With 8.4k GitHub stars and 219 contributors, it is one of the most widely used [SCA tools](/sca-tools) for generating [Software Bills of Materials](/sca-tools/what-is-sbom) in SPDX and CycloneDX formats. The demand for SBOM tooling grew sharply after [Executive Order 14028](https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity) mandated SBOMs for federal software suppliers. The current version is 1.42.0 (released February 10, 2026). Syft operates entirely offline with no cloud services or external API calls. Point it at a container image or directory, and it returns a complete SBOM in seconds. ## What is Syft? Syft scans container images, directory trees, and archive files to identify all software packages and their versions. It detects packages installed via system package managers (apk, dpkg, rpm) and language-specific dependency managers (npm, pip, Maven, Go modules, and more). The tool generates SBOMs in SPDX and CycloneDX formats, the two industry-standard schemas. These machine-readable inventories list every component in your software, including direct dependencies, transitive dependencies, and operating system packages. Multi-Source Scanning:::Analyze container images (local or from registries), directory trees, and archive files. Supports OCI, Docker, and Singularity image formats. ||| Standard Formats:::Output SBOMs in SPDX, CycloneDX, and Syft JSON formats. Convert between formats. Create signed attestations using in-toto specification. ||| Ecosystem Coverage:::Detect packages from Alpine, Debian, RPM, npm, pip, Maven, Go, Ruby, Rust, PHP, .NET, and dozens more ecosystems automatically. Syft is also referred to as **Anchore Syft** (the `anchore/syft` repository) to distinguish it from Syft Analytics (a financial-reporting tool acquired by Xero) and Syft Technologies (a trace gas analyzer). Most teams run it alongside [Grype](/grype), Anchore's sister project, in an "SBOM-first" pattern: Syft generates the inventory once, Grype scans it repeatedly as new CVEs are disclosed. ## What are Syft's key features? | Feature | Details | |---------|---------| | Current version | 1.42.0 (February 10, 2026) | | GitHub stats | 8.4k stars, 219 contributors, 765 forks | | License | Apache 2.0 | | Output formats | SPDX JSON, CycloneDX JSON, Syft JSON, text, table | | Image formats | OCI, Docker, Singularity | | Installation | curl script, Homebrew, Docker, Scoop, Chocolatey, Nix | | Attestations | Signed SBOM attestations via in-toto specification | | Cloud dependencies | None; runs entirely offline | | Grype integration | Pipe SBOMs directly to Grype for vulnerability scanning | ### Container image analysis Syft scans Docker images, OCI images, and Singularity containers by analyzing each layer. It extracts package manager databases, language dependency manifests (package.json, requirements. [...truncated for length...] --- # Syhunt Dynamic URL: https://appsecsanta.com/syhunt-dynamic Description: Independent Syhunt Dynamic review. 7,000+ vulnerability checks, 581+ API injection tests, and cross-platform support. Where it excels and where it falls short. Syhunt Dynamic is a desktop DAST scanner that runs on Windows, macOS, and Linux. It detects over 7,000 web application vulnerabilities across 75+ categories through automated crawling and injection testing. The scanner handles traditional web applications and APIs alike. It supports OpenAPI, Swagger, GraphQL, API Blueprint, RAML, and Postman Collections for structured API testing. Syhunt is a Brazilian security company. The product uses what Syhunt calls "Augmented Dynamic Analysis" — combining standard DAST with out-of-band (OAST) detection techniques. ## What is Syhunt Dynamic? Syhunt Dynamic crawls deployed web applications, maps their structure, and fires automated attack payloads at discovered endpoints. No source code access needed. Point it at a URL and the scanner discovers pages, forms, JavaScript-generated content, and API endpoints. It then runs 581+ injection checks across 30+ attack categories to find SQL injection, XSS, path traversal, command execution, and other flaws. These vulnerability classes align with the [OWASP Top 10](https://owasp.org/www-project-top-ten/), which identifies injection and broken access control as the most common web application risks. The tool ships as a standalone desktop application with a command-line interface. This makes it usable both as a GUI tool for manual assessments and as a CLI tool for CI/CD automation. | Feature | Details | | -------------------- | -------------------------------------------------------- | | Vulnerability checks | 7,000+ across 75+ categories | | Injection checks | 581+ API-specific | | Platforms | Windows 10/11, macOS, 64-bit Linux | | API formats | OpenAPI v2/v3, Swagger, GraphQL, Postman, RAML, WADL | | Detection method | DAST + OAST (out-of-band) | | Authentication | Basic, NTLM, form-based, session handling | | JS engine | Chrome, Firefox, IE emulation | | Report formats | HTML, PDF, JSON, XML, CSV | | Compliance mapping | OWASP Top 10, PCI DSS, HIPAA, ISO 27001, CWE/SANS Top 25 | | CI/CD | GitLab, Jenkins, GitHub | ## What are Syhunt Dynamic's key features? Deep Crawling Engine:::Maps website structure by following links, submitting forms, emulating JavaScript (Chrome/Firefox/IE behavior), and simulating user interactions like key presses and mouse clicks. Handles HTML5, CSS3, and XHR requests. ||| 581+ Injection Checks:::Tests for SQL injection, XSS, command execution, file inclusion, XXE, and more across REST APIs. Supports both standard detection and out-of-band (OAST) attack techniques for finding blind vulnerabilities. ||| Multi-Format API Scanner:::Imports OpenAPI v2/v3, Swagger v1/v2/v3, GraphQL [...truncated for length...] --- # Sysdig Secure URL: https://appsecsanta.com/sysdig-secure Description: Enterprise Cloud-Native Application Protection Platform (CNAPP) with runtime threat detection, vulnerability management, and CSPM. Customers include IBM. Sysdig Secure is an enterprise Cloud-Native Application Protection Platform (CNAPP) that delivers runtime-first cloud security. The platform combines runtime threat detection, vulnerability management, cloud posture management, and compliance in a unified solution. The company created [Falco](/falco), the CNCF graduated threat detection engine. Sysdig Secure builds on Falco with enterprise capabilities including Sysdig Sage (an AI security analyst), Cloud Attack Graph, and centralized management. Customers include IBM, Goldman Sachs, Booking.com, Alaska Airlines, SAP Concur, and Worldpay. ## What is Sysdig Secure? Sysdig Secure operates as a CNAPP, providing multiple security functions through a single platform. The architecture includes runtime monitoring agents that deploy on Kubernetes nodes and cloud environments, a centralized backend for analysis and policy management, and a unified console for security operations. The runtime detection component uses Falco to monitor kernel events and detect threats in real-time. This telemetry is enriched with container, Kubernetes, and cloud metadata to provide context about security events. The platform correlates runtime behavior with vulnerability data and posture findings to identify active exploits and prioritize remediation. Vulnerability management scans container images, running workloads, and infrastructure-as-code templates. The platform uses runtime insights to prioritize vulnerabilities that are actually exploitable in the live environment, reducing noise from theoretical vulnerabilities in unused code paths. Runtime-First Security:::Detects active threats in production using Falco's kernel-level monitoring, identifying attacks that static scanning cannot catch ||| Sysdig Sage AI:::AI-powered assistant provides contextual analysis, threat investigation guidance, and automated response recommendations ||| Unified CNAPP:::Consolidates CDR, CSPM, CIEM, vulnerability management, and compliance in one platform instead of disparate point tools ## What are Sysdig Secure's key features? | Module | Details | |--------|---------| | CDR | Cloud Detection & Response with 5-second threat detection | | CWPP | Cloud Workload Protection for containers and Kubernetes | | CSPM | Cloud Security Posture Management | | CIEM | Cloud Infrastructure Entitlement Management | | VM | Vulnerability Management with 98% noise reduction via runtime context | | IaC Security | Infrastructure-as-Code scanning | | Sysdig Sage | AI security analyst with multi-step reasoning | | Cloud Attack Graph | Attack path analysis and risk prioritization | | Compliance | PCI-DSS, GDPR, [NIST 800-53](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final), SOC 2, HIPAA | ### Cloud Detection & Response The CDR capability monitors cloud infrastructure, Kubernetes clusters, and container workloads for threats. It detects anomalies like privilege escalation, crypto mining, data exfiltration, and insider threats. Automated pl [...truncated for length...] --- # Talsec URL: https://appsecsanta.com/talsec Description: Talsec protects 2B+ mobile devices with RASP+ runtime defense. Free freeRASP SDK for Flutter, React Native, Capacitor, and more. AppiCrypt API integrity. Talsec is a [mobile application security](/mobile-security-tools) platform that provides runtime protection (RASP), app hardening, and API integrity verification for mobile apps. The company claims protection across 2 billion+ devices and 5,000+ applications. The platform follows a freemium model: freeRASP is a free, open-source SDK available on GitHub (446 stars), while the paid RASP+ and AppiCrypt products add advanced protections, monitoring dashboards, and backend API security. Talsec is ISO/IEC 27001 certified. Note: the 2 billion+ devices and 5,000+ applications numbers are self-reported by Talsec and have not been independently audited. ## What is Talsec? Talsec focuses on runtime protection rather than pre-release vulnerability scanning. Where tools like [Oversecured](/oversecured) or [Zimperium zScan](/zimperium-zscan) scan app binaries for vulnerabilities before deployment, Talsec's SDK embeds directly into your app to detect and respond to threats at runtime — rooting, hooking, tampering, emulators, and more. The SDK is available for nine platforms: Android, iOS, Flutter, React Native, Capacitor, Cordova, Kotlin Multiplatform, Unity, and Unreal Engine. That coverage extends beyond phones to tablets, smart TVs (Apple TV, Android TV, Fire TV), and other connected devices. freeRASP (Free):::Open-source runtime protection SDK with root/jailbreak detection, hooking prevention, and weekly security reports. MIT licensed. ||| RASP+ (Paid):::Advanced protection with SDK obfuscation, personalized library builds, overlay attack prevention, and real-time monitoring dashboards. ||| AppiCrypt:::Zero-trust API protection that generates cryptograms evaluated server-side to block requests from tampered or compromised app instances. ## What are Talsec's key features? | Feature | freeRASP (Free) | RASP+ (Paid) | |---------|----------------|--------------| | Root/Jailbreak Detection | Basic | Advanced | | Frida/Xposed Detection | Yes | Yes | | App Tampering Detection | Yes | Yes | | Emulator Detection | Yes | Yes | | Screen Capture Prevention | Yes | Yes | | VPN Detection | Yes | Yes | | Overlay Attack Protection | No | Yes | | SDK Obfuscation | No | Yes | | Dynamic TLS Pinning | No | Yes | | Secret Vault | No | Yes | | Monitoring Dashboard | Weekly Reports | Real-time | | Device Limit | Fair Usage Policy | Based on plan tier | ### freeRASP freeRASP is a free, multi-platform runtime protection SDK published under the MIT license. It detects: - **Root/Jailbreak**: Magisk, unc0ver, check1rain, Dopamine - **Hooking frameworks**: Frida, Xposed, Shadow - **App tampering**: Repackaging, code modification, untrusted installation sources - **Device state**: Emulator usage, developer mode, ADB access - **Network**: VPN usage, unsecured Wi-Fi connections - **Screen capture**: Screenshot and screen recording attempts - **Device spoofing**: GPS mocking, time manipulation The SDK also includes **freeMalwareDetection** for Android, which scans for blocklisted [...truncated for length...] --- # Tenable Web App Scanning URL: https://appsecsanta.com/tenable-io Description: Nessus-powered cloud DAST with REST, GraphQL, SOAP API scanning. Attack Surface Management integration for shadow IT discovery. Per-FQDN pricing. Tenable Web App Scanning is a cloud-based [DAST](/dast-tools) solution built on the Nessus scanning engine. It tests web applications and APIs for security vulnerabilities and ties into Tenable's Attack Surface Management for automatic discovery of web properties you might not know about. Tenable WAS uses per-FQDN pricing. See [Tenable's pricing page](https://www.tenable.com/products/tenable-io/web-application-scanning) for current rates. The scanner is also included in Tenable Vulnerability Management trials. ## What is Tenable Web App Scanning? Tenable Web App Scanning (formerly Tenable.io WAS) crawls running web applications through the front end, builds a site map of pages, links, and forms, then tests each one for vulnerabilities. It covers the OWASP Top 10, vulnerable third-party components, and API-specific flaws. According to the Verizon Data Breach Investigations Report, web application attacks remain one of the most common breach vectors, making regular [dynamic testing](/dast-tools/what-is-dast) a practical necessity. The Nessus engine underneath gets regular vulnerability check updates from Tenable's research team. The cloud delivery means no infrastructure to manage — you point it at a URL and go. Where Tenable WAS gets interesting is the Attack Surface Management integration. Tenable ASM continuously discovers web applications and APIs across your digital footprint, including shadow IT properties that security teams may not be tracking. When ASM finds an unknown web app, WAS can scan it automatically. NIST SP 800-53 calls out the importance of maintaining an accurate asset inventory as a foundational security control, and this integration helps address that requirement. | Feature | Details | | ------------------ | ------------------------------------------------ | | Engine | Nessus-powered scanning technology | | Delivery | Cloud-native SaaS | | On-premises option | Via Tenable Security Center (FedRAMP-authorized) | | API testing | REST, GraphQL, SOAP | | Pricing | Per-FQDN pricing (see Tenable's website) | | Rapid scans | Under 2 minutes for hygiene checks | | SPA support | Modern JavaScript frameworks | | Scan controls | Pause/resume, rate limiting, scheduling | | ASM integration | Automatic web app discovery | | Ecosystem | Tenable One, Tenable.io, Tenable.sc | ## What are Tenable Web App Scanning's key features? Nessus-Powered Engine:::Built on Tenable's Nessus scanning technology with regular vulnerability check updates from Tenable's research team. Nessus has been around since 1998 and is one of the most widely deployed vulnerability scanners. ||| Attack Surface Management:::Integrates with Tenable ASM to automatically discover web applic [...truncated for length...] --- # Trivy URL: https://appsecsanta.com/trivy Description: Trivy by Aqua Security scans containers, filesystems, IaC, Kubernetes clusters, and git repos for vulnerabilities, misconfigs, and secrets. Trivy is an open-source security scanner by Aqua Security. It scans container images, filesystems, git repositories, virtual machine images, and Kubernetes clusters for vulnerabilities, misconfigurations, secrets, and license issues. One binary, five target types, four scanner engines. With 34,600+ GitHub stars, 513+ contributors, and 178+ releases, it is the most-starred open-source security scanner on GitHub. > **Where Trivy lives on AppSec Santa.** Trivy is canonicalised under [IaC Security](/iac-security-tools) here because of its tfsec lineage and Aqua's continued investment in IaC scanning. It also covers container image CVEs, dependency vulnerabilities, and SBOM generation, so the [Trivy alternatives page](/sca-tools/trivy-alternatives) intentionally sits under the [SCA hub](/sca-tools) — that is where most "Trivy alternatives" intent lives. The `also_in` field on this page reflects its multi-domain reach. Note: Trivy's official GitHub Action (aquasecurity/trivy-action) was compromised twice in March 2026 by the TeamPCP supply chain campaign — always pin to a specific commit SHA rather than mutable version tags like @v1 or @master. > **v0.70.0 (April 17, 2026):** GPG signing keys for the deb and rpm repositories were rotated as a follow-up to an Aqua security incident. Re-import the new key before running `apt update` or `yum update` on pipelines that install Trivy through the official package repositories. Other highlights: Go `-trimpath` binary version detection via ELF symbol table (fewer "unknown version" results on stripped binaries), a PEP 751 `pylock.toml` parser (pip 25.x emits this file), and Azure misconfiguration scanning parity for ARM-based AKS clusters. ## What Trivy does Trivy started as a container vulnerability scanner. It has since absorbed tfsec (Terraform security scanner) and grown into a multi-target tool that covers most of what DevSecOps teams need from a single CLI. The scanner works locally, in CI/CD pipelines, and as a Kubernetes operator. Written in Go, it ships as a static binary with no dependencies. Install it, point it at a target, get results. Vulnerability Detection:::Scans OS packages and application dependencies against Aqua's vulnerability database. Covers Alpine, Debian, Ubuntu, RHEL, CentOS, Amazon Linux, and more. ||| IaC Misconfigurations:::Detects security issues in Terraform, CloudFormation, Kubernetes manifests, Helm charts, Dockerfiles, Azure ARM templates, and Ansible. Inherited tfsec's full check library. ||| Secrets & Licenses:::Finds hardcoded API keys, passwords, private keys, and cloud credentials. Also identifies software licenses in dependencies for compliance tracking. ## What are Trivy's key features? The matrix below combines 5 target types (container images, filesystems, git repos, VM images, Kubernetes clusters) with 4 scanner engines (vulnerabilities, misconfigurations, secrets, licenses). One binary covers every cell. | Feature | Details [...truncated for length...] --- # TruffleHog URL: https://appsecsanta.com/trufflehog Description: TruffleHog is a free, open-source secret scanner from Truffle Security that detects and verifies 800+ credential types across Git, Docker, S3, Slack, and more. ## What is TruffleHog? TruffleHog is an open-source secret scanner built by Truffle Security that finds and verifies leaked credentials across git repositories, cloud storage, chat platforms, and container images. The project has over 25,700 GitHub stars and handles more than 250,000 scans per day across production environments. What separates TruffleHog from other [SAST tools](/sast-tools) is live verification. Instead of listing regex matches and leaving you to triage, the scanner logs in to AWS, GitHub, Slack, and hundreds of other services to confirm whether each discovered secret still works. I run TruffleHog against every repo I inherit. It walks git history, flags the 800+ credential types it knows how to detect, and tells me which ones are live right now. The result is a much shorter list of real incidents to fix. **License:** AGPL-3.0 (open-source CLI) + commercial Enterprise tier **Maintainer:** [Truffle Security](https://trufflesecurity.com/) **Repo:** [github.com/trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) — 25,700+ stars **Detectors:** 800+ credential types with live verification **Scan sources:** Git, GitHub, GitLab, Docker, S3, GCS, Slack, Jenkins, Elasticsearch, Postman, filesystem TruffleHog classifies over 800 credential types including AWS keys, GitHub tokens, database passwords, API keys, and service account credentials. For every secret it identifies, it attempts verification by logging into the associated service. This distinguishes active threats (credentials that still work) from historical leaks (revoked credentials). Security teams can prioritize remediation based on which secrets pose immediate risk. TruffleHog maps each discovered secret to the specific identity or account it belongs to. This context helps you understand the scope of exposure and decide which owner to contact. Multi-Source Scanning:::Scan Git repos, GitHub orgs, GitLab, S3, GCS, Docker images, Slack, wikis, Circle CI, Travis CI, and filesystem directories ||| Live Verification:::Automatically test discovered secrets by logging in to verify if credentials are still active and pose immediate risk ||| 800+ Secret Types:::Detect and classify credentials for AWS, GitHub, Google Cloud, databases, SaaS platforms, and hundreds of other services ## What are TruffleHog's key features? | Feature | Details | |---------|---------| | Secret types | 800+ credential detectors with classification | | Verification | Live credential testing for 20+ common credential types | | Scan sources | Git, GitHub, GitLab, S3, GCS, Docker, Jenkins, Elasticsearch, Postman, filesystem | | Output | JSON structured output, human-readable text | | CI integration | `--results=verified` filter, `--fail` exit code (183), `--since-commit` for incremental scans | | Installation | Homebrew, Docker, binary releases, from source (Go) | | License | AGPL-3.0 (open-source), commercial plans available | | Binary verification | cosign signature verification for [...truncated for length...] --- # Vectara URL: https://appsecsanta.com/vectara Description: Vectara is an enterprise agent platform with built-in RAG, hallucination detection, and always-on governance. $53.5M funded. SaaS, VPC, and on-prem deployment. Vectara is an enterprise agent platform that combines retrieval-augmented generation (RAG) with always-on governance, actively detecting and correcting hallucinations at runtime rather than just flagging them. It is listed in the [AI security](/ai-security-tools) category. Founded by former Google AI researchers, Vectara raised $25M in Series A funding in 2024 led by FPV Ventures and Race Capital, bringing total funding to $53.5M. The company positions itself as a platform for regulated industries where AI accuracy and auditability are non-negotiable. Vectara's differentiator is treating governance as a core platform feature rather than a bolt-on. Hallucination detection, policy enforcement, and source attribution run continuously as part of the RAG pipeline, not as optional post-processing steps. ## What is Vectara? Vectara provides a full platform for building enterprise AI agents that retrieve information from organizational data and generate grounded responses. It handles the entire RAG pipeline: ingestion, indexing, retrieval, re-ranking, and response generation with governance controls at each stage. The key architectural decision is always-on governance. Instead of relying on external guardrail tools to catch problems after generation, Vectara embeds hallucination detection, policy enforcement, and citation tracking directly into the generation pipeline. When it detects that a response strays from source material, it corrects the output before delivery. The Mockingbird LLM, launched alongside the Series A funding, is purpose-built for RAG applications. According to Vectara, Mockingbird outperforms GPT-4 and Google Gemini-1.5-Pro on the Bert-F1 benchmark, which measures how accurately RAG models transform retrieved data into prompt responses. Grounded Retrieval:::Context-engineering techniques ground responses in the most relevant information from organizational data. Supports text, tables, and images with multimodal retrieval. ||| Always-On Governance:::Policy-led enforcement that actively detects and corrects hallucinations in real time. Brand controls, factual-consistency checks, and citation integrity verification run continuously — not as optional post-processing. ||| Flexible Deployment:::Three deployment options for different security requirements: cloud SaaS, customer-managed VPC for infrastructure control, and fully on-premises for air-gapped environments where data never leaves the customer's data center. ## What are Vectara's key features? | Feature | Details | |---------|---------| | RAG Pipeline | End-to-end: ingestion, indexing, retrieval, re-ranking, generation | | Hallucination Detection | Real-time detection and correction during generation | | Mockingbird LLM | Purpose-built for RAG; outperforms GPT-4 on Bert-F1 benchmark | | Source Citations | Every response includes source attribution with change detection | | Policy Controls | Brand, factual-consistency, and compliance rules enforced at runtime | | Access Contro [...truncated for length...] --- # Veracode URL: https://appsecsanta.com/veracode Description: Veracode review 2026. Binary-analysis SAST, Phylum-powered SCA, and DAST under one dashboard — what each scanner does and who pays for the bundle. Veracode is a [SAST](/sast-tools), [SCA](/sca-tools), and [DAST](/dast-tools) platform owned by Thoma Bravo. Its differentiator is binary analysis — the SAST scanner reads compiled bytecode rather than requiring source code access. The platform consolidates four scanners (SAST, SCA, DAST, manual pen testing) plus an AI Fix service into one dashboard. Veracode reports 420 trillion lines of code scanned across customer applications in 2025. ## Platform components Veracode bundles four scanners and an AI remediation layer that share one dashboard, customer base, and compliance reporting: **[Veracode Static Analysis](/veracode#veracode-static-analysis-sast)** — SAST scanner that analyzes compiled binaries without source code access. Pipeline Scan returns results in under 90 seconds for CI/CD feedback. **[Veracode SCA](/veracode#veracode-sca)** — Software composition analysis enhanced by the January 2025 Phylum acquisition. Adds ML-powered malicious package detection with package firewall for npm and PyPI. **[Veracode Dynamic Analysis (DAST)](/veracode#veracode-dynamic-analysis-dast)** — Enterprise DAST that scales to hundreds of web applications. Crashtest Security acquisition (2022) added JavaScript SPA support for React, Angular, and Vue. **Veracode Fix** — AI-powered code remediation that produces fixes for vulnerabilities Veracode detects. Integrates into IDEs and pull requests. **Manual Penetration Testing** — Veracode also offers human-led pen testing as an add-on service for applications that benefit from expert manual review. ## Components in detail ### Veracode Static Analysis (SAST) Veracode SAST is one of very few scanners that operates on compiled bytecode rather than source code. Customers upload JAR files, .NET assemblies, COBOL binaries, or Visual Basic 6 builds — the source never leaves the developer's machine. The trade-off cuts both ways. Binary analysis catches issues introduced by compilers or bundled third-party libraries that source-only scanners miss. It also requires a successful build for every scan, so broken builds mean missed scans. Pipeline Scan returns results in under 90 seconds for CI/CD feedback; full Platform Scan handles compliance reporting. Coverage spans 100+ languages including enterprise legacy (COBOL, Visual Basic 6, RPG) that most modern scanners skip. ![Veracode SAST findings displayed inline in the VS Code IDE with severity badges, CWE classifications, and remediation guidance](/images/tools/veracode/sast-vscode-findings.webp) _Veracode SAST findings inline in VS Code — IDE plugin surfaces vulnerabilities and remediation guidance without a separate scan window._ ### Veracode SCA Veracode SCA combines traditional CVE scanning with Phylum's ML-powered behavioral analysis (acquired January 2025). Veracode reports 60% more accurate malicious package detection after the integration. Detection covers typosquatting, dependency confusion, compromised maintainer accounts, and malicious code injectio [...truncated for length...] --- # Wallarm URL: https://appsecsanta.com/wallarm Description: Wallarm combines WAF with API security across 160,000+ protected APIs. Auto API discovery, OWASP API Top 10 coverage, bot management, and GraphQL protection. Wallarm is an API security platform that protects over 160,000 APIs and processes billions of requests daily. It pairs a web application firewall with ML-based API protection, automatic API discovery, and bot management in a single product. The company is headquartered in Austin, TX with an additional office in San Francisco. Customers include Panasonic, Victoria's Secret, Miro, Samsung, Dropbox, and Semrush. Wallarm also maintains several open-source projects: API Firewall, GoTestWAF, and the libDetection library. ## What is Wallarm? Wallarm started as a WAF and expanded into [API security tools](/api-security-tools) as API traffic outgrew traditional web application traffic. The platform treats API protection as the primary concern rather than a bolt-on to WAF rules, putting Wallarm alongside WAF-heritage peers like [Imperva API Security](/imperva-api-security) but with stronger emphasis on developer-controlled deployment. It works in two modes. Inline mode sits in the request path and blocks attacks before they reach your backend. Out-of-band mode mirrors traffic for analysis without touching the live request flow. Both feed the same Wallarm Console for visibility. The platform organizes into four product areas: Advanced API Security:::Bundles API Discovery, API Security Testing, API Abuse Prevention, and credential stuffing detection. Discovers your full API inventory from real traffic and blocks OWASP API Top 10 attacks. ||| Cloud-Native WAAP:::Web application and API protection that deploys across cloud, Kubernetes, and on-premise environments. Handles injection attacks, XSS, and L7 DDoS alongside API-specific threats. ||| Security Edge:::DNS-based edge deployment that puts API protection in front of your infrastructure. Wallarm claims deployment in as little as 15 minutes by redirecting DNS. Multi-cloud and multi-CDN compatible. ||| API Attack Surface Management:::Agentless detection of external-facing APIs and hosts. Finds API leaks and exposed endpoints you may not know about. ## What are Wallarm's key features? | Feature | Details | | ------------------ | ------------------------------------------------------------------------- | | APIs protected | 160,000+ | | Requests processed | Billions daily | | API Discovery | Automatic inventory from live traffic, shadow/zombie/orphan API detection | | Threat detection | ML-based anomaly detection + signature matching | | OWASP coverage | Full OWASP API Security Top 10 | | Bot management | Credential stuffing, ATO, L7 DDoS, scraping detection | | GraphQL | Query depth limits, complexity analysis, introspection blocking | | Deployment options | Docker, Kubernetes, [...truncated for length...] --- # Wapiti URL: https://appsecsanta.com/wapiti Description: Open-source Python 3 web vulnerability scanner. 30+ attack modules for XSS, SQLi, XXE, SSRF, Log4Shell, Spring4Shell. Swagger/OpenAPI support. GPL v2 licensed. Wapiti is a free, open-source web vulnerability scanner written in Python. It crawls web applications and injects payloads through HTTP parameters to find injection vulnerabilities, misconfigurations, and known CVEs. With 1,600+ GitHub stars, 247 forks, and 31 contributors, Wapiti has maintained active development since 2006. Version 3.2.10 was released in November 2025. The project is included in Kali Linux. I use Wapiti when I want a scriptable black-box web scanner that does not require a paid license. It crawls a target and runs attack modules for SQL injection, XSS, command injection, and file inclusion, then outputs an HTML or JSON report. The false-positive rate is higher than commercial DAST tools, but for quick scans on internal apps it is fast to spin up. ## What is Wapiti? Wapiti is a command-line black-box fuzzer. It does not read source code. Instead, it crawls a deployed web application, extracts links and forms, then sends attack payloads through GET and POST parameters, cookies, and HTTP headers. This approach aligns with the OWASP Testing Guide's recommendation for runtime testing of deployed applications to complement static analysis. It analyzes responses to identify vulnerabilities. When it injects an XSS payload into a form field and that payload shows up in the response HTML, it flags it. When a time-based SQL injection payload causes a delayed response, it reports that too. The scanner ships 30+ attack modules covering injection flaws, known CVEs (Log4Shell, Spring4Shell, Shellshock), server misconfigurations, and more. It also supports Swagger/OpenAPI specs for API testing. Written in Python 3, Wapiti requires version 3.12, 3.13, or 3.14. It runs on Linux and macOS natively, and on Windows through WSL. | Feature | Details | | ------------------ | ------------------------------------------------------ | | Language | Python 3.12 / 3.13 / 3.14 | | License | GPL v2 | | Attack modules | 30+ | | GitHub stars | 1,600+ | | Latest version | 3.2.10 (November 2025) | | Report formats | HTML, JSON, XML, CSV, TXT | | Authentication | Basic, Digest, NTLM, form-based, browser cookie import | | Proxy support | HTTP, HTTPS, SOCKS5 | | Session management | SQLite3 database (suspend/resume) | | API testing | Swagger/OpenAPI | | JS rendering | Headless Firefox | | Platforms | Linux, macOS, Windows (WSL) | ## What are Wapiti's key features? 30+ Attack Modules:::SQL injection, XSS, file inclusion, command execution, [...truncated for length...] --- # Waratek URL: https://appsecsanta.com/waratek Description: Waratek, RSA Innovation Sandbox winner, provides JVM-embedded virtual patching for CVE remediation without code changes or restarts. Waratek is a Java-focused [RASP](/rasp-tools) solution that embeds security directly into the JVM. Winner of the RSA Innovation Sandbox Award, it protects Java applications from OWASP Top 10 vulnerabilities, zero-day exploits, and known CVEs without code changes or restarts. The platform ships as two products: **Waratek Secure** (automated vulnerability remediation) and **Waratek Elevate** (legacy app modernization with compliance). Both operate at the JVM bytecode level using a patented data tainting engine that tracks untrusted data as it flows through the application. Waratek claims 2% performance overhead, 150ms time-to-remediate, and protection across 80,000+ applications in production. The company targets financial services, healthcare, and government organizations running business-critical Java workloads. | Feature | Details | | -------------------- | ------------------------------------------------- | | Language | Java (JVM-based) | | Architecture | JVM bytecode instrumentation | | Products | Waratek Secure, Waratek Elevate | | Detection | Patented data tainting engine | | Performance overhead | 2% (vendor-stated) | | Virtual patching | CVE remediation without code changes or restarts | | API security | RESTful API endpoint discovery | | Frameworks | Spring, Struts, Tomcat, and other Java frameworks | | Compliance | PCI DSS, GDPR, SOC 2, HIPAA | | Management | Waratek Portal (SaaS or on-premises) | ## What is Waratek? Waratek instruments the JVM at the bytecode level. When untrusted data enters the application from the network, the data tainting engine tracks it through every method call, variable assignment, and framework transformation. If that data reaches a dangerous operation — a SQL query, a deserialization call, a file system access — Waratek knows whether it has been properly sanitized. This approach differs from pattern-matching RASP tools that look at request signatures. Waratek sees how data actually flows through code, which eliminates the false positives that come from matching attack patterns in legitimate traffic. Virtual patching applies security fixes at the JVM bytecode level. When a CVE affects a third-party library, Waratek can neutralize the vulnerability without modifying source code, rebuilding the application, or restarting the process. This is particularly valuable for legacy Java applications that cannot be easily patched or redeployed. Data Tainting Engine:::Tracks untrusted data from network entry through every code path. When tainted data reaches a dangerous operation without sanitization, Waratek blocks the request. Eliminates false positives from pattern matching. ||| Virtual Patching:: [...truncated for length...] --- # WitnessAI URL: https://appsecsanta.com/witnessai Description: WitnessAI is an AI security platform with intent-based behavioral controls, shadow AI discovery, and runtime defense for enterprise models and AI agents. WitnessAI is an [AI security](/ai-security-tools) platform that provides unified visibility, intent-based behavioral controls, and runtime defense for enterprise AI usage across employees, models, applications, and agents. Unlike pattern-matching AI security tools that scan for known malicious strings, WitnessAI analyzes the meaning and purpose behind each prompt to catch sophisticated multi-turn attacks and contextual jailbreaks. Co-founded by Rick Caccia (CEO) and incubated by Ballistic Ventures, WitnessAI is headquartered in Mountain View, California. Caccia brings over two decades of cybersecurity leadership experience from Palo Alto Networks, Google Cloud Security, and Exabeam. In January 2026, WitnessAI announced $58 million in strategic funding led by Sound Ventures, with participation from Fin Capital, Samsung Ventures, Qualcomm Ventures, and Forgepoint Capital Partners — joining existing investors Google Ventures and Ballistic Ventures. The round followed 500% ARR growth and a 5x headcount expansion over the prior year. The company has been recognized on Fortune's Cyber60 list, as an SC Awards Excellence Award finalist, and named in the 2025 IDC Innovators report for Security for Agentic AI. ## What is WitnessAI? WitnessAI sits at the infrastructure layer between users and AI models. Instead of building safety features into models or relying on endpoint monitoring alone, the platform intercepts and analyzes AI interactions at the network level, applying intent-based behavioral controls in real time. The platform is organized into three modules — Observe, Protect, and Control — that work together to give security teams full visibility into AI usage, defend against adversarial attacks, and enforce governance policies across the organization. What distinguishes WitnessAI from pattern-matching approaches is its intent-based detection engine. Rather than flagging keywords or matching predefined patterns, the system analyzes the meaning and purpose behind each prompt, catching sophisticated multi-turn attacks and advanced prompt injection that rule-based filters miss. Observe:::Discovers and catalogs all AI applications, agents, and MCP servers across the organization. Provides real-time visibility into AI conversations — including prompts and responses — and identifies shadow AI usage across employees and teams. ||| Protect:::Delivers runtime defense against prompt injection, jailbreaks, and harmful AI responses with automated red teaming for pre-deployment vulnerability discovery. Includes a bidirectional AI Firewall that screens both inputs and outputs. ||| Control:::Enforces governance policies based on department, role, intent, or workforce type. Intelligently routes prompts to appropriate models based on risk and cost, applies real-time data redaction, and generates granular audit trails for compliance. ## What are WitnessAI's key features? | Feature | Details | |---------|---------| | Detection Approach | Intent-based behavio [...truncated for length...] --- # Wiz URL: https://appsecsanta.com/wiz Description: Wiz is a Cloud Native Application Protection Platform (CNAPP) providing agentless security scanning across AWS, Azure, GCP, OCI, and Alibaba Cloud. Wiz is an [IaC security](/iac-security-tools) and CNAPP platform that scans cloud environments without installing agents. The platform connects to AWS, Azure, GCP, OCI, and Alibaba Cloud via API and maps relationships between resources, identities, and vulnerabilities through what it calls the Security Graph. More than 50% of Fortune 100 companies use Wiz, including Morgan Stanley, Salesforce, BMW, Siemens, Snowflake, and Slack. The company was the fastest SaaS product to reach $100M and $200M ARR. Google announced a $32B acquisition of Wiz in March 2025. As of Google Cloud Next '26, Wiz has officially joined the Google Cloud Security family, with the deal closing during 2026. The platform integrates with 200+ security tools through the Wiz Integration Network (WIN). > **Where Wiz lives on AppSec Santa.** Wiz is primarily a CNAPP (cloud-native application protection platform) — its canonical scope is cloud-posture and runtime, not application security. AppSec Santa covers Wiz only for its IaC scanning surface (Wiz Code, Checkov-derived rules), which is why this page sits under [IaC Security](/iac-security-tools). For container runtime, CSPM, and CWP comparisons that fall outside AppSec, dedicated CNAPP coverage is out of scope here. ## What is Wiz? Wiz connects to cloud provider APIs and scans every layer of infrastructure without agents. It covers virtual machines, containers, serverless functions, storage, databases, identity systems, and networking. A full risk profile is available within 24 hours of connecting your cloud accounts. The platform has three main modules. **Wiz Code** scans repositories, CI/CD pipelines, container registries, and images. It generates 1-click fix PRs when it finds issues. **Wiz Cloud** handles agentless posture management: CSPM, CWPP, CIEM, vulnerability scanning, and IaC checks. **Wiz Defend** adds eBPF-based runtime protection and threat detection for workloads that need real-time monitoring. Wiz automatically discovers new cloud resources as they're added. A free 14-day trial is available. Agentless Scanning:::Connects via cloud provider APIs. No agents to install, no performance impact on workloads. Covers VMs, containers, serverless, PaaS, storage, and networking. ||| Security Graph:::Maps relationships between cloud resources, identities, vulnerabilities, and network exposure. Traces connections from source code through CI/CD to production infrastructure. ||| Attack Path Analysis:::Identifies toxic combinations where multiple issues create exploitable paths. A misconfigured VM + critical CVE + excessive IAM permissions = one prioritized alert, not three separate ones. ## What are Wiz's key features? | Module | Details | | -------------- | --------------------------------------------------------------------------------------------------- | | Wiz Code | Code, CI/CD, registry, and container image [...truncated for length...] --- # Xage Security URL: https://appsecsanta.com/xage-security Description: Xage Security is a zero trust platform for AI, LLMs, and agentic AI enforcing identity-based controls at the protocol layer. NVIDIA partnership, jailbreak-proof. Xage Security is an [AI security](/ai-security-tools) platform that delivers zero trust for AI, LLMs, and agentic AI at the protocol layer, enforcing identity-based access controls below the AI stack where prompts cannot bypass them. This protocol-layer approach is fundamentally different from application-level tools like Lakera Guard or Noma Security — even a successfully jailbroken AI agent cannot circumvent Xage's enforcement because it operates at a layer the AI cannot reach. The company was founded by Duncan Greatwood (CEO), a former Apple executive who previously served as CEO of Topsy — the social media search and analytics pioneer acquired by Apple in 2013. Susanto Irwan serves as Co-Founder, President, and CTO. Xage originally built its zero trust platform for IT, operational technology (OT), and cloud environments, securing critical infrastructure including 60%+ of U.S. midstream energy infrastructure. In 2025, the company expanded to AI security with the launch of Zero Trust for AI, signing its first customer within days and securing a strategic partnership with NVIDIA within weeks. The company reported 81% year-over-year revenue growth, 102% customer growth, and raised an additional $15M in equity funding in December 2025 led by Piva Capital. ## What is Xage Security? Xage's approach to AI security is fundamentally different from prompt-level filtering or application-layer monitoring. The platform enforces identity and policy at the network data protocol layer — below the AI stack. This means that even if an AI prompt is manipulated through jailbreak techniques, unauthorized access is blocked because enforcement happens at a layer the AI cannot reach. Each AI agent is treated as a non-human identity with cryptographic credentials, scoped entitlements, and automated rotation. The Xage Fabric wraps each agent with access control shielding based on its identity and entitlements, handling credential issuance, rotation, and revocation automatically. Xage Fabric policy management UI — source/destination identity enforcement across OT devices Protocol-Layer Enforcement:::Enforces zero trust at the network data protocol layer, not at the AI prompt or output layer. Policy enforcement sits below the AI stack where jailbreaks and prompt manipulation cannot bypass it. ||| Identity-Based Agent Security:::Each AI agent gets cryptographic credentials with scoped entitlements and automated rotation. The Xage Fabric wraps agents with access controls tied to their verified identity. ||| NVIDIA Integration:::Runs natively on NVIDIA BlueField DPUs for hardware-accelerated enforcement. Supports 10M assets, 50M simultaneous AI interactions, and 400 Gbps throughput — 100x faster than software-only solutions. ## What are Xage Security's key features? | Feature | Details | |---------|---------| | Enforcement Layer | Network data protocol layer (below AI stack) | | Jailbreak Protection | Prompt manipulation cannot bypass protocol-layer enforcemen [...truncated for length...] --- # ZAP (Zed Attack Proxy) URL: https://appsecsanta.com/zap Description: Complete ZAP review. Free, open-source DAST with 14,700+ GitHub stars. Now backed by Checkmarx. API scanning, CI/CD automation, and honest limitations. ZAP (Zed Attack Proxy) is a widely used open-source web application security scanner. It's free, Apache 2.0 licensed, and has no paid tiers or feature restrictions. With 14,700+ GitHub stars, 2,500+ forks, and 229+ contributors, ZAP is a go-to free [DAST tools](/dast-tools) choice for security teams, pentesters, and developers. Version 2.17.0 shipped in December 2025, written primarily in Java (73% of the codebase). In September 2024, Checkmarx partnered with the ZAP project and hired all three project leaders — Simon Bennetts, Rick Mitchell, and Ricardo Pereira. ZAP remains free and open source. Checkmarx provides funding and resources for continued development. ## What is ZAP? ZAP sits between your browser and the target application as an intercepting proxy. All HTTP/HTTPS traffic passes through ZAP, where you can inspect, modify, and replay requests in real-time. Beyond manual testing, ZAP includes automated scanning: a spider that crawls the application, an AJAX spider that uses a headless browser for JavaScript-heavy pages, a passive scanner that analyzes traffic without sending extra requests, and an active scanner that fires attack payloads at discovered endpoints. The tool earned OWASP Flagship Project status and has been a GitHub Top 1000 project. The OWASP Testing Guide lists ZAP as a reference tool for dynamic application security testing. | Feature | Details | |---------|---------| | License | Apache 2.0 (free, no restrictions) | | GitHub stars | 14,700+ | | Contributors | 229+ | | Language | Java (73%) | | Latest version | 2.17.0 (December 2025) | | API testing | REST, GraphQL, SOAP | | Automation | YAML-based framework | | Desktop platforms | Windows, macOS, Linux | | Docker images | zap-stable, zap-weekly | | CI/CD | Official GitHub Actions, GitLab templates | | Output formats | HTML, JSON, XML, Markdown, SARIF | | Maintained by | Checkmarx (all 3 project leaders employed) | ## What are ZAP (Zed Attack Proxy)'s key features? Intercepting Proxy:::Man-in-the-middle proxy that captures all HTTP/HTTPS traffic. Inspect requests and responses, modify parameters and headers, replay requests, and record authentication sequences. SSL/TLS decryption with ZAP's CA certificate. ||| Automated Scanning:::Traditional spider + AJAX spider (headless browser) for crawling. Passive scanner analyzes proxied traffic. Active scanner fires attack payloads at every discovered endpoint. Configurable scan policies control what gets tested. ||| Automation Framework:::Define entire scan workflows in YAML files — contexts, authentication, spidering, scanning, and reporting. Run them from CLI or Docker. Treat your scan configuration as code in version control. ### Intercepting Proxy ZAP's core is the man-in-the-middle proxy. Configure your browser to route traffic through ZAP and you can: - Inspect every request and response in real-time - Modify parameters, headers, and request bodies before they reach the server - Replay requests with altered val [...truncated for length...] --- # ZeroThreat URL: https://appsecsanta.com/zerothreat Description: ZeroThreat is an AI-powered DAST platform for web apps and APIs. Scans for 40,000+ vulnerabilities across REST, SOAP, GraphQL, and gRPC. Free tier available. ZeroThreat is an AI-powered [DAST tool](/dast-tools) that combines dynamic application security testing with automated penetration testing for web apps and APIs. It scans for over 40,000 vulnerabilities including OWASP Top 10 and CWE Top 25. The platform tests REST, SOAP, GraphQL, and gRPC endpoints from a single interface. Founded in 2023 and headquartered in Carol Stream, Illinois, ZeroThreat launched publicly at Web Summit 2024 in Lisbon. ## What is ZeroThreat? ZeroThreat is a cloud-based DAST scanner that uses AI to find and validate vulnerabilities in running web applications. Instead of relying only on pattern matching, the platform attempts to validate whether detected issues are actually exploitable. ZeroThreat claims 98.9% detection accuracy with near-zero false positives. You enter a URL and ZeroThreat handles the rest. No agents to install, no complex configuration. The platform crawls your application, discovers endpoints, and runs attack simulations against them. | Feature | Details | |---------|---------| | Vulnerability checks | 40,000+ including OWASP Top 10, CWE Top 25 | | API protocols | REST, SOAP, GraphQL, gRPC | | Authentication | Login recording via Chrome extension, MFA support | | Business logic | BOLA, IDOR, access control testing | | Scan speed | 13,942 URLs scanned in 9 minutes (vendor benchmark) | | Compliance | GDPR, ISO 27001, PCI-DSS, HIPAA reporting | | Deployment | Cloud SaaS + on-premises proxy for internal targets | | Certifications | ISO certified, SOC 2 certified | AI-Powered Scanning:::Uses AI to validate whether detected vulnerabilities are actually exploitable, reducing false positives. Claims 98.9% accuracy across 40,000+ vulnerability checks. ||| API Pentesting:::Tests REST, SOAP, GraphQL, and gRPC endpoints including internal APIs. Covers authentication flaws, injection, and business logic issues in API layers. ||| Zero-Config Setup:::Enter a target URL and scanning starts. No agents, no infrastructure setup. Scans run on ZeroThreat's cloud and results appear in the dashboard within minutes. ## What are ZeroThreat's key features? ### Web Application Scanning ZeroThreat crawls web applications and runs attack simulations covering SQL injection, XSS, SSRF, IDOR, authentication flaws, and misconfigurations. These vulnerability classes align with the OWASP Top 10, which the platform uses as a baseline for its scanning coverage. Playwright-based SPA scanning for JavaScript-heavy applications is listed as coming soon. The dashboard shows results as they come in. Each finding includes the request/response evidence and a severity rating. You can re-scan individual issues instantly after applying fixes, without running a full scan again. ### API Security Testing ZeroThreat tests API endpoints across four protocols: REST, SOAP, GraphQL, and gRPC. It discovers API routes during crawling and tests them for injection, broken authentication, excessive data exposure, and business logic flaws. The pla [...truncated for length...] --- # Zimperium zScan URL: https://appsecsanta.com/zimperium-zscan Description: Zimperium zScan validates mobile hardening controls with SAST+DAST+IAST analysis. Tests SSL pinning, anti-tampering, root detection, and supply chain risks. Zimperium zScan is an automated Mobile Application Security Testing (MAST) platform that combines static, dynamic, and interactive analysis for Android and iOS applications. It scans app binaries and returns prioritized findings in 15-30 minutes. What sets zScan apart from pure vulnerability scanners is that it also validates whether security controls like anti-tampering, anti-reversing, and SSL pinning are actually implemented correctly. Part of the Zimperium Mobile Application Protection Suite (MAPS), zScan can be used standalone or alongside zShield (app shielding), zDefend (runtime protection), and zKeybox (key protection). Zimperium was founded in 2010 and is headquartered in Dallas, TX. The company holds a Forrester Wave Leader position in Mobile Threat Defense, won the 2025 Mobile Breakthrough Award for "Mobile Security Solution of the Year," and is a 2025 SPARK Matrix Leader for In-App Protection. A free 30-day trial is available. ## What is Zimperium zScan? zScan accepts APK, IPA, and AAB files uploaded directly or pulled from App Store and Google Play URLs. The scanner decompiles the binary and runs three types of analysis: - **Static Analysis (SAST)**: Examines decompiled code for security flaws, insecure API usage, and cryptographic issues - **Dynamic Analysis (DAST)**: Simulates runtime behavior to detect vulnerabilities and misconfigurations during execution - **Interactive Analysis (IAST)**: Combines static and dynamic testing under realistic runtime conditions Unlike scanners that only find weaknesses, zScan also checks whether defensive measures are correctly implemented. If your team invested in certificate pinning, root detection, or code obfuscation, zScan confirms those protections are working as expected. Vulnerability Detection:::SAST+DAST+IAST analysis identifies security flaws, insecure API usage, and cryptographic issues in mobile binaries. ||| Security Control Validation:::Verifies that anti-tampering, anti-reversing, SSL pinning, and root/jailbreak detection are correctly implemented. ||| Supply Chain Assessment:::Generates SBOMs and flags third-party SDKs and libraries with known vulnerabilities or security concerns. ## What are Zimperium zScan's key features? | Feature | Details | |---------|---------| | Analysis Types | SAST + DAST + IAST | | Scan Speed | 15-30 minutes | | Input Formats | APK, IPA, AAB, App Store/Play Store URLs | | Infrastructure | Cloud-based (no local setup required) | | Report Formats | SARIF, PDF, JSON | | CI/CD Plugins | GitHub Actions, GitLab CI, Jenkins, Harness, GoCD, Bitrise | | Compliance | OWASP MASVS, PCI-DSS, HIPAA, GDPR, NIAP | | Cross-Platform | Flutter, React Native, Xamarin, Cordova, Ionic | | MAPS Suite | Works with zShield, zDefend, zKeybox | | Trial | Free 30-day trial (unlimited apps) | ### Anti-Tampering Validation zScan verifies that anti-tampering controls are correctly implemented: - Root/jailbreak detection - Debugger detection - Emulator detection - Code integr [...truncated for length...] ---