customers

security teams using sekura today.

Early adopters running autonomous penetration tests on real codebases — with proof-of-exploit for every finding.

early adopter

security teams ship on proof, not probability.

5 repositories assessed
19 findings delivered
100% shipped with proof-of-exploit
0 false positives

proof, not probability

a real finding from a design partner — proven, not guessed.

Critical Reachable ReDoS in a transitive dependency (CVE-2021-29060)
design partner — identity & passport platform (web-facing service)

$ sekura scan --repo computeid-passport --type web

[sca]   color-string@<1.5.5  ← CVE-2021-29060 (ReDoS, CVSS 7.5)
[reach] imported by  simple-swizzle → color → theme loader (app entry)
[proof] crafted color value "rgb(9999999999999999999999999999999999999999%..."  → 100% CPU, request hangs >30s
[verdict] EXPLOITABLE — single unauthenticated request stalls a worker

impact

A single crafted, unauthenticated request triggers catastrophic regex backtracking and pins a server worker — repeatable, no auth, no special access. Denial of service against a login-path service.

fix

bump color-string to ^1.5.5 (patched) — transitive, one lockfile change if the parent package's range already admits 1.5.5; otherwise pin it with a lockfile override so the resolved version actually moves

Findings are shown with evidence and a verdict — not a severity score and a shrug.

paste a repo. get proof.