autonomous pentest agent · live demo

proof of exploitation,
not probability.

$ sekura scan --target acme-payments-api --mode full
[INFO] gitleaks ▸ .env.sample:7 dummy token (ignored)
[INFO] semgrep ▸ users/routes.py:88 missing-authz-check (medium)
[FINDING] [F-02] hypothesis: IDOR on GET /users/:id/receipts (users/routes.py:88)
[INFO] semgrep ▸ auth/token.py:55 weak-jwt-alg (none) (low)
[INFO] whitebox-reviewer: 3 hypotheses emitted · routing to phase 2
[PHASE] ── phase 2 / 6 · recon ────────────────────────────────────
[AGENT] recon-agent: subfinder + amass · scope=acme-payments-api.prod
[INFO] httpx: 200 OK api.acme.internal/healthz server=envoy/1.29
[INFO] katana crawl depth=3 · 12 endpoints discovered
[INFO]   POST /v2/auth/login (auth.svc)
[INFO]   POST /v2/auth/refresh (auth.svc)
[INFO]   GET /v2/users/:id (users.api)
[INFO]   GET /v2/users/:id/receipts (users.api)
[INFO]   POST /v2/payments/charge (payments.api)
[INFO]   POST /v2/payments/invoice (payments.api)
[INFO]   GET /v2/orders/:id (orders.api)
[INFO] nuclei: tech-detect · [email protected] · [email protected] · s3@aws
[INFO] recon-agent: surface mapped · 12 endpoints · 8 services
[PHASE] ── phase 3 / 6 · auth context ─────────────────────────────
[AGENT] authz-analyzer: deriving role matrix from OpenAPI + traces
[INFO] roles resolved: [anon, user, merchant, admin]
[INFO] session cookie: sid · SameSite=Lax · HttpOnly=1 · Secure=1
[INFO] jwt alg=RS256 · kid rotation=24h · no "none" accepted
[PHASE] ── phase 4 / 6 · vuln agents (16 concurrent) ──────────────
[AGENT] spawning 16 agents · budget=180s · max_rps=20/host
[AGENT] sqli-analyze
attack surface panel · services: api.gateway · auth.svc · payments.api · users.api · orders.api · db.postgres · redis.cache · s3.receipts

point it at your repo. 52 tools, 14 agents, six phases, one critical chain, and no human in the loop.

specialized agents and fifty-plus tools, and every scan runs the same deterministic six-phase sequence, from white-box review and recon through to proof of exploit.

architecture · 6 phases, 50+ tools


phase 01 · read the code before probing the service

White-Box + SAST

Seven SAST engines plus a whitebox LLM reviewer read the repo and emit file:line-anchored hypotheses. Those hypotheses seed every later phase, which then confirms or refutes them against the running service.

agents & tools (8)
  • agent · whitebox-reviewer: reads diffs + whole-repo context, emits ranked hypotheses with file:line anchors
  • tool · semgrep: taint + pattern rules (p/owasp-top-10, p/python, p/javascript)
  • tool · trivy: dependency + container + IaC scanning
  • tool · bandit: python AST · weak crypto, subprocess, yaml.load
  • tool · gosec: go AST · hardcoded creds, unsafe exec, TLS config
  • tool · checkov: terraform / cloudformation / k8s manifests
  • tool · njsscan: node.js + express insecurity patterns
  • tool · gitleaks: commit-history secret scan (depth=500)
about whitebox-reviewer
uses prompts/whitebox_reviewer.md · produces Finding with Verdict::Hypothetical
Finding (hypothesis), rust:

```rust
// a phase-1 hypothesis as the whitebox-reviewer emits it: anchored to file:line,
// not yet verified (Verdict::Hypothetical), with an estimated rather than measured cvss
Finding {
    id: "F-01",
    kind: Vuln::SqlInjection,
    verdict: Verdict::Hypothetical,
    source: Source::Whitebox,
    anchor: "payments/query.py:142",
    evidence: "semgrep ▸ tainted-sql-format",
    cvss_est: 7.5,
}
```
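What happens to a hypothesis after phase 1 is the point of the whole pipeline, so here is an added example (not sekura's code) that models the promotion step: phase-1 findings carry Verdict::Hypothetical, a later phase produces observations, and each hypothesis is confirmed, refuted, or left untouched. The Finding type and variant names follow the snippet above; the Observation shape, the reconcile logic and all sample values are this example's own assumptions. The JWT observation mirrors phase 3 of the transcript (RS256 enforced, alg=none rejected); the IDOR exploitation and the cvss estimates for F-02 and F-03 are constructed.

```rust
// Added example (not sekura code): how a phase-1 hypothesis becomes a verdict.
// Type and variant names follow the page's Finding snippet; the Observation
// shape, reconcile logic and sample data are this example's own assumptions.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Vuln {
    SqlInjection,
    Idor,
    WeakJwtAlg,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    Hypothetical, // emitted by SAST / whitebox-reviewer, not yet tested
    Confirmed,    // a later phase produced a working exploit
    Refuted,      // a later phase showed the precondition does not hold
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Source {
    Whitebox,
}

#[derive(Debug, Clone)]
pub struct Finding {
    pub id: String,
    pub kind: Vuln,
    pub verdict: Verdict,
    pub source: Source,
    pub anchor: String, // file:line the hypothesis points at
    pub evidence: String,
    pub cvss_est: f32,
}

/// Runtime observation from phase 3/4, keyed on the same (kind, anchor) pair
/// as the hypothesis it tests. Assumed shape for this example.
pub struct Observation {
    pub kind: Vuln,
    pub anchor: String,
    pub exploited: bool,
    pub note: String,
}

/// Promote or refute hypotheses. A hypothesis with no matching observation
/// stays Hypothetical: "not tested" must never be reported as "not vulnerable".
pub fn reconcile(findings: &mut [Finding], observations: &[Observation]) {
    let index: HashMap<(Vuln, String), &Observation> = observations
        .iter()
        .map(|o| ((o.kind, o.anchor.clone()), o))
        .collect();
    for f in findings.iter_mut() {
        if f.verdict != Verdict::Hypothetical {
            continue;
        }
        if let Some(o) = index.get(&(f.kind, f.anchor.clone())) {
            f.verdict = if o.exploited { Verdict::Confirmed } else { Verdict::Refuted };
            f.evidence = format!("{} · {}", f.evidence, o.note);
        }
    }
}

/// Only confirmed findings may become edges in the attack graph.
pub fn chainable(findings: &[Finding]) -> Vec<&Finding> {
    findings.iter().filter(|f| f.verdict == Verdict::Confirmed).collect()
}

fn hypothesis(id: &str, kind: Vuln, anchor: &str, evidence: &str, cvss_est: f32) -> Finding {
    Finding {
        id: id.into(),
        kind,
        verdict: Verdict::Hypothetical,
        source: Source::Whitebox,
        anchor: anchor.into(),
        evidence: evidence.into(),
        cvss_est,
    }
}

/// Constructed phase-1 output mirroring the demo transcript (F-02/F-03 scores assumed).
pub fn sample_findings() -> Vec<Finding> {
    vec![
        hypothesis("F-01", Vuln::SqlInjection, "payments/query.py:142", "semgrep ▸ tainted-sql-format", 7.5),
        hypothesis("F-02", Vuln::Idor, "users/routes.py:88", "semgrep ▸ missing-authz-check", 6.5),
        hypothesis("F-03", Vuln::WeakJwtAlg, "auth/token.py:55", "semgrep ▸ weak-jwt-alg (none)", 3.7),
    ]
}

/// Constructed observations: the JWT one matches phase 3 of the transcript,
/// the IDOR exploitation is invented, and F-01 is deliberately left untested.
pub fn sample_observations() -> Vec<Observation> {
    vec![
        Observation { kind: Vuln::Idor, anchor: "users/routes.py:88".into(), exploited: true,
                      note: "GET /v2/users/<other-id>/receipts returned 200 as plain user".into() },
        Observation { kind: Vuln::WeakJwtAlg, anchor: "auth/token.py:55".into(), exploited: false,
                      note: "jwt alg=RS256 enforced, alg=none rejected".into() },
    ]
}

fn main() {
    let mut findings = sample_findings();
    reconcile(&mut findings, &sample_observations());
    for f in &findings {
        println!("{} {:?} {:?} {}", f.id, f.kind, f.verdict, f.evidence);
    }
    println!("chainable: {}", chainable(&findings).len());
}
```

The refuted case is the one worth noticing: the SAST rule was right that the code handles alg=none, but the deployed verifier rejects it, so the finding never reaches the graph. The untested case (F-01) stays Hypothetical rather than silently disappearing, which is what a report has to show for a scan that hit its time budget.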

most scanners report individual vulnerabilities. sekura maps how they chain together — because a breach is never just one thing.

attack graph · petgraph + dijkstra

the chain is the finding.

sast and dast stop at hypotheses. sekura keeps walking the graph, and turns a handful of individually medium findings into one exploitable path from the internet to the data a ciso actually loses sleep over.

attack graph nodes: User (external) · API Gateway (service) · Auth Service (service) · Payment Service (service) · postgres (store) · s3://card-vault (store) · stripe.com (external)
CHAIN-01 · card-vault exfiltration · score 9.8 · critical chain
5 hops · dijkstra · exploitability-weighted
individually medium. chained, a breach.
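To make "dijkstra · exploitability-weighted" concrete, here is an added example (not sekura's code) that runs the search over the node set shown above. sekura uses petgraph's dijkstra; this version is a std-only Dijkstra so it runs without crates. The node names follow the page; every edge, its finding label and its exploitability score are constructed for the example. The weighting is the thing to watch: a direct gateway-to-payments edge exists with fewer hops, but it is so hard to exploit that the five-hop route comes out cheaper, which is why the chain is scored on exploitability rather than hop count.

```rust
// Added example (not sekura code): exploitability-weighted shortest path over
// the attack graph nodes shown above. sekura uses petgraph's dijkstra; this is
// a std-only Dijkstra so it runs with no crates. Node names follow the page;
// every edge, finding label and exploitability score below is constructed.
use std::cmp::Reverse;
use std::collections::{BinaryHeap, HashMap};

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, PartialOrd, Ord)]
pub enum Node {
    User,           // external
    ApiGateway,     // service
    AuthService,    // service
    PaymentService, // service
    Postgres,       // store
    CardVault,      // store: s3://card-vault
    Stripe,         // external: stripe.com
}

/// A confirmed finding that lets an attacker step `from` -> `to`.
/// `exploitability` is 1..=10, higher = easier to pull off.
pub struct Edge {
    pub from: Node,
    pub to: Node,
    pub finding: &'static str,
    pub exploitability: u32,
}

/// Dijkstra minimises a sum, so an easy edge must be cheap: cost = 11 - exploitability.
/// Clamping keeps every weight >= 1; Dijkstra needs strictly positive edges.
pub fn cost(e: &Edge) -> u32 {
    11 - e.exploitability.clamp(1, 10)
}

/// Constructed graph. The direct gateway -> payments edge has fewer hops but
/// exploitability 2, so the five-hop route through auth wins on cost.
pub fn sample_graph() -> Vec<Edge> {
    use Node::*;
    let e = |from: Node, to: Node, finding: &'static str, exploitability: u32| Edge {
        from, to, finding, exploitability,
    };
    vec![
        e(User, ApiGateway, "public ingress, no pre-auth filtering", 10),
        e(ApiGateway, AuthService, "IDOR on GET /v2/users/:id/receipts leaks account data", 8),
        e(AuthService, PaymentService, "refresh token accepted for merchant role", 6),
        e(ApiGateway, PaymentService, "missing authz on POST /v2/payments/invoice, heavily rate-limited", 2),
        e(PaymentService, Postgres, "SQL injection in payments/query.py:142", 7),
        e(Postgres, CardVault, "presigned s3 URLs for card-vault stored in a table", 7),
        e(PaymentService, Stripe, "outbound webhook, dead end for exfiltration", 9),
    ]
}

/// Cheapest (most exploitable) chain from `src` to `dst`: (total cost, node path).
pub fn cheapest_chain(edges: &[Edge], src: Node, dst: Node) -> Option<(u32, Vec<Node>)> {
    let mut adj: HashMap<Node, Vec<&Edge>> = HashMap::new();
    for e in edges {
        adj.entry(e.from).or_default().push(e);
    }
    let mut dist: HashMap<Node, u32> = HashMap::new();
    let mut prev: HashMap<Node, Node> = HashMap::new();
    let mut heap = BinaryHeap::new();
    dist.insert(src, 0);
    heap.push(Reverse((0u32, src)));
    while let Some(Reverse((d, u))) = heap.pop() {
        if d > *dist.get(&u).unwrap_or(&u32::MAX) {
            continue; // stale heap entry, a cheaper route was already settled
        }
        if u == dst {
            break;
        }
        for e in adj.get(&u).into_iter().flatten() {
            let nd = d + cost(e);
            if nd < *dist.get(&e.to).unwrap_or(&u32::MAX) {
                dist.insert(e.to, nd);
                prev.insert(e.to, u);
                heap.push(Reverse((nd, e.to)));
            }
        }
    }
    let total = *dist.get(&dst)?;
    let mut path = vec![dst];
    let mut cur = dst;
    while let Some(&p) = prev.get(&cur) {
        path.push(p);
        cur = p;
    }
    path.reverse();
    Some((total, path))
}

/// Hops in a path: edges, not nodes.
pub fn hops(path: &[Node]) -> usize {
    path.len().saturating_sub(1)
}

fn main() {
    let g = sample_graph();
    match cheapest_chain(&g, Node::User, Node::CardVault) {
        Some((c, p)) => println!("cost {} · {} hops · {:?}", c, hops(&p), p),
        None => println!("no chain to card-vault"),
    }
}
```

Running it reports a cost-17, five-hop path User → API Gateway → Auth Service → Payment Service → postgres → s3://card-vault; the four-hop route via the direct gateway-to-payments edge costs 18 and loses. stripe.com is reachable but has no outgoing edge, so a query from it to the vault returns no chain, which is the correct answer for a node that is a sink rather than a pivot.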
run it on your code · free, phase 1 only

stop reading. start scanning.

paste a public github repo. we'll run phase 1 only (whitebox + sast, seven engines, zero traffic to your target) and stream findings as they land.

public repos only · phase 1 scan (whitebox + sast) · full report via email · rate-limit 10/hr/ip