Features

AISafe provides a suite of AI-driven security testing capabilities. This section describes each feature: its purpose, use cases, and configuration.

You can combine these features to fit your workflow, whether you are running a one-off assessment before a release or maintaining continuous coverage across a fast-moving codebase. Start with an assessment type, add continuous capabilities as your needs grow, and rely on triage and reports to close the loop.

The features work together. An assessment produces findings, triage refines them into an actionable backlog, and reports package them for sharing. Continuous features keep that coverage current over time, making security an ongoing practice.

Assessment types

Two foundational assessment types, code audit and pentest, are the primary ways to find vulnerabilities in your code and applications; attack paths and SBOM export are companion capabilities that build on code-based assessments. Most teams start with one of the assessment types and layer on continuous capabilities.

  • Code Audit: whitebox static analysis. AI agents combined with structural static analysis examine your source code for vulnerabilities, taint flows, misconfigurations, and insecure patterns across a wide range of languages. Use code audit when you have access to the source and want deep, cross-file data flow analysis.
  • Attack Paths: kill-chain evidence navigation for source assessments. Use it to review how AISafe connects findings, prerequisites, controls, and confidence into a path without treating investigatory chains as confirmed exploits.
  • SBOM Export: CycloneDX/SPDX dependency inventory export for code-shaped assessments with dependency metadata. Use it when procurement, GRC, or supply-chain tooling asks for a machine-readable SBOM.
  • Pentest: blackbox runtime testing. AI agents probe your live application over HTTP and via a headless browser, modeling the attack surface and testing for exploitable vulnerabilities without access to your source code. Use pentest when you want to validate the running application or test a deployed environment.

You can run both assessment types against the same project to get complementary coverage: code audit finds source-level issues that the running application may not expose, while pentest confirms which issues are exploitable in the running application.

Continuous security

Beyond one-off assessments, AISafe offers three continuous security features that keep your posture current as your codebase evolves. You configure each at the project level, and it runs without manual intervention:

  • PR Review: automated security review on each pull request. AISafe reviews the changed paths for vulnerabilities and posts findings back to the pull request before merge. This catches issues at the earliest possible moment, when the context is fresh and the fix is cheapest.
  • Scheduled Scans: recurring assessment cadences on a project. Define how often to re-audit a project (daily, weekly, or monthly), and AISafe creates each assessment on that cadence. This covers new code and dependencies on a predictable rhythm.
  • Monitoring: continuous re-validation of findings and regression detection. AISafe re-checks that reported vulnerabilities remain reproducible and alerts you when a fix regresses or a new exposure appears. This closes the gap between finding and fix.

You can use these features alone or together. For example, a project might run PR review on each change, a scheduled scan each week, and monitoring on all critical findings. This gives you layered coverage from commit to deployment and beyond.

You configure each continuous feature per project, so you can tailor coverage to the sensitivity of each application. A critical production service might get all three, while an internal tool gets scheduled scans alone.

Triage and reports

Each assessment produces findings that need triage and reporting. AISafe automates both, freeing your team to focus on remediation:

  • Triage: the AI triage pass confirms which findings represent real vulnerabilities, deduplicates by root cause, assigns confidence scores, and prepares findings for human review. You retain full control over the final status of each finding and can override any triage decision.
  • Reports: shareable PDF deliverables with executive summaries, per-finding details, and remediation recommendations, suitable for stakeholders, compliance packages, and executive review. You can share reports with external reviewers via public URLs.

Together, triage and reports close the loop. Triage turns raw agent output into a clean, prioritized backlog, and reports package that backlog into a document you can hand to anyone, from the engineer fixing the code to the auditor verifying compliance.

Feature pages

The pages below describe each feature in detail: configuration options, workflow stages, and the vulnerability types each feature targets.