Run your first assessment
You will create an organization, connect a source or target, choose an assessment type, run it, and read the findings. By the end you will have a completed assessment with structured vulnerabilities ready for triage and remediation.
Step 1: Create an organization
When you sign in, AISafe prompts you to create an organization. The organization is your tenant: it holds your assessments, findings, reports, team members, integrations, and billing. Enter an organization name and code (the code becomes part of your assessment IDs, e.g. AIS-ACME-TLP). You can rename the organization later, but the code is immutable.
To create the organization, fill in the Organization name field (a human-readable label like "Acme Security") and the Organization code field (a short alphanumeric slug like ACME). Click Create organization. AISafe takes you to the dashboard, ready to start your first assessment.
Step 2: Connect a repo or provide a target
For a code audit, connect a GitHub or GitLab repository. If you have the AISafe GitHub App installed, you can select a private repo from your connected repositories. You can also provide a public repository URL. For a pentest, provide one or more target URLs (the live application endpoints you want tested), along with any authentication instructions or credentials the agents need to reach authenticated areas.
On the assessment creation screen, choose the Source tab for a code audit or the Target tab for a pentest. For a source-based audit, pick a repository from the dropdown of connected repos, or paste a public clone URL. For a target-based pentest, enter each target URL on a separate line and add any login credentials or session tokens the agents need to reach authenticated pages.
Step 3: Pick an assessment type
Choose between:
- Code Audit: whitebox static analysis. AI agents examine your source for vulnerabilities, taint flows, and misconfigurations. Best when you have source access.
- Pentest: blackbox runtime testing. AI agents probe your live application over HTTP, modeling the attack surface and testing for real exploitable vulnerabilities. Best for staging or production targets.
You can also provide additional instructions: free-form text that tells the agents what to prioritize (e.g. "focus on high-severity vulnerabilities that map to a CVE").
Select the assessment type from the two cards on the creation screen. The card you pick determines which fields appear next. If you want to narrow the scope, type your additional instructions into the Instructions text area before continuing.
Step 4: Run the assessment
Click Start assessment. AISafe spins up isolated sandboxes, runs the AI agents, and streams progress through stages. See What happens during an assessment for the full stage breakdown. Depending on the size of your codebase or target, an assessment completes in minutes to a few hours.
After you click Start assessment, AISafe redirects you to the assessment detail page. A progress bar at the top shows the current stage and estimated completion. You can leave the page and come back. AISafe notifies you by email (and Slack, if connected) when the assessment completes. You do not need to keep the browser tab open.
Step 5: Read the findings
When the assessment completes, you land on the findings list. Each finding includes:
- A severity (critical, high, medium, low, info)
- Evidence: file locations, taint flows, proof-of-concept payloads, and HTTP captures
- A suggested fix with code snippets where applicable
- CWE and OWASP category mappings
You can triage findings (confirm, mark as false positive, accept risk, or mark duplicate), export them to your issue tracker, or generate a PDF report.
Click any finding to open its detail view. The detail view shows the full evidence trail, the affected code or request, the suggested fix, and any comments from your team. Use the severity and status filters at the top of the list to focus on the issues that matter most.
What happens during an assessment
Once you start an assessment, AISafe runs a multi-stage pipeline. Each stage builds on the previous one, and you can watch progress in real time on the assessment detail page.
Code audit stages:
- Understanding: the agents index your codebase, map the project structure, and identify entry points and data flows.
- Analysis: the agents trace taint flows, model the attack surface, and prioritize which areas to audit.
- Audit: the agents test for vulnerabilities, misconfigurations, and insecure patterns across the prioritized areas.
- Triage: the agents validate each candidate finding, deduplicate, and assign severity ratings.
- Report: the agents assemble the final findings list with evidence, fix suggestions, and category mappings.
Pentest stages:
- Validation: the agents verify that the target is reachable and authentication (if provided) works.
- Scoping: the agents crawl and map the application's endpoints and parameters.
- Modeling: the agents build a model of the attack surface and prioritize test cases.
- Testing: the agents probe for vulnerabilities over HTTP, sending crafted requests and analyzing responses.
- Triage: the agents validate exploitable findings and assign severity ratings.
- Report: the agents assemble the final findings list with evidence and fix suggestions.
The timeline varies with scope. A small repository or single-target pentest completes in under 30 minutes. A large monorepo or a multi-target pentest with authentication can take several hours. You will receive an email notification when the assessment finishes, so you do not need to monitor it.
After the assessment
Once your assessment completes, you have a structured findings list ready for action. Your next moves:
- Triage findings: open the Findings view to confirm real issues, mark false positives, and accept risks. Start with critical and high severity findings.
- Assign remediation: export confirmed findings to Linear or Jira from the findings list so your engineering team can pick them up in their normal workflow.
- Generate a report: go to the Reports section to download a PDF suitable for sharing with stakeholders or compliance packages.
- Set up continuous review: if you connected a repository, consider enabling PR review so AISafe audits new code changes before merge.
Next steps
- Concepts: Assessment: understand the assessment lifecycle
- Concepts: Finding: learn about severity, status, and evidence
- Guide: Run your first code audit: end-to-end walkthrough