vs. running Claude yourself

You already have an API key.
Why not just ask Claude directly?

Honestly? You could. Paste a URL, ask Claude to look for vulnerabilities, get something back. But the gap between “Claude found a bug” and “my team can act on this report” is a lot wider than it looks, and once you’ve built the tooling to close it, you still have to keep it running. Here’s what that actually involves.

3-day free trial, no credit card required

What you’re actually signing up for when you DIY it

This isn’t a knock on doing it yourself. It’s just a realistic list of what a proper scanner takes to build.

DIY with Claude API
  • Build a crawler that handles SPAs, redirects, and auth sessions
  • Prompt-engineer Claude to reliably output structured vulnerability data
  • Handle rate limits and retries without dropping scan jobs
  • Queue scans so they don't stomp each other
  • Store findings somewhere searchable
  • Build a UI to actually read the output
  • Generate PDF reports you can send to a client
  • Manage API keys
  • Keep the whole thing running when you're not watching it

Estimated time to production: 2–4 months if you’re moving fast

AI Vulnerability Scanner
  • Crawler included, handles SPAs, auth, and redirects
  • Structured vulnerability output with confidence and severity baked in
  • Rate limiting and retries handled by the queue layer
  • Isolated container per scan, jobs never interfere
  • Database backed findings with full history
  • Dashboard with filters, live stream, and comparison view
  • PDF reports ready to share with a client or exec
  • API key management
  • Runs on its own infra, nothing to babysit

Time to first scan: about 3 minutes after signup

Infrastructure

A queue that sits between you and Anthropic, in both directions

On the way in: each scan gets dispatched to its own fresh container. No shared state, no scan bleeding into another, no race conditions.

On the way out: requests that hit a rate limit or a transient API error retry automatically with backoff. You get the results, not a timeout or an empty report.

You → Priority queue → Isolated container → Anthropic API → Your report

Each scan runs in its own container. Failed requests retry automatically so jobs complete, not error out.

Critical: IDOR on /api/users/[id]

No authorisation check on the resource owner. Sequential integer IDs make enumeration trivial, so any authenticated user can read any other user’s PII.

AI assessment: confidence 0.94, severity critical

Copy-fix prompt

Fix this IDOR: The GET /api/users/[id] route returns full user records without checking if the requester owns the resource. Add a server-side ownership check comparing the session user to the requested ID. Switch to UUIDs to prevent enumeration...
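To make the finding above concrete, here is the vulnerable route next to the fixed one, with the enumeration the finding warns about. This is an added example written for this page, not the scanner’s output or the fix prompt’s result. The route handlers, the `User` record, the sample table and the 404-on-non-owner choice are all assumptions made for illustration; the IDs and PII are constructed.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    email: str
    ssn_last4: str  # stand-in for the PII the finding describes


class NotFound(Exception):
    pass


# Constructed sample table: sequential integer IDs, as in the finding above.
USERS_BY_INT_ID = {
    "1": User("1", "alice@example.com", "1234"),
    "2": User("2", "bob@example.com", "5678"),
}


def get_user_vulnerable(session_user_id, requested_id, store=USERS_BY_INT_ID):
    """GET /api/users/[id] as the scanner describes it: authenticated, not authorised.

    The only gate is "is someone logged in", so any caller reads any record.
    """
    if session_user_id is None:
        raise PermissionError("login required")
    if requested_id not in store:
        raise NotFound(requested_id)
    return store[requested_id]


def get_user_fixed(session_user_id, requested_id, store=USERS_BY_INT_ID):
    """Same route with the server-side ownership check the fix prompt asks for."""
    if session_user_id is None:
        raise PermissionError("login required")
    # Compare the session principal to the resource owner, which for /users/[id]
    # is the ID itself. Answer 404 for both "missing" and "not yours" (a design
    # choice assumed here): a 403 would confirm that the other record exists.
    if requested_id != session_user_id or requested_id not in store:
        raise NotFound(requested_id)
    return store[requested_id]


def enumerate_sequential(session_user_id, handler, upper):
    """What an attacker does against sequential IDs: walk 1..upper and keep the hits."""
    leaked = []
    for candidate in range(1, upper + 1):
        try:
            leaked.append(handler(session_user_id, str(candidate)))
        except NotFound:
            continue
    return leaked


def make_uuid_store(users):
    """Re-key a table on random UUIDs so IDs can be neither predicted nor walked."""
    store = {}
    for user in users:
        new_id = str(uuid.uuid4())
        store[new_id] = User(new_id, user.email, user.ssn_last4)
    return store


if __name__ == "__main__":
    # Alice (session "1") reads Bob's record through the vulnerable route ...
    print(get_user_vulnerable("1", "2"))
    # ... and walks the whole table. The fixed route yields only her own row.
    print([u.email for u in enumerate_sequential("1", get_user_vulnerable, 10)])
    print([u.email for u in enumerate_sequential("1", get_user_fixed, 10)])
```

The ownership check is the real fix; switching to UUIDs only removes the cheap enumeration. A route that checks ownership is safe even with integer IDs, and a route that does not is still an IDOR with UUIDs once an ID leaks through a log, a referrer or a shared link.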

Signal over noise

Confidence scores and severity on every single finding

Raw AI output says “this looks suspicious.” That’s not useful. Every finding here comes with a 0–1 confidence score from the model and a severity from info to critical.

Filter by severity, sort by confidence, and focus on the things that actually matter. A critical finding at 0.94 confidence is almost certainly a real bug. A medium at 0.3 is worth a second look before you dismiss it. The score is the model’s own estimate, not a measured false-positive rate, so reproduce the finding before filing it as confirmed.

And for every finding, there’s a pre-written AI prompt you can take straight to Claude or Cursor to get a concrete fix, specific to that endpoint, that vulnerability, that context.

Everything else that just works

The boring stuff that matters when you’re using this for real work.

Priority queue

Your jobs don't queue behind everyone else's

There's a smart dispatcher sitting in front of Anthropic. When you kick off a scan, it gets a dedicated container, not a shared process that competes with other users' jobs. Requests that hit a rate limit or transient API error retry automatically with backoff. You get results, not timeouts.
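The retry behaviour described here and in the Infrastructure section above is a standard pattern: exponential backoff with jitter on rate limits and transient errors, an immediate failure on anything a retry cannot fix. The block below is an added example of that logic, written for this page; it is not the platform’s dispatcher and does not call the real Anthropic SDK. The exception classes, the `ScriptedApi` stand-in and its replayed outcomes are constructed for illustration.

```python
import random
import time


class RateLimited(Exception):
    """HTTP 429: the API asked us to slow down, optionally for retry_after seconds."""

    def __init__(self, retry_after=None):
        super().__init__("rate limited")
        self.retry_after = retry_after


class TransientError(Exception):
    """HTTP 5xx or a dropped connection: safe to retry."""


class FatalError(Exception):
    """HTTP 4xx other than 429 (rejected key, malformed request): retrying cannot help."""


def call_with_retry(request, max_attempts=5, base=0.5, cap=8.0,
                    sleep=time.sleep, rng=random.random):
    """Call request() until it succeeds or max_attempts is exhausted.

    The wait between attempts is "full jitter" exponential backoff:
    rng() * min(cap, base * 2**(attempt - 1)). A Retry-After from the API
    wins over the computed delay. Fatal errors propagate at once so a bad
    key fails loudly instead of burning every attempt. sleep and rng are
    injectable so the logic can be tested without sleeping.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            return request()
        except (RateLimited, TransientError) as exc:
            if attempt == max_attempts:
                raise  # out of attempts: surface the last error, not an empty report
            retry_after = getattr(exc, "retry_after", None)
            if retry_after is not None:
                delay = float(retry_after)
            else:
                delay = rng() * min(cap, base * 2 ** (attempt - 1))
            sleep(delay)
    raise RuntimeError("unreachable: loop always returns or raises")


class ScriptedApi:
    """Constructed stand-in for the model client: replays a list of outcomes in order."""

    def __init__(self, outcomes):
        self.outcomes = list(outcomes)
        self.calls = 0

    def scan_page(self):
        self.calls += 1
        outcome = self.outcomes.pop(0)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome


def scan_with_recording(outcomes, **kwargs):
    """Run call_with_retry over a scripted API; return (result, calls made, delays slept).

    rng is pinned to 1.0 so the delays are deterministic: base, 2*base, 4*base, ...
    """
    delays = []
    api = ScriptedApi(outcomes)
    result = call_with_retry(api.scan_page, sleep=delays.append,
                             rng=lambda: 1.0, **kwargs)
    return result, api.calls, delays


if __name__ == "__main__":
    # Two failures, then a result: three calls, two waits of 0.5s and 1.0s.
    print(scan_with_recording([RateLimited(), TransientError(), {"findings": []}]))
```

The classification step matters as much as the backoff: a 429 and a 503 are worth waiting for, a 401 from a revoked key is not, and retrying it five times only delays the moment someone notices the key is gone.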

Confidence + severity

Every finding is scored, not just listed

Each vulnerability comes with a severity (info to critical) and a 0-1 confidence score from the AI. High severity, low confidence? Worth investigating but don't panic. High severity, 0.92 confidence and an IDOR on your user API? Fix it today. You can filter by both, so the noise stays noise and the signal gets through.

Copy-fix prompt

One click to take the fix to your IDE

Every finding includes a ready-to-paste AI prompt tailored to that specific vulnerability, in your code context. Copy it, paste it into Claude or Cursor, and you get a concrete fix, not a generic OWASP writeup. The prompt includes the endpoint, the reproduction steps, and what the scanner actually observed.

BYOK, no markup

Your Anthropic bill stays exactly what Anthropic charges

Connect your own Anthropic API key and we never touch it for billing. Your AI spend goes straight from your account to Anthropic at their published rates, no intermediary margin, no credit conversion, no hidden fee per token. You pay us $9/month flat for the platform. That's it.

Export everything

Your data. Take it anywhere.

All scan results, findings, and metadata export to JSON, CSV, PDF, or HTML. Import into your SIEM, feed into your ticketing system, run your own analysis. We're not a lock-in play. The scans you run here belong to you and you can pull them out at any time.

Reports

PDF reports you can hand to a client or a CTO

Not a JSON blob or a wall of markdown. A formatted PDF report with your findings grouped by severity, full reproduction steps, remediation guidance, and confidence scores. Exportable in one click from any scan.

Support

Actual humans when something goes wrong

If a scan doesn't behave, a report looks off, or you can't figure out how to configure something, you can reach us directly. We don't hide behind a knowledge base. Submit a ticket from the app and we'll get back to you.

BYOK plan, $9/mo

We don’t mark up your Anthropic tokens. Not one penny.

On the BYOK plan, you connect your own Anthropic API key. Every scan uses that key. Anthropic bills your account at their standard rate. We have no visibility into that cost and take no cut of it.

The $9/month covers the platform: the crawler infrastructure, scan history, PDF export, team access, and everything else. If your organisation already has an Anthropic API agreement or volume discount, you keep all of it.

Haiku, per page scanned

  • Platform fee (monthly flat): $9.00 / mo
  • AI cost per page: ~$0.003
  • Our margin on the $0.003: $0.00

AI costs billed by Anthropic directly to your account

Sonnet, per page scanned

  • Platform fee (monthly flat): $9.00 / mo
  • AI cost per page: ~$0.02
  • Our margin on the $0.02: $0.00

Your Anthropic org rate applies, volume discounts pass through

Data ownership

Your scans are yours. Take them and go any time.

Every finding, every scan result, every piece of metadata exports in one click. No support ticket, no data request form, no export fee.

Export formats: JSON, CSV, PDF, or HTML. Feed it into your SIEM, open a ticket per vulnerability automatically, or just archive it. The data is structured and meant to be used outside this platform.

{
  "scanId": "scn_4f8a...",
  "target": "https://example.com",
  "completedAt": "2026-06-12T10:30:00Z",
  "findings": [
    {
      "type": "IDOR",
      "severity": "critical",
      "confidence": 0.94,
      "url": "/api/users/[id]",
      "description": "...",
      "reproductionSteps": [...],
      "remediation": "...",
      "fixPrompt": "..."
    }
  ]
}
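The export above is the structure you would feed into your own triage, the filtering the “Signal over noise” section describes. The block below is an added example written for this page, not the platform’s code: it parses an export in that shape, validates the severity and confidence fields, and splits findings into “fix now” and “second look” buckets. The sample export, its finding types and URLs are constructed for illustration; the severity ordering and the default thresholds are assumptions.

```python
import json

# Severity ladder as the page describes it, info to critical.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed export in the shape shown above. Not a real scan.
SAMPLE_EXPORT = json.dumps({
    "scanId": "scn_example",
    "target": "https://example.com",
    "completedAt": "2026-06-12T10:30:00Z",
    "findings": [
        {"type": "IDOR", "severity": "critical", "confidence": 0.94,
         "url": "/api/users/[id]", "description": "...", "reproductionSteps": [],
         "remediation": "...", "fixPrompt": "..."},
        {"type": "Reflected XSS", "severity": "high", "confidence": 0.35,
         "url": "/search", "description": "...", "reproductionSteps": [],
         "remediation": "...", "fixPrompt": "..."},
        {"type": "Missing rate limiting", "severity": "medium", "confidence": 0.30,
         "url": "/api/login", "description": "...", "reproductionSteps": [],
         "remediation": "...", "fixPrompt": "..."},
        {"type": "Verbose error message", "severity": "low", "confidence": 0.80,
         "url": "/api/search", "description": "...", "reproductionSteps": [],
         "remediation": "...", "fixPrompt": "..."},
        {"type": "Missing security headers", "severity": "info", "confidence": 0.99,
         "url": "/", "description": "...", "reproductionSteps": [],
         "remediation": "...", "fixPrompt": "..."},
    ],
})


def load_findings(export_json):
    """Parse an export and reject findings whose score fields are malformed."""
    data = json.loads(export_json)
    findings = []
    for f in data["findings"]:
        severity = str(f["severity"]).lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']!r} on {f.get('url')}")
        confidence = float(f["confidence"])
        if not 0.0 <= confidence <= 1.0:
            raise ValueError(f"confidence {confidence} out of range on {f.get('url')}")
        findings.append({**f, "severity": severity, "confidence": confidence})
    return data["scanId"], findings


def _ranked(findings):
    # Highest severity first, then highest confidence within a severity.
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f["severity"]], -f["confidence"]))


def triage(findings, min_severity="medium", min_confidence=0.5):
    """The "fix now" bucket: at least min_severity and at least min_confidence."""
    floor = SEVERITY_RANK[min_severity]
    return _ranked(f for f in findings
                   if SEVERITY_RANK[f["severity"]] >= floor
                   and f["confidence"] >= min_confidence)


def second_look(findings, min_severity="medium", min_confidence=0.5):
    """Serious if true, but the model is unsure: reproduce before filing."""
    floor = SEVERITY_RANK[min_severity]
    return _ranked(f for f in findings
                   if SEVERITY_RANK[f["severity"]] >= floor
                   and f["confidence"] < min_confidence)


def group_by_severity(findings):
    """Report layout: findings grouped by severity, most severe group first."""
    groups = {}
    for f in _ranked(findings):
        groups.setdefault(f["severity"], []).append(f)
    return groups


def ticket_title(finding):
    """One-line summary suitable for opening a ticket per finding."""
    return (f"[{finding['severity'].upper()}] {finding['type']} at {finding['url']} "
            f"(confidence {finding['confidence']:.2f})")


if __name__ == "__main__":
    scan_id, findings = load_findings(SAMPLE_EXPORT)
    print(scan_id)
    for f in triage(findings):
        print("fix now:    ", ticket_title(f))
    for f in second_look(findings):
        print("second look:", ticket_title(f))
```

Validating the score fields before filtering is deliberate: a finding with a severity outside the ladder or a confidence outside 0–1 would otherwise fall silently through every filter, which is the worst place for a critical bug to end up.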

Try it on your own app

Paste a URL, pick a model, connect your Anthropic key or use a managed plan. You’ll have a full vulnerability report in under 10 minutes.
