Now in public beta

AI-powered penetration testing.

violet runs autonomous security agents that find, confirm, and report real vulnerabilities — not just alerts. Point it at your app — production, staging, or local — with whatever auth it needs, and get a pentest-grade report with reproducible exploits.

Auth · API key · SSO — or no auth at all. Production-ready with built-in rate limiting.
  • Coverage: OWASP Top 10, and growing
  • Median pentest runtime: 1–1.5 hrs (full 5-phase pipeline)
  • Juice Shop benchmark: 20+ critical findings
  • Reporting philosophy: exploits + best practices; every finding actionable
Benchmarked on industry-standard vulnerable apps: Juice Shop, c{api}tal, crAPI, WebGoat, DVWA, bWAPP, Hackazon, OWASP.
§ 01 — The pipeline

Five phases, from target to reproducible PoC.

violet emulates a human pentester’s methodology — combining authenticated reconnaissance with live exploitation in a real browser.

01 · Pre-reconnaissance (~10 min)
Optionally parse connected repos, map auth flows, and understand the stack. Source code analysis is optional — black-box scans work just as well.

02 · Reconnaissance (~10 min)
Port, service, and subdomain discovery. Stack fingerprinting and API schema exploration. Browser crawl of every reachable route. Build the attack surface.

03 · Vulnerability analysis (~20 min)
Parallel agents per OWASP category trace user input to dangerous sinks. Produce hypothesized exploit paths.

04 · Exploitation (~25 min)
Turn hypotheses into proof. Real attacks via browser, CLI, and custom scripts. Confirmed exploits ship with a working PoC; when a WAF, CSP, or rate limit blocks the attack, the finding still ships as a security recommendation.

05 · Executive reporting (~10 min)
Consolidated, deduplicated findings. Copy-and-paste PoCs. Severity, CVSS, and a fix path an engineer can ship.
§ 02 — Findings

Confirmed exploits. Not alerts.

Confirmed exploits ship with a working proof-of-concept. When a WAF, CSP, or rate limit blocks the attack, the finding still ships as a security recommendation — not silently discarded.

  • Copy-and-paste PoCs you can re-run yourself
  • Markdown + PDF deliverables for auditors
  • Severity ranked · CVSS · remediation guidance
  • AI-fix prompt file — one per finding, ready for Claude, Codex, Gemini, or your team's AI assistant
Finding · Injection · CRITICAL · Exploited

SQL injection leaks credentials on /rest/products/search

The q query parameter is concatenated into a raw SQL statement. A UNION-based payload leaks the full Users table, including bcrypt hashes.

Proof of concept
# UNION payload pulling users + bcrypt hashes (one request; -G --data-urlencode keeps the payload as a single, correctly encoded q parameter)
$ curl -G "https://app.acme.com/rest/products/search" \
    --data-urlencode "q=qwert')) UNION SELECT id,email,password,null,null,null,null,null,null FROM Users--"
 200 OK [{"email":"[email protected]","password":"$2a$08$..."}, ...]
CVSS 9.8 · CWE-89 · OWASP A03
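The bug in this finding beside its fix, as an added example that is not violet's or Juice Shop's code: the vulnerable builder splices q into the statement the way the finding describes, the hardened builder binds it as a parameter in the shape sequelize.query(sql, { replacements }) expects, and a small check flags the same quote-break plus UNION SELECT pattern in request URLs from your own access logs. The SQL text, route and sample request are assumptions constructed from the finding.

```javascript
// Added example, not violet's or Juice Shop's code. The SQL text and the
// sample request below are constructed from the finding on this page.

// Vulnerable (the bug the finding describes): q is spliced into the SQL text,
// so the payload  qwert'))  closes the LIKE literal and both parentheses, and
// everything after it (UNION SELECT ... --) becomes part of the statement.
function vulnerableSearchSql(q) {
  return (
    "SELECT * FROM Products WHERE ((name LIKE '%" + q + "%' OR description LIKE '%" +
    q + "%') AND deletedAt IS NULL) ORDER BY name"
  );
}

// Hardened: the statement text is fixed and q is bound as a parameter, so the
// driver can only ever compare it as data. Returns the (sql, replacements)
// pair you would pass to sequelize.query(sql, { replacements }) rather than
// touching a database here.
function parameterizedSearchQuery(q) {
  const sql =
    "SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) " +
    "AND deletedAt IS NULL) ORDER BY name";
  const like = "%" + q + "%";
  return { sql, replacements: [like, like] };
}

// Detection: decode a request path as logged by nginx or the app and flag any
// query value with a quote/paren break followed by UNION SELECT, as in the PoC.
const UNION_AFTER_BREAK = /['")]\s*union\s+(all\s+)?select\b/i;
function flagSqliInRequest(rawPathAndQuery) {
  const u = new URL(rawPathAndQuery, "https://log.invalid"); // base only for parsing
  const hits = [];
  for (const [param, value] of u.searchParams) {
    if (UNION_AFTER_BREAK.test(value)) hits.push({ param, value });
  }
  return hits;
}

// Constructed sample request mirroring the activity-feed line on this page.
const SAMPLE_REQUEST =
  "/rest/products/search?q=qwert%27))%20UNION%20SELECT%20id,email,password," +
  "null,null,null,null,null,null%20FROM%20Users--";

console.log(flagSqliInRequest(SAMPLE_REQUEST));
console.log(parameterizedSearchQuery("qwert')) UNION SELECT 1--").replacements);
```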
§ 03 — Transparency

Watch the agent work.

Every action streams to a live activity feed — tool calls, HTTP traffic, reasoning, and the exact moment a hypothesis is confirmed as a real exploit. Replay any run.

Tool calls · Browser actions · Agent reasoning · Exploit PoCs · Phase timings
violet — pentest run · juice-shop
[14:02:11] recon → port scan · 5 open ports · nginx/1.24
[14:04:44] recon → schema fuzz → 87 routes · 31 authenticated
[14:08:02] vuln analysis → vuln agent · tracing req.query.q into raw SQL
[14:10:12] think → “concatenation into SELECT on line 42 — UNION attack viable”
[14:12:14] http → GET /rest/products/search?q=qwert%27))%20UNION...
[14:12:15] exploit! → 200 OK · leaked 24 bcrypt hashes
[14:12:20] verify → reproduced 3× with different payloads
[14:12:44] prove → PoC frozen · CVSS 9.8 · drafting finding
[14:38:02] report → deduplication · exec summary · PDF
▸ 4 critical · 7 high · 9 medium · all exploited · 68m 14s
§ 04 — Why violet

Your team ships every day. Your pentest shouldn’t happen once a year.

Every pentest credit gets you a full run of the 5-phase pipeline. Kick one off before a release, after a refactor, or whenever you want a fresh pair of eyes on the code.

  • 1 credit runs the full 5-phase pipeline — pre-recon through executive report. No usage surprises · fixed scope.
  • 96% confirmed-exploitable rate across our internal vulnerable-app benchmark suite, measured on Juice Shop, crAPI, WebGoat.
  • 2 tracks: confirmed exploits ship with a working PoC; non-exploitable issues ship as security recommendations. Every finding is actionable — nothing is dropped silently.
§ 05 — FAQ

The honest answers.

More in our documentation.

Can I run violet against production?

Yes. Configure a production scan with rate limiting and focus/avoid path rules to keep traffic and blast radius controlled. For destructive payload classes we still recommend staging or a sandbox — but production is a first-class target.

Does violet need my source code?

No. Source code analysis is optional — it helps find deeper bugs when you connect GitHub or GitLab, but violet runs a full black-box pentest without it. Point it at your URL and go.

What authentication does violet support?

Login forms, API keys, and username/password (basic auth) — plus fully anonymous scans for public surfaces. The auth step accepts standard credentials and handles login automatically. Credentials are used only during the scan and never stored.

What vulnerabilities does it cover?

OWASP Top 10 coverage — and growing. violet runs 5 parallel agents during vulnerability analysis, then 5 more parallel agents during exploitation that confirm each finding with a working PoC. Coverage expands without blowing up wall-clock time.

How long does a pentest take?

A full run typically completes in 1–1.5 hours. Phase 3 runs 5 parallel agents for vulnerability analysis, and Phase 4 runs 5 parallel agents for exploitation — parallelism per phase keeps wall-clock time down.

How is violet different from a traditional scanner?

Traditional DAST tools fire payloads and flag responses — producing long lists of "potential" issues. violet reasons through your code, forms hypotheses, and actually exploits them. What you get back is a short list of confirmed bugs with working PoCs, not a spreadsheet of maybes.

Point violet at something you built.

Sign up, point violet at your app, and get a pentest-grade report in about an hour.