Security should keep up with the software.
Violet was built by a pentester who got tired of shipping the same quarterly reports long after the bugs had already shipped.
Meet Violet.
She is a penetration testing AI agent with a curious little spark. She'll tiptoe through your web app, try the handles, and gently point out what's not quite right—no mess, no fuss.
Why I built Violet.
I've spent the last 7 years as a security consultant working with engineering teams at companies like AWS, Google, Disney, and PayPal, helping them find and fix vulnerabilities before attackers do. Traditional penetration tests are expensive, slow, and point-in-time — a snapshot that's often outdated by the time it's delivered, while new code is already in production.
But software no longer ships in snapshots. Teams deploy constantly, and with AI coding tools accelerating development, even small teams and non-technical builders can now ship applications in days. Security rarely keeps up, and vulnerabilities slip through in the gaps.
That gap is where Violet comes in. Violet is an on-demand penetration testing agent that runs a full 5-phase pentest every time you click Start free scan, identifies issues your team has shipped, and delivers clear, actionable findings you can fix immediately. She's not perfect, but she is fast, consistent, and available whenever you need her.
I built Violet to make security testing accessible to smaller teams without the cost, delay, and friction of traditional pentesting — while maintaining depth and rigor.
How we make decisions.
When we're unsure, we come back to these.
When Violet can demonstrate a vulnerability, the finding ships with a working PoC. When an external control (WAF, CSP, rate limit) blocks the attack, the underlying weakness is not dropped: the finding still ships as an informational security recommendation, so you know what to harden behind that control, not just what was exploited.
Violet scans production, staging, and local dev. Built-in rate limiting and scope rules keep her on what matters and off what doesn't, so you pick the blast radius, not us.
Every action the agent takes streams to a live feed. Tool calls, reasoning, HTTP traffic — all of it. You can replay any run and see exactly how a finding was reached.
Every report is drafted for the engineer who will fix the bug, not the auditor who will file it. Copy-and-paste PoCs, plain-language explanations, fix paths you can ship.