Frequently Asked

Honest answers, the long version.

Conversational, founder-voice answers with links into the deeper resource guides.

Getting started

What Violet does, who it's for, how to start.

Who is Violet?

Violet is your AI pentest colleague. Think of her as the autonomous junior pentester on your team — she reads your source code, drives a real browser through your app, probes for vulnerabilities the way a human attacker would, and writes up the findings in plain English. She is not a scanner that prints CVEs; she is a teammate who hunts.

Under the hood she runs through a multi-phase pipeline: reconnaissance, source-code analysis, vulnerability hunting, targeted exploitation to prove findings, and a written report. A typical engagement finishes in under an hour and costs one credit.

We built Violet for teams that need an honest security review but cannot wait six weeks for a consulting slot or pay five figures for it. The report is yours — no NDA, no follow-up retainer, no upsell. She works for you for the length of one scan, hands over the artifact, and disappears until the next one.

Scans

Duration, scope, frequency, cancellation.

Why do scans take longer than expected?

A Violet scan typically completes in 30 to 90 minutes. Anything longer usually means one of three things, in order of how often we see them:

  1. Login is fragile. Violet supports two login methods today: form login (Violet navigates to your login URL and fills in a username and password) and HTTP Basic Auth. Within form login, the things that slow reconnaissance down are a login page with unusual field names, heavy JavaScript before the form mounts, or a post-login redirect chain. The fix is usually to tweak the scan config so Violet lands on the right page after login.
  2. The crawler found a lot of surface area. Apps with hundreds of routes, dynamic dashboards, or admin panels behind feature flags will generate a larger exploitation queue. The vuln agents work through it in parallel but the wall-clock time still grows roughly with surface area.
  3. A specific vuln category found something interesting. When an agent finds a real lead, it digs. The exploitation phase can run for 10 to 20 minutes on a single promising finding before concluding.

If your app uses SSO (Okta, Google, SAML), magic-link / email OTP, CAPTCHA on the login form, or MFA / TOTP, the agent cannot get past the login page today. The fix in those cases is to set up a test account that bypasses the second factor, or to expose a programmatic login endpoint Violet can hit. See our guide on scanning production safely for setup patterns we have seen work.

If a scan exceeds two hours, we treat that as a bug — please ping us in support with the scan ID and we will look. The report is still produced even if a phase times out; nothing is lost.

Pricing & Billing

Credits, bundles, subscriptions, refunds.

How does pricing work?

One credit equals one full pentest scan. Credits never expire.

You can buy credits three ways:

  • Single credit — pay-as-you-go. Good for a one-off audit before a launch or a board review.
  • Bundle — five or ten credits at a discount, paid up front, never expires. Good for teams that ship monthly and want to scan before each release.
  • Monthly subscription — fixed credits per month at the steepest per-scan rate. Unused monthly credits roll over for one cycle. Good for high-cadence teams or agencies running scans on behalf of clients.

PHP pricing is available with payment via GCash, Maya, or GrabPay for customers in the Philippines. USD pricing covers everyone else.

You can switch between bundles and subscriptions anytime. We do not charge for failed scans — if the pipeline errors out and produces no report, the credit is automatically refunded to your account.

Reports

Reading, severity, false positives, exports.

How do I read a pentest report?

A Violet report is structured to be read top-down by an engineer who has not seen the codebase in months. We open with an executive summary — three to six sentences on what we found and what to prioritize — then list every finding in severity order.

Each finding has five parts:

  • Headline. One sentence describing the vulnerability and where it lives.
  • Why this matters. Plain-English impact. Not "CVSS 8.1, network attack vector"; rather, "an unauthenticated attacker can read any user's billing details."
  • Proof. The exact request, response, screenshot, or code path we used to confirm the issue is real and exploitable.
  • How to fix. A specific, code-level change — usually one or two file references with the bad pattern and the corrected pattern.
  • Severity. Critical, High, Medium, Low. Tied to real impact, not just CVSS score. See severity vs urgency.

Start with Critical findings on Monday morning, then High by end of week, then schedule Medium for the next sprint. The triage guide walks through this in detail.

Source code

Repo connection, languages, secrets handling.

Do I need to share source code?

Yes — and it materially improves the quality of the audit. A grey-box pentest (source + live app) finds roughly 2-3x more real issues than a black-box test against the same app, in the same time budget. The agent can trace data flow from a sink in the UI back to the controller, see the validation logic, and reason about authorization rules — none of that is possible from the outside alone.

You hand us a Git repository (GitHub, GitLab, or a tarball upload). We clone it into an isolated workspace for the scan, never push, never modify, and delete it within 24 hours of the report being generated. The repo is not used to train any model.

We support TypeScript, JavaScript, Python, Ruby, Go, Java, PHP, and C#. Mixed-language repos work — the source agent reads everything in the tree and follows whichever language the live app surfaces.

Secrets in your repo (.env files, hardcoded API keys, JWT secrets) are flagged as findings of their own. The agent does not exfiltrate them or use them outside the scan workspace.

Authentication

Login forms, API keys, basic auth, anonymous scans.

How does Violet log into my app?

Violet supports two login methods today:

  • Form login — you give Violet a login URL plus a username and password. The agent navigates to the login URL, fills the form, submits it, and uses the resulting session cookie for the rest of the scan.
  • HTTP Basic Auth — you give Violet a username and password and they are sent on every request as an Authorization: Basic … header. Use this for legacy apps behind a single Basic-Auth gate.

That is the entire list. We do not support, as of today:

  • SSO (Okta, Google, Auth0, Azure AD, generic SAML, OIDC).
  • Magic links or email/SMS one-time codes.
  • CAPTCHA on the login form (reCAPTCHA, Turnstile, hCaptcha).
  • MFA / TOTP / WebAuthn / passkeys on the customer side.

If your production app requires any of the above, the workaround is to create a dedicated test account that uses a plain password — exempted from MFA, exempted from CAPTCHA, and not federated through SSO. Most identity providers let you create a local user that bypasses these. The account only needs to live long enough for a scan; you can disable it between scans.

You provide credentials inside the scan config. They are held in memory for the duration of the scan and never written to disk in our system — see where is my data stored for the full retention details. SSO, magic-link, CAPTCHA-aware login, and customer-side TOTP are on the roadmap but not committed to a release.

Security & Data

What we store, retention, scanning prod.

Where is my data stored, and what do you keep?

Application data, scan metadata, and reports live in AWS US-East (N. Virginia) on a managed Postgres database with encryption at rest. We do not replicate to other regions; this is a single-region service today.

What we keep:

  • Your account, billing records, and scan history (until you delete the account).
  • Generated reports (until you delete them, or 12 months after the scan, whichever is sooner).
  • Scan logs and audit trails (90 days, then purged).

What we do not keep:

  • Your source code. Cloned for the scan, deleted within 24 hours of report completion.
  • Live credentials you supplied for login during the scan. Held in memory only for the duration of the scan, never written to disk.
  • Any data we pulled from your app during exploitation (e.g. screenshot of a leaked record). Referenced in the report only as a redacted preview; the raw artifact is purged with the workspace.

We do not use your data to train models. SOC 2 Type II is on the roadmap for 2026 — ping support if you need the current attestation status for a procurement review.

Account & Team

Invites, roles, deletion, GDPR.

How do I invite teammates, and what roles exist?

From the dashboard, go to Settings → Team and click Invite. You enter an email address and pick a role; Violet sends a signup link. The invitee creates a password, lands in your organization, and can immediately use the workspace according to the role you assigned.

Four roles exist today, from most to least powerful:

  • Owner — full control. Manages billing, members, integrations, and org settings. Can promote other members to Owner. Can delete the organization. Every org has at least one Owner — you cannot demote the last one. The account creator is the first Owner; you can hand the role off and step down.
  • Admin — manages people and infrastructure. Can invite, remove, and change member roles (but cannot promote to Owner or delete the org). Can manage billing, connect integrations, read the audit log, edit org settings, and moderate finding comments. Use this for an ops or security lead who runs the workspace day-to-day without owning the business relationship.
  • Member — runs the actual security work. Can start scans, cancel scans, delete their own scans, share scan reports, update findings, and comment on findings. Cannot see billing, invite teammates, or change org settings. This is the right default for engineers who use Violet as part of their job.
  • Viewer — read-only. Can see scans, reports, and findings the org has run, but cannot start a scan, comment, or change anything. Useful for executives, auditors, or contractors who need visibility without the ability to spend credits.

All roles share the same credit pool. A scan started by any Member draws from the org balance; bundles you bought as an Owner are usable by every teammate without setup. Viewers cannot start scans and so cannot spend credits.
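As an added example (not Violet's own code), here is one way to enforce the role model above together with the rules the FAQ states: Admins cannot promote to Owner or delete the org, the last Owner cannot be demoted, and Viewers cannot start scans and so cannot draw from the shared credit pool. The action names, and the rule that only an Owner may change another Owner's role, are assumptions made for this example.

```python
from dataclasses import dataclass

# Roles from least to most powerful, as listed on the page.
ROLES = ("Viewer", "Member", "Admin", "Owner")

# Action labels are assumed names for this example; the grants follow the FAQ text.
_MEMBER = {"view", "start_scan", "cancel_scan", "share_report", "comment"}
_ADMIN = _MEMBER | {"invite", "remove_member", "change_role", "manage_billing", "read_audit_log"}
PERMISSIONS = {
    "Viewer": {"view"},
    "Member": _MEMBER,
    "Admin": _ADMIN,
    "Owner": _ADMIN | {"promote_to_owner", "delete_org"},
}


@dataclass
class Org:
    members: dict  # email -> role name


def can(role: str, action: str) -> bool:
    return action in PERMISSIONS[role]


def change_role(org: Org, actor: str, target: str, new_role: str):
    """Return (ok, reason). Refuses the changes the FAQ rules out."""
    actor_role = org.members[actor]
    if new_role not in ROLES or target not in org.members:
        return False, "unknown role or member"
    if not can(actor_role, "change_role"):
        return False, f"{actor_role} cannot change roles"
    if new_role == "Owner" and not can(actor_role, "promote_to_owner"):
        return False, "only an Owner can promote to Owner"
    if org.members[target] == "Owner":
        # Assumed here: touching an existing Owner's role also requires Owner.
        if actor_role != "Owner":
            return False, "only an Owner can change an Owner's role"
        owners = [m for m, r in org.members.items() if r == "Owner"]
        if len(owners) == 1 and new_role != "Owner":
            return False, "cannot demote the last Owner"
    org.members[target] = new_role
    return True, "ok"


def start_scan(org: Org, actor: str, credits: int):
    """Return (remaining_credits, started). Viewers never draw from the shared pool."""
    if not can(org.members[actor], "start_scan") or credits < 1:
        return credits, False
    return credits - 1, True
```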

To remove someone, click their row in the team list and choose Remove from organization. Their session is invalidated immediately and they lose access to all scans. Their authored data (scan history, comments) is preserved under their email; we do not retroactively scrub.

FAQ last reviewed: 2026-05-15