Cybersecurity was built for human speed.
We're rebuilding it for the AI era.

Anthropic CVP approved
E2B for Startups

We hack software to secure it.

PwnKit runs AI-driven security tests for critical software at machine speed. Our engine has already found vulnerabilities in infrastructure billions of users rely on.

We are building the default security layer for the agentic era.

200M+
Monthly downloads across affected packages.

PwnKit finds bugs in software billions depend on.

paperclip · 60k ★ · GHSA-47wq-cj9q-wpmp · critical
jsPDF · 56M monthly · CVE-2026-31938 · critical
node-forge · 147M monthly · CVE-2026-33896 · high
mysql2 · 41M monthly · high
LiquidJS · 7M monthly · CVE-2026-30952 · high
Uptime Kuma · 152M pulls · CVE-2026-33130 · medium

Open-source hacking agents, proven in public.

Agentic by design

A closed loop of recon → exploit → verify → report. The agent decides what to do next from what the target gave back.

Validated by exploit

Every finding is re-run as a live exploit before it lands in your report. If verify can’t reproduce it, it never reaches you.

Open by default

Inspect the engine, replay the benchmark, read the methodology — audit before you trust.

Leading the benchmarks

99 of 104 on XBOW — the best public score, with every solve backed by replayable exploit artifacts.

Point it at what you ship.

Parallel agentic scans across web, AI, packages, and source — same engine, four surfaces.

Pressure-test critical systems.

A scoped engagement, repeated on the cadence your team can responsibly run.

  1. Scope

    Agree what can be attacked.

    Targets, credentials, action allowlists, and stop procedures are set before any agent runs.

  2. Exploit

    Apply adversarial pressure.

    The same open-source engine attacks web apps, APIs, packages, source, and AI surfaces inside the agreed scope.

  3. Verify

    Replay before reporting.

    A finding has to survive verification before it becomes evidence your team sees.

  4. Triage

    Keep the noise out.

    Duplicates, false positives, and unreproducible results are filtered before review.

  5. Evidence

    Give engineers the trail.

    Findings ship with transcript, exploit chain, reproduction state, and operator review.

Questions we answer before you ask.

The questions every CTO and CISO call lands on by minute eight.

Start locally. Scale when it matters.

pwnkit cloud