The world's first fully automated, context-aware offensive security platform.
VulnPilot is an autonomous security assistant designed to find, verify, fix, and explain vulnerabilities in real-time. By bridging the gap between static analysis (SAST) and dynamic testing (DAST), VulnPilot provides a seamless workflow that moves from discovery to remediation in seconds.
A high-fidelity cockpit for security researchers. Monitor your scan's progress via real-time WebSocket streams.
- Phased Intelligence: init → recon → sca → sast → secrets → logic → dast → analysis.
- Live Finding Stream: Instant alerts with AI-generated explanations and replay evidence.
Don't just find bugs—obliterate them. One-click security remediation.
- Autonomous Refactoring: AI-powered code transformation for local source files.
- Secure Blueprints: Get developer-facing remediation steps and secure code snippets instantly.
Sophisticated leak scanning that goes beyond regex.
- Intelligent Prioritization: Scans sensitive targets (`.env`, `secrets.yaml`, `config.json`) first to minimize risk exposure.
- False Positive Filtering: AI validates the context of discovered strings to reduce noise.
Audit deeper than ever by importing real browser traffic.
- HAR & cURL Import: Learn complex workflows from your browser session.
- Mutation Engine: Replays and mutates authenticated requests to find IDORs and logic flaws.
- Bespoke AI Fuzzing: Contextual payloads generated based on discovered parameters and sinks.
- Taint-Chasing SAST: Traces user input from entry point to dangerous sink across multiple files.
- Native SCA: AI-assisted dependency analysis to catch vulnerable libraries before they bite.
```bash
git clone https://github.com/Abmarne/VulnPilot.git
cd VulnPilot
```

Create a `.env` file in `backend/`:

```bash
GOOGLE_API_KEY=your_gemini_key_here
GROQ_API_KEY=your_groq_key_here
# Optional: ANTHROPIC_API_KEY, OPENAI_API_KEY
```

Backend:

```bash
cd backend
python -m venv .venv
# Windows
.venv\Scripts\activate
pip install -r requirements.txt
python main.py
```

Frontend:

```bash
cd ../frontend
npm install
npm run dev
```

Authenticated profiles allow VulnPilot to audit dashboards, internal APIs, and logged-in administrative flows.
- Export HAR: Open DevTools → Network Tab → Right-click → Save all as HAR with content.
- Import: Paste the HAR file or a single cURL into the VulnPilot dashboard.
- Audit: Select the profile and Launch. VulnPilot will automatically merge these requests into its attack surface map.
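The merge step above, as an added illustration that is not VulnPilot's own code: it parses a constructed HAR capture into an attack-surface map keyed by method and path, collects query and body parameter names, and records which requests carried credentials without keeping the secret values themselves. The header list and the sample entries are assumptions for the example.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Headers whose values are credentials; the map records only their names.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}

# Constructed sample HAR (not a real capture) with three requests, two of them authenticated.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://app.example/api/users/42?expand=roles",
                 "headers": [{"name": "Cookie", "value": "session=abc123"}],
                 "queryString": [{"name": "expand", "value": "roles"}]}},
    {"request": {"method": "POST", "url": "https://app.example/api/users/42/email",
                 "headers": [{"name": "Authorization", "value": "Bearer t0k3n"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "queryString": [],
                 "postData": {"mimeType": "application/json",
                              "text": "{\"email\": \"a@example\", \"notify\": true}"}}},
    {"request": {"method": "GET", "url": "https://app.example/api/users/42?expand=groups",
                 "headers": [], "queryString": [{"name": "expand", "value": "groups"}]}},
]}})

def body_params(req):
    """Return parameter names from the request body, JSON or form-encoded."""
    post = req.get("postData")
    if not post:
        return set()
    mime = post.get("mimeType", "")
    if mime.startswith("application/json"):
        try:
            data = json.loads(post.get("text", ""))
        except json.JSONDecodeError:
            return set()
        return set(data) if isinstance(data, dict) else set()
    if mime.startswith("application/x-www-form-urlencoded"):
        return set(parse_qs(post.get("text", "")))
    return set()

def build_surface_map(har_text):
    """Merge HAR entries into {(method, path): {"params": set, "auth_headers": set}}."""
    surface = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        key = (req["method"].upper(), parts.path)
        node = surface.setdefault(key, {"params": set(), "auth_headers": set()})
        node["params"] |= set(parse_qs(parts.query))
        node["params"] |= {q["name"] for q in req.get("queryString", [])}
        node["params"] |= body_params(req)
        # Note that the request was authenticated, but never store the credential value.
        node["auth_headers"] |= {h["name"].lower() for h in req.get("headers", [])
                                 if h["name"].lower() in SENSITIVE_HEADERS}
    return surface
```

Repeated requests to the same method and path collapse into one node, so the map grows with distinct endpoints and parameters rather than with raw request count.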
For automation and CI/CD pipelines:
```bash
# Full Target Audit
python cli.py --target "https://your-site.com" --fail-on "High" --output "report.md"

# Apply Auto-Remediation to Local Code
python cli.py --target "./workspace" --apply-fix
```

VulnPilot is built on a mission-critical stack designed for speed and intelligence.
- Orchestration: FastAPI (Python)
- Interface: Next.js 14 (React)
- Brains: Multi-model support (Gemini 2.0 Flash, Groq/Llama-3, Claude 3.5, GPT-4o)
- Analysis Ecosystem:
  - Hybrid SAST: Taint-chasing logic with intelligent file prioritization.
  - Contextual DAST: AI-guided fuzzing based on discovered API schemas.
  - Secrets Scanner: Deep scan for credentials, tokens, and private keys.
  - Native SCA: Automated manifest analysis.
We believe security is a collective effort. If you have any ideas for new fuzzing payloads, remediation prompts, or engine optimizations, feel free to open a PR!
VulnPilot — Scan smarter, fix faster, sleep better.