◆ Codebase security & supportability assessment

Agents find. You adjudicate.

Assay gives one engineer the reach of nine parallel security lenses across an unfamiliar codebase — then puts every finding through a human verification gate before it earns a place in the report. Evidence-labeled. Reproducible. No false-positive noise.

Zero runtime dependencies · Node ≥ 18 · ships a /audit skill · self-verifying Word & HTML output
 /audit --thorough

recon      stack · domain · data sensitivity · existing gates   
fan out    9 lenses, parallel                                  
verify     every high-severity finding, in source              ✓ non-negotiable
publish    self-verifying .docx + history dashboard            

FINDINGS   2 Critical  3 High  ·  5 of 5 adjudicated

The problem with agentic scanning

A plausible, well-evidenced, wrong finding is worse than no finding.

It burns the credibility of every other finding in the report. LLM agents are excellent at locating candidate issues across a large codebase and unreliable at adjudicating them. Assay is built around that exact failure: use agents for reach, adjudicate every finding yourself, and label where the confidence comes from.

How it works

A method, not just a scanner.

Five stages. The verification gate in the middle is what makes the output worth reading.

00

Recon

Stack, domain, data sensitivity, and which gates already exist.

01

Fan out

Nine lenses run concurrently — quote file:line, trace to sink, refute first.

02

Verify

Every high-severity finding, re-checked by a human in the source.the gate

03

Synthesize

An answer-first summary plus a labeled technical appendix.

04

Publish

A self-verifying .docx and an interactive history dashboard.

The finding-history dashboard

The report says what's wrong. This says how long it's been wrong.

Every finding lands on the commit that first wrote its line — so you see whether your risk arrived in one bad fortnight or accreted over three years.

01

Timeline & accumulation

Every finding at its introducing commit, banded by severity.

02

Churn × findings

The files that change every week, against the ones that hold findings.

03

Filter, and everything re-renders

Every plot, table, and headline agrees — one visible set.

lexboard-history.html
Assay finding-history dashboard

What's in the kit

Reach, rigor, and a deliverable.

Everything an AppSec engineer needs to assess an unfamiliar codebase and hand back something a stakeholder will act on.

🔍

Nine parallel lenses

Authz, injection, the LLM surface, backend, frontend, infra/CI-CD, secrets, OWASP crypto/design, and maintainability.

⚖️

The verification gate

Quote file:line, trace to sink, refute before reporting. Then a human adjudicates every High.

📊

Deterministic supportability scan

Repo age, velocity, LOC, bus factor, churn, coverage, complexity, vulnerable deps — same commit, same figures.

🛡️

Container-local secscan

Normalizes semgrep, gitleaks, trivy and OWASP ZAP into one worklist. Refuses non-local targets.

📄

Self-verifying .docx

Cover, live TOC, index — and a build that throws if a heading went missing. Brand it at the shell.

Runs as a /audit skill

Install once; open any repo and type /audit. Improving the kit improves the skill.

Pricing

Simple pricing. Scale when the verdict matters.

Start with a single seat; Team and Enterprise add the finding-history dashboard, integrations, and the support a security program needs.

Personal

For the solo engineer or consultant.
$99.99 / yr
  • Nine-lens method & the /audit skill
  • Self-verifying .docx & HTML output
  • Deterministic supportability scan
  • Single-developer seat
  • Email support
Get Personal
Most popular

Team

For a security team running recurring assessments.
$490 / mo
  • Everything in Personal
  • Finding-history dashboard
  • secscan integrations (semgrep, trivy, ZAP)
  • Branded report shells
  • Priority support
Start with Team

Enterprise

For regulated orgs and push-gate programs.
Custom
  • Everything in Team
  • SSO & on-prem deployment
  • Engagement & onboarding support
  • Training on the verification method
  • SLAs
Talk to us

Why Assay

Built from a real engagement, not a whiteboard.

Assay came out of assessing a ~165k-LOC legal-tech system — FastAPI, React, Postgres, and an LLM agent that could write to the database — to design a production push gate. The scripts were the easy part; the method is what determines whether the output is worth reading.

9
parallel lenses
0
runtime dependencies
100%
of highs adjudicated
“Agents are excellent at locating candidate issues and unreliable at adjudicating them. Use them for reach; adjudicate yourself.”
— The principle at the center of the method

Get started

Open a repo you don't know. Come back with a verdict you can defend.

Request access, or grab a Personal license and run /audit on any repo today.

$ audit-kit skill  ·  /audit in any repo