Assay gives one engineer the reach of nine parallel security lenses across an unfamiliar codebase — then puts every finding through a human verification gate before it earns a place in the report. Evidence-labeled. Reproducible. No false-positive noise.
› /audit --thorough recon stack · domain · data sensitivity · existing gates ✓ fan out 9 lenses, parallel ✓ verify every high-severity finding, in source ✓ non-negotiable publish self-verifying .docx + history dashboard ✓ FINDINGS 2 Critical 3 High · 5 of 5 adjudicated
The problem with agentic scanning
A plausible, well-evidenced, wrong finding is worse than no finding.
It burns the credibility of every other finding in the report. LLM agents are excellent at locating candidate issues across a large codebase and unreliable at adjudicating them. Assay is built around that exact failure: use agents for reach, adjudicate every finding yourself, and label where the confidence comes from.
How it works
Five stages. The verification gate in the middle is what makes the output worth reading.
Stack, domain, data sensitivity, and which gates already exist.
Nine lenses run concurrently — quote file:line, trace to sink, refute first.
Every high-severity finding, re-checked by a human in the source.the gate
An answer-first summary plus a labeled technical appendix.
A self-verifying .docx and an interactive history dashboard.
The finding-history dashboard
Every finding lands on the commit that first wrote its line — so you see whether your risk arrived in one bad fortnight or accreted over three years.
Every finding at its introducing commit, banded by severity.
The files that change every week, against the ones that hold findings.
Every plot, table, and headline agrees — one visible set.
What's in the kit
Everything an AppSec engineer needs to assess an unfamiliar codebase and hand back something a stakeholder will act on.
Authz, injection, the LLM surface, backend, frontend, infra/CI-CD, secrets, OWASP crypto/design, and maintainability.
Quote file:line, trace to sink, refute before reporting. Then a human adjudicates every High.
Repo age, velocity, LOC, bus factor, churn, coverage, complexity, vulnerable deps — same commit, same figures.
Normalizes semgrep, gitleaks, trivy and OWASP ZAP into one worklist. Refuses non-local targets.
Cover, live TOC, index — and a build that throws if a heading went missing. Brand it at the shell.
Install once; open any repo and type /audit. Improving the kit improves the skill.
Pricing
Start with a single seat; Team and Enterprise add the finding-history dashboard, integrations, and the support a security program needs.
Why Assay
Assay came out of assessing a ~165k-LOC legal-tech system — FastAPI, React, Postgres, and an LLM agent that could write to the database — to design a production push gate. The scripts were the easy part; the method is what determines whether the output is worth reading.
Get started
Request access, or grab a Personal license and run /audit on any repo today.