Cipher · An AI security engineer

Security review at development speed. Without losing depth.

Continuous, autonomous review with validated exploits and concrete fixes. Multi-layer reasoning at machine speed, human judgment where it matters.

Book a demo → See how it works

Cipher Platform · review preview Reviewing

Inputs

{} Source 312

~ Cloud 48

# IaC 28

/ APIs 17

@ IAM 61

¶ Docs 24

Δ PRs 14

◷ History 91

Living security graph

Phase 04 · Evidence · 1 critical reproduced

Evidence

Critical CPHR-EXP-04821

Authenticated admin escalation via signed webhook replay

Path s3:vendor-feed→api-gateway→payments-svc prod

Repro cap-3c4a71 · 14:22:08 · sbx-a19f

High CPHR-EXP-04816

PHI leak through debug flag following request context

Path auth-svc→log-pipeline→vendor-export prod

Repro cap-3c4b09 · 14:23:51 · sbx-a19f

+ 3 validated · 12 hypotheses triaged

Only proven exploitable · zero noise Human-in-the-loop · sensitive actions SOC 2 Type II · in progress

Built by operators

As attackers and defenders, we know what matters, what's noise, and how to prove it.

Led security at

AWS

Coinbase

Top researcher at

Cobalt

Independent pentest research.

iii

Disclosed at 100+ high-value targets

Apple

Google

Microsoft

PayPal

United Airlines

Yahoo

Bitfinex

Mbed TLSmbedTLS

National CSC · NL

— among the internet's most-attacked surfaces.

Why now

Engineering moves at machine speed. Security review doesn't.

The gap is widening every week.

AI-assisted development has changed software velocity. Teams ship more code, in more surfaces, more often. Most of it touches business logic scanners can't reason about.

Traditional security still lives on a quarterly cadence:

Scannersgenerate noise.
Pentestsgenerate reports.
Teamsgenerate triage queues.

Pattern matching can't reason about multi-step business logic. That's where real breaches come from.

Cipher reviews every change: continuously, at machine speed, with an attacker's depth of reasoning.

The familiar gap

Code compounds. Review capacity stays flat.

AI copilots multiply your team's commits. The AppSec team doesn't grow linearly, and shouldn't have to.

"We doubled engineering headcount this year. We cannot double AppSec."

— Head of Security, Series C fintech
Composite of customer interviews

The hidden cost

Most real risk is multi-step, and most scanners don't reason.

Business-logic flaws, auth-chain weaknesses, and vendor-path compromises are where real breaches come from. Pattern matching doesn't see them.

"Our SAST stack was green. The bug that mattered was a four-step logic flaw between two services."

— Staff Security Engineer, healthcare platform
Composite of customer interviews

How Cipher works

Context, first. Then reasoning. Then proof. Then fix.

Cipher runs six steps continuously. Each loop feeds the next. Each engagement makes the next review smarter about your specific system.

01 · Build context

Read the whole system.

Code, architecture docs, API specs, cloud config, workflows, tickets, ADRs, tribal knowledge. Built into a living security graph.

in · sourceout · graph

02 · Reason

Map attack paths.

Build a threat model of the live system: trust boundaries, privilege transitions, hidden assumptions, multi-step abuse flows. Prioritised hypotheses, not a list of lints.

in · graphout · threat model

03 · Plan

Plan, then adapt.

Cipher opens each review with an initial plan, then runs the loop: execute, learn from the environment, update hypotheses, execute again. The plan refines as evidence comes in.

in · hypothesesout · living plan

04 · Validate

Actually execute.

Code-aware inspection. Runtime checks. Authenticated flows against the real system: real auth, VPN, network access where the target lives. Only validated, exploitable findings make it through.

in · planout · validated exploit

05 · Remediate

Evidence + fix, together.

Validated finding, attack-path context, reproduction steps, remediation diff, and retest criteria. Audit-ready from the start.

in · proofout · fix

06 · Learn

Every review, smarter.

Findings, fixes, and resolutions write back to the graph. Every run picks up where the last one left off. Compounds against your system.

in · all of itout · memory

Last 30 days

1.1M+ lines reviewed

0 false positives on every validated finding

175+ exploitable findings

Field report · Engagement #04

A six-year compromise, wired into production.

What Cipher found in an environment that had already cleared SAST, DAST, and five rounds of pentesting.

Cipher Field Report · CPHR-FR-04 2026-03-12 · Confidential

What Cipher paused its own run for

Cipher stopped reviewing the app and surfaced something larger: an open vendor bucket leaking production data, and a long-running compromise behind it.

Cipher reverses the codebase and maps the live system.
During testing, unauthenticated endpoints surface on the primary service.
Data traces to an externally-hosted S3 bucket.
Bucket is open. Records match live production data, including PII.
Cipher pauses, alerts security leadership out-of-band. Authorized to continue.
Investigation enters the vendor environment. Web shells across vendor paths — one wired into the customer's production workflow. Admin escalation, auth bypasses, and HMAC signing keys in minified JS followed.

Human + AI

Autonomous, or approval-gated. You set the mode.

Cipher runs in two modes. Let it run end-to-end, every action logged. Or gate sensitive actions behind a reviewer sign-off. You set the policy. Cipher enforces it.

Cipher · planner15:42:07

Mapped an attack path from s3://vendor-feed through the API gateway into payments-svc. Hypothesis CPHR-EXP-04816. To validate exploitability, I need a single replay request that writes to a live payments record.

Cipher · planner15:42:09

This is a tier-2 action. Approve below to continue, or request details.

Approval requested · tier-2CPHR-PLAN-11932

Issue webhook-replay · live payments-svc

Risk · writes to one live payments record · single request

Scopescoped service-account · one write · no schema change Rollbackstate captured · auto-revert on exit Kill-switch<100 ms · any reviewer

Trust & governance

Enterprise-grade from day one.

Governance on every path that touches production. Every action logged, every connector scoped, every sensitive write approvals-gated.

SSO + lifecycle.

Enterprise SSO, SCIM deprovisioning, verified domains, session policy. Federated identity the only way in. Leaver lockout is automatic.

RBAC + scoped access.

Fine-grained roles for reviewers, auditors, approvers. Every connector, every repo, every action scoped.

Full audit trail.

Identity, access, connectors, reviews, approvals. Every action attributed and timestamped. Exportable. SIEM-ready.

Connector control.

Read-only by default. Write scopes explicit and approvals-gated. No secrets in Cipher's ownership.

Secrets at rest.

Credentials, service secrets, and network profiles encrypted with AES-256-GCM and envelope KMS. Never plaintext.

Hard-stop kill-switch.

Any reviewer, any time, halts any running Cipher task in under 100 ms. Out-of-band confirmation.

Compliance posture SOC 2 Type II · in progress ISO 27001 · in progress

Specific compliance, residency, or deployment requirements? Let's talk.

The ask

One repo. One target. One unattended review. Exploitable findings.

No slides. No demo environment. We connect Cipher to a system you own — securely, zero retention — and hand back the validated, exploitable findings. If we find nothing worth your time, you get a letter. Either way, you know where you stand.

Book a demo → Talk to the team

[email protected] SOC 2 Type II · in progress