Keelpin is the pin every line is belayed to. SAST, SCA, secrets, IaC, container, and pentest — fused into one canonical record per vulnerability and proven by an autonomous exploit before it reaches your inbox.
Most security platforms surface noise. Keelpin closes the gap between scattered scanner output and one canonical, exploit-validated truth. Every commit belayed to the same pin — not once a year.
SAST says one thing. SCA says another. Your pentester said something else last March. Nobody trusts any of it.
Your team merges 200 PRs a week. Your annual pentest tested code that's already six months gone.
Pattern-matchers flag the textbook patterns. Real exploits live in business logic, auth flows, and the seams between services.
Continuous application security across every layer of your stack — from static analysis of your code to runtime pentesting of your apps. Each module is structurally part of the same pin.
- Hull (whitebox · code-aware): Agents read your source, model the architecture, and generate precise exploits validated against the live application.
- Tide: Autonomous external pentesting against the running app. No code access. On-demand. Per repository. No subscription required.
- Weld: Code Property Graph plus LLM reasoning. Real vulnerabilities with full data-flow context — never regex matches, never blind hits.
- Compass: Authorization bypass, IDOR, state-machine flaws, race conditions, and workflow abuse. The vulnerabilities pattern-matchers miss.
- Cargo: Software composition analysis with reachability. Know which CVEs in your dependencies are actually reachable from attacker-controlled input.
- Lockbox: Find leaked credentials, tokens, and API keys across code and commit history. Validated, deduplicated, prioritized by blast radius.
- Drydock: Terraform, CloudFormation, Kubernetes manifests, and Helm charts — scanned for misconfigurations and policy violations before they sail.
- Hold: Scan container images for vulnerable packages, exposed secrets, and misconfigurations across every layer — before they ship to your registry.

Every Keelpin finding follows the same four-step process. Nothing is automated past the review gate. The pin holds because you decide it holds.
1. Push triggers SAST, SCA, secrets, IaC, and container scans across the changed surface. Source loads into ephemeral memory; nothing persists.
2. An agent generates an exploit and runs it against the live app. Confirmed exploits are filed as canonical findings with full reproduction.
3. You click a finding. An agent writes the patch and re-runs the original scanner. No patch is delivered unless the vulnerability is gone.
4. Patch lands as a clearly labeled bot PR in your normal workflow. You review. You merge. The pin holds. The finding closes.
Keelpin deduplicates SAST, SCA, secrets, IaC, container, and pentest results into a single canonical entry per vulnerability per repository — surfaced on a live dashboard and synced bidirectionally with Jira.
Content-hash plus LLM semantic matching. One entry per vulnerability per repo, persistent across refactors and rebases.
Risk, velocity, SLA, and MTTR trend charts. Drill into any repo, team, or severity. KPIs that map to how you actually ship.
One-click ticket creation. 15-minute status refresh. Hourly drift sweep on linked pairs. No manual reconciliation, ever.
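The content-hash stage of that deduplication, shown as an added illustration rather than Keelpin's own code: the finding schema, field names, normalization rules and sample findings below are all assumptions. The fingerprint is built from repository, rule, normalized path and a snippet with whitespace, trailing comments and string-literal contents stripped, and deliberately leaves the line number out, so the same SQL injection reported by a SAST pass at line 42 and by a pentest agent at line 58 after a re-indenting refactor collapses to one record that carries both sources and the higher severity. The LLM semantic-matching stage the page describes (which would cover, say, the same bug after a file move) is not reproduced here.

```python
# Added example of content-hash deduplication for scanner findings.
# Illustration only, not Keelpin's code; schema, field names, normalisation
# rules and sample findings are assumptions.
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    """One raw finding as a scanner emits it (assumed schema)."""
    repo: str
    source: str    # module that reported it, e.g. "WELD" (SAST) or "HULL" (pentest)
    rule: str      # vulnerability class, e.g. "sql-injection"
    path: str
    line: int      # deliberately excluded from the fingerprint
    snippet: str   # offending source line(s)
    severity: str  # "CRIT" / "HIGH" / "MED" / "LOW"


@dataclass
class CanonicalFinding:
    """One entry per vulnerability per repo, merged from every scanner that saw it."""
    key: str
    repo: str
    rule: str
    path: str
    severity: str
    sources: List[str] = field(default_factory=list)
    lines: List[int] = field(default_factory=list)


# Strings are blanked first (so '#' or '//' inside a literal is not taken for a
# comment), then trailing comments dropped, then whitespace collapsed.
_STRING_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
_TRAILING_COMMENT = re.compile(r"\s*(//|#).*$")
_WHITESPACE = re.compile(r"\s+")
_SEVERITY_RANK = {"CRIT": 4, "HIGH": 3, "MED": 2, "LOW": 1}


def normalize_snippet(snippet: str) -> str:
    """Remove what a refactor or rebase changes without changing the bug."""
    kept = []
    for raw in snippet.splitlines():
        line = _STRING_LITERAL.sub('""', raw)
        line = _TRAILING_COMMENT.sub("", line)
        line = _WHITESPACE.sub(" ", line).strip()
        if line:
            kept.append(line)
    return "\n".join(kept)


def normalize_path(path: str) -> str:
    """Repo-relative, forward slashes, no leading './'."""
    path = path.replace("\\", "/")
    while path.startswith("./"):
        path = path[2:]
    return path.lstrip("/")


def fingerprint(f: Finding) -> str:
    """Content hash over the fields that identify the bug, not its position."""
    material = "\0".join(
        [f.repo, f.rule.lower(), normalize_path(f.path), normalize_snippet(f.snippet)]
    )
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def dedupe(findings: List[Finding]) -> Dict[str, CanonicalFinding]:
    """Fold raw findings into canonical records keyed by fingerprint.

    Sources and reported lines accumulate; severity is the highest any scanner
    assigned, so an exploit-confirmed CRIT overrides a static HIGH for the same bug.
    """
    canon: Dict[str, CanonicalFinding] = {}
    for f in findings:
        key = fingerprint(f)
        entry = canon.get(key)
        if entry is None:
            entry = CanonicalFinding(key, f.repo, f.rule, normalize_path(f.path), f.severity)
            canon[key] = entry
        if f.source not in entry.sources:
            entry.sources.append(f.source)
        if f.line not in entry.lines:
            entry.lines.append(f.line)
        if _SEVERITY_RANK.get(f.severity, 0) > _SEVERITY_RANK.get(entry.severity, 0):
            entry.severity = f.severity
    return canon


# Constructed sample input: one SQL injection reported by SAST and, after a
# refactor that re-indented the line and added a comment, by a pentest agent at
# a different line number; plus an unrelated CORS finding.
SAMPLE_FINDINGS = [
    Finding("shop", "WELD", "sql-injection", "./routes/login.js", 42,
            "const q = \"SELECT * FROM Users WHERE email = '\" + req.body.email + \"'\";", "HIGH"),
    Finding("shop", "HULL", "sql-injection", "routes/login.js", 58,
            "    const q = \"SELECT * FROM Users WHERE email = '\" + req.body.email + \"'\";  // TODO parameterise", "CRIT"),
    Finding("shop", "WELD", "permissive-cors", "routes/app.js", 7,
            "app.use(cors({ origin: '*' }));", "MED"),
]


if __name__ == "__main__":
    for entry in dedupe(SAMPLE_FINDINGS).values():
        print(f"{entry.key}  {entry.rule:<16} {entry.severity:<5} "
              f"{'+'.join(entry.sources):<10} {entry.path}:{entry.lines}")
```

Running it prints two records: the SQL injection keyed once with sources WELD+HULL, severity CRIT and both reported lines, and the CORS finding on its own. Including the path in the hash is the trade-off to notice: it keeps two copies of the same pattern in different files apart, but it also means a file rename needs the semantic stage, not the hash, to keep the record persistent.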
| ID | FINDING | SOURCE | SEVERITY |
|---|---|---|---|
| KP-A38F | JWT alg:none auth bypass | HULL | CRIT |
| KP-29B1 | SQL injection on /rest/login | WELD+HULL | CRIT |
| KP-71C4 | [email protected] RCE | CARGO | HIGH |
| KP-44E2 | Hardcoded Alchemy API key | LOCKBOX | HIGH |
| KP-9A07 | IDOR on /api/baskets/:id | COMPASS | HIGH |
| KP-1F58 | Permissive CORS * | WELD | MED |
| KP-B321 | Unpinned base image | HOLD+DRYDOCK | HELD |
Deploys entirely inside your AWS, GCP, or Azure account. Source, scan results, and AI inference stay inside your security perimeter. No managed control plane. No externally operated data plane.
Run the entire platform inside your VPC. Fully air-gapped, no outbound calls required. Audited end-to-end on your infrastructure.
SAML 2.0 or OIDC for sign-in. SCIM for automated user provisioning, deprovisioning, and group sync.
GitHub, GitLab, Azure DevOps, Jira, Slack, plus Docker Hub, GHCR, Amazon ECR, and Google Artifact Registry.
```
┌─ your-vpc.aws.amazon.com
│
├─ keelpin-control       ↪ kp-ctl.svc
├─ keelpin-scanner-pool  ↪ 8x kp-worker
├─ keelpin-pentest-pool  ↪ 4x kp-agent
├─ postgres + pgvector   ↪ findings store
├─ bedrock-runtime       ↪ your AWS account
└─ github-app            ↪ read-only by default

→ Outbound calls: 0
→ External egress: none
→ Source persistence: nil
```
Keelpin is read-only by default. Source loads into ephemeral worker memory and is discarded when the scan completes. Only the canonical finding record persists.
Source is held in ephemeral worker memory only for the duration of the scan. Nothing is written to disk.
Zero-retention enforced upstream with every model vendor. No prompts, completions, or embeddings feed training pipelines.
Route inference through your own Anthropic, OpenAI, Bedrock, or self-hosted endpoint. Inference traffic and the credentials for it go directly from your environment to that endpoint; neither passes through infrastructure Keelpin operates.
Every scan runs on read-only scopes. The only feature that ever requests write access is Mend — opt-in per finding, never auto-applied.
Deploy the entire platform inside your VPC. Air-gapped, isolated, and audited end-to-end on your own infrastructure.
After a scan, source is gone. Only the canonical finding record persists: rule, path, line, severity, status, and a redacted snippet.
Schedule a structural review with the Keelpin team. We'll point Hull and Tide at a target you control, run a real exploit, and show you the canonical finding before the call ends.