// your autonomous purple team
Red team.Blue team.One swarm.
A swarm of AI agents hunts your repo and hands back the fix.
// watch it hunt
A live audit, from the inside.
unpwnd · swarm audit — acme/payments-api
LIVE
01Connect01 / 05
01 Connect a repository
acme/payments-apiTypeScriptConnecting…
acme/web-dashboardTypeScriptImport
acme/infraTerraformImport
acme/mobile-appSwiftImport
acme/ml-pipelinePythonImport
GitHub App installed · repo-scoped, read-only token minted
02 The swarm deploys
agents 0/12slices 14files 1,204coverage 0%
attack-surface graph
⟂ map · 1,204 files · 3,412 symbols · 61 entrypoints⟂ partition · 14 slices — every file assigned→ agent-03 · auth/* — tracing session issuance→ agent-07 · api/upload — following multer filename→ agent-11 · webhooks/* — verifying stripe signatures→ agent-05 · payments/* — checking amount tampering→ agent-09 · db/* — hunting raw SQL interpolation✓ agent-03 · CWE-347 confirmed — 3-hop exploit path◈ verify · 1 claim refuted — evidence didn’t hold, dropped✓ coverage 100% — every slice audited & verified
03 Findings, ranked by severity
0findings · deduped across scans
CriticalCWE-347
JWT alg:none accepted — signature bypass
auth/session.ts:88
HighCWE-22
Path traversal via unsanitized filename
api/upload.ts:42
MediumCWE-918
Outbound fetch to a user-supplied URL — SSRF
webhooks/relay.ts:27
LowCWE-209
Stack trace leaked in error responses
middleware/errors.ts:61
04 Proven → verified → fixed
Taint path — CWE-347
routes/login.ts:14 req.body.token◂ source · untrusted input
auth/session.ts:47 verifyToken()
lib/jwt.ts:88 jwt.verify(token, key)◂ sink · no algorithm pinned
re-read lib/jwt.ts:80–95 — no algorithm allow-list foundreplayed the trace with a forged alg:none token — accepted
Fix prompt — written for your coding agent
05 Keep it continuous
Re-audit on your cadence — unpwnd re-scans and auto-resolves what you've already fixed.
Dailyevery 24h
WeeklySun 03:00 UTC
Monthly1st of month
Next audit: in 6 days · Sun 03:00 UTC
Since last audit
4 findings auto-resolved
2 new since main advanced
Deduped by fingerprint — fixed issues close automatically, so your queue only ever shows what still matters.
Jun 01 22 findingsJun 08 9 new · 14 resolvedJun 15 3 new · 8 resolvedtoday 2 open
// why now
You ship at AI speed. Attackers do too.
Security that arrives quarterly can’t guard code that ships daily.
// red × blue = purpleOffense finds it.
Offense finds it.
Defense fixes it.
Red team · offense
It finds what’s exploitable.
The swarm thinks like an attacker — hunting reachable, provable bugs, not theoretical lint.
Confirmed source→sink pathsuntrusted input → dangerous sink, evidence at each hop
OWASP Top 10 & CWE familiesinjection, access control, SSRF, deserialization, secrets
Ranked by real riskcritical → low · impact × exploitability
Blue team · defense
It ships you the fix.
Every finding closes with remediation your coding agent can apply immediately.
Paste-ready fix promptsa self-contained handoff for Claude Code, Cursor, or a PR
Re-audit on your cadencefixed issues auto-resolve on the next scan
Resolve & tracktriage with a full audit trail behind it
// live telemetry
6,839 findings traced — and counting.
// point it at a repo
Stay unpwnd.
Connect a repository. The swarm takes it from there.
$ unpwnd audit your-org/your-repo