Architecture decisions, technique writeups, and product stories from building an agentic security platform. Updated when we ship something worth writing about.
Architecture·9 June 2026·6 min read
A rules engine can tell you a CVE exists. It can't tell you whether it matters in your repo. That judgement — the part a senior engineer does in their head before they bother you — is exactly what a language model is good at, and exactly where most scanners stop. Here's where the model helps, where it doesn't, and the guardrails that keep it honest.
Read →Architecture·9 June 2026·7 min read
Handing a third party read access to your source code is a real risk, and 'trust us' is not an answer. So we built the scanner so that even a fully compromised scan container can't exfiltrate your code or steal a credential. No long-lived secrets on the box, per-scan tokens, locked-down egress. Here is the actual architecture.
Read →Story·5 June 2026·6 min read
JFrog and Ox Security disclosed IronWorm: a self-propagating npm worm with a Rust infostealer that fires from a preinstall hook and hunts 86 env vars and 20 credential files. Here's exactly what our no-code-on-your-runner architecture buys you when a worm like this is live, and, honestly, where it doesn't help.
Read →Story·25 May 2026·7 min read
We pointed Pwnkemon at the most-scanned vulnerable web app in the world and let the agent decide what to look for. 13 minutes later: 11 confirmed findings including a critical SQL injection that took the app offline and a JWT key exposure path to admin takeover. Here's what the agent actually did, in order.
Read →Story·24 May 2026·4 min read
Six hours before launch, our own product caught seventeen CVEs we'd picked up overnight. Including a cryptography library advisory published less than twelve hours earlier. Here's what dogfooding actually looks like.
Read →Architecture·24 May 2026·6 min read
Every other security GitHub Action runs scanner code on your CI runner, the same runner that holds your deploy secrets. We think that's the wrong tradeoff. Here's the architecture we chose instead.
Read →Technique·23 May 2026·5 min read
A real scan of a small repo: seven 'high' npm-audit findings, all in dev-tool transitive dependencies, none reachable from production code. Why your scanner doesn't tell you that, and what we do instead.
Read →Architecture·23 May 2026·5 min read
Most scanners ship you a database query result and call it a report. We think the report IS the product. Here's the anatomy of a Pwnkemon scan output: what's in it, what's deliberately left out, and why.
Read →Reference·23 May 2026·5 min read
A 'removed' secret in commit history is still a leaked secret. Half the scanners on the market don't even look. The rest tell you the secret exists but not which commit introduced it. Here's what real git-history scanning needs to do.
Read →