// your autonomous purple team

Red team.Blue team.One swarm.

A swarm of AI agents hunts your repo and hands back the fix.

// watch it hunt

A live audit, from the inside.

unpwnd · swarm audit — acme/payments-api
LIVE
01Connect01 / 05
01 Connect a repository
acme/payments-apiupdated 2h agoTypeScriptConnecting…
acme/web-dashboardTypeScriptImport
acme/infraTerraformImport
acme/mobile-appSwiftImport
acme/ml-pipelinePythonImport
GitHub App installed · repo-scoped, read-only token minted
02 The swarm deploys
agents 0/12slices 14files 1,204coverage 0%
attack-surface graph
map · 1,204 files · 3,412 symbols · 61 entrypoints partition · 14 slices — every file assigned agent-03 · auth/* — tracing session issuance agent-07 · api/upload — following multer filename agent-11 · webhooks/* — verifying stripe signatures agent-05 · payments/* — checking amount tampering agent-09 · db/* — hunting raw SQL interpolation agent-03 · CWE-347 confirmed — 3-hop exploit path verify · 1 claim refuted — evidence didn’t hold, dropped coverage 100% — every slice audited & verified
03 Findings, ranked by severity
0findings · deduped across scans
Critical
JWT alg:none accepted — signature bypass
auth/session.ts:88
CWE-347
High
Path traversal via unsanitized filename
api/upload.ts:42
CWE-22
Medium
Outbound fetch to a user-supplied URL — SSRF
webhooks/relay.ts:27
CWE-918
Low
Stack trace leaked in error responses
middleware/errors.ts:61
CWE-209
04 Proven → verified → fixed
Taint path — CWE-347
routes/login.ts:14 req.body.token◂ source · untrusted input
auth/session.ts:47 verifyToken()
lib/jwt.ts:88 jwt.verify(token, key)◂ sink · no algorithm pinned
adversarially verified — evidence re-read, confirmed
re-read lib/jwt.ts:80–95 — no algorithm allow-list foundreplayed the trace with a forged alg:none token — accepted
Fix prompt — written for your coding agent
05 Keep it continuous
Re-audit on your cadence — unpwnd re-scans and auto-resolves what you've already fixed.
Dailyevery 24h
WeeklySun 03:00 UTC
Monthly1st of month
Since last audit
4 findings auto-resolved
2 new since main advanced
Deduped by fingerprint — fixed issues close automatically, so your queue only ever shows what still matters.
Jun 01 22 findingsJun 08 9 new · 14 resolvedJun 15 3 new · 8 resolvedtoday 2 open
// why now

You ship at AI speed. Attackers do too.
Security that arrives quarterly can’t guard code that ships daily.

// red × blue = purple

Offense finds it.
Defense fixes it.

Red team · offense

It finds what’s exploitable.

The swarm thinks like an attacker — hunting reachable, provable bugs, not theoretical lint.

Confirmed source→sink pathsuntrusted input → dangerous sink, evidence at each hop
OWASP Top 10 & CWE familiesinjection, access control, SSRF, deserialization, secrets
Ranked by real riskcritical → low · impact × exploitability
Blue team · defense

It ships you the fix.

Every finding closes with remediation your coding agent can apply immediately.

Paste-ready fix promptsa self-contained handoff for Claude Code, Cursor, or a PR
Re-audit on your cadencefixed issues auto-resolve on the next scan
Resolve & tracktriage with a full audit trail behind it
// live telemetry

6,838 findings traced — and counting.

// point it at a repo

Stay unpwnd.

Connect a repository. The swarm takes it from there.

$ unpwnd audit your-org/your-repo
unpwnd — Autonomous AI security audits for every repo you ship