Trace, the AI security engineer

The depth of a pentest. The speed of automation.

Everything you need to secure your applications

All in one, without the noise.

Static Analysis

Understands complex business logic and traces data across microservices to find vulnerabilities that rule-based scanners miss.

TRC-032: Second-order SQL injection
User input is sanitized on write but trusted when read from the database in a different service.
acme/api → database → acme/reports
async function generateReport(userId: string) {
  const user = await db.users.findById(userId);
  return db.raw(`SELECT * FROM reports WHERE author = '${user.name}'`);
}
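
The finding above, worked through as an added example (not Trace's code or output): the concatenated query from the snippet beside a parameterized form, plus a regression check that the SQL text never varies with stored data. The `users` rows are constructed, the function names are hypothetical, and the `?` placeholder is an assumption about the database library in use.

```typescript
// Added example. The rows, function names and "?" placeholder are assumptions.
type Query = { sql: string; bindings: string[] };

// Constructed stand-in for the users table that another service writes to.
// That service bound the name as a parameter, so the apostrophe is stored intact.
const users: Record<string, { name: string }> = {
  u1: { name: "alice" },
  u2: { name: "O'Brien" },
};

function findUser(userId: string): { name: string } {
  const user = users[userId];
  if (!user) throw new Error("unknown user " + userId);
  return user;
}

// Pattern from the finding: a value read back from the database is trusted
// and spliced into the SQL text.
function reportQueryConcatenated(userId: string): Query {
  const user = findUser(userId);
  return { sql: `SELECT * FROM reports WHERE author = '${user.name}'`, bindings: [] };
}

// Hardened form: the SQL text is a constant and the stored value is a binding.
function reportQueryParameterized(userId: string): Query {
  const user = findUser(userId);
  return { sql: "SELECT * FROM reports WHERE author = ?", bindings: [user.name] };
}

// Regression check: if the SQL text differs between rows, stored data is
// reaching the query as code rather than as a value.
function sqlTextDependsOnData(build: (userId: string) => Query): boolean {
  const texts = Object.keys(users).map((id) => build(id).sql);
  return texts.some((text) => text !== texts[0]);
}
```

An ordinary name containing an apostrophe is enough to change the structure of the concatenated query, which is why sanitizing only on the write path does not protect the service that reads the value back.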

Secrets Detection

Follows how secrets flow through your code and systems. Validates which credentials are still live and surfaces the exposures that actually matter.

Supply Chain

Analyzes your dependency tree and identifies which vulnerable packages are actually reachable from your application code.

lodash@4.17.19 (Critical)
Prototype pollution via merge()
Fix: ≥4.17.21 · CVE-2021-23337
Reachability path:
lodash@4.17.19: merge()
express@4.18.2: body-parser middleware
src/app.ts, line 14: app.use(bodyParser.json())
src/routes/users.ts, line 47: _.merge(defaults, req.body)

PR Reviewer

Catches security issues in pull requests before they reach production. Runs on every commit.

PR #247: feat: add user search endpoint
claudecode pushed a1f3c2d
claudecode pushed e7b9a01
Some checks were not successful: 1 failing, 4 successful checks
Lint (pull_request): Successful in 10s
Test (pull_request): Successful in 24s
Type Check (pull_request): Successful in 17s
Trace Security Scan: 2 issues detected
Vercel: Deployment has completed

Verified Vulnerabilities

Coming soon

Runs the exploit against your application locally or on a staging stack you provide, and captures a recorded proof of the vulnerability.


Integrates with your entire stack

GitHub, GitLab, Bitbucket, CircleCI, Jenkins, Docker, AWS, GCP, Azure, Vercel, Supabase, Cloudflare, Kubernetes, Terraform, Vanta, Drata, Secureframe, Slack, Jira, Linear, Datadog, Sentry, Grafana, Tailscale, Confluence, Notion

Pen Testing

Audit-ready pen tests for SOC 2, ISO 27001, or HIPAA

Every finding comes with proof of exploitation and is reviewed by a security engineer before delivery.

Trace tests your web applications, APIs, and authentication flows for real vulnerabilities — SQL injection, broken auth, SSRF, XSS, and more. Every finding includes proof of exploitation.

Yes. Trace pen test reports can be used to satisfy SOC 2, ISO 27001, or HIPAA requirements.

Both. AI handles the testing at scale, then a security engineer reviews every finding before the report is delivered.

Most pen tests are completed within a few days depending on scope. You get continuous retesting included — as you ship new code, Trace retests automatically.

Trace performs whitebox testing, so we ask for as much access as possible — at a minimum, your GitHub repos and a staging URL or production environment.