AI-Driven Offensive OperationsBeyond The Scan
From repository onboarding and attack-surface discovery to live engagements, remediation, sidecars, and MCP-powered AI orchestration
Target Repository Access
Install the Reaper GitHub App for fine-grained, tokenless repository access. Automatic webhook-driven scans on every push and pull request event. Full OAuth installation flow with zero PAT management overhead.
- GitHub App - One-click OAuth installation with fine-grained permissions
- Webhook Events - Automatic scans on push, PR, and installation events
- Tokenless Access - Short-lived JWT tokens, no PATs to rotate
- Enterprise Ready - GitHub.com and GitHub Enterprise Server support
- PAT Fallback - Personal Access Token auth for other VCS platforms
Technology Fingerprinting
Parse dependency files from all major package ecosystems. We extract exact versions from lock files when available for precise vulnerability matching.
go.mod/go.sum- Go modulespackage.json/yarn.lock/pnpm-lock.yaml- Node.js (npm, yarn, pnpm)requirements.txt/Pipfile.lock- PythonCargo.toml/Cargo.lock- Rustpom.xml/build.gradle- JavaDockerfile/docker-compose.yml- Container images & packagesMakefile/.mise.toml- Tool versions
Multi-Source Exploit Database
Aggregated exploit intelligence from four offensive security databases. Know which CVEs have working exploits, which are being actively exploited in the wild, and which have Metasploit modules ready to deploy.
- Exploit-DB - Curated public exploits with PoC code from Offensive Security
- GitHub PoCs - CVE proof-of-concept exploits collected from GitHub repositories
- InTheWild - Real-time tracking of vulnerabilities actively exploited in the wild
- Metasploit Modules - CVE-to-module mappings from the Metasploit Framework
- Full-text search across all exploit sources with CVE correlation
- Continuous synchronization with configurable source selection
Operation Notifications
Get notified the moment a new vulnerability affects your tracked versions. Configure alert rules by severity, ecosystem, or project.
- Email notifications
- Slack webhooks
- Configurable severity thresholds
- Project-specific rules
express@4.17.1Project Control Rooms And Reporting
Every project gets a deep workspace for alerts, vulnerabilities, logs, AI review, Semgrep coverage, access control, and reporting. Export project and organization reports as PDF or Markdown.
- Per-Project Views - Alerts, vulnerabilities, logs, history, AI audit, code, access, and settings in one place
- Executive Reports - Export PDF or Markdown reports with stakeholder-ready summaries
- Guardian Visibility - Review deterministic sidecar output next to offensive findings
- Email Delivery - Send generated reports directly to stakeholders
Vulnerability Scanning
Offensive scanning combines native tooling with optional sidecars. Tune tags, severities, scripts, and execution scope while mixing live recon with code and dependency signal.
- Nuclei - Configurable template tags (cve, rce, sqli, xss, lfi, ssrf), severity filters, custom template directories
- Nmap - NSE script categories (vuln, exploit, auth, brute, discovery), port selection, timing templates, full script output parsing
- Core Tooling - ffuf, subfinder, httpx, katana, semgrep, detect-secrets, grype, trivy
- Guardian Sidecar - Deterministic code, dependency, CVE, and license analysis merged into the offensive pipeline
- Kali Sidecar - Optional isolated execution for allowlisted tools such as hydra, nikto, wpscan, gobuster, and hashcat
- CWE and CVE correlation with exploit database cross-referencing
- Parallel scanning with smart deduplication and audit trails
Exploit Review, Reporting, And Remediation
Use AI to review exploitability, generate proof-of-concepts, write reports, and open remediation work without losing operator control.
- Finding Review - AI analyzes pentest findings to identify false positives vs true vulnerabilities
- CVE Impact Assessment - Evaluate real-world exploitability based on attack vectors and context
- PoC Generation - Generate proof-of-concepts for vulnerabilities and scan findings
- Security Report Generation - Create comprehensive incident and scan reports with remediation guidance
- Fix PR Workflows - Create and track AI-generated remediation pull requests
- Impact Summaries - Executive-level summaries explaining security posture in plain language
AI Orchestration
A full Model Context Protocol server with query, analysis, and action workflows. Let Claude Code, Cursor, Windsurf, or any MCP-compatible AI assistant directly query vulnerabilities, search exploit databases, trigger scans, create fix PRs, and manage your security posture conversationally.
- 18 Query Tools - Explore org overview, project details, dependencies, vulnerabilities, pentest findings, alerts, CVE info, exploit database search, exploits by CVE
- 6 Analysis Tools - PoC generation, license compliance, security report generation, report export
- 11 Action Tools - Create fix PRs, trigger scans, manage alerts, create incidents, import projects
- Guided Prompts - Security triage, project review, and license compliance audit workflows
- Auth Options - Per-org enablement with RBAC, API keys, and OAuth 2.1 for remote MCP clients
Deep Recon Agent
A specialized AI agent with code exploration tools performs comprehensive source code analysis using a 3-phase methodology. Finds logic flaws, race conditions, and insecure design patterns that automated scanning tools cannot detect.
- Phase 1: Reconnaissance - Maps project structure, identifies entry points, security-critical areas
- Phase 2: Code Analysis - Examines auth, access control, data handling, cryptography, database access
- Phase 3: Logic Review - Business logic flaws, race conditions, TOCTOU bugs, insecure design patterns
- Configurable Focus - Target auth, injection, crypto, data exposure, logic, or all areas
- Fix PR Generation - AI generates pull requests to fix discovered audit findings
AI Exploit Agent
Every Scan finding and CVE alert is reviewed by AI for real-world exploitability. The system clones your repo, analyzes actual code paths, and determines whether vulnerable functions are truly reachable -- eliminating noise so you focus on what matters.
- Relevance Scoring - 0.0 to 1.0 score based on code reachability and attack vector analysis
- False Positive Detection - Identifies test files, dead code, sanitized inputs, framework protections
- Dependency Usage Analysis - Checks if vulnerable functions are actually called in your code
- PoC Generation - Creates proof-of-concept exploits to validate true threats
- Auto Review - Automatically reviews all critical/high findings during scans
AI Attack Vector Analysis
A multi-agent AI pipeline generates custom Semgrep rules tailored to your exact codebase. Organization-level rules from natural language descriptions, plus project-specific rules that target your frameworks, APIs, and security patterns.
- 4-Agent Pipeline - Analysis, Implementation, Verification, and Fix agents collaborate to produce valid rules
- Project-Specific Rules - AI analyzes your codebase to generate 3-8 targeted rules per project
- Per-Project Config - Granular control: enable/disable rule groups, cherry-pick individual rules, override group defaults
- Batch Generation - Describe complex security patterns in natural language, AI breaks them into individual rules
- Auto-Validation - Every generated rule is validated with
nuclei -validateand auto-fixed if needed
Domains, Hosts, And Continuous Discovery
Monitor your external attack surface with passive DNS-based discovery. Automatically find subdomains, track live domains, and maintain visibility into all your internet-facing assets.
- Passive DNS Discovery - Find subdomains without active scanning using historical DNS data
- Live Domain Probing - Automatically check which discovered domains are active and responding
- IP Resolution - Resolve and track IP addresses for live domains
- Host Tracking - Maintain an inventory of all hosts associated with your projects
- Continuous Monitoring - Scheduled discovery and probing keeps your asset inventory current
Scheduled Operations And Incident Response
Run recurring engagements, inspect execution trees, and convert validated findings into incidents with AI-assisted reporting.
- Engagement Scheduling - Create recurring offensive runs and trigger them on demand
- Execution Trees - Inspect per-task progression, live logs, ETA, and operator checkpoints
- Incident Lifecycle - Track incidents through open, investigating, mitigating, resolved, and closed states
- Alert Linking - Connect vulnerability alerts to incidents for full context
- Timeline Tracking - Maintain a detailed timeline of all incident actions and updates
- AI Bootstrap - Create incidents from URLs, free text, or PDFs
- AI-Enhanced Reports - Generate comprehensive incident reports with remediation guidance
Identity, Governance, And Access Control
Manage collaboration at scale with multi-tenant organizations, RBAC, team-based access, and modern identity controls for operators and AI clients.
- Multi-Tenancy - Isolated organizations with separate projects, users, and settings
- Team Management - Organize users into teams with leads and members
- Role-Based Access - Admin, member, and viewer roles with granular permissions
- Project Access Control - Control which teams can access specific projects
- Identity Options - Passkeys, API keys, OAuth apps, SSO, and SCIM provisioning
Full Platform, Service Mode, And Sidecars
Deploy Reaper as the full web platform or as a headless service API, then layer in Guardian and Kali only where your environment needs them.
- Full Mode - UI, auth, org settings, billing, scheduling, and reporting
- Service Mode - Private-network, headless REST scanning for internal systems and CI/CD
- Guardian - Optional deterministic defensive scanning sidecar
- Kali - Optional isolated offensive sidecar with allowlisted remote execution
- Docker-First - Consistent local and self-hosted deployment story
Download the Reaper Whitepaper
Offensive security platform covering attack-surface discovery, live engagements, AI-powered auditing, remediation, and MCP integration.