Fig. 01: The audit
The audit hackersrun on you. Before they do.
Vigil is an AI security audit for web apps and codebases, built for teams that can't afford a $5k pentest, and can't afford to be the next breach in the news.
Not ready to apply? Run a free 10-second surface scan first →
~5 min
Per audit
40+
Checks per scan
Cohort 01
Now accepting applications
What Vigil checks
Two layers · One reportA · Surface
What your site exposes.
Paste a URL. Vigil scans the public surface for misconfigurations and the signals attackers look for first.
- Missing security headers (CSP, HSTS, X-Frame-Options)
- TLS / SSL misconfigurations
- Exposed admin panels and sensitive endpoints
- Open redirects and CORS gaps
- Information leakage (stack traces, versions)
B · Code
What your repo hides.
Connect a repo or upload files. Vigil reads code with an AI security model tuned to flag the patterns that actually ship to production.
- SQL injection and XSS patterns
- Hardcoded secrets and exposed API keys
- Insecure dependencies with known CVEs
- Weak authentication and session handling
- Missing rate limiting on sensitive routes
Mapped to recognised frameworks
MITRE ATT&CK · NIST CSF 2.0 · MITRE D3FEND
Every finding carries the attacker technique it enables and the defensive control it maps to, so your report speaks the language your auditors, insurers and board already use.
Built for, The teams that need it most
A–DIndie developers
The audit you can’t afford to pay for, run in minutes.
Startups
Get the same baseline a $5k pentest would catch, before launch.
Agencies
White-label reports you can ship to clients alongside the build.
Internal teams
Continuous audits on every deploy, fewer surprises in review.
Restricted access
Some tools should not be in everyone's hands.
A scanner that finds real vulnerabilities is also one that could find them in someone else. Vigil is invite-only by design: we review applications in cohorts, prioritise teams auditing systems they own, and gate code-level scans behind verified accounts.
- Cohort-based intake, small, deliberate batches.
- Verified ownership required before code scans.
- Reports are private to the requesting account.
- No retention of scanned source beyond the audit.
Apply for cohort 01
Ask to be let in.
Drop your email. If you're a fit for the current cohort we'll send your access link directly. Otherwise we'll hold your spot for the next one.