Open Methodology

See Exactly How We Scan. No Black Boxes.

Every scanner, every rule source, every output format — documented. We publish our stack because we have nothing to hide.

Semgrep

Pattern-based static analysis across 30+ languages. We maintain custom rulesets tuned from real-world pentest findings to eliminate false positives at the source.

SAST · 30+ Languages · Custom Rules

CodeQL

GitHub's semantic analysis engine. Deep dataflow and taint tracking for complex vulnerability chains that pattern-matching misses.

Semantic Analysis · Dataflow · Taint Tracking

Custom Rule Engine

Proprietary detection rules built from active pentest engagements. Updated weekly as we discover new patterns across client codebases.

Proprietary · Weekly Updates · Pentest-Derived

SARIF Output

Industry-standard Static Analysis Results Interchange Format. Import into GitHub, Azure DevOps, or any SARIF-compatible tool. Full audit trail included.

SARIF 2.1 · Interoperable · Audit Trail

AI Triage Layer

LLM-assisted proof-of-exploitability scoring eliminates 96% of false positives before a human sees them. Every remaining finding includes exploitation context.

96% FP Elimination · LLM-Assisted · PoE Scoring

Manual Pentest Overlay

OSCE3-certified testers validate automated findings and pursue adversarial attack chains that scanners cannot replicate. AI-accelerated recon, human depth.

OSCE3 · Manual Validation · Adversarial

Pipeline

How a Scan Works

1. Connect

Install the Kuzushi GitHub App. Select repos. Takes under 2 minutes.

2. Trigger

Every PR opened, reopened, or updated triggers an automatic scan. On-demand scans available anytime.

3. Multi-Engine Scan

Semgrep, CodeQL, and custom rules run in parallel. Results merged and deduplicated.

4. AI Triage

LLM-assisted analysis scores exploitability, eliminates false positives, and generates remediation guidance.

5. Deliver

Findings appear in your dashboard with severity, file paths, and fix suggestions. SARIF and markdown reports available for export.
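As an added illustration of step 3 (merging and deduplicating results from several engines) and of the SARIF 2.1 format the reports use, the following Python is example code written for this page, not Kuzushi's own pipeline. It builds two constructed SARIF logs (sample rule ids, paths and messages are made up) and collapses findings that point at the same file, line and severity; that dedupe key is an assumption about how overlapping results are matched.

```python
def _result(rule, level, text, uri, line):
    """Build one minimal SARIF 2.1 result object (constructed sample data)."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

def _log(tool, *results):
    """Wrap results in a single-run SARIF 2.1 log for the named engine."""
    return {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": tool}},
                                          "results": list(results)}]}

# Constructed inputs: both engines flag app/db.py:42 under different rule ids.
SEMGREP_LOG = _log("semgrep",
    _result("python.sqli", "error", "SQL query built from user input", "app/db.py", 42),
    _result("python.hardcoded-secret", "warning", "Hardcoded credential", "app/config.py", 7))
CODEQL_LOG = _log("CodeQL",
    _result("py/sql-injection", "error", "Query depends on a user-provided value", "app/db.py", 42),
    _result("py/path-injection", "warning", "Path depends on a user-provided value", "app/views.py", 88))

LEVEL_RANK = {"error": 0, "warning": 1, "note": 2}  # SARIF result.level values

def iter_results(log):
    """Flatten a SARIF log into one plain dict per result (first location only)."""
    for run in log.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            yield {"tool": tool, "rule": r.get("ruleId"),
                   "level": r.get("level", "warning"),  # SARIF's default level
                   "uri": loc["artifactLocation"]["uri"],
                   "line": loc["region"]["startLine"], "message": r["message"]["text"]}

def merge_and_dedupe(*logs):
    """Merge logs; findings sharing (file, line, level) collapse into one entry that
    records every engine and rule id that reported it. The key is an assumption."""
    merged = {}
    for log in logs:
        for f in iter_results(log):
            key = (f["uri"], f["line"], f["level"])
            e = merged.setdefault(key, {"uri": f["uri"], "line": f["line"], "level": f["level"],
                                        "message": f["message"], "tools": [], "rules": []})
            e["tools"].append(f["tool"])
            e["rules"].append(f["rule"])
    # Highest severity first, then by path and line, so the report is stable.
    return sorted(merged.values(),
                  key=lambda e: (LEVEL_RANK.get(e["level"], 9), e["uri"], e["line"]))

if __name__ == "__main__":
    for e in merge_and_dedupe(SEMGREP_LOG, CODEQL_LOG):
        print(f"{e['level']:7} {e['uri']}:{e['line']}  {'+'.join(e['tools'])}  {e['message']}")
```

Real SARIF logs carry more fields (fingerprints, code flows, multiple locations); a production merge would prefer `partialFingerprints` over a line-based key where engines provide them.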

Outputs

What You Receive

Every artifact is exportable. Verify independently, import into your tools, or hand directly to your auditor.

SARIF Reports

Machine-readable, importable into GitHub Security tab or any SARIF viewer.

Markdown Summaries

Human-readable reports with executive summary, findings, and remediation steps.

Compliance Evidence

Scan results mapped to ISO 27001, SOC 2, NIST 800-53, PCI DSS, and ISO 42001 controls.

Dashboard

Real-time vulnerability feed with severity, SLA tracking, and developer assignment.

Developer Tickets

Findings assigned to developers with remediation guidance and priority ranking.

Posture Reports

Monthly or quarterly security posture snapshots for leadership and board reporting.

Want to See It on Your Code?

Connect a repo and get your first findings in under 10 minutes. No black boxes, no surprises.
