Continuous appsec and pentesting, enterprise ready.
Agentic pentesting that runs in your environment, on your terms. Static analysis paired with autonomous exploitation. Near-zero false positives, with a working proof-of-concept exploit for every finding.
Everything regulated enterprises need from day one.
SaaS-only pentesting is a non-starter when your code is regulated. Keygraph runs inside your perimeter with the controls your security, legal, and compliance teams already require.
Self-hosted by design.
Deploys into your VPC, on-prem, or air-gapped infrastructure. Code never leaves your perimeter. BYO LLM keys: Anthropic, OpenAI, AWS Bedrock, Azure OpenAI, or your own self-hosted model.
Granular permissions & SSO.
SSO via SAML 2.0 or OIDC, plus SCIM provisioning. Okta, Microsoft Entra ID, Auth0, OneLogin, or any standards-compliant IdP. Role-based access with scoped scan permissions controls exactly who can launch scans, view findings, and export reports, per repository and per team.
Deep integrations.
Native connectors for GitHub, GitLab, Bitbucket, Azure DevOps, Jira, Slack, Microsoft Teams, and the major cloud providers (AWS, GCP, Azure). Plus a REST and webhook API for everything else; no ticket-driven glue code required.
Full audit trail.
Every scan, finding, and action is logged with actor, timestamp, and diff, and is exportable to your SIEM (Splunk, Datadog, Chronicle) or data lake. Compliance gets the evidence it needs without hunting through spreadsheets.
Scan your code. Exploit the findings.
Keygraph runs as a two-stage pipeline. Agentic static analysis maps the codebase, then autonomous pentest agents exploit the live application. Both stages feed one correlated, high-confidence finding set, with every entry backed by a reproducible proof-of-concept exploit.
Two-stage pipeline · agentic SAST → autonomous pentest.
See each capability in depth.
Built for security engineers who want signal, not noise.
Findings deduplicated across scanners. Drilldowns filtered by team. Every action audit-logged.
Canonical findings table
One vulnerability, one entry. Cross-scanner deduplication.
Security dashboard
Live KPIs and trend charts.
Severity drilldown
Filter by severity, source, repository, team.
Jira-linked findings
Bidirectional sync across the lifecycle.
From the CLI to your CI, end to end.
The same canonical findings power both the dashboard and the command line. Drive Keygraph from a developer workstation, an automation runner, or a pipeline step.
$ keygraph scan ./
Run a full scan from the CLI.
$ keygraph report --format sarif | tee findings.sarif
Generate a SARIF report and pipe it to your CI.
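A pipeline step has to do something with that SARIF file, typically fail the build when results at or above a chosen level are present. The gate below is an added example, not Keygraph's CLI or code: it relies only on the public SARIF 2.1.0 result shape (runs[].results[] with ruleId, level and locations[]), the report embedded in it is constructed for the example, and the script name and the threshold argument are assumptions rather than documented Keygraph options.

```python
import json
import sys
from collections import Counter

# SARIF 2.1.0 result levels, ordered by severity
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample report (not real Keygraph output), used when no file is given
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "user input concatenated into query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 7}}}]},
            # no explicit level: the SARIF spec defaults it to "warning"
            {"ruleId": "todo-comment",
             "message": {"text": "TODO left in production code"},
             "locations": []},
        ],
    }],
}


def result_level(result: dict) -> str:
    # SARIF: a result without an explicit level is treated as "warning"
    return result.get("level", "warning")


def first_location(result: dict) -> str:
    """uri:line of the first physical location, or '?' if the result has none."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri", "?")
        line = phys.get("region", {}).get("startLine", "?")
        return f"{uri}:{line}"
    return "?"


def summarize(sarif: dict) -> Counter:
    """Count results per level across all runs in the report."""
    counts = Counter()
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            counts[result_level(result)] += 1
    return counts


def violations(sarif: dict, fail_on: str = "error") -> list:
    """Results at or above the threshold level, rendered as one line each."""
    threshold = LEVEL_RANK[fail_on]
    found = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            level = result_level(result)
            # unknown level strings are treated as warnings rather than ignored
            if LEVEL_RANK.get(level, LEVEL_RANK["warning"]) >= threshold:
                rule = result.get("ruleId", "unknown")
                found.append(f"{level}: {rule} at {first_location(result)}")
    return found


def main(argv: list) -> int:
    # usage: sarif_gate.py [findings.sarif] [fail_on level]   (script name assumed)
    fail_on = argv[2] if len(argv) > 2 else "error"
    if fail_on not in LEVEL_RANK:
        print(f"unknown level {fail_on!r}; expected one of {sorted(LEVEL_RANK)}")
        return 2
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    for level, n in sorted(summarize(sarif).items(), key=lambda kv: -LEVEL_RANK[kv[0]]):
        print(f"{level:8s} {n}")
    bad = violations(sarif, fail_on)
    for line in bad:
        print(line)
    return 1 if bad else 0   # a non-zero exit code fails the pipeline step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Chained after the report command above (`keygraph report --format sarif | tee findings.sarif`, then `python sarif_gate.py findings.sarif warning`), the step fails on any warning-or-worse result while still printing the per-level summary for the job log. Deduplication is deliberately not done here: the report already carries one entry per canonical finding, so the gate only has to count and threshold.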
One vulnerability. One finding. No duplicates.
The deduplication layer that sits above every scanner. Findings from SAST, Secrets, SCA, and pentest agents pass through a two-stage pipeline that collapses them into a single canonical entry per unique vulnerability per repository. Teams triage once, track once, and remediate once.
Content-based hashing.
Each finding gets a stable content fingerprint built from rule, file path, function signature, code scope, and organization context. Whitespace normalization ensures code formatting changes don’t create false duplicates. Matches resolve in milliseconds with no LLM call required.
LLM semantic fallback.
On a hash miss, candidates are pre-filtered by rule, file path, repository, and function signature, then passed to an LLM for semantic comparison. If the comparison clears the confidence bar, the canonical entry is updated. If not, a new canonical is created. The system is biased toward caution: when in doubt, it creates a new canonical rather than suppressing a genuine finding.
The same vulnerability found by multiple scanners becomes one canonical finding with multiple observations. A SAST finding and a pentest exploit describing the same root cause link into a single entry, with found_by_scan_types tracking every scanner that detected it. Multi-scanner observation is a strong signal of real risk.
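The two matching stages described above, as an added example rather than Keygraph's own implementation. Stage 1 fingerprints (rule, file path, function signature, whitespace-normalised code scope, organisation and repository) with SHA-256; stage 2 runs only on a hash miss, narrows candidates to the same rule/path/repository/signature, and compares scopes. The `Finding` and `Canonical` shapes, the 0.9 confidence bar, and the token-overlap comparator standing in for the LLM call are assumptions made for the example; the decision logic is what the text describes, including the conservative default and the merging of scanner observations into `found_by_scan_types`.

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Finding:              # assumed shape of one scanner observation
    org: str
    repo: str
    rule: str
    path: str
    signature: str          # e.g. "get_user(uid)"
    scope: str              # source text of the flagged function or block
    scanner: str            # "sast", "secrets", "sca", "pentest", ...


@dataclass
class Canonical:
    fingerprint: str
    finding: Finding
    found_by_scan_types: set = field(default_factory=set)


def normalize(code: str) -> str:
    """Whitespace normalisation: reformatting must not change the fingerprint."""
    code = re.sub(r"\s+", " ", code).strip()
    # drop whitespace around punctuation so re-indentation and line wrapping are neutral
    return re.sub(r"\s*([^\w\s])\s*", r"\1", code)


def fingerprint(f: Finding) -> str:
    parts = [f.org, f.repo, f.rule, f.path, f.signature, normalize(f.scope)]
    # length-prefix each part so that shifting a separator cannot produce a collision
    raw = "".join(f"{len(p)}:{p}" for p in parts)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def token_overlap(a: str, b: str) -> float:
    """Stand-in for the LLM comparator (assumption): Jaccard overlap of word tokens."""
    ta = set(re.findall(r"\w+", normalize(a)))
    tb = set(re.findall(r"\w+", normalize(b)))
    return len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0


def _prefilter_key(f: Finding) -> tuple:
    return (f.org, f.repo, f.rule, f.path, f.signature)


class Deduper:
    CONFIDENCE_BAR = 0.9    # assumed threshold for a semantic match

    def __init__(self, compare=token_overlap):
        self.canonicals: dict = {}      # fingerprint -> Canonical (aliases allowed)
        self.compare = compare

    def ingest(self, f: Finding) -> tuple:
        fp = fingerprint(f)
        hit = self.canonicals.get(fp)
        if hit is not None:                         # stage 1: exact match, no LLM call
            hit.found_by_scan_types.add(f.scanner)
            return hit, "hash"
        # stage 2: pre-filter, then semantic comparison against each candidate
        key = _prefilter_key(f)
        seen, best, best_score = set(), None, 0.0
        for c in self.canonicals.values():
            if id(c) in seen or _prefilter_key(c.finding) != key:
                continue
            seen.add(id(c))
            score = self.compare(c.finding.scope, f.scope)
            if score > best_score:
                best, best_score = c, score
        if best is not None and best_score >= self.CONFIDENCE_BAR:
            best.found_by_scan_types.add(f.scanner)
            best.finding = f                 # canonical now reflects the latest observation
            self.canonicals[fp] = best       # roll the hash forward; the old key stays as an alias
            return best, "semantic"
        # conservative default: when in doubt, open a new canonical rather than suppress
        new = Canonical(fp, f, {f.scanner})
        self.canonicals[fp] = new
        return new, "new"
```

Run against a SAST observation, the same code re-indented, a pentest observation of the same sink with an extra pair of parentheses, and a different query on the same function: the first three collapse into one canonical carrying both scanner types (hash hit, then semantic hit), while the fourth scores below the bar and becomes its own entry.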
Every canonical gets a unique ID (e.g., KG-000042) for reference across tools and teams.
Assignment, risk acceptance decisions, and resolution status survive code refactors. When surrounding, non-flagged code changes, the fingerprint rolls forward to the new code rather than spawning a duplicate finding.
If a resolved finding reappears in a subsequent scan, it automatically reopens.
Temporarily accept known risks with an expiration date. Findings auto-reopen when the acceptance expires.
Every status transition is appended to finding_status_history with timestamp and author.
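The lifecycle rules in the last four paragraphs, as an added example and not Keygraph's code: a resolved finding that is seen again reopens, a risk acceptance carries an expiry date and the finding reopens when that date passes, and every transition is appended to a history with timestamp and author. The status names, the "system" actor used for automatic transitions, and the record layout are assumptions; what an open finding that is not seen in a scan should do is not stated on the page and is left to triage here.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

OPEN, RESOLVED, ACCEPTED = "open", "resolved", "risk_accepted"   # assumed status names


@dataclass
class StatusChange:          # one append-only history row (assumed layout)
    at: date
    author: str
    old: str
    new: str
    reason: str


@dataclass
class CanonicalFinding:
    id: str                                  # e.g. "KG-000042"
    status: str = OPEN
    assignee: Optional[str] = None
    accepted_until: Optional[date] = None
    history: list = field(default_factory=list)

    def _transition(self, new: str, author: str, at: date, reason: str) -> None:
        if new == self.status:
            return
        # history is append-only: rows are never edited or removed
        self.history.append(StatusChange(at, author, self.status, new, reason))
        self.status = new

    def resolve(self, author: str, at: date, reason: str = "fixed") -> None:
        self.accepted_until = None
        self._transition(RESOLVED, author, at, reason)

    def accept_risk(self, author: str, at: date, until: date, reason: str) -> None:
        """Temporary acceptance: must carry an expiry in the future."""
        if until <= at:
            raise ValueError("risk acceptance must expire after the acceptance date")
        self.accepted_until = until
        self._transition(ACCEPTED, author, at, reason)

    def on_scan(self, seen: bool, at: date) -> None:
        """Apply one scan result to this finding."""
        # an expired acceptance lapses back to open regardless of the scan result
        if self.status == ACCEPTED and self.accepted_until and at >= self.accepted_until:
            self.accepted_until = None
            self._transition(OPEN, "system", at, "risk acceptance expired")
        # a resolved finding that reappears is reopened automatically
        if seen and self.status == RESOLVED:
            self._transition(OPEN, "system", at, "reappeared in scan")
```

Assignment is untouched by any of these transitions, so the owner set during the first triage is still attached when the finding reopens months later, and the history rows give an auditor the full sequence with who changed what and when.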
Real-time and historical security posture at a glance.
The Security Dashboard gives security teams and engineering leadership a continuous view of application security health. Live KPI cards show current exposure; trend charts reveal whether the team is getting ahead of vulnerabilities or falling behind.
Risk trend.
Open findings over time by severity. Shows whether the overall risk posture is improving.
Velocity chart.
New findings discovered per day vs. findings resolved per day. Shows whether remediation pace outruns discovery.
SLA compliance.
Percentage of open findings meeting remediation deadline over time.
MTTR trend.
Whether the team is getting faster or slower at remediation.
- Top repositories by finding count with severity breakdown
- Team and boundary views (scoped by service boundary or ownership)
- Filtering by severity, status, resolution type, repository, team, scan source, ecosystem, assignee
Trend data is backed by daily snapshots that record end-of-day counts for every severity, status, and resolution category. Historical reporting stays accurate even as findings are triaged and resolved. The record of what was open on a given day is preserved permanently for compliance and audit purposes.
Findings and tickets stay in sync, automatically.
Bidirectional sync between canonical findings and Jira issues. Create a ticket from any finding in one click. Keygraph polls Jira for status changes and pushes resolutions and reopens back as findings move through triage.
- One-click ticket creation from any canonical finding.
- 15-minute polling keeps dashboard status current without manual refresh.
- Automatic resolution push transitions linked tickets.
- Automatic reopen push when findings resurface.
- Out-of-sync detection catches divergent states.
- Broken link handling for deleted tickets.
- Integration health monitoring in the UI.
Meets the frameworks that mandate pentesting.
Every scan produces a signed, timestamped, exportable report with working proof-of-concept exploits: the evidence your auditor actually wants, without the six-week engagement cycle.
Regular pentesting of systems handling ePHI is now mandated.
Internal and external pentests annually and after significant change.
Annual third-party pentests for every authorized system.
Vulnerability management and ongoing technical review.
We don’t report what might be vulnerable. We prove what is.
See Keygraph running in your VPC, on-prem, or air-gapped environment, on a call with our engineering team.