Agentic pentesting that runs in your environment, on your terms. Static analysis paired with autonomous exploitation. Near-zero false positives, working proof-of-concept exploits on every finding.
SaaS-only pentesting is a non-starter when your code is regulated. Keygraph runs inside your perimeter with the controls your security, legal, and compliance teams already require.
Deploys into your VPC, on-prem, or air-gapped infrastructure. Code never leaves your perimeter. BYO LLM keys: Anthropic, OpenAI, AWS Bedrock, Azure OpenAI, or your own self-hosted model. The model endpoint is the one outbound path you choose yourself: a hosted API receives whatever code the agents send it, so an air-gapped deployment pairs with a self-hosted model.
SSO via SAML 2.0 or OIDC, plus SCIM provisioning. Okta, Microsoft Entra ID, Auth0, OneLogin, or any standards-compliant IdP. Role-based access with scoped scan permissions: control exactly who can launch scans, view findings, and export reports, per repository and per team.
Native connectors for GitHub, GitLab, Bitbucket, Azure DevOps, Jira, Slack, Microsoft Teams, and the major cloud providers (AWS, GCP, Azure). Plus a REST + webhook API for everything else, no ticket-driven glue code required.
Every scan, finding, and action is logged with actor, timestamp, and diff, and is exportable to your SIEM (Splunk, Datadog, Chronicle) or data lake. Compliance gets the evidence it needs without hunting through spreadsheets.
Keygraph runs as a two-stage pipeline. Agentic static analysis maps the codebase, then autonomous pentest agents exploit the live application. Both stages feed one correlated, high-confidence finding set, with every entry backed by a reproducible proof-of-concept exploit.
Two-stage pipeline · agentic SAST → autonomous pentest.
Findings deduplicated across scanners. Drilldowns filtered by team. Every action audit-logged.
Canonical findings table
One vulnerability, one entry. Cross-scanner deduplication.
Security dashboard
Live KPIs and trend charts.
Severity drilldown
Filter by severity, source, repository, team.
Jira-linked findings
Bidirectional sync across the lifecycle.
The same canonical findings power both the dashboard and the command line. Drive Keygraph from a developer workstation, an automation runner, or a pipeline step.
$ keygraph scan ./
Run a full scan from the CLI.
$ keygraph report --format sarif | tee findings.sarif
Generate a SARIF report and pipe it to your CI.
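An added example of the CI side of that pipe, not part of Keygraph or of this page: a Python gate that reads the SARIF document from stdin, tallies results by SARIF level, and fails the job when anything at or above a chosen level is present. The SARIF document embedded below is constructed sample data (not real Keygraph output), and the script name sarif_gate.py in the usage line is an assumption.

```python
import json
import sys
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for `keygraph report --format sarif`
# output; it is sample data, not real Keygraph output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "sqli-string-concat", "level": "error",
             "message": {"text": "SQL injection in get_user"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/users.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"}, "region": {"startLine": 17}}}]},
            # No "level" and no location: SARIF 2.1.0 defaults the level to "warning".
            {"ruleId": "todo-comment", "message": {"text": "TODO left in code"}},
        ],
    }],
})

SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}  # SARIF result levels

def load_results(sarif_text: str) -> list:
    """Flatten every run into (level, ruleId, uri, startLine) tuples."""
    rows = []
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<no-location>")
            rows.append((r.get("level", "warning"), r.get("ruleId", "<no-rule>"),
                         uri, loc.get("region", {}).get("startLine")))
    return rows

def gate(sarif_text: str, fail_on: str = "error") -> tuple:
    """Return (counts by level, should_fail). fail_on is the lowest level that blocks."""
    counts = Counter(level for level, _rule, _uri, _line in load_results(sarif_text))
    blocking = sum(n for level, n in counts.items()
                   if SEVERITY_RANK.get(level, 0) >= SEVERITY_RANK[fail_on])
    return counts, blocking > 0

if __name__ == "__main__":
    # Read the report from the pipe; fall back to the embedded sample when run interactively.
    text = (sys.stdin.read() if not sys.stdin.isatty() else "") or SAMPLE_SARIF
    for level, rule, uri, line in load_results(text):
        print(f"{level:8} {rule:24} {uri}:{line}")
    counts, failed = gate(text, fail_on="error")
    print(dict(counts), "FAIL" if failed else "PASS")
    sys.exit(1 if failed else 0)
```

Wired into a pipeline step as `keygraph report --format sarif | python sarif_gate.py`, the job exits non-zero on any error-level result; pass `fail_on="warning"` in `gate` to block on warnings too. Results that omit `level` are counted as warnings, which is the SARIF 2.1.0 default, so a scanner that never sets the field cannot silently pass the gate.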
Canonical findings are the deduplication layer that sits above every scanner. Findings from SAST, Secrets, SCA, IaC, Container, and pentest agents pass through a two-stage pipeline that collapses them into a single canonical entry per unique vulnerability per repository. Teams triage once, track once, and remediate once.
Each finding gets a stable content fingerprint built from rule, file path, function signature, code scope, and organization context. Whitespace normalization ensures code formatting changes don’t create false duplicates. Matches resolve in milliseconds with no LLM call required.
On a hash miss, candidates are pre-filtered by rule, file path, repository, and function signature, then passed to an LLM for semantic comparison. If the comparison clears the confidence bar, the canonical entry is updated. If not, a new canonical is created. The system errs on the conservative side: when in doubt, a new canonical is created rather than suppressing a genuine finding.
The same vulnerability found by multiple scanners becomes one canonical finding with multiple observations. A SAST finding and a pentest exploit describing the same root cause link into a single entry, with found_by_scan_types tracking every scanner that detected it. Multi-scanner observation is a strong signal of real risk.
Every canonical gets a unique ID (e.g., KG-000042) for reference across tools and teams.
Assignment, risk acceptance decisions, and resolution status survive code refactors. The hash rolls forward when non-flagged code changes.
If a resolved finding reappears in a subsequent scan, it automatically reopens.
Temporarily accept known risks with an expiration date. Findings auto-reopen when the acceptance expires.
Every status transition is appended to finding_status_history with timestamp and author.
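The two-stage matching, the multi-scanner merge, and the reopen and status-history behaviour described above, as an added illustration in Python. This is not Keygraph's code: the field names, the 0.8 confidence bar, and the token-overlap comparator are stand-ins for the real fingerprint fields and the LLM comparison, and the four observations at the bottom are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass, field

CONFIDENCE_BAR = 0.8  # assumed; the page states neither the bar nor the comparator

@dataclass(frozen=True)
class Observation:  # one scanner's sighting of a vulnerability (field names are assumptions)
    scan_type: str    # "sast", "pentest", "sca", ...
    rule: str
    repo: str
    file_path: str
    function_sig: str
    code_scope: str   # the flagged source lines
    org: str = "example-org"

@dataclass
class Canonical:
    id: str
    fingerprint: str
    observations: list = field(default_factory=list)
    found_by_scan_types: set = field(default_factory=set)
    status: str = "open"
    status_history: list = field(default_factory=list)  # (status, author) pairs

def normalize_code(scope: str) -> str:
    return re.sub(r"\s+", "", scope)  # formatter-only changes must not move the hash

def fingerprint(o: Observation) -> str:
    # Stage 1 key: rule, repo, path, function signature, normalized scope, org context.
    parts = [o.rule, o.repo, o.file_path, o.function_sig, normalize_code(o.code_scope), o.org]
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()

def prefilter_key(o: Observation) -> tuple:
    return (o.rule, o.repo, o.file_path, o.function_sig)

def token_jaccard(a: str, b: str) -> float:
    # Stand-in for the LLM semantic comparison: Jaccard overlap of identifier tokens.
    ta, tb = set(re.findall(r"\w+", a.lower())), set(re.findall(r"\w+", b.lower()))
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

class Deduplicator:
    def __init__(self, compare=token_jaccard, bar=CONFIDENCE_BAR):
        self.canonicals: dict[str, Canonical] = {}  # "KG-000001" -> canonical
        self.by_fp: dict[str, str] = {}             # fingerprint -> canonical id
        self.compare, self.bar = compare, bar

    def transition(self, cid: str, status: str, author: str) -> None:
        c = self.canonicals[cid]
        c.status = status
        c.status_history.append((status, author))  # append-only, like finding_status_history

    def _attach(self, cid: str, o: Observation) -> str:
        c = self.canonicals[cid]
        c.observations.append(o)
        c.found_by_scan_types.add(o.scan_type)
        if c.status == "resolved":  # a resolved finding that reappears auto-reopens
            self.transition(cid, "open", "system")
        return cid

    def ingest(self, o: Observation) -> str:
        fp = fingerprint(o)
        if fp in self.by_fp:  # stage 1: exact hash hit, no semantic comparison needed
            return self._attach(self.by_fp[fp], o)
        # Stage 2: pre-filter, then score each candidate's latest observation semantically.
        scored = [(self.compare(o.code_scope, c.observations[-1].code_scope), c.id)
                  for c in self.canonicals.values()
                  if prefilter_key(c.observations[-1]) == prefilter_key(o)]
        if scored and max(scored)[0] >= self.bar:
            cid = max(scored)[1]
            self.canonicals[cid].fingerprint = fp  # hash rolls forward to the new code
            self.by_fp[fp] = cid
            return self._attach(cid, o)
        cid = f"KG-{len(self.canonicals) + 1:06d}"  # when in doubt, open a new canonical
        self.canonicals[cid] = Canonical(id=cid, fingerprint=fp)
        self.by_fp[fp] = cid
        self.transition(cid, "open", "system")
        return self._attach(cid, o)

def sample(scan_type: str, scope: str) -> Observation:  # constructed data, not scan output
    return Observation(scan_type, "sqli-string-concat", "acme/shop", "app/users.py",
                       "get_user(name)", scope)

SAST_HIT = sample("sast", 'cursor.execute("SELECT * FROM users WHERE name = \'" + name + "\'")')
# The same lines reflowed by a formatter, reported by the pentest agent.
PENTEST_HIT = sample("pentest", 'cursor.execute(\n    "SELECT * FROM users WHERE name = \'"\n'
                                '    + name + "\'"\n)')
# A variable renamed in a refactor: the hash misses but the semantics match.
REFACTORED = sample("sast", 'cursor.execute("SELECT * FROM users WHERE name = \'" + username + "\'")')
# A second injection point in the same function: must remain a separate canonical.
OTHER_SINK = sample("sast", 'cursor.execute("DELETE FROM sessions WHERE token = \'" + token + "\'")')

def demo() -> Deduplicator:
    d = Deduplicator()
    d.ingest(SAST_HIT)
    d.ingest(PENTEST_HIT)  # stage 1 hit: one canonical, found_by_scan_types = {sast, pentest}
    d.transition("KG-000001", "resolved", "alice")
    d.ingest(REFACTORED)   # stage 2 match: hash rolls forward and the finding reopens
    d.ingest(OTHER_SINK)   # below the bar: becomes KG-000002
    return d
```

Two design points carry over from the description above. Stage one is a pure hash lookup, so the comparator never runs for the common case of a finding seen again unchanged or merely reformatted. Stage two only ever compares against candidates that survived the pre-filter, and a miss there opens a new canonical rather than merging, so a weak comparator costs duplicates, never suppressed findings.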
The Security Dashboard gives security teams and engineering leadership a continuous view of application security health. Live KPI cards show current exposure; trend charts reveal whether the team is getting ahead of vulnerabilities or falling behind.
Open findings over time by severity. Shows whether the overall risk posture is improving.
New findings discovered per day vs. findings resolved per day. Shows whether remediation pace outruns discovery.
Percentage of open findings meeting remediation deadline over time.
Whether the team is getting faster or slower at remediation.
Trend data is backed by daily snapshots that record end-of-day counts for every severity, status, and resolution category. Historical reporting stays accurate even as findings are triaged and resolved. The record of what was open on a given day is preserved permanently for compliance and audit purposes.
Bidirectional sync between canonical findings and Jira issues. Create a ticket from any finding in one click. Keygraph polls Jira for status changes and pushes resolutions and reopens back as findings move through triage.
Every scan produces a signed, timestamped, exportable report with working proof-of-concept exploits, the evidence your auditor actually wants, without the six-week engagement cycle.
Regular pentesting of systems handling ePHI is now mandated.
Internal and external pentests annually and after significant change.
Annual third-party pentests for every authorized system.
Vulnerability management and ongoing technical review.
See Keygraph running in your VPC, on-prem, or air-gapped environment, on a call with our engineering team.