Stop shipping hackable code
Would your app pass a security scan?
See the full report with fix suggestions →
Detection numbers are from the live public benchmark, rerun on every commit.
How it works
Three ways to scan your code — or connect the MCP server so Claude, Cursor, or Windsurf can scan for you.
Upload your code
Drag and drop your project files or paste a GitHub URL. No signup needed.
Wait a few seconds
Our scanner runs 210 rules across your entire codebase.
Get your report
See your security grade, findings, and fix suggestions in plain English.
No credit card. No signup. 5 free scans per day.
Try it now
Paste code or upload a file — no signup required. Scanned with 30 free rules.
🔒 Scanned in memory, never stored. Prefer fully local? The CLI never sends your code anywhere: npx xploitscan scan .
Security scanning that speaks your language
Catch the vulnerabilities that AI coding tools miss — in seconds, not hours.
210 Security Rules
Purpose-built for AI-generated code. 210 rules across secrets, injection (SQL, XSS, NoSQL, SSRF), auth, crypto, Docker, Kubernetes, CI/CD, IAM, Electron, mobile, and more.
Plain-English Results
Every vulnerability explained in plain English with copy-paste fix suggestions. No security expertise required.
One Command
npx xploitscan scan . — no config, no setup, no account required. Works with any JS/TS/Python project out of the box.
Every PR Scanned Automatically
Install the GitHub App once and every pull request gets a Check Run with inline review comments — no workflow file or config. Prefer CI? The GitHub Action ships SARIF to the Security tab and can block PRs with critical findings.
Compliance Mapping
Every finding mapped to SOC2, ISO 27001, OWASP Top 10, and CWE. Export compliance reports for audits. Enterprise-ready out of the box.
No Security Background Needed
No security jargon. Instead of "IDOR vulnerability via insecure direct object reference", we say "anyone can access other users' data by changing the ID in the URL."
Compliance Ready
Every finding mapped to real compliance controls
XploitScan maps all 210 rules to SOC2 Trust Service Criteria, ISO 27001 Annex A controls, OWASP Top 10, and CWE — so you can see exactly how your code measures up.
Simple pricing
Start free. Upgrade when you need more.
The 30 free rules catch the basics — hardcoded secrets, SQL injection, XSS. The other 180 Pro rules catch what actually gets apps breached: command injection, XXE, SSTI, mass assignment, IDOR, GraphQL abuse, AI/LLM prompt-injection patterns, and 50+ vendor API-key detectors. Browse all 210 →
Free
No credit card required
- 5 scans per day
- 30 core security rules
- Terminal + JSON + SARIF
- .xploitscanrc config
npx xploitscan scan .
Indie
No trial — start on Free instead
- 500 scans per month
- All 210 security rules
- Scan history dashboard
- GitHub Action (all rules)
- CLI + web + MCP server
Pro
7-day free trial
- Unlimited scans
- All 210 security rules
- PDF security reports
- SOC2/ISO27001 mapping
- Slack/Discord webhooks
- AI false-positive filter
- Public security badge
- Priority support
Team
5 seats included, +$15/seat
- Everything in Pro
- 5 team seats included
- Shared scan history
- Role-based access (RBAC)
- Portfolio security reports
- Centralized billing
Feature comparison
Latest from the blog
Real vulnerabilities, fixes, and post-mortems for AI-generated code.
Your NEXT_PUBLIC_ Env Var Is Shipping Your Secret Key to the Browser
The quietest secret leak in AI-generated Next.js apps: a NEXT_PUBLIC_ prefix on a key that should never reach the client. How to find it in 60 seconds and the one-rule fix.
June 11, 2026 · 6 min read
The $10,000 Stripe Webhook Bug Hiding in AI-Generated Code
A walkthrough of the Stripe webhook vulnerability that AI coding tools ship by default — and the 4 lines of code that fix it.
April 7, 2026 · 7 min read
I Scanned a Typical AI-Generated SaaS App. It Had 53 Vulnerabilities.
Hardcoded secrets, SQL injection, unprotected webhooks — what AI coding tools get wrong, with real scan data.
April 5, 2026 · 8 min read
Frequently asked questions
Everything you need to know about XploitScan.
The CLI runs 100% locally — your code never leaves your machine. The web scanner sends files to our API only for the duration of the scan: they're processed in memory, scanned against our rules, and discarded immediately. We never write your source code to disk or a database. We only persist scan metadata (grade, score, finding counts, file paths) — never the file contents themselves.
JavaScript, TypeScript, Python, Ruby, Go, Rust, Java, PHP, Swift, Kotlin, C#, and 30+ more. We also scan config files: Dockerfile, docker-compose, Terraform, Kubernetes manifests, CI/CD workflows, .env files, and package manifests.
Traditional SAST tools are designed for hand-written enterprise code. They produce hundreds of irrelevant findings and require security expertise to interpret. XploitScan is purpose-built for AI-generated code — our 210 rules target the specific patterns that AI tools produce, and every finding is explained in plain English with a copy-paste fix.
Detection quality is public and measured continuously. Every commit runs against a labeled corpus of 200+ fixtures covering 25+ vulnerability classes, and the numbers are live at xploitscan.com/benchmark. Current: 100% precision (zero false positives on the corpus) and 98%+ recall. We also run Semgrep and Bearer against the same corpus for side-by-side comparison. The corpus, runners, and methodology are open-source at github.com/bgage72590/xploitscan — you can reproduce the scores locally. Tracked-but-not-yet-detected cases are shown openly on the page rather than hidden.
CLI scans run locally — your source code never leaves your machine. The only network calls are a dependency-vulnerability lookup (package names and versions, never code) and, if you're logged in, an upload of the findings report (rule IDs, file paths, line numbers, short snippets) to power your dashboard. Web scans are analyzed in memory and never stored — we keep scan results for your dashboard, never your source files.
Free plan: 5 scans per day with 30 core security rules. Indie plan ($9/mo): 500 scans per month with all 210 rules and scan history dashboard. Pro plan ($19/mo): unlimited scans with all 210 rules, plus PDF reports, SBOM generation, compliance mapping, webhook integrations, and AI false-positive filter. Team plan ($99/mo): everything in Pro plus 5 team seats, shared scan history, RBAC, and portfolio reports. Annual plans save 40%.
Yes! Use our official GitHub Action to scan on every PR. It outputs SARIF for the GitHub Security tab and can block merges when critical vulnerabilities are found. Run 'npx xploitscan scan . --format sarif' in any CI pipeline.
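To show what "block merges when critical vulnerabilities are found" amounts to in a CI step, here is an added example, written for this page and not XploitScan's own code: a small gate that reads a SARIF 2.1.0 log (the format the CLI's --format sarif emits), lists the findings, and returns a non-zero exit code when any result is at or above a chosen level. The level names error, warning and note are the standard SARIF values; the sample log below is constructed, and the assumption that a scanner reports critical findings as level "error" is an assumption, not something the page states.

```python
"""Added example (not XploitScan's code): a minimal CI gate over a SARIF
2.1.0 log. Fails the build when findings at or above a chosen level exist.
Assumption: the scanner maps its 'critical' severity to SARIF level 'error'."""
import json
import sys

# Rank the standard SARIF result levels so a threshold can be compared.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample SARIF log (not real scanner output) with two findings.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "hardcoded-secret", "level": "error",
             "message": {"text": "API key committed to source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.js"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "missing-security-headers", "level": "warning",
             "message": {"text": "No security headers middleware"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app.js"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def iter_results(sarif_text):
    """Yield (level, ruleId, uri, line, message) for every result in every run."""
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF's default when omitted
            locs = res.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
            line = phys.get("region", {}).get("startLine", 0)
            msg = res.get("message", {}).get("text", "")
            yield level, res.get("ruleId", "?"), uri, line, msg


def count_at_or_above(sarif_text, threshold="error"):
    """Count results whose level is at least `threshold`."""
    floor = LEVEL_RANK[threshold]
    return sum(1 for level, *_ in iter_results(sarif_text)
               if LEVEL_RANK.get(level, 0) >= floor)


def gate(sarif_text, threshold="error"):
    """Exit code a CI step should return: 1 to block the merge, 0 to pass."""
    return 1 if count_at_or_above(sarif_text, threshold) > 0 else 0


if __name__ == "__main__":
    # Usage: python gate.py results.sarif [error|warning|note]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SARIF
    threshold = sys.argv[2] if len(sys.argv) > 2 else "error"
    for level, rule, uri, line, msg in iter_results(text):
        print(f"[{level}] {rule} {uri}:{line} {msg}")
    sys.exit(gate(text, threshold))
```

In a pipeline this would run after `npx xploitscan scan . --format sarif > results.sarif`; the threshold argument lets a team start by blocking only on error-level findings and tighten later, and because the gate only reads the SARIF file it keeps the "source never leaves the runner" property of a local CLI scan.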
Most scans complete in under 5 seconds. Large projects (1000+ files) may take up to 30 seconds. The CLI is even faster since it runs locally without network overhead.
Yes — paste a public repo URL in the web scanner, or use the CLI locally for private repos: 'npx xploitscan scan /path/to/repo'. The CLI never uploads your code.
Yes — save 40% with annual billing. Indie is $5/mo ($59/year), Pro is $10/mo ($119/year), and Team is $59/mo ($699/year) when billed annually. You can switch between monthly and annual at any time from Settings → Billing. Changes are prorated immediately.
Yes — the Team plan ($99/mo) includes 5 seats with additional seats at $15/month each. The team owner manages billing, invites members by email, and assigns roles (Owner, Admin, Member, Viewer). Each role has different permissions — for example, Viewers can see reports but cannot run scans. Team members get full Pro features through the owner's subscription — no separate payment needed.
Yes — the referral program is available to Pro and Team subscribers (owners and admins only). Go to Settings → Referral to get your unique referral link. When someone signs up using your link and subscribes to a paid plan, you receive a credit equal to 1 free month of your current plan applied to your next invoice.
No — each account is eligible for one 7-day free trial. If you've previously had a trial or paid subscription (on any plan), new subscriptions will start billing immediately without a trial period. This applies whether you're switching from Pro to Team or vice versa.
Go to Settings → Billing → Manage Subscription. You can cancel, upgrade, or downgrade anytime. Cancellations keep your access until the end of your billing period. Plan changes take effect immediately with prorated billing. No cancellation fees.
Yes — every finding is mapped to SOC2 Trust Service Criteria, ISO 27001 Annex A controls, OWASP Top 10, and CWE. Visit the Compliance page to see your coverage across all controls. Note: compliance mappings are informational — they help you understand your security posture but are not a substitute for a formal compliance audit.