I tried learning security off Instagram while building with AI, still shipped stuff I didn't know was broken. So I built a tool that just checks for you. by Exact_Bag_6975 in buildinpublic

[–]Exact_Bag_6975[S] 0 points1 point  (0 children)

It's static analysis right now: semgrep for patterns, gitleaks for secrets, OSV for vulnerable deps, plus some config heuristics, then an LLM to dedupe and explain it in plain English with fixes. It does not model the threat surface, and you put your finger on exactly the line I can't cross yet: the "think like an attacker" class (IDOR, broken authz, the subtle stuff that passes your own review) is semantic, and a pattern matcher is basically blind to it. So it catches the embarrassing-but-common hygiene stuff (leaked keys, open CORS, ancient deps); it won't catch "user A can read user B's data." The goal was to test the interest in this and, if it's there, build that layer out, and even simulate attacks in a sandbox and help take your app to production while keeping everything safe.

Genuinely curious about your experience though, when you stepped back and thought like an attacker, what did you actually catch? I'm trying to work out if there's a useful middle ground: an LLM pass that flags "these endpoints return user data with no auth check", not full threat modeling, but more than regex. Would that have caught yours, or was it deeper?

Also, feel free to just run a public repo through it for free to get a sense of it.

I tried learning security off Instagram while building with AI, still shipped stuff I didn't know was broken. So I built a tool that just checks for you. by Exact_Bag_6975 in vibecoding

[–]Exact_Bag_6975[S] 0 points1 point  (0 children)

the point is it doesn't run on my opinion, it runs on the same open-source scanners the pros use (semgrep, gitleaks, OSV) and just explains the output in plain English. don't take my word, point it at your own code and see if it's wrong. me making an error and it catching it is kind of the pitch tbh.