Hi HN – I'm Valentin (https://www.linkedin.com/in/cvalentinb/), founder of Kadag Security (https://kadagsecurity.com/), a new kind of application security testing platform. Kadag Security runs your app in an instrumented environment full of AI agents that test it like a security engineer would.
Kadag Security clones your repo, builds your app using `docker compose`, adds security instrumentation and runs the app in a sandboxed environment. From there, our agents explore and attack the app by:
- analyzing the codebase
- interacting with the application using a web browser or by running scripts
- having access to runtime instrumentation (like queries executed, spawned processes, file accesses) to guide deep testing and generate or refine real attack chains
The key difference: every vulnerability we report comes from a real, executed attack. We don't rely on static analysis, regex patterns, or signature matching. If a finding exists, it's because an agent actually found a way to exploit it inside the running app. Also, because we run your app in a testing environment, our agents can try any destructive action.
Right now we're in private beta and running a live demo on a Django app ("DjanGoat") to show how this works in practice. You can walk through the findings, see how the agent navigated the app, and what it exploited.
We're looking for early adopters — especially developers building web apps or APIs — who want better, automated security testing before pushing to production. If that sounds interesting, contact us or just say hi here. Would love to hear thoughts, feedback or ideas from the HN community.
valentin_k•6mo ago
Kadag Security clones your repo, builds your app using `docker compose`, adds security instrumentation and runs the app in a sandboxed environment. From there, our agents explore and attack the app by: - analyzing the codebase - interacting with the application using a web browser or by running scripts - having access to runtime instrumentation (like queries executed, spawned processes, file accesses) to guide deep testing and generate or refine real attack chains
The key difference: every vulnerability we report comes from a real, executed attack. We don't rely on static analysis, regex patterns, or signature matching. If a finding exists, it's because an agent actually found a way to exploit it inside the running app. Also, because we run your app in a testing environment, our agents can try any destructive action.
Right now we're in private beta and running a live demo on a Django app ("DjanGoat") to show how this works in practice. You can walk through the findings, see how the agent navigated the app, and what it exploited.
We're looking for early adopters — especially developers building web apps or APIs — who want better, automated security testing before pushing to production. If that sounds interesting, contact us or just say hi here. Would love to hear thoughts, feedback or ideas from the HN community.