Perfai

Security that ships as a pull request.

Perfai is black-box application security for engineers. Point it at a staging URL or an OpenAPI spec and Perfai builds a typed model of your API, runs adaptive attacks, and opens a scoped pull request with the patch.

What Perfai catches

  • BOLA and IDOR across tenants and roles (CWE-639)
  • SSRF on outbound fetch, including metadata and link-local probes (CWE-918)
  • SQL, NoSQL, OS command, and template injection (CWE-89, CWE-943, CWE-77/CWE-78, CWE-1336)
  • Prompt injection, tool abuse, and system prompt leakage for LLM endpoints
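
What a cross-tenant BOLA probe of the kind listed above looks like in practice, as an added illustration (this is not Perfai's code and not a description of how its engine works). The in-memory API, the two tenants, their tokens and order ids, and the staging hostname in the repro string are all constructed here for the example. The vulnerable handler keys the lookup on the caller-supplied id alone (CWE-639); the fixed handler scopes the lookup to the authenticated tenant. The probe first confirms the owner can read the record, because a 404 for the attacker proves nothing if the id is simply wrong.

```python
"""Cross-tenant BOLA/IDOR probe against a constructed in-memory API."""
from dataclasses import dataclass

# Constructed sample data, not taken from any real system.
ORDERS = {
    "ord_1001": {"tenant": "tenant-a", "total": 42.00},
    "ord_2002": {"tenant": "tenant-b", "total": 99.50},
}
TOKENS = {"tok-a": "tenant-a", "tok-b": "tenant-b"}
STAGING = "https://staging.example"  # hypothetical host for the repro string


@dataclass
class Response:
    status: int
    body: dict


def authenticate(headers):
    """Map a bearer token to a tenant, or None if missing/unknown."""
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    return TOKENS.get(token)


def get_order_vulnerable(order_id, headers):
    """Authenticated, but the record lookup trusts the user-controlled id."""
    tenant = authenticate(headers)
    if tenant is None:
        return Response(401, {})
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404, {})
    return Response(200, order)


def get_order_fixed(order_id, headers):
    """Lookup scoped to the caller's tenant.

    A foreign id is indistinguishable from a missing one, so the endpoint
    also avoids confirming that the id exists.
    """
    tenant = authenticate(headers)
    if tenant is None:
        return Response(401, {})
    order = ORDERS.get(order_id)
    if order is None or order["tenant"] != tenant:
        return Response(404, {})
    return Response(200, order)


def probe_bola(handler, victim_id, attacker_token, victim_token):
    """Return a finding dict if `handler` serves victim_id to attacker_token.

    Step 1 (baseline): the legitimate owner must get 200, otherwise any
    later 404 is meaningless.  Step 2: replay the same id with the
    attacker's credentials and compare bodies, not just status codes.
    """
    owner = handler(victim_id, {"Authorization": f"Bearer {victim_token}"})
    if owner.status != 200:
        return {"finding": None, "reason": "baseline read failed"}
    cross = handler(victim_id, {"Authorization": f"Bearer {attacker_token}"})
    if cross.status == 200 and cross.body == owner.body:
        return {
            "finding": "BOLA",
            "cwe": "CWE-639",
            "id": victim_id,
            "repro": (f"curl -H 'Authorization: Bearer {attacker_token}' "
                      f"{STAGING}/orders/{victim_id}"),
        }
    return {"finding": None, "reason": f"cross-tenant request got {cross.status}"}


if __name__ == "__main__":
    print(probe_bola(get_order_vulnerable, "ord_2002", "tok-a", "tok-b"))
    print(probe_bola(get_order_fixed, "ord_2002", "tok-a", "tok-b"))
```

The body comparison matters: some APIs return 200 with an empty or redacted object for foreign ids, which a status-only check would misreport as a finding. Running the same probe against the patched handler is the re-test step a fix pipeline needs before it can mark a finding resolved.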

How it fits your workflow

  1. Drop the Perfai action into GitHub Actions, GitLab CI, CircleCI, or Jenkins.
  2. Gate pull requests on severity. Every HIGH ships with a working curl repro.
  3. Fix Agent opens a scoped PR and re-tests the patch before marking the finding resolved.

Talk to an engineer · See pricing