Autonomous offensive security at machine speed.
Submit a target. A fleet of AI agents performs recon, finds bugs, validates exploits in a sandbox, and writes you an audit-ready report. Validated findings only. No false positives.
Built to ship signal.
Validators reject anything they can't reproduce.
Quick profile against a typical web app.
Median engagement: $20-60K. Mara starts at $499/mo.
Schedule weekly scans; diff against last run.
From target to validated finding in minutes.
Submit a target
Domain, IP range, or repo. Verify ownership via DNS TXT or .well-known token. No verify, no scan.
Agents explore
Recon, crawler, and hypothesis agents map the attack surface and propose vulnerability candidates.
Validate exploit
Exploit agent crafts adaptive payloads; the validator runs a deterministic PoC. Only confirmed bugs surface.
Get an audit-ready report
Markdown + PDF, every finding has request/response evidence and reproducible repro script.
Six phases. Audit-ready output.
The agent fleet runs a deterministic pipeline. The orchestrator decides which worker spawns next; the validator decides whether a finding ever surfaces.
- 01 Recon: Subdomain enumeration (subfinder + crt.sh), HTTP probing (httpx), tech fingerprinting, port discovery (naabu). Output: live hosts + tech matrix.
- 02 Crawl: Headless-browser spider (Playwright). Pulls SPA routes, parameters, GraphQL operations, JS endpoint hints. Discovers what the user-flow actually does.
- 03 Hypothesize: Per endpoint × parameter, the hypothesis agent proposes vulnerability candidates with payload strategies. Cites pattern + plausibility evidence.
- 04 Exploit: Adaptive payloads: send, observe, mutate, retry (max 5 attempts/hypothesis). Stops on the destructive denylist. Output: candidate request/response pair.
- 05 Validate: Deterministic Python — no LLM. Class-specific PoC: alert intercept for XSS, time delta for blind SQLi, OOB callback for SSRF, account replay for IDOR.
- 06 Report: Markdown + CVSS + remediation. Auto-rendered to PDF. Each finding ships with a reproducible script you can paste into a terminal.
A fleet, not a chatbot.
A long-lived orchestrator (Claude Opus 4.7) plans the attack and dispatches short-lived worker agents (Haiku 4.5). Workers exchange findings over a Redis stream; every tool call is scope-checked and audit-logged.
Recon
Subdomain enumeration, port and service discovery, tech fingerprinting.
Crawler
Headless-browser spider — endpoints, parameters, JS routes, GraphQL ops.
Hypothesis
Given context, proposes vulnerability hypotheses and payload strategies.
Exploit
Adaptive payloads: observes response, mutates, retries — never destructive.
Validator
Deterministic PoC runner. Only validated findings ever leave the sandbox.
Reporter
Audit-grade markdown + CVSS scoring + remediation, ready for your tracker.
Audit-grade by default.
Reflected XSS on /#/search (DOM sink)
The q query parameter is reflected into the DOM via the search component without escaping. Any HTML fragment is rendered as-is, allowing arbitrary script execution in the victim's browser.
Reproducible PoC
```bash
# repro.sh — emitted with every finding
curl -s 'https://juice-shop/#/search?q=<iframe%20src=javascript:alert(1)>' \
  | grep -F '<iframe src=javascript:alert(1)>' && echo "[+] reflected"
```
Remediation
- HTML-escape `q` before injection into the DOM (use textContent, not innerHTML).
- Set a strict CSP: `script-src 'self'`.
- Add a `lit-html`/Angular sanitizer at the search component boundary.
Validators are the difference.
Static and DAST scanners are graded on coverage; consultants on judgement. Mara combines reasoning agents with deterministic validators to give you both — at machine cadence.
| Capability | Mara | DAST scanner | Manual pen-test |
|---|---|---|---|
| Validated PoC for every finding | | | |
| Adaptive payloads (mutate on failure) | | | |
| Out-of-band callback validation (SSRF) | | | |
| Headless-browser DOM-XSS validation | | | |
| Scope-verified egress at network layer | | | |
| Append-only audit log of every action | | | |
| Coverage scales with budget, not staff | | | |
| Reasoning surfaces unknown classes | | | |
| Time-to-first-finding < 10 min | | | |
| Fits in a CI/CD pipeline | | | |
Capabilities reflect typical commercial DAST and median manual engagement. Specific tools and consultants may differ.
OWASP Top 10 and beyond.
Where Mara earns its keep.
Continuous AppSec
Wire Mara into your release pipeline. Every PR that touches a route triggers a scoped scan. Block merges on validated criticals.
- GitHub / GitLab CI
- Block on severity ≥ HIGH
- Auto-comment PR with PoC
Pre-launch hardening
Run a deep scan against a staging environment two weeks before launch. Reporter delivers an audit-ready PDF for the security committee.
- Staging-only with verified scope
- Deep profile (≤4h)
- PDF + JSON exports
Acquisition due-diligence
Scope-verify each acquired property. Mara runs a one-off deep scan to surface what you're inheriting. Single-tenant deployment available.
- Single-tenant cloud
- Customer-managed KMS
- Read-only by default
Bug-bounty triage
Reports come in. Mara replays the candidate against a sandbox, runs the matching validator, and tells you in seconds whether it's exploitable.
- Replay from H1/Bugcrowd JSON
- Sub-minute validation
- Slack handoff to triage
Move fast — within bounds.
Hard scope enforcement
Every outbound request is checked against a verified allowlist. Out-of-scope traffic is dropped at the egress layer.
Append-only audit log
Every prompt, tool call, and response is recorded. Auditable, exportable, immutable.
Just-in-time policy
policy_check(action, context) gates every tool invocation. Destructive paths are pre-flighted.
SOC 2 / ISO 27001 ready
Single-tenant deployment available. Customer-managed encryption keys, regional residency.
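The scope allowlist, audit log and `policy_check(action, context)` gate described in this section, sketched as an added example; this is not Mara's code. The `ScanContext` fields, the denylist of HTTP methods, the subdomain-matching rule and the sample hosts are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed denylist for illustration; the page does not list the product's actual rules.
DESTRUCTIVE_METHODS = {"DELETE", "PUT", "PATCH"}

@dataclass
class ScanContext:                      # hypothetical container, not a documented type
    verified_hosts: set                 # hostnames with verified ownership
    verified_nets: list                 # ipaddress networks with verified ownership
    max_rps: int = 5                    # the page's stated default budget
    sent: list = field(default_factory=list)    # timestamps of allowed calls
    audit: list = field(default_factory=list)   # append-only decision log

def in_scope(host, ctx):
    host = (host or "").lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Match on label boundaries so "evilexample.test" never passes as "example.test".
        return any(host == h or host.endswith("." + h) for h in ctx.verified_hosts)
    return any(ip in net for net in ctx.verified_nets)

def policy_check(action, context):
    """Return (allowed, reason) and record the decision before any tool runs."""
    parts = urlsplit(action["url"])
    now = action["ts"]
    recent = [t for t in context.sent if now - t < 1.0]   # one-second sliding window
    if parts.scheme not in ("http", "https"):
        verdict = (False, "scheme")
    elif not in_scope(parts.hostname, context):   # .hostname excludes any userinfo part
        verdict = (False, "out_of_scope")
    elif action["method"].upper() in DESTRUCTIVE_METHODS:
        verdict = (False, "destructive")
    elif len(recent) >= context.max_rps:
        verdict = (False, "rate_limit")
    else:
        context.sent = recent + [now]
        verdict = (True, "ok")
    context.audit.append((now, action["method"], action["url"], verdict[1]))
    return verdict

def demo():
    # Constructed sample scope and requests, using reserved names and address ranges.
    ctx = ScanContext({"example.test"}, [ipaddress.ip_network("192.0.2.0/28")])
    urls = ["https://shop.example.test/search?q=1", "https://example.test@evil.invalid/",
            "https://evilexample.test/", "http://192.0.2.9/", "http://192.0.2.77/"]
    return [policy_check({"method": "GET", "url": u, "ts": 0.0}, ctx)[1] for u in urls], ctx
```

Denied calls are written to the audit list as well as allowed ones, so the log shows what the agents attempted, not only what was sent.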
FAQ
- Does Mara prompt-inject itself?
- Every tool call passes through a deterministic policy gate (policy_check). The gate runs before the LLM sees a tool result, so even if a target tries to inject instructions into a response, the next call is bounded by the same scope, denylist, and rate-limit rules.
- What if a target is offline or rate-limits us?
- Each scan has wall-time and rate-limit budgets (default 5 req/s, configurable). Workers back off on 429s and log a partial result. The orchestrator continues with what it has.
- Can it test authenticated areas?
- Yes — provide credentials at scan creation. They're stored in customer-managed KMS for self-hosted, sealed in the agent's session memory and never logged.
- What classes does the validator support today?
- Reflected/DOM XSS (headless Chromium dialog interception), blind SQLi (time delta), SSRF (out-of-band callback via interactsh), open redirect (URL match after follow), IDOR (two-account replay diff). More land per release.
- How is this different from a DAST scanner with AI on top?
- Scanners run a fixed payload set; the LLM rewords reports. Mara's agents reason about what to try next from observation. The validator is what makes the reasoning safe to ship — only confirmed exploits surface.
- Can I self-host?
- Yes. Docker Compose stack out of the box; Fly.io and Render configs included. Enterprise gets single-tenant cloud or customer-managed Kubernetes.
Validated findings only. No noise.
Mara only surfaces vulnerabilities its validator could exploit in a sandbox. Stop drowning in scanner false positives.