How Mara finds real bugs.

One orchestrator. Six specialized agents. Every action gated by a deterministic policy engine. Every finding reproducible by an isolated validator before it surfaces.

Coordinated AI agents

A fleet, not a chatbot.

A long-lived orchestrator (Claude Opus 4.7) plans the attack and dispatches short-lived worker agents (Haiku 4.5). Workers exchange findings over a Redis stream; every tool call is scope-checked and audit-logged.

Recon

Subdomain enumeration, port and service discovery, tech fingerprinting.

Crawler

Headless-browser spider — endpoints, parameters, JS routes, GraphQL ops.

Hypothesis

Given context, proposes vulnerability hypotheses and payload strategies.

Exploit

Adaptive payloads: observes response, mutates, retries — never destructive.

Validator

Deterministic PoC runner. Only validated findings ever leave the sandbox.

Reporter

Audit-grade markdown + CVSS scoring + remediation, ready for your tracker.

Built for assurance

Move fast — within bounds.

Hard scope enforcement

Every outbound request is checked against a verified allowlist. Out-of-scope traffic is dropped at the egress layer.

Append-only audit log

Every prompt, tool call, and response is recorded. Auditable, exportable, immutable.

Just-in-time policy

policy_check(action, context) gates every tool invocation. Destructive paths are pre-flighted.
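The three assurance controls above (verified allowlist at egress, append-only audit log, and the policy_check gate with pre-flighted destructive paths) fit together in a small deterministic gate. The following is an added example written for this page, not Mara's own code; the scope entries, tool names, action/context fields and the "METHOD url" approval format are assumptions made for the illustration.

```javascript
// Added example, not Mara's own code: a deterministic policy gate in the spirit of
// policy_check(action, context), the verified scope allowlist it consults, and an
// append-only decision log. Scope entries, tool names, action/context fields and the
// approval format are assumptions for this illustration.

// Verified scope: exact hostnames plus apex domains whose subdomains are all in scope.
const SCOPE = Object.freeze({
  hosts: ['juice-shop.mara.local'],
  apexes: ['mara.local'],
});

const KNOWN_TOOLS = new Set(['http_request', 'dns_lookup', 'browser_navigate']);

// Methods that can change server state; they need an explicit pre-flight approval.
const DESTRUCTIVE_METHODS = new Set(['PUT', 'PATCH', 'DELETE']);

// Exact match, or a true subdomain of an allowed apex. "mara.local.attacker.test"
// fails because the apex must be a dot-delimited suffix, not merely a substring.
function hostInScope(hostname, scope = SCOPE) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  if (scope.hosts.includes(h)) return true;
  return scope.apexes.some((apex) => h === apex || h.endsWith('.' + apex));
}

// Parse with the WHATWG URL parser so userinfo, ports and fragments cannot smuggle an
// in-scope-looking string past the check; non-http(s) schemes are always out of scope.
function targetInScope(rawUrl, scope = SCOPE) {
  let u;
  try { u = new URL(rawUrl); } catch (e) { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  return hostInScope(u.hostname, scope);
}

// Append-only log: entries are frozen on write and callers only ever receive copies.
const auditLog = [];
function record(action, context, decision) {
  auditLog.push(Object.freeze({
    seq: auditLog.length,
    tool: action.tool, method: action.method, url: action.url,
    agent: context.agent,
    allow: decision.allow, reason: decision.reason,
  }));
}
function getAuditLog() { return auditLog.map((e) => ({ ...e })); }

// The gate itself: a pure function of (action, context), so the same inputs always
// yield the same verdict, and every verdict is logged whether allowed or denied.
// action:  { tool, method, url }
// context: { agent, approvals } where approvals lists "METHOD url" strings a human
//          pre-flighted for destructive paths.
function policyCheck(action, context) {
  const method = (action.method || 'GET').toUpperCase();
  const approvals = context.approvals || [];
  let decision;
  if (!KNOWN_TOOLS.has(action.tool)) {
    decision = { allow: false, reason: `unknown tool: ${action.tool}` };
  } else if (!targetInScope(action.url)) {
    decision = { allow: false, reason: `out of scope: ${action.url}` };
  } else if (DESTRUCTIVE_METHODS.has(method) && !approvals.includes(`${method} ${action.url}`)) {
    decision = { allow: false, reason: `destructive ${method} requires pre-flight approval` };
  } else {
    decision = { allow: true, reason: 'in scope' };
  }
  record(action, context, decision);
  return decision;
}

// Stand-alone demo: one in-scope read, one out-of-scope request, one destructive call.
const demoCtx = { agent: 'exploit-7', approvals: [] };
for (const a of [
  { tool: 'http_request', method: 'GET', url: 'https://juice-shop.mara.local/rest/products/search?q=apple' },
  { tool: 'http_request', method: 'GET', url: 'https://example.org/' },
  { tool: 'http_request', method: 'DELETE', url: 'https://juice-shop.mara.local/api/Users/1' },
]) {
  console.log(JSON.stringify(policyCheck(a, demoCtx)));
}
```

The denial reasons are deliberately specific: an orchestrator that reads "out of scope" can re-plan, whereas a bare false teaches it nothing, and the log entry is what an auditor later reads.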

SOC 2 / ISO 27001 ready

Single-tenant deployment available. Customer-managed encryption keys, regional residency.

Vulnerability classes covered

OWASP Top 10 and beyond.

SQL Injection, Reflected XSS, Stored XSS, DOM XSS, SSRF, RCE, IDOR, Auth Bypass, Open Redirect, XXE, Path Traversal, Subdomain Takeover, Mass Assignment, Race Conditions, Server-Side Template Injection, GraphQL Introspection Abuse, JWT Misconfig, CORS Misconfig, NoSQL Injection, LDAP Injection, CSRF, CRLF Injection, Prototype Pollution, Cache Deception, Dependency Confusion.

Sample finding

Audit-grade by default.

High

Reflected XSS on /#/search (DOM sink)

Asset: https://juice-shop.mara.local/#/search?q=
CWE: CWE-79 (Cross-site Scripting)
CVSS v3.1: 6.1 — AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Validator: ✓ alert(1) intercepted at frame:0 t=3.41s

The q query parameter is reflected into the DOM via the search component without escaping. Any HTML fragment is rendered as-is, allowing arbitrary script execution in the victim's browser.

Reproducible PoC

# repro.sh — emitted with every finding
# Host matches the Asset field above. curl, like a browser, never sends the URL fragment,
# so this grep only confirms a server-side echo of q; the validator's headless-browser check is authoritative.
curl -s 'https://juice-shop.mara.local/#/search?q=<iframe%20src=javascript:alert(1)>' \
  | grep -F '<iframe src=javascript:alert(1)>' && echo "[+] reflected"

Remediation

  • HTML-escape q before injection into the DOM (use textContent, not innerHTML).
  • Set a strict CSP: script-src 'self'.
  • Add a `lit-html`/Angular sanitizer at the search component boundary.
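To make the finding and its first two remediation items concrete, here is an added example (not code from the page, from Mara or from OWASP Juice Shop) that models the search component's DOM sink at the string level beside its escaped form, extracts q from the hash route exactly as a client-side router would, and states the CSP the remediation recommends. In a browser the unsafe path is `el.innerHTML = markup`; the safe paths are `el.textContent = q` or escaping before the innerHTML assignment. Function names and the markup shape are assumptions.

```javascript
// Added example, not code from the page, from Mara or from OWASP Juice Shop: a string-
// level model of the search component's DOM sink beside its escaped form, plus the CSP
// the remediation recommends. Function names and markup shape are assumptions.

// Complete HTML escaping for text placed in element content or quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape (what innerHTML would render): q is concatenated into markup unescaped.
function renderSearchHeadingUnsafe(q) {
  return `<h3>Search results for "${q}"</h3>`;
}

// Hardened shape: the same markup with q escaped, so the browser treats it as text.
// Assigning q via textContent instead of innerHTML achieves the same result in the DOM.
function renderSearchHeadingSafe(q) {
  return `<h3>Search results for "${escapeHtml(q)}"</h3>`;
}

// Extract q from a hash-routed URL such as https://host/#/search?q=... . The fragment is
// never sent to the server, which is why this sink is only observable client-side.
function queryFromHashUrl(rawUrl) {
  const u = new URL(rawUrl);
  const route = u.hash.replace(/^#/, '');                    // "/search?q=..."
  const qs = route.includes('?') ? route.slice(route.indexOf('?') + 1) : '';
  return new URLSearchParams(qs).get('q') || '';
}

// Crude detector for user-supplied active markup surviving into the rendered HTML.
function containsActiveMarkup(html) {
  return /<\s*(iframe|script|img|svg|object|embed)\b/i.test(html);
}

// Second layer from the remediation: a strict CSP. script-src 'self' blocks inline
// scripts and javascript: URLs even if an escaping bug slips through elsewhere.
const CSP_HEADER_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Stand-alone demo using the payload from the finding above (constructed input).
const demoQuery = queryFromHashUrl(
  'https://juice-shop.mara.local/#/search?q=%3Ciframe%20src%3Djavascript%3Aalert(1)%3E');
console.log('unsafe:', renderSearchHeadingUnsafe(demoQuery));
console.log('safe:  ', renderSearchHeadingSafe(demoQuery));
console.log('Content-Security-Policy:', CSP_HEADER_VALUE);
```

Escaping is context-specific: the function above is correct for element text and quoted attribute values, but a value placed into a URL, a JavaScript string or a CSS property needs that context's encoder, which is why the third remediation item delegates to the framework's sanitizer at the component boundary.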