Most security tools are good at pointing at problems. Almost none of them fix anything.

Fimil is built full-time by two people. Here's how it started and where it's headed.

The story

I spent years running security tooling across a fleet of internal apps, and the job was always the same shape: a dozen scanners, each with its own dashboard, alert format, and quirks. I kept spreadsheets to track which tool flagged which CVE, which findings were duplicates of each other, and which ones were worth anyone's time. Then I'd walk into a meeting and explain why 10,000 findings didn't mean the building was on fire.

The scanners were never the problem. They're very good at what they do. The gap was that nothing sat on top of them to normalize the output, drop the duplicates, and rank what was left. Every team rebuilds that same glue layer from scratch. So I built it once, properly: one pipeline, one finding schema, one signal coming out the other end.

The second problem took longer to see. A clean, deduplicated list is still a pile of homework. A finding nobody can reproduce gets argued about until it's forgotten, and a finding with no fix attached gets pushed to next quarter forever. So Fimil grew two more pieces: a pentest agent that proves a finding by actually replaying the exploit and a remediation engine that opens the pull request that closes it. Find it, prove it, fix it. That order isn't a slogan; it's just what the work requires.

If any of this sounds familiar, sign up free — early users have real influence over what we build next.

Who's behind Fimil

Ethan Aldrich

Founder

I work on Fimil full-time: the API, the agent, the scanner orchestration, this site. Working this small means you talk to the person who wrote the code, with nothing in between. It also means you should ask the hard question about what happens if we disappear. The answer is a self-hosted option, an open trust center, and a platform built entirely on open-source scanners you could keep running without us.

Seth Miller

Co-Founder

I handle the business operations and marketing at Fimil, while Ethan builds the product. I was born and raised in San Francisco, and later lived in Taiwan long enough to call it my second home. These days I'm studying law and finance, which adds another lens to how I see this work. Before Fimil I served in the U.S. Army and spent years in network engineering, so the security and reliability problems we solve aren't theoretical to me — I've lived on the operations side of them.

Orchestrate, don't reinvent

The open-source community has already built the hard parts: Semgrep for static analysis, Trivy and Grype for dependencies, Gitleaks and TruffleHog for secrets, Checkov for infrastructure-as-code, ZAP and Nuclei for dynamic testing, Prowler for cloud posture. Each one is best-in-class.

We don't replace any of them. Fimil runs each scanner in an isolated environment, normalizes the results into one schema, removes duplicates across tools, and scores what's left on an auditable priority scale. The one place the community had no good answer — validated autonomous pentesting — is the one place we built our own.

Semgrep · SAST
Bandit · SAST · Python
Gosec · SAST · Go
Trivy · SCA
Grype · SCA
OSV-Scanner · SCA
Trivy Image · Containers
Syft · SBOM
Gitleaks · Secrets
TruffleHog · Secrets
Checkov · IaC
Hadolint · IaC · Docker
OWASP ZAP · DAST
Nuclei · DAST
Prowler · CSPM
Pentest Agent · AI Pentest
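As an added illustration of the normalize, dedup and score steps described above (example code written for this page, not Fimil's own pipeline or schema): two SCA scanners, Trivy and Grype, flag the same dependency in the same lockfile, and one pass folds them into a single credited finding. The input field names are assumptions drawn from each tool's JSON output, the CVE ids are placeholders, and the scoring weights are invented.

```python
from dataclasses import dataclass, replace

SEVERITY_SCORE = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 1.0}  # coarse, explainable scale

@dataclass(frozen=True)
class Finding:            # the one schema every scanner's output is normalized into
    vuln_id: str          # CVE or rule id
    package: str
    version: str
    location: str         # path with leading "./" or "/" stripped so tools agree on it
    severity: str
    sources: tuple        # every scanner that reported it stays credited

def from_trivy(raw, target):  # field names follow Trivy's JSON output (assumption)
    return Finding(raw["VulnerabilityID"], raw["PkgName"], raw["InstalledVersion"],
                   target.lstrip("./"), raw["Severity"].upper(), ("trivy",))

def from_grype(match):        # field names follow Grype's JSON output (assumption)
    art, vuln = match["artifact"], match["vulnerability"]
    return Finding(vuln["id"], art["name"], art["version"],
                   art["locations"][0]["path"].lstrip("./"), vuln["severity"].upper(), ("grype",))

def score(f):
    """Auditable priority: severity base plus a small boost when several scanners agree."""
    return SEVERITY_SCORE.get(f.severity, 0.0) + 0.5 * (len(f.sources) - 1)

def dedup(findings):
    """Merge findings that describe the same issue across tools; keep the highest severity."""
    merged = {}
    for f in findings:
        k = (f.vuln_id, f.package, f.version, f.location)
        if k not in merged:
            merged[k] = f
            continue
        p = merged[k]
        sev = max(p.severity, f.severity, key=lambda s: SEVERITY_SCORE.get(s, 0.0))
        merged[k] = replace(p, severity=sev, sources=tuple(sorted(set(p.sources) | set(f.sources))))
    return sorted(merged.values(), key=score, reverse=True)

# Constructed sample output (placeholder CVE ids): both tools flag the same lodash issue, Trivy adds a second.
TRIVY_TARGET = "package-lock.json"
TRIVY_VULNS = [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "lodash", "InstalledVersion": "4.17.20", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "minimist", "InstalledVersion": "1.2.5", "Severity": "MEDIUM"},
]
GRYPE_MATCHES = [{"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
                  "artifact": {"name": "lodash", "version": "4.17.20", "locations": [{"path": "/package-lock.json"}]}}]

def triage():
    return dedup([from_trivy(v, TRIVY_TARGET) for v in TRIVY_VULNS] + [from_grype(m) for m in GRYPE_MATCHES])
```

Running `triage()` yields two findings instead of three: the lodash entry carries both scanner names and ranks first because two tools agree on it.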

The road so far

Late 2025

Founded

Fimil started as an escape hatch from triaging a dozen scanners by spreadsheet.

Early 2026

Core platform + intelligence layer

Scanner orchestration, cross-tool dedup, finding groups, priority scoring, auto-triage, and auto-remediation PRs.

Spring 2026

AI Pentest engine

The autonomous agent: 15 attack vectors, replay validation, MFA login, browser-driven testing, PoC export.

Now

Early access

Onboarding teams in waves from the waitlist while the platform hardens in production.

Principles

Four rules that settle what we build and what we cut.

Claims require proof

A finding you can't reproduce is a guess. The pentest validator replays every exploit before it ships, and this site only describes what the code does today.

The fix is the product

Anyone can detect a problem. The thing that actually changes your security posture is the pull request that closes it.

Your code stays yours

Scans run in isolated, ephemeral environments, and sources are deleted the moment the scan finishes. For teams whose code can never leave the network, there are self-hosted and air-gapped installs.

Open source gets credit

Every scanner we orchestrate is named, on every finding. The community built the tools. What we add on top is validation, correlation, and the fix.

Help us make software more secure.

Get early access, point it at your own repos, and tell us what breaks. We read every message.