Changelog

What's shipped, dated by month. This log starts with the platform's existing capabilities and tracks everything from here.

security

Platform-wide dependency and code audit sweep

Resolved every open dependency alert across the API, web app, worker, and MCP server, alongside a hardening pass on session timeouts and billing webhook deduplication.

feature

AI Pentest: in-browser testing, TOTP MFA login, and advisory fix PRs

The agent can now drive a real headless browser during discovery and exploitation, log in through TOTP multi-factor auth before testing, and open an advisory fix PR for every confirmed finding.

feature

AI Pentest: IDOR detection, PoC export, and pay-per-confirmed-finding billing

Cross-account session pairs catch insecure direct object references; every confirmed finding exports a PoC with a copy-paste curl reproduction; billing meters only confirmed findings, with automatic credit on false-positive reversal.

feature

MCP server: run security operations from your AI assistant

Model Context Protocol tools covering scans, findings, triage, remediation, reports, and webhooks — so an AI assistant can drive Fimil end to end. Pentest tools joined the set alongside the pentest engine.

feature

AI Pentest: vector breadth, API-aware discovery, and audit-ready reports

SQL injection, SSRF, broken authorization, mass assignment, and prompt injection validators with curated payload libraries; BFS crawling plus OpenAPI and GraphQL schema ingest for discovery; PDF reports with SOC 2 and PCI-DSS finding mappings.

feature

Intelligence layer: one signal from many scanners

Cross-scanner deduplication via fingerprints, finding groups with four correlation types, composite priority scoring (severity, age, reachability, EPSS), call-graph reachability with call chains, and auto-triage rules with a full audit trail.

feature

Auto-remediation: the finding is the pull request

Semver-aware dependency bumps across 7+ package ecosystems, IaC fixes for Terraform, CloudFormation, and Kubernetes, code fixes from 75+ CWE-specific handlers in eight languages, and secrets rotation guidance — all delivered as ready-to-merge PRs.

feature

Core platform: scanner orchestration behind one dashboard

Isolated scanner execution with normalized output across SAST, SCA, secrets, IaC, containers, and SBOM; GitHub, GitLab, and Bitbucket integrations with PR checks; CLI pre-commit gate; Kubernetes operator for self-hosted installs.


Subscribe via RSS or read the blog for deep-dives.