Security that understands your code.

Tachyon finds business logic flaws and multi-step vulnerabilities that traditional SAST tools miss, without drowning you in noise.


Tachyon analyzing auth.service.ts:

```typescript
if (!isValid) return null;

async generateToken(user: User): Promise<string> {
  const payload = { sub: user.id, email: user.email };
  // User-influenced alg/kid enables key substitution
  const preferredAlg = user.preferences?.jwtAlg || 'HS256';
  return jwt.sign(payload, process.env.JWT_PRIVATE_KEY, {
    algorithm: preferredAlg,
    keyid: user.kid || 'default',
    expiresIn: '24h'
  });
}
```
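A hardened counterpart to the snippet above, added here as an example and not code from Tachyon's page or from any project it scans: the algorithm and `kid` are fixed by server configuration rather than read from `user.preferences.jwtAlg` or `user.kid`, and the verifier applies that same policy to the untrusted header before any signature check. It is written in Python with only the standard library so it runs stand-alone; the key table and user record are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side key table: kid selects a server-managed key (rotation), never a user-supplied one.
SIGNING_KEYS = {"k2025": b"constructed-secret-2025", "k2024": b"constructed-secret-2024"}  # placeholder secrets
ACTIVE_KID = "k2025"
ALLOWED_ALGS = ("HS256",)  # pinned allowlist: "none" and asymmetric algs are rejected outright

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def generate_token(user: dict, now=None) -> str:
    """Hardened counterpart of generateToken(): alg and kid come from server config only."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": ACTIVE_KID}  # user.preferences / user.kid are ignored
    payload = {"sub": user["id"], "email": user["email"], "iat": now, "exp": now + 24 * 3600}
    signing_input = (_b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())).encode()
    return signing_input.decode() + "." + _b64url(_hs256(signing_input, SIGNING_KEYS[ACTIVE_KID]))

def verify_token(token: str, now=None):
    """Return the payload if the token passes server policy and verifies, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(_b64url_decode(h64)), json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except (ValueError, TypeError):
        return None
    # Policy first, cryptography second: every header field is attacker-controlled input.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    kid = header.get("kid")
    key = SIGNING_KEYS.get(kid) if isinstance(kid, str) else None  # unknown kid: no key, reject
    if key is None or not hmac.compare_digest(_hs256(f"{h64}.{p64}".encode(), key), sig):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload
```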

Find the real problems.

Tachyon finds the actual issues in your code, instead of drowning you in false positives.

Drop the spam

Cut through the noise with AI-powered analysis that eliminates false positives and surfaces only the vulnerabilities that matter.

Look beyond patterns

Our AI analyzes your business logic and developer intent to surface novel security issues that pattern-based scanners miss.

Not just your code

We look deep into your dependencies to find exploitable vulnerabilities across your entire software supply chain.

How it works

Full repo scans

Tachyon analyzes your entire codebase to understand context, data flows, and business logic across all services and frameworks.


Security Research

27 vulnerabilities found (so far). Here are a few:

8.8 High

Smolagents - RCE via sandbox escape

huggingface/smolagents

The Docker executor maps Jupyter Kernel Gateway to 127.0.0.1:8888 with CORS wide open, so any web page can stage a forged FinalAnswerException in the persistent kernel. When the agent runs its next command on the executor, the orchestrator blindly pickle.loads that payload and escapes the sandbox, leading to arbitrary code execution on the host.

8.8 High

Tandoor Recipes - Path traversal via recipe name

TandoorRecipes/recipes

Path traversal via serializer:

  1. `file_path` is not in `RecipeSerializer.read_only_fields`
  2. `Local.get_file()` performs no validation before `open(recipe.file_path, 'rb')`
  3. `Local.delete_file()` performs no validation before `os.remove(recipe.file_path)`

7.5 High

InvokeAI - SSRF via API

invoke-ai/InvokeAI

The endpoint POST /api/v1/download_queue/i/ is exposed without authentication. It accepts attacker-supplied source (AnyHttpUrl) and dest (string) parameters, then enqueues a job that streams the remote content and writes it directly to the provided filesystem path. Within _do_download() (invokeai/app/services/download/download_default.py:315-390), the worker makes an HTTP GET to source, creates any missing parent directories, and renames the downloaded file into dest with no sandboxing or path restrictions.

Pricing for teams of all sizes

Tachyon provides enterprise-grade security scanning with flexible pricing options for teams at any scale.

Free

Free

FEATURES

Perfect for open source projects

  • Public repositories only
  • 20 repository scans per month
  • Basic vulnerability scanning
  • Community support

Pro

$50/mo/user

FEATURES

Everything you need to get started

  • Up to 10 users
  • Unlimited repository scans
  • CI/CD integration
  • PR/MR automated scans
  • Advanced vulnerability detection
  • Priority support

Enterprise

Custom

FEATURES

Everything you need to get started

  • Unlimited users
  • Custom integrations
  • Dedicated support team
  • SLA guarantees
  • On-premise deployment option
  • Advanced threat modeling

Ship secure code with AI-native SAST

Run Tachyon on your repos in minutes. Reduce false positives, validate exploitability, and auto-generate patches where safe.