How it works
From code push to security review
A technical overview of how Tachyon integrates with your repositories, analyzes code in isolated sandboxes, and delivers security findings directly in your pull requests.
Integration
Tachyon connects to your repositories via a GitHub App. Installation takes minutes — select the repositories you want to protect, approve read-only permissions, and Tachyon begins monitoring.
The GitHub App requests the minimum permissions needed: read access to code and pull requests, and write access to PR comments (for posting findings). Tachyon cannot push code, create branches, or modify repository settings.
Permissions requested
- Read — Repository contents, pull requests, metadata
- Write — Pull request comments (for posting findings)
- No access — Push, branch creation, settings, secrets, actions
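Least privilege is only as good as what an installation actually holds, so it is worth checking the granted permissions against the set listed above rather than trusting the install dialog. The following is an added example, not Tachyon's own code: it audits the `permissions` object GitHub returns for an app installation against a policy that encodes the list on this page. The policy keys are GitHub's documented fine-grained permission names; mapping the page's "write access to PR comments" onto `pull_requests: write` is an assumption, and the sample installation records are constructed.

```python
import json
from typing import Dict, List

# Ordering of GitHub fine-grained permission levels, lowest to highest.
LEVELS: Dict[str, int] = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Maximum level the page says the app should hold per permission key.
# Keys are GitHub's documented permission names; mapping the page's
# "write access to PR comments" onto pull_requests: write is an assumption.
# Anything not listed (contents write, administration, secrets, actions, ...)
# defaults to "none", i.e. any grant at all is flagged.
EXPECTED_POLICY: Dict[str, str] = {
    "contents": "read",
    "pull_requests": "write",
    "metadata": "read",
}


def audit_permissions(granted: Dict[str, str],
                      policy: Dict[str, str] = EXPECTED_POLICY) -> List[str]:
    """Compare an installation's granted permissions with the policy.

    Returns a sorted list of human-readable violations; an empty list means
    the installation stays inside the declared least-privilege envelope.
    Unrecognised level strings are treated as violations, never accepted.
    """
    violations = []
    unknown_level = max(LEVELS.values()) + 1
    for key, level in granted.items():
        allowed = policy.get(key, "none")
        if LEVELS.get(level, unknown_level) > LEVELS[allowed]:
            violations.append(f"{key}: granted {level}, policy allows {allowed}")
    return sorted(violations)


def audit_installations_response(body: str) -> Dict[int, List[str]]:
    """Audit a JSON array of installation objects.

    Only the `id` and `permissions` fields of each object are read; the
    array shape used here is an assumption for the constructed sample.
    Returns a mapping of installation id -> violations.
    """
    return {inst["id"]: audit_permissions(inst.get("permissions", {}))
            for inst in json.loads(body)}


# Constructed sample: installation 1 matches the page's list, installation 2
# has been granted push rights and secrets access it should not have.
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "account": {"login": "example-org"},
     "permissions": {"contents": "read", "pull_requests": "write",
                     "metadata": "read"}},
    {"id": 2, "account": {"login": "example-org-2"},
     "permissions": {"contents": "write", "pull_requests": "write",
                     "metadata": "read", "secrets": "read"}},
])

if __name__ == "__main__":
    for inst_id, problems in audit_installations_response(SAMPLE_RESPONSE).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"installation {inst_id}: {status}")
```

Run it periodically against the real installation records and alert on any non-empty result; a permission that grows after installation (for example `contents` moving from read to write) is exactly the drift a review of the initial install prompt will never catch.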
Scan architecture
When a PR is opened or a deep scan is triggered, Tachyon provisions a dedicated, isolated sandbox for the analysis. Each sandbox is a fresh environment — not shared between customers, repositories, or scan runs.
Your code is cloned into the sandbox for the duration of the analysis. Sandboxes have no outbound network access, preventing data exfiltration even in a worst-case scenario. When the analysis completes, the sandbox is destroyed — code is never written to persistent storage.
Isolation: One sandbox per scan. No shared compute or state.
No egress: Sandboxes cannot make outbound network requests.
Ephemeral: Sandbox destroyed after analysis. No code retained.
Agentic analysis
Tachyon doesn't pattern-match against a rule database. It uses an AI agent that reads and reasons about your code the way a security engineer would — understanding data flows, authentication logic, trust boundaries, and business context.
The agent can navigate across files, trace function calls through multiple layers of abstraction, and evaluate whether a potential vulnerability is actually reachable and exploitable in practice. In some cases, it executes code paths in the sandbox to validate findings.
Why this matters
Traditional SAST
Matches patterns file-by-file. Can't reason about whether a finding is reachable or whether mitigations exist elsewhere in the codebase. High false positive rate.
Tachyon
Reads the full codebase. Traces data flows across services. Validates exploitability. Recommends structural defenses, not just patches.
Output and findings
Findings are delivered as inline PR comments — right where developers are already reviewing code. Each finding includes:
- Vulnerability: What the issue is and which code paths are affected.
- Exploitability: Whether the vulnerability is reachable and exploitable in practice, with the attack path traced.
- Remediation: Recommended fix with code suggestions, plus structural defense recommendations where applicable.
For deep scans (full-repository analysis), findings are collected in a scan report accessible through the Tachyon dashboard.
Ready to try it?
Install the GitHub App and get your first security findings in minutes. Or check out our pricing to find the right plan.