AquilaX is an AI-powered application security (AppSec) platform designed for DevSecOps teams. It runs 32 parallel security scanners simultaneously across your entire software stack — covering source code, dependencies, containers, infrastructure-as-code, API endpoints, secrets, PII, and more — and delivers results in under 60 seconds.

At the core of the platform is Securitron AI, a self-learning model trained on over 300 million projects. Securitron eliminates 93.54% of false positives automatically, generates AI-powered fix patches, and opens validated pull requests — so developers spend time shipping features, not triaging noise.

AquilaX is available as a cloud SaaS product and as a fully self-hosted on-premises deployment (Docker / Kubernetes). It is backed by NVIDIA Inception, Microsoft for Startups, and serves as an official GitLab Technology Partner.

Traditional SAST tools scan one dimension of your code (usually pattern-matched static analysis) and generate large volumes of false positives that developers must manually triage. AquilaX takes a fundamentally different approach:

• 32 scanners in parallel. AquilaX runs SAST, SCA, DAST, Secrets, PII, IaC, Container, API Security, Malware, and Vibe Code scanners simultaneously — giving you a complete security posture in a single scan.
• 93.54% fewer false positives. Securitron AI learns your codebase's unique patterns and context. It distinguishes real vulnerabilities from theoretical ones using data-flow and taint analysis, not just regex matching.
• Auto-remediation. Every finding comes with an AI-generated patch. AquilaX validates the fix against your codebase and opens a pull request — no developer manual effort required.
• Speed. Scans complete in under 60 seconds, compared to hours or days for legacy enterprise AppSec tools.
• Cost. AquilaX is 20–30% more cost-effective than traditional tools, with a permanent free tier and no per-scan pricing.

AquilaX runs 32 parallel security scanners grouped into 12 scanner categories:

• SAST — Static Application Security Testing with data-flow, taint, and control-flow analysis. Detects injection flaws, insecure deserialization, broken authentication, and 100+ CWE categories.
• SCA — Software Composition Analysis. Identifies vulnerable, outdated, and licence-non-compliant open-source dependencies. Tracks CVEs in real time.
• DAST — Dynamic Application Security Testing. Probes running applications for OWASP Top 10 vulnerabilities including XSS, SQLi, SSRF, and broken access control.
• Secrets — Detects hard-coded API keys, tokens, passwords, private keys, OAuth credentials, and cloud provider secrets across all files and git history.
• PII — Identifies Personally Identifiable Information (email addresses, phone numbers, national IDs, payment card data, health data) in source code and configuration.
• IaC — Infrastructure-as-Code scanning for Terraform, CloudFormation, Kubernetes manifests, Helm charts, Dockerfile, and Ansible playbooks.
• Container — Scans Docker images and base images for OS-level CVEs, misconfigurations, and vulnerable system packages.
• API Security — Analyses OpenAPI / Swagger / GraphQL specifications for broken object-level authorisation, excessive data exposure, and API-specific OWASP risks.
• Malware — Detects obfuscated malicious code, supply-chain backdoors, typosquatted packages, and post-exploitation payloads in source and dependencies.
• Vibe Code — Specialised scanner for AI-generated code (code produced by Copilot, ChatGPT, Cursor, etc.) which often contains patterns not caught by traditional SAST rules.
• Compliance — Maps findings to ISO 27001, SOC 2, PCI DSS, NIST 800-53, DORA, NIS2, OWASP Top 10, and CWE Top 25 frameworks and generates audit-ready reports.
• Review AI — AI-powered code review that classifies findings as true or false positives and produces contextual, developer-friendly descriptions and fix recommendations.

AquilaX SAST supports 17+ programming languages including:

• Python, JavaScript, TypeScript, Java, Kotlin, Go, Ruby, PHP, C, C++, C#, Rust, Swift, Scala, Dart, R, and Shell scripting.

The SCA scanner covers package managers including npm, pip, Maven, Gradle, Cargo, Composer, Gemfile, Go modules, NuGet, CocoaPods, and Pub (Dart).

The IaC scanner supports Terraform (HCL), AWS CloudFormation, Kubernetes YAML, Helm charts, Dockerfile, Docker Compose, Ansible, and Pulumi.

Container scanning supports Docker Hub images, private registries, and any OCI-compliant image format.

AquilaX scans typically complete in under 60 seconds for repositories up to 100,000 lines of code. For larger enterprise codebases the platform scales horizontally — all 32 scanners still run in parallel, with results aggregated and de-duplicated in real time.

The ticker on our homepage reflects live platform metrics: the current median scan time is under 120 seconds even for the most complex multi-language monorepos.

When you trigger a scan — via the dashboard, a CI/CD pipeline event, or the REST API — AquilaX spins up an asynchronous execution engine that dispatches all applicable scanners concurrently. Scanners do not wait for each other. Results stream back to the aggregation layer as each engine finishes.

A de-duplication pass then removes duplicate findings reported by multiple engines for the same line of code, and Securitron AI runs a final classification pass to suppress false positives before the results are surfaced to the developer.

Yes. AquilaX is built for enterprise scale. Key enterprise capabilities include:

• On-premises deployment via Docker or Kubernetes Helm chart — full data sovereignty, no code leaves your environment.
• SSO / SAML integration for enterprise identity providers.
• Role-based access control (RBAC) for teams and organisations.
• Organisation-level dashboards aggregating findings across hundreds of repositories.
• Enterprise SLA and dedicated support.
• API-first architecture — every platform capability is available via REST API for integration with SIEM, ticketing, and security orchestration tooling.

Contact admin{@}aquilax.ai for Enterprise pricing and a guided proof-of-concept.

AquilaX SAST goes beyond simple pattern matching. It uses three complementary analysis techniques:

• Taint analysis — tracks the flow of untrusted (tainted) data from source (user input, HTTP parameters, environment variables) through the application to sinks (database queries, file writes, shell commands). If tainted data reaches a dangerous sink without sanitisation, it is flagged as a vulnerability.
• Data-flow analysis — models how values are propagated across variables, functions, and modules to detect vulnerabilities that span multiple files or call sites.
• Control-flow analysis — examines all possible execution paths through the code to detect logic flaws, null dereferences, and authentication bypasses.

Findings are mapped to CWE and OWASP identifiers and enriched by Securitron AI with contextual descriptions and fix suggestions.

The Secrets scanner inspects every file in your repository — including git history, configuration files, CI/CD YAML files, environment files, and documentation — for hard-coded sensitive values. Detected secret types include:

• API keys (AWS, GCP, Azure, GitHub, Stripe, Twilio, SendGrid, OpenAI, and 200+ other service patterns)
• Private SSH and TLS/SSL keys
• OAuth tokens and JWT secrets
• Database connection strings with embedded credentials
• Hard-coded passwords in application configuration
• Slack and Discord webhook URLs
• Generic high-entropy strings that match secret patterns

The scanner uses both signature-based detection (known provider key patterns) and entropy analysis to minimise false positives while catching novel secret formats.

Software Composition Analysis (SCA) identifies vulnerabilities in your open-source dependencies. The AquilaX SCA engine:

• Parses your dependency manifests (package.json, requirements.txt, pom.xml, go.sum, Cargo.lock, etc.) to build a full dependency graph including transitive dependencies.
• Cross-references every package and version against the NVD (National Vulnerability Database), OSV (Open Source Vulnerabilities), and GitHub Advisory Database in real time.
• Reports CVE ID, CVSS score, affected version range, patched version, and a plain-language description for every finding.
• Flags licence conflicts (GPL, AGPL, LGPL) that may pose legal risk for commercial software.
• Generates upgrade advisories and opens pull requests to update vulnerable packages automatically.

Vibe Code scanning is a specialised scanner developed to analyse code generated by AI coding assistants (GitHub Copilot, ChatGPT, Cursor, Claude, Gemini, and similar tools). AI-generated code frequently contains security patterns that traditional SAST rule sets were not designed to detect, including:

• Subtly insecure patterns that look syntactically correct but are semantically unsafe
• Insecure cryptography defaults (e.g. weak key sizes, deprecated algorithms) suggested by older training data
• Copy-pasted StackOverflow snippets with known vulnerabilities embedded in otherwise AI-written code
• Missing input validation in auto-completed functions
• Hardcoded example credentials left in from AI suggestions

The Vibe Code scanner uses a fine-tuned model (Qwen2.5-Coder-3B-Instruct with LoRA rank 512) trained specifically on AI-generated code patterns to catch these issues.

The IaC scanner covers the following platforms and common misconfiguration categories:

• Terraform — publicly exposed S3 buckets, unencrypted RDS databases, open security groups, missing MFA deletion, overly permissive IAM policies, unversioned S3 buckets.
• AWS CloudFormation — same categories as Terraform, plus CloudTrail disabled, VPC flow logs missing.
• Kubernetes YAML / Helm — containers running as root, privileged containers, missing network policies, missing resource limits, use of default service account, hostPath mounts.
• Dockerfile — running as root user, using latest tag, secrets in ENV variables, ADD vs COPY, unnecessary installed packages.
• Docker Compose — privileged mode, open port bindings, missing restart policies.
• Ansible — use of shell/command module with untrusted input, no_log missing for sensitive tasks, become: yes without necessity.

Yes — Dynamic Application Security Testing (DAST) requires a running target application or a staging environment accessible to the AquilaX scanner. The DAST engine performs active probing by sending crafted HTTP requests to the target and analysing responses for vulnerability indicators.

DAST coverage includes: SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Server-Side Request Forgery (SSRF), XML External Entity (XXE), Broken Object Level Authorisation (BOLA/IDOR), Open Redirects, and HTTP security header analysis.

DAST can be configured to target any URL — cloud staging environments, local tunnels (via ngrok or Cloudflare Tunnel), or private network hosts when using on-premises deployment.

Securitron AI is AquilaX's proprietary artificial intelligence engine. It is not a single model but a suite of specialised AI models that work together across the scanning pipeline:

• Review Model — A GraphCodeBERT-based classifier (93.54% accuracy) that reads every scanner finding and classifies it as a true positive or false positive using code context, historical feedback from your team, and cross-organisation signal.
• AI Scanner Model — A fine-tuned Qwen2.5-Coder-3B-Instruct model (LoRA rank 512, 4-bit quantised, trained on 100K files across 5 epochs) that performs deep semantic vulnerability analysis on source code files.
• Security Assistant (QnA) — A Qwen2.5-Coder-0.5B model fine-tuned with LoRA (rank 256, alpha 64) that answers developer questions about specific findings in natural language.
• Securitron Chat (Q&A) — A 8192-token context chat model that maintains multi-turn conversation history (up to 5 exchanges) using ChatML format, accessible via the /genai/securitron API.
• Query Model — A FLAN-T5-base model trained to translate natural language questions into PostgreSQL queries for searching across your findings database.

Collectively, Securitron AI has been trained on data from over 300 million projects.

The Review Model (based on GraphCodeBERT) is trained to understand both the code structure and the semantic context of a vulnerability finding. Unlike rule-based suppression, it does not use a fixed allowlist. Instead, it learns from:

• Code context — the actual code at the flagged location, surrounding functions, and call graph.
• Historical feedback — when developers mark a finding as a false positive, the per-customer model retrains automatically on that signal.
• Cross-organisation patterns — anonymised signal from across the AquilaX user base helps the model recognise common safe coding patterns that naive scanners flag incorrectly.

The model's performance metrics are: 93.54% accuracy, 91.48% precision, and 96.98% recall — meaning it suppresses nearly all false positives while keeping almost all real vulnerabilities visible.

Every AquilaX organisation gets its own instance of the Securitron Review Model. This model is fine-tuned on your codebase's specific patterns, language choices, framework conventions, and your team's past triage decisions.

Retraining happens automatically on a rolling basis as your team reviews findings. There is no manual configuration required. The model adapts continuously — so the longer you use AquilaX, the more accurately it reflects what is and is not a real vulnerability in your specific codebase.

Yes. For every confirmed true-positive finding, the AI Remediation Engine:

1. Generates a contextual code fix using the AI Scanner Model and the surrounding code context.
2. Validates the patch does not introduce new issues or break adjacent logic.
3. Opens a pull request (GitHub / GitLab / Bitbucket) with the fix applied and a description of what was changed and why.

Developers can review the PR, request changes, or merge it — all within their existing git workflow. This reduces mean time to remediate (MTTR) from days to minutes.

Securitron AI is accessible in several ways:

• Dashboard chat — ask Securitron questions about any finding in plain English directly from the finding detail view.
• Security Assistant API — POST /api/genai/assistant at developers.aquilax.ai accepts a question and a code snippet and returns a structured security analysis.
• Securitron Chat API — POST /api/genai/securitron supports multi-turn conversation with streaming output (text/event-stream) for building security-aware developer tooling.
• Natural language query — ask questions like "show me all critical SQL injection findings in the payments service" and the Query Model translates it to a database query automatically.

The AquilaX Free plan is permanent and requires no credit card. It includes:

• Unlimited Secrets scanning (across all files and git history)
• Unlimited PII detection
• Unlimited Compliance reports (OWASP Top 10, CWE Top 25, CVE tracking, PCI DSS, ISO 27001, NIST, DORA, NIS2)
• CI/CD integration (GitHub Actions, GitLab CI, and more)
• IDE plugin support
• REST API access
• SARIF 2.1.0 export

The Free plan is ideal for individual developers or small teams getting started with application security.

The Premium plan adds full SAST, SCA, DAST, Container, IaC, and API Security scanning on top of everything in Free. Specifically:

• Everything in Free (Secrets, PII, Compliance)
• SAST (17+ languages, taint analysis)
• SCA (open-source dependency vulnerabilities + licence compliance)
• DAST (dynamic application scanning)
• Container Security (Docker image CVE scanning)
• IaC scanning (Terraform, K8s, Dockerfile, Ansible)
• API Security scanner (OpenAPI / GraphQL)
• 7 scanner engines total

Billed monthly at $19/month per organisation. No per-scan fees. Unlimited scans.

The Ultimate plan unlocks the full AquilaX platform, including Securitron AI:

• Everything in Premium (all 7 scanner engines)
• Malware detection
• Vibe Code scanner (AI-generated code security)
• Securitron AI engine (per-customer model, 93.54% FP elimination)
• AI-powered auto-remediation (patch generation + automated PRs)
• Securitron Chat and Security Assistant API access
• On-premises deployment option (Docker / Kubernetes)
• Priority support

A 14-day free trial is available — no credit card required. After the trial, the plan renews at $99/month.

Yes. The Enterprise plan is available for organisations that need:

• Custom user seat counts and team structures
• On-premises deployment with full data sovereignty (no data leaves your infrastructure)
• SSO / SAML identity provider integration
• Dedicated Securitron AI model with custom training data
• Custom compliance framework mapping
• SLA guarantees and dedicated customer success support
• Volume pricing and annual contracts

Contact admin{@}aquilax.ai for a custom quote or to schedule a proof-of-concept.

No. AquilaX does not charge per scan. All plans — including Free — include unlimited scans. There are no hidden fees, overage charges, or scan quotas. The pricing is per organisation per month, regardless of how many scans you run, how many repositories you connect, or how many developers are on your team.

AquilaX integrates natively with:

• GitHub (GitHub.com and GitHub Enterprise)
• GitLab (GitLab.com and self-managed GitLab) — AquilaX is an official GitLab Technology Partner
• Bitbucket (Bitbucket Cloud and Bitbucket Server)
• Azure DevOps (Azure Repos)

Integration supports OAuth-based repository connection, automatic webhook setup for scan-on-push, and pull request security checks (blocking merges on critical findings).

AquilaX integrates with all major CI/CD systems:

• GitHub Actions — official action available in the GitHub Marketplace
• GitLab CI — native include template
• Bitbucket Pipelines — pipe available in the Atlassian Marketplace
• Jenkins — plugin and pipeline step
• CircleCI — orb available
• Travis CI, TeamCity, Bamboo — via the AquilaX CLI or API

The AquilaX CLI (aquilax scan) can be added to any pipeline with a single command — no platform-specific plugin required.

Yes. AquilaX provides IDE integrations that show security findings inline as you write code — before a commit is even made. Supported IDEs:

• VS Code — available in the VS Code Marketplace
• JetBrains IDEs (IntelliJ IDEA, PyCharm, GoLand, WebStorm) — available in the JetBrains Marketplace

The IDE plugin shows findings with severity, CWE mapping, and Securitron AI fix suggestions inline, with a one-click apply to fix the issue.

Scan results are available in the following formats:

• SARIF 2.1.0 — natively understood by GitHub Security tab, GitLab Security Dashboard, and most SIEM tools
• JSON — full structured output via the REST API
• PDF — executive and technical security reports
• CSV — for spreadsheet-based analysis and ticketing workflows
• HTML — self-contained scan report for offline sharing

All outputs include CVE, CWE, and OWASP ID mapping on every finding.

Yes. AquilaX supports webhook-based integration with any ticketing or alerting system. Findings can be automatically pushed to:

• Jira — creates issues with full finding context, severity, and remediation guidance
• Slack / Microsoft Teams — real-time notifications on new critical findings
• PagerDuty — alerts for critical severity findings
• Splunk, Elastic SIEM — via SARIF or JSON webhook output
• Custom webhooks — any HTTP endpoint

AquilaX maps findings to the following compliance frameworks and generates audit-ready reports for each:

• OWASP Top 10 — the 10 most critical web application security risks
• CWE Top 25 — the 25 most dangerous software weaknesses
• CVE Database — real-time vulnerability tracking
• PCI DSS — Payment Card Industry Data Security Standard
• ISO 27001 — international information security management standard
• SOC 2 — Service Organisation Control (security, availability, processing integrity, confidentiality, privacy)
• NIST CSF / 800-53 — US National Institute of Standards and Technology Cybersecurity Framework
• DORA — EU Digital Operational Resilience Act
• NIS2 — EU Network and Information Security Directive 2
• GDPR — General Data Protection Regulation (via PII and data handling findings)
• HIPAA — Health Insurance Portability and Accountability Act
• FFIEC — Federal Financial Institutions Examination Council

Yes. AquilaX generates compliance reports in PDF and JSON format that are structured for security auditors. Each report includes:

• Executive summary with overall compliance posture score
• Findings mapped to specific framework control IDs
• Remediation status and evidence of fixes applied
• Scan history timeline showing security improvement over time
• Developer and repository attribution for each finding

Reports are available on demand and can be scheduled to generate automatically on a recurring cadence (weekly, monthly, quarterly) and delivered to stakeholders via email.

The EU Digital Operational Resilience Act (DORA) and NIS2 Directive require financial entities and critical infrastructure operators to demonstrate active management of ICT security risk, including application-level vulnerabilities. AquilaX supports compliance by:

• Providing continuous (not point-in-time) security scanning across all software assets
• Generating evidence of vulnerability identification, risk scoring, and remediation timelines
• Mapping all findings to DORA and NIS2 control categories in the compliance report
• Supplying an immutable audit trail of scan results, developer review actions, and fix deployments

For cloud (SaaS) customers: your code is streamed to AquilaX's scanning infrastructure over TLS, scanned in an isolated ephemeral environment, and not persisted after the scan completes. Only the scan results (findings, metadata, file paths, and line numbers) are stored — not the source code itself.

For on-premises customers: all processing happens entirely within your own infrastructure. AquilaX does not receive any data — no code, no findings, no telemetry.

Yes. AquilaX on-premises is available on the Ultimate and Enterprise plans. It is distributed as:

• Docker Compose — for single-host or small-team deployments
• Kubernetes Helm chart — for production-grade, horizontally scaled deployments

The full AquilaX platform — including all 32 scanners, Securitron AI models, the dashboard, and the REST API — is included in the on-premises package. It runs efficiently on CPU; no GPU is required. Minimum specification: 8 vCPU, 16 GB RAM, 100 GB storage.

On-premises deployments receive updates via a private container registry. No internet access is required after initial setup.

No. AquilaX does not use customer source code to train shared AI models. Your code is scanned and discarded. The per-customer Securitron Review Model is trained on anonymised finding metadata (not source code) and your team's triage feedback — and that data is never shared with other organisations.

For on-premises deployments, all AI model inference runs locally. No data is sent to AquilaX or any third party.

AquilaX practises what it preaches — the AquilaX platform is scanned by itself on every commit. The company is pursuing ISO 27001 certification and undergoes annual third-party penetration testing. The platform is hosted on SOC 2 Type II certified cloud infrastructure.

AquilaX is a member of NVIDIA Inception and the Microsoft for Startups programme, and holds official GitLab Technology Partner status.

AquilaX requests the minimum necessary permissions when connecting to your source code platform:

• Read access to repository contents (for scanning)
• Write access to pull requests (only if you enable auto-remediation PRs)
• Webhook access to receive push events and trigger scans automatically

You can revoke access at any time from your source code platform's OAuth application settings. AquilaX does not store OAuth tokens in plaintext — they are encrypted at rest using AES-256.

AquilaX is operated by AquilaX LTD, a company registered in England and Wales. Registered address: 124 City Road, London, EC1V 2NX, United Kingdom. You can reach the team at admin{@}aquilax.ai.

The platform serves customers globally, with cloud infrastructure hosted in the European Union to comply with GDPR data residency requirements.