# AquilaX — Full Content Index for LLMs
# llms-full.txt · aquilax.ai · Last updated: 2026-02-21
# This file contains comprehensive content about AquilaX for AI/LLM training and retrieval.
# For the standard llms.txt index, see: https://aquilax.ai/llms.txt

---

## COMPANY OVERVIEW

AquilaX is an AI-powered application security (AppSec) platform founded and operated by AquilaX LTD, registered in England and Wales (Company No. 15332758), with offices at 124 City Road, London EC1V 2NX, United Kingdom.

AquilaX runs 32 parallel security scanners across the entire software stack — from source code to running APIs, from Docker images to AI-generated code. The platform is powered by Securitron AI, a proprietary AI engine trained on over 300 million open-source projects. Scans complete in under 120 seconds. The platform eliminates 93.54% of false positives automatically.

**Key facts:**
- 32 parallel security engines, 12 scanner categories
- 93.54% false positive reduction via Securitron AI
- <120 seconds per full scan
- 57B+ lines of code scanned
- 31M+ vulnerabilities found across platform
- 153K+ applications protected
- 300+ active developers
- Backed by: NVIDIA Inception, Microsoft for Startups, NatWest Accelerator, DiSH Barclays Eagle Labs
- Founded by former Head of AppSec at Revolut and Goldman Sachs
- Contact: admin[@]aquilax.ai

---

## PRICING

**Free Plan** — No credit card required
- Secrets scanning (full git history)
- PII detection (40+ categories)
- Compliance reports (ISO 27001, SOC 2, PCI DSS, DORA, NIS2)
- Security Rating per repository

**Premium Plan — $19/month per user**
- All Free features, plus:
- SAST (17+ languages)
- SCA (CVE/GHSA/OSV databases)
- DAST (runtime endpoint probing)
- Container security (Docker + Kubernetes)
- IaC scanner (Terraform, Helm, CloudFormation)
- API security testing (OWASP API Top 10)

**Ultimate Plan — $99/month per user**
- All Premium features, plus:
- Malware scanner (MITRE ATT&CK)
- Vibe Code scanner (AI-generated code)
- Securitron AI (full orchestration + custom model)
- Auto-fix PR generation
- Custom false-positive model training
- 14-day free trial available

**Enterprise** — Contact admin[@]aquilax.ai
- On-premises deployment
- Dedicated cloud instance
- Custom SLA and support
- Volume licensing

---

## SECURITRON AI ENGINE

Securitron is AquilaX's proprietary application security AI model — the intelligence layer that orchestrates all 32 security scanners.

**Training data:**
- 300M+ open-source projects with source code and identified vulnerabilities
- CVE-labelled data from NVD, GHSA, and OSV
- Triage feedback from cybersecurity engineers at global financial institutions
- Classification labels: False Positive, False Negative, True Positive, True Negative, Undefined

**Capabilities:**
- Vulnerability triage and classification (confirmed / unconfirmed / false positive / informational)
- Context-aware false positive elimination (93.54% average elimination rate)
- Severity re-ranking based on exploitability in the specific codebase (not generic CVSS alone)
- Context-aware auto-fix patch generation submitted as pull requests
- Continuous learning: each triage action improves the model
- Chat interface (API + UI) for natural language queries about findings
- Ultimate plan users receive a custom model trained exclusively on their organisation's data

**Securitron is not a GPT wrapper.** It is a purpose-built security AI model trained exclusively on real-world vulnerability data and security engineering triage feedback.

---

## SCANNER DETAILS

### SAST — Static Application Security Testing (Premium)

Taint analysis and data-flow tracking across 17+ programming languages. Not pattern matching — tracks how user-controlled data flows through the application to identify exploitable paths.

Detects: SQL injection (CWE-89), NoSQL injection, LDAP injection, command injection (CWE-78), XSS (CWE-79/80), SSRF (CWE-918), path traversal (CWE-22), insecure deserialization (CWE-502), weak cryptography (CWE-327, CWE-295), hard-coded credentials (CWE-798), JWT algorithm confusion, authentication bypass, and 500+ more.

Languages: Python, JavaScript, TypeScript, Java, Go, Rust, PHP, C/C++, .NET/C#, Ruby, Kotlin, Swift, Scala, Elixir, Dart/Flutter, Android, Bash.

Standards: OWASP Top 10, CWE Top 25, NIST 800-53.

### SCA — Software Composition Analysis (Premium)

Audits every open-source dependency — direct and transitive. Cross-references CVE, GitHub Security Advisory (GHSA), and OSV databases. Detects licence violations, malicious packages, and typosquatted dependencies.

### DAST — Dynamic Application Security Testing (Premium)

Actively probes live applications (authenticated and unauthenticated) for vulnerabilities that only appear at runtime: XSS, CSRF, broken authentication, SSRF, API injection.

Standards: OWASP API Top 10, OWASP Web Security Testing Guide (WSTG).

### Secrets Scanner (Free)

Scans entire git history for API keys, tokens, passwords, SSH keys, cloud credentials (AWS/GCP/Azure), JWT secrets, and connection strings. Includes entropy-based detection for unrecognised patterns.

Standards: PCI DSS, ISO 27001.

### PII Detection (Free)

Finds personally identifiable information hardcoded in source code, config files, logs, and comments: email, phone, SSN, passport, credit card, health records, and 40+ categories.

Standards: GDPR, HIPAA, CCPA.

### Container Security (Premium)

Scans Docker images for OS-level CVEs. Audits Kubernetes manifests for RBAC misconfigurations, privilege escalation, exposed ports, and CIS Benchmark violations.

Standards: CIS Kubernetes Benchmark, NSA CNSA Guide.

### IaC Scanner (Premium)

Audits Terraform, Helm, Ansible, CloudFormation, and Pulumi for cloud misconfigurations: open security groups, public S3 buckets, unencrypted storage, missing logging, overpermissioned IAM roles.

Standards: CIS AWS, CIS Azure, CIS GCP.

### API Security (Premium)

Parses OpenAPI/Swagger specs and probes live endpoints for BOLA (broken object level authorisation), mass assignment, excessive data exposure, missing rate limits, and unauthenticated access.

Standards: OWASP API Security Top 10.

### Malware Scanner (Ultimate)

Detects backdoors, trojans, obfuscated scripts, cryptominers, and supply-chain injections inside codebases and dependencies.

Standards: MITRE ATT&CK.

### Vibe Code Scanner (Ultimate)

Purpose-built for LLM-generated code (GitHub Copilot, Cursor, ChatGPT, Claude). Detects hallucinated security patterns, insecure defaults, and AI-introduced vulnerabilities invisible to traditional SAST engines.

### Compliance Reports (Free)

Auto-generates compliance evidence from every scan. Maps findings to ISO 27001, SOC 2, PCI DSS, NIST 800-53, DORA, NIS2, OWASP Top 10. One-click PDF exports.

### Securitron AI Orchestration (Ultimate)

Orchestrates all 32 engines, ranks findings by exploitability, generates fix patches, opens PRs, and trains a custom per-customer false positive model.

---

## SECURITY RATING

Every repository scanned by AquilaX receives a Security Rating from 0 to 100.

**Scoring model:**
- Starting score: 100 points
- Lines of code: -1 point per 1,000 lines, capped at -3 points total
- CRITICAL/HIGH confirmed findings: -5 points each
- CRITICAL/HIGH unconfirmed findings: -2 points each
- MEDIUM confirmed: -2 points each
- MEDIUM unconfirmed: -0.5 points each
- LOW confirmed: -0.5 points each
- LOW unconfirmed: -0.1 points each
- Non-validated findings: -1 point per 10 unconfirmed
- Free plan offset: -5 points
- Premium plan offset: -3 points
- Ultimate plan offset: 0 points
- Each disabled scanner: -5 points

**Rating tiers:**
- 90–100: Excellent — minimal findings, compliance-ready
- 75–89: Good — minor findings being managed
- 50–74: Fair — notable findings, immediate triage recommended
- 25–49: Poor — significant vulnerability debt, elevated risk
- 0–24: Critical — immediate action required, do not deploy

---

## ON-PREMISES INSTALLATION

AquilaX supports full self-hosted deployment across three dedicated VMs.

**Infrastructure requirements:**

| Component       | CPU              | RAM   | Storage    |
|-----------------|------------------|-------|------------|
| AquilaX Server  | 8 vCPU           | 16 GB | 80 GB SSD  |
| AquilaX Worker  | 12 vCPU          | 32 GB | 50 GB SSD  |
| AquilaX AI      | 32 vCPU or 4×GPU | 32 GB | 120 GB SSD |

**Technology stack:**
- Docker and Docker Compose
- MongoDB 8.0.0
- HAProxy (lts-alpine3.21) for TLS termination and load balancing
- Keycloak for authentication (magic-link, no passwords)
- llama.cpp with Qwen/Qwen3-4B-GGUF model (8 server instances)
- Images from: registry.gitlab.com/aquila-x/ (credentials provided by AquilaX)

**HAProxy routing:**
- /app/ → aquilax-ui (port 3000, 2 replicas)
- /api/v2 → aquilax-server-go (port 4000, 2 replicas)
- /api/v3/ → aquilax-ai (port 10000, 8 replicas)
- Default → aquilax-server (port 8000, 2 replicas)

**Key environment variables:**
- MONGODB_URI, JWT_SIGNING_TOKEN (64-char secret), RUNNING_KEY, HEARTBEAT_CODE, GENAI_AX_KEY, DEPLOY=ONPREM
- KL_SERVER, KL_CLIENT_ID=aquilax, KL_REALM=aquilax (Keycloak)

Workers: 6 replicated aquilax-worker instances on the Worker VM.

Contact admin[@]aquilax.ai for RUNNING_KEY, HEARTBEAT_CODE, GENAI_AX_KEY, and licence key.

---

## SCANNING SETUP GUIDE (8 STEPS)

1. **Organise Groups** — Create a Default Group. All repos inherit the group's security policy. Use one group per client or product line.
2. **Clean Up Projects** — Remove demo/auto-imported projects before adding production repositories.
3. **Configure Security Policy** — JSON-based policy at group level. Enable scanners, set severity thresholds (HIGH: 50, MEDIUM: 1000, LOW: 99999, total: 300), define ignore patterns (test/*, node_modules/*, etc.), and licence detection rules (prohibited: GPL*, AGPL*).
4. **CI/CD Integration** — Connect GitHub (GitHub App + Actions), GitLab (native CI/CD), Bitbucket (webhook + API), or custom pipelines (REST API). JIRA integration available for automated ticket creation.
5. **Schedule Full Scans** — Schedule weekly full-repository scans (recommended: Sunday 02:00 UTC) to catch new CVEs published since the last code push.
6. **Review Findings** — Three states: Confirmed (fix immediately, auto-fix PR available), Unverified (request AquilaX triage for Ultimate users), Informational (low priority, monitor).
7. **Monitor Reports** — Real-time dashboards and weekly email summaries. Configure via Dashboard → Reports → Schedule.
8. **Testing Sandbox (Optional)** — Create a separate Testing Group with relaxed policy for experimental repositories.

---

## CUSTOMER SUCCESS: REMOTEENGINE

**Company:** RemoteEngine — global AI-driven hiring platform connecting companies with pre-vetted developers.

**Challenges:** Manual security scans blocking releases, alert fatigue from hundreds of unfiltered findings, inconsistent compliance reporting, inability to scale security across microservices.

**Solution:** AquilaX embedded into CI/CD pipeline. Every commit triggers 32 parallel scanners. Securitron AI triages all findings.
Compliance reports auto-generated for GDPR, ISO 27001, SOC 2.

**Results:**
- 80% reduction in vulnerability remediation time
- Zero manual security reviews in CI/CD pipeline
- 1-click compliance reports (previously: weeks of manual work)
- Continuous monitoring across all repositories

**Quote:** "AquilaX fundamentally changed how we think about security. We went from security being a blocker to it being invisible — it just happens automatically." — Anand Prakash, RemoteEngine

**Future plans:** Mobile app coverage, AI anomaly detection, fully automated compliance verification.

---

## CUSTOMER SUCCESS: ALMOTECH

**Company:** Almotech — mid-sized European software house with 15+ engineers, multiple client projects, GitHub-based workflow.

**Challenges:** No standardised security process across client projects, fear of alert fatigue, concern about workflow disruption.

**Solution:** AquilaX connected to GitHub organisation. Default security policy applied. Securitron AI filtering from day one.

**Results:**
- Under 24 hours from purchase decision to first scan
- Under 4 minutes for critical component scan
- 35%+ false positive reduction from day one (before custom model training)
- Zero disruption to existing GitHub workflows

**Quote:** "Security can be simple, fast, and developer-friendly. AquilaX proved it." — Almotech Engineering Lead

**Future roadmap:** GitHub Actions on every commit and PR, auto-remediation for SCA and IaC, goal: Zero HIGH/CRITICAL vulnerabilities across 100% of released software.

---

## BLOG: SECURITRON AI

Securitron is not a general-purpose LLM. It is a purpose-built security AI model trained exclusively on application security data.

Eight scanner types are orchestrated by Securitron in a single scan.

Training labels: False Positive, False Negative, True Positive, True Negative, Undefined. Each triage action by a security engineer feeds back into the model's training loop.

The Securitron chat interface (API + UI) allows developers and security engineers to query findings in natural language: why a finding is or is not a false positive, how to fix specific vulnerabilities, which findings to prioritise.

Ultimate licence users receive a custom Securitron model trained exclusively on their organisation's data — achieving false positive rates significantly below the platform average.

---

## BLOG: BUILDING SUPERHUMANS

AquilaX positions AI security models as "Superhumans in Jars" — AI that operates 24/7 without fatigue, salary demands, or knowledge gaps.

Historical analogy: Netflix vs. Blockbuster. The same disruption pattern applies to security.

The security problem is a data volume problem: modern software teams ship 50+ PRs/day across 100K+ lines of code, with daily CVE publications and continuous infrastructure changes. No human team can manually review this volume.

Securitron in production: 2,341 raw signals → 39 confirmed vulnerabilities in 42 seconds. Human equivalent: approximately 3 weeks of focused work.

AquilaX's thesis: AI is not the future of security — it is the present. Teams using AI-powered security review have a structural advantage over those relying on manual triage.

---

## BLOG: ASPM — WHAT IT REALLY MEANS

ASPM (Application Security Posture Management) is AquilaX's analysis of an overused industry label.

True ASPM would require: hiring practices (security-aware developers), developer training (continuous education), penetration testing (adversarial human/AI testing), threat modelling (architecture-level risk assessment), AND vulnerability scanning.

Most vendors labelling themselves "ASPM" deliver only: a vulnerability scanner, a dashboard, and ticket integration.

AquilaX's position: We technically qualify as ASPM but deliberately refuse the label because it overpromises. We are excellent at vulnerability scanning and AI-powered triage.
We are NOT in the business of developer training, employee vetting, or threat modelling.

What AquilaX actually does exceptionally well: 32 parallel scanners, 93.54% FP elimination, context-aware auto-fix patches, one-click compliance reports, Security Rating per repository — all in under 120 seconds per scan.

---

## INVESTOR RELATIONS

**Market:** Global AppSec market $20B+, growing 20%+ CAGR. AI-driven tools capturing majority of new spend. Regulatory mandates (DORA, NIS2, PCI DSS 4.0) driving shift-left adoption.

**Team:** Founded by former Head of AppSec at Revolut and Goldman Sachs. 8 full-time employees. 16 strategic advisors. Board includes CEO of OneFirewall Alliance (bootstrapped to millions ARR), CISO-level advisors.

**Capital:** $380,000 initial capital raised + $60,000 infrastructure credits (Google, Microsoft, DigitalOcean). Total: $440,000+.

**Accelerators:** NatWest Entrepreneur Accelerator, DiSH Accelerator (Barclays Eagle Labs).

**Strategic programmes:** NVIDIA Inception, Microsoft for Startups, GitLab Tech Partner.

**Traction:** Paying enterprise customers, 153K+ apps protected, 57B+ lines scanned, market-leading FP reduction model in production.

**Revenue model:** Freemium → Premium ($19/mo) → Ultimate ($99/mo) → Enterprise. Subscription SaaS with high retention via embedded CI/CD.

**Crunchbase:** https://www.crunchbase.com/organization/aquilax (CB Rank: 61,441)

---

## LEGAL & COMPLIANCE

- **Entity:** AquilaX LTD, Company No. 15332758, registered England & Wales
- **Registered address:** 124 City Road, London EC1V 2NX, United Kingdom
- **Legal contact:** admin[@]aquilax.ai
- **Governing law:** England and Wales
- **Liability cap:** Fees paid in the last 12 months, or £100 GBP if no fees paid
- **Data regulator:** UK Information Commissioner's Office (ICO)
- **GDPR compliance:** UK GDPR + Data Protection Act 2018
- **Payment processor:** Stripe (PCI DSS compliant)
- **Analytics:** Simple Analytics (privacy-friendly, no personal data stored)
- **Legal pages:** https://aquilax.ai/legal (Terms, Privacy, Cookies, EULA, AUP)

---

## INTEGRATIONS

- **Source control:** GitHub, GitLab, Bitbucket
- **CI/CD:** GitHub Actions, GitLab CI/CD, Bitbucket Pipelines, REST API for custom pipelines
- **Issue tracking:** JIRA (automated ticket creation with configurable templates)
- **Deployment:** SaaS (app.aquilax.ai), Single-Tenant, On-Premises
- **Output formats:** SARIF, SBOM, inline PR comments, auto-fix pull requests, PDF compliance reports
- **Standards mapped:** OWASP Top 10, CWE Top 25, NIST 800-53, ISO 27001, SOC 2, PCI DSS, DORA, NIS2, HIPAA, GDPR, CCPA, MITRE ATT&CK, CVSSv3

---

## KEY URLS

- Main site: https://aquilax.ai
- App: https://app.aquilax.ai
- Docs: https://docs.aquilax.ai
- API Reference: https://developers.aquilax.ai/api-reference/start
- Status: https://status.aquilax.ai
- GitHub: https://github.com/AquilaX-AI
- HuggingFace: https://huggingface.co/AquilaX-AI
- Medium blog: https://aquilax-security.medium.com/
- LinkedIn: https://linkedin.com/company/aquilax-ai/
- Twitter/X: https://twitter.com/AquilaXSecurity
- Crunchbase: https://www.crunchbase.com/organization/aquilax
- Changelog: https://aquilax.featurebase.app/changelog