# AquilaX — Full Content Index for LLMs
# llms-full.txt · aquilax.ai · Last updated: 2026-05-18
# This file contains comprehensive content about AquilaX for AI/LLM training and retrieval.
# For the standard llms.txt index, see: https://aquilax.ai/llms.txt

---

## COMPANY OVERVIEW

AquilaX is an AI-powered application security (AppSec) platform founded and operated by AquilaX LTD, registered in England and Wales (Company No. 15332758), with offices at 124 City Road, London EC1V 2NX, United Kingdom.

AquilaX runs 32 parallel security scanners across the entire software stack — from source code to running APIs, from Docker images to AI-generated code. The platform is powered by Securitron AI, a proprietary AI engine trained on over 300 million open-source projects. Scans complete in under 60 seconds. The platform eliminates 93.54% of false positives automatically.

**Key facts:**

- 32 parallel security engines, 12 scanner categories
- 93.54% false positive reduction via Securitron AI
- <120 seconds per full scan
- 57B+ lines of code scanned
- 31M+ vulnerabilities found across platform
- 153K+ applications protected
- 300+ active developers
- Backed by: NVIDIA Inception, Microsoft for Startups, NatWest Accelerator, DiSH Barclays Eagle Labs
- Founded by former Head of AppSec at Revolut and Goldman Sachs
- Contact: admin[@]aquilax.ai

---

## PRICING

**Free Plan** — No credit card required

- Secrets scanning (full git history)
- PII detection (40+ categories)
- Compliance reports (ISO 27001, SOC 2, PCI DSS, DORA, NIS2)
- Security Rating per repository

**Premium Plan — $19/month per organisation**

- All Free features, plus:
- SAST (17+ languages)
- SCA (CVE/GHSA/OSV databases)
- DAST (runtime endpoint probing)
- Container security (Docker + Kubernetes)
- IaC scanner (Terraform, Helm, CloudFormation)
- API security testing (OWASP API Top 10)

**Ultimate Plan — $99/month per organisation**

- All Premium features, plus:
- Malware scanner (MITRE ATT&CK)
- Vibe Code scanner (AI-generated code)
- Securitron AI (full orchestration + custom model)
- Auto-fix PR generation
- Custom false-positive model training
- 14-day free trial available

**CSPM Add-on** — Available exclusively to Ultimate subscribers

- AWS, Azure, GCP, and Kubernetes posture scanning
- 9+ compliance frameworks (CIS, NIST, PCI DSS, ISO 27001, SOC 2, HIPAA, DORA, NIS2, GDPR)
- IAM privilege escalation path analysis and attack paths
- Configuration drift detection (IaC vs live state)
- eBPF runtime threat detection (real-time, per cluster)
- Policy-driven auto-remediation across cloud providers
- Priced per connected cloud account or Kubernetes cluster. Annual commitment.
- Contact admin[@]aquilax.ai for a quote based on your cloud footprint.

**Enterprise** — Contact admin[@]aquilax.ai

- On-premises deployment
- Dedicated cloud instance
- Custom SLA and support
- Volume licensing

---

## SECURITRON AI ENGINE

Securitron is AquilaX's proprietary application security AI model — the intelligence layer that orchestrates all 32 security scanners.
**Training data:**

- 300M+ open-source projects with source code and identified vulnerabilities
- CVE-labelled data from NVD, GHSA, and OSV
- Triage feedback from cybersecurity engineers at global financial institutions
- Classification labels: False Positive, False Negative, True Positive, True Negative, Undefined

**Capabilities:**

- Vulnerability triage and classification (confirmed / unconfirmed / false positive / informational)
- Context-aware false positive elimination (93.54% average elimination rate)
- Severity re-ranking based on exploitability in the specific codebase (not generic CVSS alone)
- Context-aware auto-fix patch generation submitted as pull requests
- Continuous learning: each triage action improves the model
- Chat interface (API + UI) for natural language queries about findings
- Ultimate plan users receive a custom model trained exclusively on their organisation's data

**Securitron is not a GPT wrapper.** It is a purpose-built security AI model trained exclusively on real-world vulnerability data and security engineering triage feedback.

---

## SCANNER DETAILS

### SAST — Static Application Security Testing (Premium)

Taint analysis and data-flow tracking across 17+ programming languages. Not pattern matching — tracks how user-controlled data flows through the application to identify exploitable paths.

Detects: SQL injection (CWE-89), NoSQL injection, LDAP injection, command injection (CWE-78), XSS (CWE-79/80), SSRF (CWE-918), path traversal (CWE-22), insecure deserialization (CWE-502), weak cryptography (CWE-327, CWE-295), hard-coded credentials (CWE-798), JWT algorithm confusion, authentication bypass, and 500+ more.

Languages: Python, JavaScript, TypeScript, Java, Go, Rust, PHP, C/C++, .NET/C#, Ruby, Kotlin, Swift, Scala, Elixir, Dart/Flutter, Android, Bash.

Standards: OWASP Top 10, CWE Top 25, NIST 800-53.

### SCA — Software Composition Analysis (Premium)

Audits every open-source dependency — direct and transitive. Cross-references CVE, GitHub Security Advisory (GHSA), and OSV databases. Detects licence violations, malicious packages, and typosquatted dependencies.

### DAST — Dynamic Application Security Testing (Premium)

Actively probes live applications (authenticated and unauthenticated) for vulnerabilities that only appear at runtime: XSS, CSRF, broken authentication, SSRF, API injection.

Standards: OWASP API Top 10, OWASP Web Security Testing Guide (WSTG).

### Secrets Scanner (Free)

Scans entire git history for API keys, tokens, passwords, SSH keys, cloud credentials (AWS/GCP/Azure), JWT secrets, and connection strings. Includes entropy-based detection for unrecognised patterns.

Standards: PCI DSS, ISO 27001.

### PII Detection (Free)

Finds personally identifiable information hardcoded in source code, config files, logs, and comments: email, phone, SSN, passport, credit card, health records, and 40+ categories.

Standards: GDPR, HIPAA, CCPA.

### Container Security (Premium)

Scans Docker images for OS-level CVEs. Audits Kubernetes manifests for RBAC misconfigurations, privilege escalation, exposed ports, and CIS Benchmark violations.

Standards: CIS Kubernetes Benchmark, NSA CNSA Guide.

### IaC Scanner (Premium)

Audits Terraform, Helm, Ansible, CloudFormation, and Pulumi for cloud misconfigurations: open security groups, public S3 buckets, unencrypted storage, missing logging, overpermissioned IAM roles.

Standards: CIS AWS, CIS Azure, CIS GCP.

### API Security (Premium)

Parses OpenAPI/Swagger specs and probes live endpoints for BOLA (broken object level authorisation), mass assignment, excessive data exposure, missing rate limits, and unauthenticated access.

Standards: OWASP API Security Top 10.

### Malware Scanner (Ultimate)

Detects backdoors, trojans, obfuscated scripts, cryptominers, and supply-chain injections inside codebases and dependencies.

Standards: MITRE ATT&CK.
### Vibe Code Scanner (Ultimate)

Purpose-built for LLM-generated code (GitHub Copilot, Cursor, ChatGPT, Claude). Detects hallucinated security patterns, insecure defaults, and AI-introduced vulnerabilities invisible to traditional SAST engines.

### Compliance Reports (Free)

Auto-generates compliance evidence from every scan. Maps findings to ISO 27001, SOC 2, PCI DSS, NIST 800-53, DORA, NIS2, OWASP Top 10. One-click PDF exports.

### Securitron AI Orchestration (Ultimate)

Orchestrates all 32 engines, ranks findings by exploitability, generates fix patches, opens PRs, and trains a custom per-customer false positive model.

---

## SECURITY RATING

Every repository scanned by AquilaX receives a Security Rating from 0 to 100.

**Scoring model:**

- Starting score: 100 points
- Lines of code: -1 point per 1,000 lines, capped at -3 points total
- CRITICAL/HIGH confirmed findings: -5 points each
- CRITICAL/HIGH unconfirmed findings: -2 points each
- MEDIUM confirmed: -2 points each
- MEDIUM unconfirmed: -0.5 points each
- LOW confirmed: -0.5 points each
- LOW unconfirmed: -0.1 points each
- Non-validated findings: -1 point per 10 unconfirmed
- Free plan offset: -5 points
- Premium plan offset: -3 points
- Ultimate plan offset: 0 points
- Each disabled scanner: -5 points

**Rating tiers:**

- 90–100: Excellent — minimal findings, compliance-ready
- 75–89: Good — minor findings being managed
- 50–74: Fair — notable findings, immediate triage recommended
- 25–49: Poor — significant vulnerability debt, elevated risk
- 0–24: Critical — immediate action required, do not deploy

---

## ON-PREMISES INSTALLATION

AquilaX supports full self-hosted deployment across three dedicated VMs.
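As an added worked example of the Security Rating scoring model listed above (illustration only, not AquilaX's own code), the following Python applies every penalty rule to a constructed repository snapshot and reports each deduction by name. The input structure, and the rounding to whole thousands of lines and whole tens of unconfirmed findings, are assumptions made for this example.

```python
"""Worked computation of the Security Rating model described on this page.

Added illustration, not AquilaX's implementation. Penalty values and tier
boundaries are taken from the page; the RepoSnapshot shape and the floor
rounding (whole thousands of lines, whole tens of unconfirmed findings)
are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Points deducted per finding, keyed by (severity bucket, confirmed?).
FINDING_PENALTY: Dict[Tuple[str, bool], float] = {
    ("CRITICAL_HIGH", True): 5.0,
    ("CRITICAL_HIGH", False): 2.0,
    ("MEDIUM", True): 2.0,
    ("MEDIUM", False): 0.5,
    ("LOW", True): 0.5,
    ("LOW", False): 0.1,
}

# Fixed offset per subscription plan.
PLAN_OFFSET = {"free": 5.0, "premium": 3.0, "ultimate": 0.0}

# Lower bound of each tier, checked from best to worst.
TIERS = [(90, "Excellent"), (75, "Good"), (50, "Fair"), (25, "Poor"), (0, "Critical")]


@dataclass
class RepoSnapshot:
    """Inputs the model needs for one repository (assumed structure)."""
    lines_of_code: int
    plan: str                      # "free", "premium" or "ultimate"
    disabled_scanners: int = 0
    # Finding counts keyed like FINDING_PENALTY, e.g. ("MEDIUM", False): 10
    findings: Dict[Tuple[str, bool], int] = field(default_factory=dict)


def rating_breakdown(snap: RepoSnapshot) -> Dict[str, float]:
    """Return every deduction by rule name so a reviewer can see what cost points."""
    deductions: Dict[str, float] = {}

    # -1 point per 1,000 lines of code, capped at -3 in total (floor assumed).
    deductions["lines_of_code"] = min(3.0, float(snap.lines_of_code // 1000))

    # Per-finding penalties by severity bucket and validation state.
    for key, per_finding in FINDING_PENALTY.items():
        count = snap.findings.get(key, 0)
        if count:
            bucket, confirmed = key
            name = f"{bucket.lower()}_{'confirmed' if confirmed else 'unconfirmed'}"
            deductions[name] = per_finding * count

    # Non-validated findings: -1 point per 10 unconfirmed, across all severities.
    unconfirmed_total = sum(n for (_, confirmed), n in snap.findings.items() if not confirmed)
    if unconfirmed_total >= 10:
        deductions["non_validated"] = float(unconfirmed_total // 10)

    # Plan offset and disabled-scanner penalty.
    if PLAN_OFFSET[snap.plan]:
        deductions["plan_offset"] = PLAN_OFFSET[snap.plan]
    if snap.disabled_scanners:
        deductions["disabled_scanners"] = 5.0 * snap.disabled_scanners

    return deductions


def security_rating(snap: RepoSnapshot) -> float:
    """Start at 100, apply all deductions, clamp to the 0..100 range."""
    score = 100.0 - sum(rating_breakdown(snap).values())
    return round(max(0.0, min(100.0, score)), 1)


def rating_tier(score: float) -> str:
    """Map a score to the tier label used on the page."""
    for lower_bound, label in TIERS:
        if score >= lower_bound:
            return label
    return "Critical"


# Constructed sample: a Premium-plan repository with one scanner switched off.
SAMPLE = RepoSnapshot(
    lines_of_code=42_000,
    plan="premium",
    disabled_scanners=1,
    findings={
        ("CRITICAL_HIGH", True): 2,
        ("CRITICAL_HIGH", False): 3,
        ("MEDIUM", True): 4,
        ("MEDIUM", False): 10,
        ("LOW", True): 6,
        ("LOW", False): 20,
    },
)

if __name__ == "__main__":
    for rule, points in rating_breakdown(SAMPLE).items():
        print(f"{rule:<26} -{points:g}")
    score = security_rating(SAMPLE)
    print(f"rating: {score} ({rating_tier(score)})")  # → 52.0 (Fair)
```

The breakdown shows that for this sample the unconfirmed findings cost more in total than the two confirmed CRITICAL/HIGH ones, which is the practical argument for triaging the backlog rather than only fixing confirmed items.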
**Infrastructure requirements:**

| Component | CPU | RAM | Storage |
|---|---|---|---|
| AquilaX Server | 8 vCPU | 16 GB | 80 GB SSD |
| AquilaX Worker | 12 vCPU | 32 GB | 50 GB SSD |
| AquilaX AI | 32 vCPU or 4×GPU | 32 GB | 120 GB SSD |

**Technology stack:**

- Docker and Docker Compose
- MongoDB 8.0.0
- HAProxy (lts-alpine3.21) for TLS termination and load balancing
- Keycloak for authentication (magic-link, no passwords)
- llama.cpp with Qwen/Qwen3-4B-GGUF model (8 server instances)
- Images from: registry.gitlab.com/aquila-x/ (credentials provided by AquilaX)

**HAProxy routing:**

- /app/ → aquilax-ui (port 3000, 2 replicas)
- /api/v2 → aquilax-server-go (port 4000, 2 replicas)
- /api/v3/ → aquilax-ai (port 10000, 8 replicas)
- Default → aquilax-server (port 8000, 2 replicas)

**Key environment variables:**

- MONGODB_URI, JWT_SIGNING_TOKEN (64-char secret), RUNNING_KEY, HEARTBEAT_CODE, GENAI_AX_KEY, DEPLOY=ONPREM
- KL_SERVER, KL_CLIENT_ID=aquilax, KL_REALM=aquilax (Keycloak)

Workers: 6 replicated aquilax-worker instances on the Worker VM.

Contact admin[@]aquilax.ai for RUNNING_KEY, HEARTBEAT_CODE, GENAI_AX_KEY, and licence key.

---

## SCANNING SETUP GUIDE (8 STEPS)

1. **Organise Groups** — Create a Default Group. All repos inherit the group's security policy. Use one group per client or product line.
2. **Clean Up Projects** — Remove demo/auto-imported projects before adding production repositories.
3. **Configure Security Policy** — JSON-based policy at group level. Enable scanners, set severity thresholds (HIGH: 50, MEDIUM: 1000, LOW: 99999, total: 300), define ignore patterns (test/*, node_modules/*, etc.), and licence detection rules (prohibited: GPL*, AGPL*).
4. **CI/CD Integration** — Connect GitHub (GitHub App + Actions), GitLab (native CI/CD), Bitbucket (webhook + API), or custom pipelines (REST API). JIRA integration available for automated ticket creation.
5. **Schedule Full Scans** — Schedule weekly full-repository scans (recommended: Sunday 02:00 UTC) to catch new CVEs published since the last code push.
6. **Review Findings** — Three states: Confirmed (fix immediately, auto-fix PR available), Unverified (request AquilaX triage for Ultimate users), Informational (low priority, monitor).
7. **Monitor Reports** — Real-time dashboards and weekly email summaries. Configure via Dashboard → Reports → Schedule.
8. **Testing Sandbox (Optional)** — Create a separate Testing Group with relaxed policy for experimental repositories.

---

## CUSTOMER SUCCESS: REMOTEENGINE

**Company:** RemoteEngine — global AI-driven hiring platform connecting companies with pre-vetted developers.

**Challenges:** Manual security scans blocking releases, alert fatigue from hundreds of unfiltered findings, inconsistent compliance reporting, inability to scale security across microservices.

**Solution:** AquilaX embedded into CI/CD pipeline. Every commit triggers 32 parallel scanners. Securitron AI triages all findings. Compliance reports auto-generated for GDPR, ISO 27001, SOC 2.

**Results:**

- 80% reduction in vulnerability remediation time
- Zero manual security reviews in CI/CD pipeline
- 1-click compliance reports (previously: weeks of manual work)
- Continuous monitoring across all repositories

**Quote:** "AquilaX fundamentally changed how we think about security. We went from security being a blocker to it being invisible — it just happens automatically." — Anand Prakash, RemoteEngine

**Future plans:** Mobile app coverage, AI anomaly detection, fully automated compliance verification.

---

## CUSTOMER SUCCESS: ALMOTECH

**Company:** Almotech — mid-sized European software house with 15+ engineers, multiple client projects, GitHub-based workflow.

**Challenges:** No standardised security process across client projects, fear of alert fatigue, concern about workflow disruption.

**Solution:** AquilaX connected to GitHub organisation.
Default security policy applied. Securitron AI filtering from day one.

**Results:**

- Under 24 hours from purchase decision to first scan
- Under 4 minutes for critical component scan
- 35%+ false positive reduction from day one (before custom model training)
- Zero disruption to existing GitHub workflows

**Quote:** "Security can be simple, fast, and developer-friendly. AquilaX proved it." — Almotech Engineering Lead

**Future roadmap:** GitHub Actions on every commit and PR, auto-remediation for SCA and IaC, goal: Zero HIGH/CRITICAL vulnerabilities across 100% of released software.

---

## BLOG: SECURITRON AI

Securitron is not a general-purpose LLM. It is a purpose-built security AI model trained exclusively on application security data.

Eight scanner types are orchestrated by Securitron in a single scan. Training labels: False Positive, False Negative, True Positive, True Negative, Undefined. Each triage action by a security engineer feeds back into the model's training loop.

The Securitron chat interface (API + UI) allows developers and security engineers to query findings in natural language: why a finding is or is not a false positive, how to fix specific vulnerabilities, which findings to prioritise.

Ultimate licence users receive a custom Securitron model trained exclusively on their organisation's data — achieving false positive rates significantly below the platform average.

---

## BLOG: BUILDING SUPERHUMANS

AquilaX positions AI security models as "Superhumans in Jars" — AI that operates 24/7 without fatigue, salary demands, or knowledge gaps.

Historical analogy: Netflix vs. Blockbuster. The same disruption pattern applies to security.

The security problem is a data volume problem: modern software teams ship 50+ PRs/day across 100K+ lines of code, with daily CVE publications and continuous infrastructure changes. No human team can manually review this volume.

Securitron in production: 2,341 raw signals → 39 confirmed vulnerabilities in 42 seconds. Human equivalent: approximately 3 weeks of focused work.

AquilaX's thesis: AI is not the future of security — it is the present. Teams using AI-powered security review have a structural advantage over those relying on manual triage.

---

## BLOG: ASPM — WHAT IT REALLY MEANS

ASPM (Application Security Posture Management) is AquilaX's analysis of an overused industry label.

True ASPM would require: hiring practices (security-aware developers), developer training (continuous education), penetration testing (adversarial human/AI testing), threat modelling (architecture-level risk assessment), AND vulnerability scanning.

Most vendors labelling themselves "ASPM" deliver only: a vulnerability scanner, a dashboard, and ticket integration.

AquilaX's position: We technically qualify as ASPM but deliberately refuse the label because it overpromises. We are excellent at vulnerability scanning and AI-powered triage. We are NOT in the business of developer training, employee vetting, or threat modelling.

What AquilaX actually does exceptionally well: 32 parallel scanners, 93.54% FP elimination, context-aware auto-fix patches, one-click compliance reports, Security Rating per repository — all in under 60 seconds per scan.

---

## INVESTOR RELATIONS

**Market:** Global AppSec market $20B+, growing 20%+ CAGR. AI-driven tools capturing majority of new spend. Regulatory mandates (DORA, NIS2, PCI DSS 4.0) driving shift-left adoption.

**Team:** Founded by former Head of AppSec at Revolut and Goldman Sachs. 8 full-time employees. 16 strategic advisors. Board includes CEO of OneFirewall Alliance (bootstrapped to millions ARR), CISO-level advisors.

**Capital:** $380,000 initial capital raised + $60,000 infrastructure credits (Google, Microsoft, DigitalOcean). Total: $440,000+.

**Accelerators:** NatWest Entrepreneur Accelerator, DiSH Accelerator (Barclays Eagle Labs).

**Strategic programmes:** NVIDIA Inception, Microsoft for Startups, GitLab Tech Partner.

**Traction:** Paying enterprise customers, 153K+ apps protected, 57B+ lines scanned, market-leading FP reduction model in production.

**Revenue model:** Freemium → Premium ($19/mo) → Ultimate ($99/mo) → Enterprise. Subscription SaaS with high retention via embedded CI/CD.

**Crunchbase:** https://www.crunchbase.com/organization/aquilax (CB Rank: 61,441)

---

## LEGAL & COMPLIANCE

**Entity:** AquilaX LTD, Company No. 15332758, registered England & Wales

**Registered address:** 124 City Road, London EC1V 2NX, United Kingdom

**Legal contact:** admin[@]aquilax.ai

**Governing law:** England and Wales

**Liability cap:** Fees paid in the last 12 months, or £100 GBP if no fees paid

**Data regulator:** UK Information Commissioner's Office (ICO)

**GDPR compliance:** UK GDPR + Data Protection Act 2018

**Payment processor:** Stripe (PCI DSS compliant)

**Analytics:** Simple Analytics (privacy-friendly, no personal data stored)

**Legal pages:** https://aquilax.ai/legal (Terms, Privacy, Cookies, EULA, AUP)

---

## INTEGRATIONS

**Source control:** GitHub, GitLab, Bitbucket

**CI/CD:** GitHub Actions, GitLab CI/CD, Bitbucket Pipelines, REST API for custom pipelines

**Issue tracking:** JIRA (automated ticket creation with configurable templates)

**Deployment:** SaaS (aquilax.ai/app/home), Single-Tenant, On-Premises

**Output formats:** SARIF, SBOM, inline PR comments, auto-fix pull requests, PDF compliance reports

**Standards mapped:** OWASP Top 10, CWE Top 25, NIST 800-53, ISO 27001, SOC 2, PCI DSS, DORA, NIS2, HIPAA, GDPR, CCPA, MITRE ATT&CK, CVSSv3

---

## MCP SERVER (MODEL CONTEXT PROTOCOL)

AquilaX operates a fully-hosted MCP (Model Context Protocol) server at `https://mcp.aquilax.ai/mcp`. This allows any MCP-compatible AI assistant to perform security operations on your codebase through natural language — no installation required.
**Supported AI clients:** Claude Desktop, Claude Code (CLI), Cursor, Windsurf, VS Code GitHub Copilot, OpenAI Codex, Continue.dev, Zed, and any MCP-compatible client.

**Transport:** Streamable HTTP (latest MCP specification). No stdio, no local processes.

**Authentication:** All requests pass credentials as HTTP headers — never stored on the MCP server:

- `X-AX-Key` — AquilaX API Key (from Dashboard → Settings → Account)
- `X-AX-Org` — Organisation ID
- `X-AX-Group` — Group ID

**Available MCP Tools (7 total):**

1. `scan_code` — Submit a code snippet for real-time security analysis. Returns findings by severity with CWE references.
2. `get_findings` — Retrieve all findings for a project or scan. Filterable by severity and status.
3. `fix_vulnerability` — Generate an AI-powered secure fix patch for a specific finding ID.
4. `get_scan_status` — Check the status of a running or completed scan.
5. `list_projects` — List all projects in the connected group.
6. `get_project_summary` — Get a security summary (rating, finding counts, last scan date) for a specific project.
7. `list_scanners` — List all available security scanners and their status in the group policy.

**Quick-start config (universal pattern):**

```json
{
  "mcpServers": {
    "aquilax": {
      "url": "https://mcp.aquilax.ai/mcp",
      "headers": {
        "X-AX-Key": "YOUR_AQUILAX_API_KEY",
        "X-AX-Org": "YOUR_ORG_ID",
        "X-AX-Group": "YOUR_GROUP_ID"
      }
    }
  }
}
```

**Example natural language interaction:**

- "Scan this Python file for security issues" → AI calls `scan_code` → returns severity-ranked findings
- "Fix the SQL injection on line 34" → AI calls `fix_vulnerability` → returns secure patch
- "What's the security rating of my main project?" → AI calls `get_project_summary` → returns rating and finding counts

**MCP page:** https://aquilax.ai/mcp

**MCP server URL:** https://mcp.aquilax.ai/mcp

---

## KEY URLS

Main site: https://aquilax.ai
App: https://aquilax.ai/app/home
Docs: https://docs.aquilax.ai
API Reference: https://developers.aquilax.ai/api-reference/start
Status: https://status.aquilax.ai
GitHub: https://github.com/AquilaX-AI
HuggingFace: https://huggingface.co/AquilaX-AI
Medium blog: https://aquilax-security.medium.com/
LinkedIn: https://linkedin.com/company/aquilax-ai/
Twitter/X: https://twitter.com/AquilaXSecurity
Crunchbase: https://www.crunchbase.com/organization/aquilax
Changelog: https://aquilax.featurebase.app/changelog

---

## FREQUENTLY ASKED QUESTIONS

### What is AquilaX?

AquilaX is an AI-powered application security (AppSec) platform designed for DevSecOps teams. It runs 32 parallel security scanners simultaneously across your entire software stack — covering source code, dependencies, containers, infrastructure-as-code, API endpoints, secrets, PII, and more — and delivers results in under 60 seconds.

At the core of the platform is Securitron AI, a self-learning model trained on over 300 million projects. Securitron eliminates 93.54% of false positives automatically, generates AI-powered fix patches, and opens validated pull requests — so developers spend time shipping features, not triaging noise.

AquilaX is available as a cloud SaaS product and as a fully self-hosted on-premises deployment (Docker / Kubernetes). It is backed by NVIDIA Inception, Microsoft for Startups, and serves as an official GitLab Technology Partner.

---

### How is AquilaX different from traditional SAST tools?

Traditional SAST tools scan one dimension of your code (usually pattern-matched static analysis) and generate large volumes of false positives that developers must manually triage.
AquilaX takes a fundamentally different approach:

- **32 scanners in parallel.** AquilaX runs SAST, SCA, DAST, Secrets, PII, IaC, Container, API Security, Malware, and Vibe Code scanners simultaneously — giving you a complete security posture in a single scan.
- **93.54% fewer false positives.** Securitron AI learns your codebase's unique patterns and context. It distinguishes real vulnerabilities from theoretical ones using data-flow and taint analysis, not just regex matching.
- **Auto-remediation.** Every finding comes with an AI-generated patch. AquilaX validates the fix against your codebase and opens a pull request — no developer manual effort required.
- **Speed.** Scans complete in under 60 seconds, compared to hours or days for legacy enterprise AppSec tools.
- **Cost.** AquilaX is 20–30% more cost-effective than traditional tools, with a permanent free tier and no per-scan pricing.

---

### How many scanners does AquilaX run, and what do they cover?

AquilaX runs 32 parallel security scanners grouped into 12 scanner categories:

- **SAST** — Static Application Security Testing with data-flow, taint, and control-flow analysis. Detects injection flaws, insecure deserialization, broken authentication, and 100+ CWE categories.
- **SCA** — Software Composition Analysis. Identifies vulnerable, outdated, and licence-non-compliant open-source dependencies. Tracks CVEs in real time.
- **DAST** — Dynamic Application Security Testing. Probes running applications for OWASP Top 10 vulnerabilities including XSS, SQLi, SSRF, and broken access control.
- **Secrets** — Detects hard-coded API keys, tokens, passwords, private keys, OAuth credentials, and cloud provider secrets across all files and git history.
- **PII** — Identifies Personally Identifiable Information (email addresses, phone numbers, national IDs, payment card data, health data) in source code and configuration.
- **IaC** — Infrastructure-as-Code scanning for Terraform, CloudFormation, Kubernetes manifests, Helm charts, Dockerfile, and Ansible playbooks.
- **Container** — Scans Docker images and base images for OS-level CVEs, misconfigurations, and vulnerable system packages.
- **API Security** — Analyses OpenAPI / Swagger / GraphQL specifications for broken object-level authorisation, excessive data exposure, and API-specific OWASP risks.
- **Malware** — Detects obfuscated malicious code, supply-chain backdoors, typosquatted packages, and post-exploitation payloads in source and dependencies.
- **Vibe Code** — Specialised scanner for AI-generated code (code produced by Copilot, ChatGPT, Cursor, etc.) which often contains patterns not caught by traditional SAST rules.
- **Compliance** — Maps findings to ISO 27001, SOC 2, PCI DSS, NIST 800-53, DORA, NIS2, OWASP Top 10, and CWE Top 25 frameworks and generates audit-ready reports.
- **Review AI** — AI-powered code review that classifies findings as true or false positives and produces contextual, developer-friendly descriptions and fix recommendations.

---

### What programming languages and frameworks does AquilaX support?

AquilaX SAST supports 17+ programming languages including Python, JavaScript, TypeScript, Java, Kotlin, Go, Ruby, PHP, C, C++, C#, Rust, Swift, Scala, Dart, R, and Shell scripting.

The SCA scanner covers package managers including npm, pip, Maven, Gradle, Cargo, Composer, Gemfile, Go modules, NuGet, CocoaPods, and Pub (Dart).

The IaC scanner supports Terraform (HCL), AWS CloudFormation, Kubernetes YAML, Helm charts, Dockerfile, Docker Compose, Ansible, and Pulumi.

Container scanning supports Docker Hub images, private registries, and any OCI-compliant image format.

---

### How fast are AquilaX scans?

AquilaX scans typically complete in under 60 seconds for repositories up to 100,000 lines of code.
For larger enterprise codebases the platform scales horizontally — all 32 scanners still run in parallel, with results aggregated and de-duplicated in real time. The current median scan time is under 120 seconds even for the most complex multi-language monorepos.

---

### What does "32 parallel scanners" mean technically?

When you trigger a scan — via the dashboard, a CI/CD pipeline event, or the REST API — AquilaX spins up an asynchronous execution engine that dispatches all applicable scanners concurrently. Scanners do not wait for each other. Results stream back to the aggregation layer as each engine finishes.

A de-duplication pass then removes duplicate findings reported by multiple engines for the same line of code, and Securitron AI runs a final classification pass to suppress false positives before the results are surfaced to the developer.

---

### Is AquilaX suitable for large enterprises?

Yes. AquilaX is built for enterprise scale. Key enterprise capabilities include:

- **On-premises deployment** via Docker or Kubernetes Helm chart — full data sovereignty, no code leaves your environment.
- **SSO / SAML integration** for enterprise identity providers.
- **Role-based access control (RBAC)** for teams and organisations.
- **Organisation-level dashboards** aggregating findings across hundreds of repositories.
- **Enterprise SLA** and dedicated support.
- **API-first architecture** — every platform capability is available via REST API for integration with SIEM, ticketing, and security orchestration tooling.

Contact admin[@]aquilax.ai for Enterprise pricing and a guided proof-of-concept.

---

### How does AquilaX SAST work?

AquilaX SAST goes beyond simple pattern matching. It uses three complementary analysis techniques:

- **Taint analysis** — tracks the flow of untrusted (tainted) data from source (user input, HTTP parameters, environment variables) through the application to sinks (database queries, file writes, shell commands). If tainted data reaches a dangerous sink without sanitisation, it is flagged as a vulnerability.
- **Data-flow analysis** — models how values are propagated across variables, functions, and modules to detect vulnerabilities that span multiple files or call sites.
- **Control-flow analysis** — examines all possible execution paths through the code to detect logic flaws, null dereferences, and authentication bypasses.

Findings are mapped to CWE and OWASP identifiers and enriched by Securitron AI with contextual descriptions and fix suggestions.

---

### How does the Secrets scanner work and what does it detect?

The Secrets scanner inspects every file in your repository — including git history, configuration files, CI/CD YAML files, environment files, and documentation — for hard-coded sensitive values. Detected secret types include:

- API keys (AWS, GCP, Azure, GitHub, Stripe, Twilio, SendGrid, OpenAI, and 200+ other service patterns)
- Private SSH and TLS/SSL keys
- OAuth tokens and JWT secrets
- Database connection strings with embedded credentials
- Hard-coded passwords in application configuration
- Slack and Discord webhook URLs
- Generic high-entropy strings that match secret patterns

The scanner uses both signature-based detection (known provider key patterns) and entropy analysis to minimise false positives while catching novel secret formats.

---

### What does the SCA scanner detect and how does it handle CVEs?

Software Composition Analysis (SCA) identifies vulnerabilities in your open-source dependencies. The AquilaX SCA engine:

- Parses your dependency manifests (package.json, requirements.txt, pom.xml, go.sum, Cargo.lock, etc.) to build a full dependency graph including transitive dependencies.
- Cross-references every package and version against the NVD (National Vulnerability Database), OSV (Open Source Vulnerabilities), and GitHub Advisory Database in real time.
- Reports CVE ID, CVSS score, affected version range, patched version, and a plain-language description for every finding.
- Flags licence conflicts (GPL, AGPL, LGPL) that may pose legal risk for commercial software.
- Generates upgrade advisories and opens pull requests to update vulnerable packages automatically.

---

### What is the Vibe Code scanner?

Vibe Code scanning is a specialised scanner developed to analyse code generated by AI coding assistants (GitHub Copilot, ChatGPT, Cursor, Claude, Gemini, and similar tools). AI-generated code frequently contains security patterns that traditional SAST rule sets were not designed to detect, including:

- Subtly insecure patterns that look syntactically correct but are semantically unsafe
- Insecure cryptography defaults (e.g. weak key sizes, deprecated algorithms) suggested by older training data
- Copy-pasted StackOverflow snippets with known vulnerabilities embedded in otherwise AI-written code
- Missing input validation in auto-completed functions
- Hardcoded example credentials left in from AI suggestions

The Vibe Code scanner uses a fine-tuned model (Qwen2.5-Coder-3B-Instruct with LoRA rank 512) trained specifically on AI-generated code patterns to catch these issues.

---

### What IaC platforms and misconfigurations does AquilaX detect?

The IaC scanner covers the following platforms and common misconfiguration categories:

- **Terraform** — publicly exposed S3 buckets, unencrypted RDS databases, open security groups, missing MFA deletion, overly permissive IAM policies, unversioned S3 buckets.
- **AWS CloudFormation** — same categories as Terraform, plus CloudTrail disabled, VPC flow logs missing.
- **Kubernetes YAML / Helm** — containers running as root, privileged containers, missing network policies, missing resource limits, use of default service account, hostPath mounts.
- **Dockerfile** — running as root user, using latest tag, secrets in ENV variables, ADD vs COPY, unnecessary installed packages.
- **Docker Compose** — privileged mode, open port bindings, missing restart policies.
- **Ansible** — use of shell/command module with untrusted input, no_log missing for sensitive tasks, become: yes without necessity.

---

### How does DAST work and does it require a running application?

Yes — Dynamic Application Security Testing (DAST) requires a running target application or a staging environment accessible to the AquilaX scanner. The DAST engine performs active probing by sending crafted HTTP requests to the target and analysing responses for vulnerability indicators.

DAST coverage includes: SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Server-Side Request Forgery (SSRF), XML External Entity (XXE), Broken Object Level Authorisation (BOLA/IDOR), Open Redirects, and HTTP security header analysis.

DAST can be configured to target any URL — cloud staging environments, local tunnels (via ngrok or Cloudflare Tunnel), or private network hosts when using on-premises deployment.

---

### What is Securitron AI?

Securitron AI is AquilaX's proprietary artificial intelligence engine. It is not a single model but a suite of specialised AI models that work together across the scanning pipeline:

- **Review Model** — A GraphCodeBERT-based classifier (93.54% accuracy) that reads every scanner finding and classifies it as a true positive or false positive using code context, historical feedback from your team, and cross-organisation signal.
- **AI Scanner Model** — A fine-tuned Qwen2.5-Coder-3B-Instruct model (LoRA rank 512, 4-bit quantised, trained on 100K files across 5 epochs) that performs deep semantic vulnerability analysis on source code files.
- **Security Assistant (QnA)** — A Qwen2.5-Coder-0.5B model fine-tuned with LoRA (rank 256, alpha 64) that answers developer questions about specific findings in natural language.
- **Securitron Chat** — An 8192-token context chat model that maintains multi-turn conversation history (up to 5 exchanges) using ChatML format, accessible via the /genai/securitron API.
- **Query Model** — A FLAN-T5-base model trained to translate natural language questions into PostgreSQL queries for searching across your findings database.

Collectively, Securitron AI has been trained on data from over 300 million projects.

---

### How does Securitron eliminate 93.54% of false positives?

The Review Model (based on GraphCodeBERT) is trained to understand both the code structure and the semantic context of a vulnerability finding. Unlike rule-based suppression, it does not use a fixed allowlist. Instead, it learns from:

- **Code context** — the actual code at the flagged location, surrounding functions, and call graph.
- **Historical feedback** — when developers mark a finding as a false positive, the per-customer model retrains automatically on that signal.
- **Cross-organisation patterns** — anonymised signal from across the AquilaX user base helps the model recognise common safe coding patterns that naive scanners flag incorrectly.

The model's performance metrics are: 93.54% accuracy, 91.48% precision, and 96.98% recall — meaning it suppresses nearly all false positives while keeping almost all real vulnerabilities visible.

---

### What is a per-customer AI model and how does it retrain?

Every AquilaX organisation gets its own instance of the Securitron Review Model. This model is fine-tuned on your codebase's specific patterns, language choices, framework conventions, and your team's past triage decisions.

Retraining happens automatically on a rolling basis as your team reviews findings. There is no manual configuration required. The model adapts continuously — so the longer you use AquilaX, the more accurately it reflects what is and is not a real vulnerability in your specific codebase.

---

### Can Securitron AI generate fix patches and open pull requests?
Yes. For every confirmed true-positive finding, the AI Remediation Engine:

1. Generates a contextual code fix using the AI Scanner Model and the surrounding code context.
2. Validates the patch does not introduce new issues or break adjacent logic.
3. Opens a pull request (GitHub / GitLab / Bitbucket) with the fix applied and a description of what was changed and why.

Developers can review the PR, request changes, or merge it — all within their existing git workflow. This reduces mean time to remediate (MTTR) from days to minutes.

---

### How can I interact with Securitron AI as a developer?

Securitron AI is accessible in several ways:

- **Dashboard chat** — ask Securitron questions about any finding in plain English directly from the finding detail view.
- **Security Assistant API** — POST /api/genai/assistant accepts a question and a code snippet and returns a structured security analysis.
- **Securitron Chat API** — POST /api/genai/securitron supports multi-turn conversation with streaming output (text/event-stream) for building security-aware developer tooling.
- **Natural language query** — ask questions like "show me all critical SQL injection findings in the payments service" and the Query Model translates it to a database query automatically.

---

### What is included in the Free plan?

The AquilaX Free plan is permanent and requires no credit card. It includes:

- Unlimited Secrets scanning (across all files and git history)
- Unlimited PII detection
- Unlimited Compliance reports (OWASP Top 10, CWE Top 25, CVE tracking, PCI DSS, ISO 27001, NIST, DORA, NIS2)
- CI/CD integration (GitHub Actions, GitLab CI, and more)
- IDE plugin support
- REST API access
- SARIF 2.1.0 export

The Free plan is ideal for individual developers or small teams getting started with application security.

---

### What does the Premium plan ($19/month) include?
The Premium plan adds full SAST, SCA, DAST, Container, IaC, and API Security scanning on top of everything in Free:

- Everything in Free (Secrets, PII, Compliance)
- SAST (17+ languages, taint analysis)
- SCA (open-source dependency vulnerabilities + licence compliance)
- DAST (dynamic application scanning)
- Container Security (Docker image CVE scanning)
- IaC scanning (Terraform, K8s, Dockerfile, Ansible)
- API Security scanner (OpenAPI / GraphQL)
- 7 scanner engines total

Billed monthly at $19/month per organisation. No per-scan fees. Unlimited scans.

---

### What does the Ultimate plan ($99/month) include?

The Ultimate plan unlocks the full AquilaX platform, including Securitron AI:

- Everything in Premium (all 7 scanner engines)
- Malware detection
- Vibe Code scanner (AI-generated code security)
- Securitron AI engine (per-customer model, 93.54% FP elimination)
- AI-powered auto-remediation (patch generation + automated PRs)
- Securitron Chat and Security Assistant API access
- On-premises deployment option (Docker / Kubernetes)
- Priority support

A 14-day free trial is available — no credit card required. After the trial, the plan renews at $99/month.

---

### Is there an Enterprise plan?

Yes. The Enterprise plan is available for organisations that need:

- Custom user seat counts and team structures
- On-premises deployment with full data sovereignty (no data leaves your infrastructure)
- SSO / SAML identity provider integration
- Dedicated Securitron AI model with custom training data
- Custom compliance framework mapping
- SLA guarantees and dedicated customer success support
- Volume pricing and annual contracts

Contact admin[@]aquilax.ai for a custom quote or to schedule a proof-of-concept.

---

### Are there per-scan fees or usage limits?

No. AquilaX does not charge per scan. All plans — including Free — include unlimited scans. There are no hidden fees, overage charges, or scan quotas.
The pricing is per organisation per month, regardless of how many scans you run, how many repositories you connect, or how many developers are on your team.

---

### Which source code and version control platforms does AquilaX support?

AquilaX integrates natively with:

- **GitHub** (GitHub.com and GitHub Enterprise)
- **GitLab** (GitLab.com and self-managed GitLab) — AquilaX is an official GitLab Technology Partner
- **Bitbucket** (Bitbucket Cloud and Bitbucket Server)
- **Azure DevOps** (Azure Repos)

Integration supports OAuth-based repository connection, automatic webhook setup for scan-on-push, and pull request security checks (blocking merges on critical findings).

---

### Which CI/CD pipelines are supported?

AquilaX integrates with all major CI/CD systems:

- **GitHub Actions** — official action available in the GitHub Marketplace
- **GitLab CI** — native include template
- **Bitbucket Pipelines** — pipe available in the Atlassian Marketplace
- **Jenkins** — plugin and pipeline step
- **CircleCI** — orb available
- **Travis CI, TeamCity, Bamboo** — via the AquilaX CLI or API

The AquilaX CLI can be added to any pipeline with a single command — no platform-specific plugin required.

---

### Does AquilaX have an IDE plugin?

Yes. AquilaX provides IDE integrations that show security findings inline as you write code — before a commit is even made. Supported IDEs:

- **VS Code** — available in the VS Code Marketplace
- **JetBrains IDEs** (IntelliJ IDEA, PyCharm, GoLand, WebStorm) — available in the JetBrains Marketplace

The IDE plugin shows findings with severity, CWE mapping, and Securitron AI fix suggestions inline, with a one-click apply to fix the issue.

---

### What output formats does AquilaX support?
Scan results are available in the following formats:

- **SARIF 2.1.0** — natively understood by GitHub Security tab, GitLab Security Dashboard, and most SIEM tools
- **JSON** — full structured output via the REST API
- **PDF** — executive and technical security reports
- **CSV** — for spreadsheet-based analysis and ticketing workflows
- **HTML** — self-contained scan report for offline sharing

All outputs include CVE, CWE, and OWASP ID mapping on every finding.

---

### Does AquilaX integrate with ticketing or SIEM systems?

Yes. AquilaX supports webhook-based integration with any ticketing or alerting system. Findings can be automatically pushed to:

- **Jira** — creates issues with full finding context, severity, and remediation guidance
- **Slack / Microsoft Teams** — real-time notifications on new critical findings
- **PagerDuty** — alerts for critical severity findings
- **Splunk, Elastic SIEM** — via SARIF or JSON webhook output
- **Custom webhooks** — any HTTP endpoint

---

### Which compliance frameworks does AquilaX support?
AquilaX maps findings to the following compliance frameworks and generates audit-ready reports for each:

- **OWASP Top 10** — the 10 most critical web application security risks
- **CWE Top 25** — the 25 most dangerous software weaknesses
- **CVE Database** — real-time vulnerability tracking
- **PCI DSS** — Payment Card Industry Data Security Standard
- **ISO 27001** — international information security management standard
- **SOC 2** — Service Organisation Control (security, availability, processing integrity, confidentiality, privacy)
- **NIST CSF / 800-53** — US National Institute of Standards and Technology Cybersecurity Framework
- **DORA** — EU Digital Operational Resilience Act
- **NIS2** — EU Network and Information Security Directive 2
- **GDPR** — General Data Protection Regulation (via PII and data handling findings)
- **HIPAA** — Health Insurance Portability and Accountability Act
- **FFIEC** — Federal Financial Institutions Examination Council

---

### Can AquilaX generate audit-ready compliance reports?

Yes. AquilaX generates compliance reports in PDF and JSON format that are structured for security auditors. Each report includes:

- Executive summary with overall compliance posture score
- Findings mapped to specific framework control IDs
- Remediation status and evidence of fixes applied
- Scan history timeline showing security improvement over time
- Developer and repository attribution for each finding

Reports are available on demand and can be scheduled to generate automatically on a recurring cadence (weekly, monthly, quarterly) and delivered to stakeholders via email.

---

### How does AquilaX help with DORA and NIS2 compliance?

The EU Digital Operational Resilience Act (DORA) and NIS2 Directive require financial entities and critical infrastructure operators to demonstrate active management of ICT security risk, including application-level vulnerabilities.
AquilaX supports compliance by:

- Providing continuous (not point-in-time) security scanning across all software assets
- Generating evidence of vulnerability identification, risk scoring, and remediation timelines
- Mapping all findings to DORA and NIS2 control categories in the compliance report
- Supplying an immutable audit trail of scan results, developer review actions, and fix deployments

---

### Where is my source code processed and stored?

For cloud (SaaS) customers: your code is streamed to AquilaX's scanning infrastructure over TLS, scanned in an isolated ephemeral environment, and not persisted after the scan completes. Only the scan results (findings, metadata, file paths, and line numbers) are stored — not the source code itself.

For on-premises customers: all processing happens entirely within your own infrastructure. AquilaX does not receive any data — no code, no findings, no telemetry.

---

### Is AquilaX available for on-premises deployment?

Yes. AquilaX on-premises is available on the Ultimate and Enterprise plans. It is distributed as:

- **Docker Compose** — for single-host or small-team deployments
- **Kubernetes Helm chart** — for production-grade, horizontally scaled deployments

The full AquilaX platform — including all 32 scanners, Securitron AI models, the dashboard, and the REST API — is included in the on-premises package. It runs efficiently on CPU; no GPU is required. Minimum specification: 8 vCPU, 16 GB RAM, 100 GB storage.

On-premises deployments receive updates via a private container registry. No internet access is required after initial setup.

---

### Does AquilaX use my code to train its AI models?

No. AquilaX does not use customer source code to train shared AI models. Your code is scanned and discarded. The per-customer Securitron Review Model is trained on anonymised finding metadata (not source code) and your team's triage feedback — and that data is never shared with other organisations.
For on-premises deployments, all AI model inference runs locally. No data is sent to AquilaX or any third party.

---

### Is AquilaX itself secure? What certifications does it hold?

AquilaX practises what it preaches — the AquilaX platform is scanned by itself on every commit. The company is pursuing ISO 27001 certification and undergoes annual third-party penetration testing. The platform is hosted on SOC 2 Type II certified cloud infrastructure.

AquilaX is a member of NVIDIA Inception and the Microsoft for Startups programme, and holds official GitLab Technology Partner status.

---

### How does AquilaX handle access to my repositories?

AquilaX requests the minimum necessary permissions when connecting to your source code platform:

- **Read access** to repository contents (for scanning)
- **Write access** to pull requests (only if you enable auto-remediation PRs)
- **Webhook access** to receive push events and trigger scans automatically

You can revoke access at any time from your source code platform's OAuth application settings. AquilaX does not store OAuth tokens in plaintext — they are encrypted at rest using AES-256.

---

### Where is AquilaX based and who operates it?

AquilaX is operated by AquilaX LTD, a company registered in England and Wales. Registered address: 124 City Road, London, EC1V 2NX, United Kingdom. You can reach the team at admin[@]aquilax.ai.

The platform serves customers globally, with cloud infrastructure hosted in the European Union to comply with GDPR data residency requirements.