Your AI SecurityTeam
A security team on retainer for people who ship. Three AI agents that review your code, triage your dependencies, and keep you ready for incidents — powered by the strongest models in the catalog.
Meet Your AI Team
Three specialists working together to review, watch, and defend what you ship
Silas
AppSec Reviewer
Security review of your diffs, files, and flows — injection, broken auth, secrets, unsafe deserialization.
AI Model
GPT-5.6 Sol Ultra
"Reads code the way an attacker does, then hands you the patch. Calm and exact — never scaremongers, never inflates severity."
Example prompts
Wren
Dependency & Exposure Watch
CVE triage against your real dependency tree, plus public-surface checks — headers, CORS, TLS, EOL runtimes.
AI Model
GPT-5.6 Sol
"Methodical and immune to hype. Asks 'does this vuln even reach your code?' before you panic. Cuts thirty alerts down to the three that matter."
Example prompts
Rhea
Incident & Hardening Coach
Incident triage and runbooks, prioritized hardening plans, and honest breach-disclosure drafts.
AI Model
GPT-5.6 Sol
"The steady hand in a crisis. Gives the next three actions in order, not a wall of everything. Nudges you to write the runbook before the 2am page."
Example prompts
See It In Action
Real conversations showing how your AI security team works
Silas
AppSec Reviewer
Quick check before I ship: `app.get('/avatar', (req, res) => res.sendFile(req.query.path))`. Anything wrong?
Yes — this is a path traversal vulnerability, and it's shipping a critical. **The issue (severity: critical):** `req.query.path` is attacker-controlled and passed straight to `sendFile`. A request like `/avatar?path=../../../../etc/passwd` reads arbitrary files off your server — source code, `.env`, SSH keys, anything the process can read. **Proof:** ``` GET /avatar?path=../../.env ``` returns your environment file. **The fix — never let user input choose the path:** ```js import path from "node:path"; const AVATAR_DIR = "/var/app/avatars"; app.get("/avatar/:id", (req, res) => { // whitelist the filename, resolve, and confirm it stays in the dir const file = path.resolve(AVATAR_DIR, path.basename(req.params.id)); if (!file.startsWith(AVATAR_DIR + path.sep)) { return res.status(400).end(); } res.sendFile(file); }); ``` `path.basename` strips directory components, `path.resolve` + the `startsWith` check is your belt-and-suspenders. Ship this instead. Want me to check the rest of your route handlers for the same pattern?
Wren
Dependency & Exposure Watch
Dependabot is screaming about 12 vulnerabilities in my project. I'm one person. Where do I even start?
Twelve alerts, but you don't have twelve problems. Paste your `package.json` (or the lockfile) and I'll cut it down. Here's how I'll rank them: **Fix now** — reachable + high severity: - Vulns in packages you call directly, on the code path an attacker can hit (e.g. a parser handling user input, an auth library) **Fix soon** — high severity but indirect: - Deep transitive deps, or vulns in a function you don't call **Monitor / ignore** — and I'll tell you *why*: - Dev-only dependencies (build tools, test runners) — not in your production runtime - Vulns in code paths your usage never triggers **The honest truth:** most Dependabot noise is transitive dev dependencies that never touch production. The one that matters is usually the parser or the auth lib. Send the file and I'll give you a ranked list — probably 2-3 real fixes, and permission to ignore the rest with a clear conscience.
Rhea
Incident & Hardening Coach
I just realized I committed my Stripe secret key to a public GitHub repo three days ago. I'm panicking.
Breathe. This is recoverable, and you're going to do four things in order. Don't skip to step 3. **1. Roll the key — right now (next 5 minutes).** Stripe Dashboard → Developers → API keys → roll the secret key. This *immediately* invalidates the leaked one. A key in a public repo for three days should be assumed compromised, so this is non-negotiable and comes first. **2. Check for abuse (next 30 minutes).** Stripe Dashboard → Payments and Logs. Look for charges, refunds, or API calls you didn't make in the last three days. Note anything suspicious — you may need it for step 4. **3. Purge it from history.** Rotating the key makes the leak harmless, but scrub it anyway: use `git filter-repo` (or BFG) to remove the key from history, then force-push. GitHub also caches — the key is burned regardless, which is why step 1 was first. **4. Decide on disclosure.** If step 2 found unauthorized charges affecting customers, you have a notification obligation — I'll draft that email with you, honest and measured. If there was no abuse, no disclosure is needed. Start with step 1. Tell me when the key is rolled and we'll move down the list together.
Quick Start
Get your security team running in under 5 minutes
Download and extract the pack ZIP file
Share your stack, repos, and what data you store in USER.md
Paste a diff to Silas before your next release
Give Wren your package.json and let Rhea write your first runbook
Works with all major platforms
Pro Tips
Get the most out of your AI security team
Paste the diff to Silas before you merge, not after you ship — reviews are cheapest pre-merge
Give Wren your actual lockfile; reachability judgment beats a generic CVE list every time
Have Rhea write runbooks for your top 3 scenarios now, while you're calm
Silas defaults to the ultra tier — the strongest model in the catalog — because security judgment is the highest-stakes reasoning you'll ask for
FAQ
Is this offensive or defensive security?
Do I need to be a security expert to use this?
Why does this pack use more powerful models?
Can Silas actually find real vulnerabilities?
Does Wren scan my dependencies automatically?
What runtimes does this work on?
Ready to Ship With Confidence?
Get Silas, Wren, and Rhea working for you today. Your AI security team is ready to review, watch, and defend.
Instant download • Works with OpenClaw + Hermes • Lifetime access
Live in 15 minutes — or we set it up together, free. Stuck at any step? Book a free setup call and we'll get your agent running together.