12 scanner engines including a brand-new Wireless Security engine (Wi-Fi / BT / BLE / RF / NFC / IoT). 91 secret patterns. 18 compliance frameworks. IDE-native via Claude Code. OpenSSF malicious-package intelligence. One unified Security Factor Score that tells you exactly where you stand.
From the first line of code to production. One platform, one score, complete visibility.
AI-powered static code analysis. 30+ detection rules, multi-language support, CWE/OWASP mapping, Best Fix Location.
Software Composition Analysis backed by a DB-driven malicious-package registry (OpenSSF Malicious Packages + SF-curated seed, synced daily from OSV.dev). CVE/NVD lookup, license compliance (GPL, AGPL), exploitable path analysis, SBOM generation (SPDX/CycloneDX).
91 high-signal patterns (pre-compiled) grouped by vendor — AWS/Azure/GCP, GitHub variants, AI APIs (OpenAI, Anthropic, Hugging Face, Groq), Slack/Discord/Telegram, Stripe/Square/Shopify, Datadog/Sentry, DB connection strings, private keys, plus 10 IoT/wireless cloud patterns (Azure IoT Hub SAS, AWS IoT, ESP-IDF Wi-Fi creds, MQTT URLs).
25+ rules for Terraform, Kubernetes, Docker, CloudFormation, Ansible, Helm. Public buckets, open security groups, privileged containers, hardcoded credentials.
Dockerfile and docker-compose analysis. Root user detection, exposed ports, secrets in ENV, base image vulnerabilities, HEALTHCHECK validation.
AI Supply Chain Security. Detect prompt injection, model poisoning, insecure deserialization, RAG poisoning, agent hijacking. OWASP LLM Top 10 + MITRE ATLAS mapping.
Proprietary compliance engine for Ansible, Terraform and Kubernetes. Evaluates ten maturity factors — version control, config decoupling, multi-env inventories, idempotency, role modularity, dependency management, secrets separation, declarative simplicity, testing, documentation.
Six-surface engine for Wi-Fi (WEP/WPA/WPS), Bluetooth Classic, BLE pairing (Just Works, KNOB, LESC), sub-GHz RF, NFC/RFID (MIFARE) and IoT transports (Zigbee, MQTT, CoAP, LoRa). 18 detection rules backed by a 24-control Wireless Security Baseline mapped to NIST SP 800-153 / 121 R2 / 97 and IEEE 802.11i.
SF365 ships fast. These are the seven capabilities that position us ahead of SonarQube, Snyk and Checkmarx for teams operating in the Claude Code / Cursor / Copilot workflow — now extended to Bluetooth, Wi-Fi and IoT firmware.
Install one Claude Code skill and run /sf365 scan from any repo. JWT-authenticated, Python-stdlib only, zero external deps. Findings persist in the full portal so the team still has compliance reports + dashboards.
Curated registry seeded with documented incidents (event-stream, ua-parser-js, ctx, typosquats) and refreshed daily from OSV.dev's OpenSSF feed. Every SCA scan cross-checks dependencies; matches raise Critical findings with full provenance.
One-click scan of deliberately-vulnerable reference apps — WebGoat, Juice Shop, NodeGoat, DVWA, Pygoat, Railsgoat. Prove detection accuracy live in a demo. No more vendor claims you can't verify.
Pre-compiled vendor-aware catalog: 14 cloud providers, 8 GitHub variants (fine-grained PATs, App tokens), 9 AI APIs (OpenAI, Anthropic, Hugging Face, Replicate, Groq, Gemini, Cohere, Pinecone), payments, monitoring, databases, private keys, and 10 IoT/wireless cloud patterns (Azure IoT Hub SAS, AWS IoT, Particle, Tuya, ESP-IDF Wi-Fi creds, MQTT URLs).
Color-coded scan summaries to Slack Incoming Webhooks after every scan. High/Critical findings confirmed in the portal auto-create Jira Cloud issues via REST API v3, with CWE/OWASP context and deep links back to the finding.
Our own compliance domain for Ansible, Terraform and Kubernetes — a dedicated scanner that grades ten factors from version control to documentation. Vendable as its own product to platform/SRE teams.
12th scanner for the Bluetooth, Wi-Fi and IoT era. 18 detection rules across six surfaces — Wi-Fi (WEP/WPA/WPS, KRACK), Bluetooth Classic (legacy pairing, default PINs), BLE (Just Works, KNOB, LESC off, GATT without encryption), sub-GHz RF, NFC/RFID (MIFARE Classic), and IoT transports (Zigbee TC key, plain MQTT, CoAP without DTLS) — plus a 24-control Wireless Security Baseline mapped to NIST + IEEE 802.11i and a dedicated /wireless-security dashboard.
Four hand-crafted utilities that run entirely in your browser. No uploads, no logins, no telemetry. Built from the same rule engines that power SF365.
A proprietary 0-100 score that makes security measurable, understandable, and actionable for both developers and executives.
SAST findings, vulnerability density, AI code risks
Dependencies, CVEs, malicious packages, SBOM
DAST, API exposure, endpoint risks, shadow APIs
IaC misconfigs, secrets, cloud/container security
OWASP, PCI DSS, HIPAA, GDPR, SOC 2, NIST, ISO 27001, MITRE
AI correlations, trend analysis, threat hunting
SENTINEL logs, anomaly detection, incident MTTR
Not just scanning tools - intelligent AI agents that triage, remediate, advise, and model threats autonomously.
Prioritizes findings by real-world exploitability and business impact. Not just CVSS - actual risk.
Generates production-ready code fixes with confidence scores. Copy-paste remediation.
Interactive AI chat. Ask about OWASP, CWE, secure coding, compliance. Your personal security expert.
STRIDE/DREAD threat models with Mermaid data-flow diagrams. Visual threat analysis.
AI-Powered Log Intelligence & Observability Platform.
Works standalone or integrated with Security Factor 365.
REST API and gRPC. Structured and unstructured logs. Automatic format normalization and security context enrichment.
Brute force, credential stuffing, slow attacks, data exfiltration, privilege escalation. Pattern learning, not static rules.
Correlate isolated events into attack timelines. Detect multi-phase attacks: Account Takeover, APT, Data Breach attempts.
For small teams getting started
5 Applications
SAST + SCA Engines
Security Factor Score
SBOM Generation
Basic Reports (PDF/CSV)
10 Core Features
For growing security teams
25 Applications
All 11 Scanner Engines (incl. 12-Factor IaC)
AI Copilot + Triage + Remediation
Compliance Hub (17 frameworks)
Threat Modeler (STRIDE/DREAD)
Remediation Kanban + Robot Builder
SF Lab + SBOM + CBOM
22 Features
For large organizations
Unlimited Applications
Everything in Professional
SENTINEL Log Intelligence
MCP Server (28 tools)
White-Label Branding
AIBOM + MLBOM + SARIF Import
MITRE ATT&CK Mapping
Executive View + Security Matrix
30+ Features
Experience Security Factor 365's intelligence with these free tools. Results are instant and 100% private.
Check security headers, HTTPS, and common misconfigurations
Paste server logs and get instant security intelligence
Real-time monitoring of threats detected across our platform. SF365 never sleeps.
Start your free trial today. No credit card required. See your Security Factor Score in minutes.
AI-Powered Source Code Analysis
Static Application Security Testing analyzes your source code without executing it to find vulnerabilities early in the development lifecycle. Security Factor 365's SAST engine uses AI-enhanced pattern matching and data-flow analysis to detect issues with minimal false positives.
C#, Java, Python, JavaScript, TypeScript, PHP, Go, Rust, Kotlin, Swift, Ruby, C/C++, Scala, JSX/TSX, Vue, Razor
Unlike simple regex-based scanners, Security Factor 365's SAST engine combines three layers of analysis:
VULNERABLE CODE
var query = "SELECT * FROM Users WHERE Id = " + userId; // untrusted userId concatenated into the SQL text
var cmd = new SqlCommand(query, connection);
SECURE CODE (AI-Generated Fix)
var query = "SELECT * FROM Users WHERE Id = @Id";
var cmd = new SqlCommand(query, connection);
cmd.Parameters.AddWithValue("@Id", userId); // bound as a parameter, never parsed as SQL
| OWASP Category | CWEs Detected | Rules |
|---|---|---|
| A01 Broken Access Control | CWE-862, CWE-863 | 3 |
| A02 Cryptographic Failures | CWE-327, CWE-328, CWE-321, CWE-330 | 5 |
| A03 Injection | CWE-89, CWE-78, CWE-79, CWE-90, CWE-918 | 8 |
| A05 Security Misconfiguration | CWE-489, CWE-209, CWE-942, CWE-614 | 5 |
| A06 Vulnerable Components | CWE-326 | 1 |
| A07 Auth Failures | CWE-798 | 1 |
| A09 Logging Failures | CWE-532 | 1 |
| A10 SSRF | CWE-918 | 1 |
ASPM Correlation: When our SAST engine finds an SQL Injection and our Config scanner finds a database password in appsettings.json, the Correlation Engine flags this as a Critical Attack Chain — a compound vulnerability that neither scanner would catch alone. This is what separates Security Factor 365 from basic scanners.
Supply Chain Security & Dependency Analysis
Software Composition Analysis identifies security vulnerabilities, malicious code, and license risks in open-source and third-party dependencies. Our engine scans package manifests, detects transitive dependencies, and cross-references the CVE/NVD databases.
35+ Patterns for API Keys, Passwords, Tokens & Credentials
Hardcoded secrets in source code are one of the most common and dangerous vulnerabilities. A single exposed API key can lead to full account compromise, data breaches, and financial loss. Our engine continuously scans your codebase for 35+ secret patterns.
Infrastructure-as-Code Misconfiguration Detection
Infrastructure-as-Code security scanning detects misconfigurations before deployment. Catch public S3 buckets, open security groups, privileged containers, and hardcoded credentials in your Terraform, Kubernetes, Docker, and Ansible files.
Proprietary 7-Pillar Security Health Index (0-100)
The Security Factor Score is a weighted composite of 7 security pillars, each measuring a critical dimension of your application's security posture. The score makes security measurable, understandable, and actionable for both developers and executives.
| Pillar | Weight | What It Measures |
|---|---|---|
| Code Security | 20% | SAST findings, vulnerability density, AI code risks |
| Supply Chain | 15% | Dependency CVEs, malicious packages, license risks, SBOM |
| Runtime & API | 15% | DAST findings, API exposure, shadow/zombie APIs |
| Infrastructure | 15% | IaC misconfigs, secrets in code, cloud/container security |
| Compliance | 15% | OWASP, PCI DSS, HIPAA, GDPR, SOC 2, ISO 27001, NIST |
| Proactive Intel | 10% | AI trend analysis, threat hunting, attack prediction |
| Observability | 10% | SENTINEL log intelligence, anomaly detection, MTTR |
Most security tools give you a list of findings. Security Factor 365 gives you a number. That number tells you exactly where you stand, how you compare to your other applications, and whether you're improving or regressing over time.
Each pillar starts at 100 and loses points based on the severity and quantity of findings:
| Finding Severity | Points Deducted | Example |
|---|---|---|
| Critical | -20 per finding | SQL Injection, Exposed Private Key |
| High | -10 per finding | XSS, Weak Encryption, Open S3 Bucket |
| Medium | -4 per finding | CORS Wildcard, Debug Mode, Insecure Cookie |
| Low | -1.5 per finding | Deprecated Package, Missing HEALTHCHECK |
| Info | -0.3 per finding | Hardcoded Role Check, ADD vs COPY |
Every scan saves a score snapshot. The portal shows trend lines, historical comparisons, and delta indicators so you can see the impact of each sprint on your security posture. The Security Matrix view shows all applications x all 7 pillars in a NASA-style grid for instant portfolio visibility.
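As an added worked example (not SF365's own scoring code), the pillar weights and per-severity deductions quoted above carried through in Python. The findings list is constructed; flooring each pillar at 0 and combining pillars as a plain weighted sum are assumptions about how the composite is formed.

```python
"""Worked example of the 7-pillar Security Factor Score described above.
Illustration only: weights and deductions are the figures on the page; the
findings are constructed; the 0 floor and weighted sum are assumptions."""
from collections import defaultdict

PILLAR_WEIGHTS = {
    "Code Security": 0.20,
    "Supply Chain": 0.15,
    "Runtime & API": 0.15,
    "Infrastructure": 0.15,
    "Compliance": 0.15,
    "Proactive Intel": 0.10,
    "Observability": 0.10,
}
SEVERITY_DEDUCTION = {"Critical": 20.0, "High": 10.0, "Medium": 4.0, "Low": 1.5, "Info": 0.3}


def pillar_scores(findings):
    """Each pillar starts at 100 and loses points per finding (floor at 0, assumed)."""
    deductions = defaultdict(float)
    for pillar, severity in findings:
        deductions[pillar] += SEVERITY_DEDUCTION[severity]
    return {p: max(0.0, 100.0 - deductions[p]) for p in PILLAR_WEIGHTS}


def security_factor_score(findings):
    """Weighted composite of the seven pillar scores, rounded to one decimal."""
    scores = pillar_scores(findings)
    return round(sum(scores[p] * w for p, w in PILLAR_WEIGHTS.items()), 1)


def score_delta(previous, current):
    """Change between two scan snapshots, as a trend view would show it."""
    return round(security_factor_score(current) - security_factor_score(previous), 1)


# Constructed sample findings: (pillar, severity)
SAMPLE_FINDINGS = [
    ("Code Security", "Critical"),   # SQL injection
    ("Code Security", "High"),       # reflected XSS
    ("Code Security", "Medium"),     # CORS wildcard
    ("Infrastructure", "Critical"),  # exposed private key
    ("Infrastructure", "Low"),       # missing HEALTHCHECK
    ("Supply Chain", "Low"),         # deprecated package
    ("Supply Chain", "Info"),
]
# Same application after the two Critical findings were fixed
REMEDIATED_FINDINGS = [f for f in SAMPLE_FINDINGS if f[1] != "Critical"]

if __name__ == "__main__":
    for pillar, score in pillar_scores(SAMPLE_FINDINGS).items():
        print(f"{pillar:16} {score:6.1f}")
    print("Security Factor Score:", security_factor_score(SAMPLE_FINDINGS))
    print("Delta after remediation:", score_delta(SAMPLE_FINDINGS, REMEDIATED_FINDINGS))
```

Note that fixing the two Critical findings moves the composite by 7 points while the Code Security pillar alone moves by 20, which is the weighting at work.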
Executive View: The CISO dashboard shows fleet-wide Security Factor Score with gauges, KPI cards, compliance status across all 17 frameworks, and AI-generated quick wins. Perfect for board presentations and audit reviews.
17 Security & Compliance Frameworks
Web application security risks. A01-A10 mapped to findings.
API-specific security risks. BOLA, broken auth, SSRF.
Payment card industry. Code review, vulnerability management.
Healthcare data. ePHI protection, encryption, audit controls.
EU data protection. Privacy by design, data minimization.
Trust service criteria. Security, availability, confidentiality.
Information security management systems standard.
Federal security controls. Identify, Protect, Detect, Respond, Recover.
Adversary tactics and techniques. Finding-to-tactic mapping.
Most dangerous software weaknesses.
Also supports: FISMA, SLSA, CIS Benchmarks, CCPA, FINRA, FedRAMP, SAMATE
Agentic AI — Not tools, intelligent agents that think, prioritize, and act
Traditional security tools generate reports. Our AI agents understand context, prioritize by business impact, generate fixes, and learn from your codebase. They work autonomously within your workflow — not as a post-scan afterthought, but as active participants in your security process.
Prioritizes findings by real-world exploitability, not just CVSS score. Combines heuristic scoring with AI analysis to identify what attackers would actually exploit first.
Generates production-ready code fixes with confidence scoring. Not generic advice — actual code you can copy-paste into your codebase.
Your personal security expert, available 24/7. An interactive AI assistant that understands your application context and answers security questions in real-time.
AI-assisted threat modeling that transforms application descriptions into structured threat analyses with visual diagrams.
The four agents work together as a pipeline: the Triage Agent prioritizes what matters, the Remediation Agent generates fixes, the Copilot answers questions along the way, and the Threat Modeler provides the strategic view. All powered by the same AI engine, all sharing context about your application.
Pro Tip: Combine AI Triage with ASPM Correlation Engine results. When the Triage Agent scores a correlated finding (one found by multiple engines), its priority automatically increases because cross-engine validation confirms exploitability.
AI Supply Chain, LLM Vulnerability & Model Security Analysis
Traditional application security tools were built for a world without AI. They scan for SQL injection, XSS, and dependency vulnerabilities — but miss an entirely new class of threats introduced by LLMs, ML models, AI agents, and vector databases. Security Factor 365 is the first platform to include a dedicated AI Security scanner alongside traditional AppSec engines.
While scanning, the engine automatically discovers and inventories all AI components in your codebase:
OpenAI, Anthropic, Cohere, Replicate, HuggingFace model imports and API calls.
LangChain, AutoGen, CrewAI, custom agent implementations with tool execution.
Model Context Protocol server implementations and tool registrations.
FAISS, Chroma, Pinecone, Weaviate, Qdrant — RAG infrastructure discovery.
System prompts, chat templates, and prompt engineering patterns.
.h5, .pkl, .pt, .onnx, .safetensors files — model storage and deployment paths.
VULNERABLE CODE
import openai

# untrusted user_input is spliced straight into the prompt text
prompt = f"You are a helpful assistant. Answer this: {user_input}"
response = openai.ChatCompletion.create(
    model="gpt-4", messages=[{"role": "user", "content": prompt}]
)
SECURE CODE
import openai

system_prompt = "You are a helpful assistant. Only answer factual questions."
# sanitize_user_input is an application-side helper (not shown on this page)
sanitized_input = sanitize_user_input(user_input, max_length=500)
response = openai.ChatCompletion.create(
    model="gpt-4",
    messages=[
        {"role": "system", "content": system_prompt},  # instructions kept out of the user turn
        {"role": "user", "content": sanitized_input},
    ],
    max_tokens=1000,
    temperature=0.7,
)
| Framework | Coverage | Categories |
|---|---|---|
| OWASP LLM Top 10 | 10/10 | LLM01-LLM10 |
| MITRE ATLAS | 12 tactics | AML.TA0001-TA0012 |
| EU AI Act | Art. 9, 10, 15 | High-risk system requirements |
| ISO 42001 | Clause 6, 8 | AI risk assessment & controls |
| NIST AI RMF | Govern, Map, Measure, Manage | AI risk functions |
| CSA MAESTRO | All 7 layers | Multi-agent security |
ASPM Correlation: When our AI Security scanner finds a prompt injection vulnerability and our Secrets scanner finds an exposed OpenAI API key in the same project, the Correlation Engine flags this as a Critical AI Attack Chain — an attacker could use the exposed key to exploit the injection point. This compound risk is invisible to traditional scanners.
Runtime Vulnerability Discovery & API Fuzzing
Dynamic Application Security Testing analyzes running applications from the outside — just like an attacker would. Unlike SAST (which reads source code), DAST sends actual HTTP requests, fuzzes inputs, and observes responses to find vulnerabilities that only manifest at runtime.
Automatically discovers endpoints, forms, APIs, and hidden parameters. Maps the full attack surface before testing.
Tests for SQL injection, XSS, command injection, SSRF, and LDAP injection using thousands of attack payloads.
Tests session management, cookie security, CSRF protection, brute force resistance, and MFA bypass attempts.
OWASP API Top 10 coverage. Tests REST, GraphQL, and gRPC endpoints for BOLA, broken auth, mass assignment.
Validates security headers (CSP, HSTS, X-Frame-Options), TLS configuration, CORS policies, and server information leaks.
Detects rate limiting gaps, privilege escalation paths, insecure direct object references, and workflow bypass opportunities.
When DAST confirms a vulnerability that SAST also found in source code, the ASPM Correlation Engine elevates its priority — a finding validated by two engines is far more likely to be a real, exploitable issue. This dramatically reduces false positives.
Cross-Engine Validation: A SQL injection found by SAST in source code AND confirmed by DAST at runtime gets a correlated risk score up to 2x higher — because it's proven exploitable.
Docker, Kubernetes, Helm & Cloud-Native Security
Container security covers the entire lifecycle of containerized applications — from base image selection through build-time scanning to runtime policy enforcement. As organizations adopt Docker and Kubernetes at scale, the attack surface expands with misconfigured containers, vulnerable base images, overprivileged workloads and secrets leaked into environment variables.
A single Dockerfile line like USER root or --privileged=true in a Kubernetes pod spec can turn a minor bug into a full cluster compromise. Container images inherit every CVE in their base layer, and one leaked AWS_SECRET_ACCESS_KEY in a build-arg can grant production access to anyone who pulls the image.
Dockerfile checks: USER root, :latest tags, ADD misuse, COPY . . overreach, missing HEALTHCHECK, multi-stage build opportunities.
Build-time secrets: values passed through ARG / ENV get caught before they land in the image's immutable history.
Kubernetes security context: privileged, runAsNonRoot, allowPrivilegeEscalation, readOnlyRootFilesystem, capabilities.drop, seccompProfile.
Kubernetes workload hygiene: hostNetwork: true, hostPID: true, missing resource limits, default service accounts, secrets mounted as env vars.
SF365's container checks run as part of both the Full scan and a standalone Container scan type. In CI, failing the build on any Critical Container finding (via quality gate) is a one-line policy. Slack and Jira integrations fire automatically when a new Critical lands — for containers, that usually means "stop the deployment, rotate the credential, rebuild the image."
Pro tip: Shift container scanning left of the registry push. A vulnerability found in CI costs one build minute; the same vulnerability found by an auditor three months later costs a board meeting.
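An added illustration, not SF365's engine: a small Dockerfile checker that implements the Dockerfile rules listed above (root as the final user, unpinned or :latest base images, ADD where COPY suffices, COPY . . of the whole context, secret-looking ARG/ENV keys, missing HEALTHCHECK) and the Critical quality gate used as the CI policy. Low for missing HEALTHCHECK and Info for ADD vs COPY follow the deduction table; the other severities are assumptions, and both Dockerfiles are constructed.

```python
"""Dockerfile checker for the container rules listed above (illustration only,
not SF365's engine). Severities marked (assumed) are not from the page."""
import re

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
SECRET_KEY_RE = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY", re.I)


def check_dockerfile(text):
    """Return (line, severity, message) findings; line 0 means whole-file."""
    findings = []
    stages = set()           # names declared with `FROM ... AS name`
    current_user = "root"    # Docker runs as root unless USER changes it
    saw_healthcheck = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        instr, args = parts[0].upper(), parts[1:]
        if instr == "FROM":
            image = next((a for a in args if not a.startswith("--")), "")
            upper = [a.upper() for a in args]
            if "AS" in upper:
                stages.add(args[upper.index("AS") + 1])
            ref = image.rsplit("/", 1)[-1]          # drop registry/namespace
            unpinned = ":" not in ref and "@" not in ref
            if image not in stages and image != "scratch" and (unpinned or ref.endswith(":latest")):
                findings.append((lineno, "High", f"base image not pinned: {image}"))  # (assumed)
        elif instr == "USER" and args:
            current_user = args[0].split(":")[0]
        elif instr == "ADD":
            findings.append((lineno, "Info", "ADD used where COPY suffices"))
        elif instr == "COPY" and args and args[0] == ".":
            findings.append((lineno, "Medium", "COPY . . copies the whole build context"))  # (assumed)
        elif instr in ("ARG", "ENV") and args:
            # ENV K=v K2=v2 form vs legacy `ENV K value` form
            keys = [t.split("=", 1)[0] for t in args] if "=" in args[0] else [args[0]]
            for key in keys:
                if SECRET_KEY_RE.search(key):
                    findings.append((lineno, "Critical", f"secret-looking {instr} {key} baked into image history"))
        elif instr == "HEALTHCHECK":
            saw_healthcheck = True
    if current_user in ("root", "0"):
        findings.append((0, "High", f"final USER is {current_user}"))  # (assumed)
    if not saw_healthcheck:
        findings.append((0, "Low", "missing HEALTHCHECK"))
    return findings


def fails_quality_gate(findings, threshold="Critical"):
    """CI policy from the text: fail the build on any finding at or above threshold."""
    return any(SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold] for _, sev, _ in findings)


# Constructed sample: one image with the problems the page lists, one without them
VULNERABLE_DOCKERFILE = """\
FROM node:latest
ARG NPM_TOKEN=abc123
ENV DB_PASSWORD=hunter2 PORT=3000
WORKDIR /app
ADD app.tar.gz /app/
COPY . .
RUN npm ci --omit=dev
EXPOSE 3000
USER root
CMD ["node", "server.js"]
"""
HARDENED_DOCKERFILE = """\
FROM node:20-alpine AS deps
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
FROM node:20-alpine
WORKDIR /app
ENV PORT=3000
COPY --from=deps /app/node_modules ./node_modules
COPY src/ ./src/
HEALTHCHECK --interval=30s CMD wget -qO- http://localhost:3000/healthz || exit 1
USER node
CMD ["node", "src/server.js"]
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        found = check_dockerfile(text)
        print(f"{name}: {len(found)} findings, gate fails={fails_quality_gate(found)}")
        for lineno, sev, msg in found:
            print(f"  L{lineno:<3} {sev:8} {msg}")
```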
Real-Time Anomaly Detection & Attack Chain Correlation
SENTINEL is Security Factor 365's companion product for AI-powered log intelligence. It works standalone or fully integrated with SF365, providing real-time anomaly detection, attack chain correlation, and intelligent alerting that goes far beyond traditional SIEM rule matching.
REST API and gRPC endpoints ingest logs from any source — application logs, web servers, firewalls, cloud providers, databases, and custom sources.
Normalizes diverse log formats into a unified schema with automatic enrichment — geo-IP, threat intelligence, application context, user identity.
Machine learning models detect brute force, credential stuffing, data exfiltration, privilege escalation, and slow/low attacks that rule-based systems miss.
Connects related events across time and sources to reconstruct full attack timelines. Classifies attack chains by MITRE ATT&CK tactics.
Alerts based on behavioral baselines, not static rules. Detects deviations from normal patterns — new access patterns, unusual data volumes, off-hours activity.
Full-text search, filtering, timeline visualization, and drill-down analysis. Real-time streaming view for active incident response.
SENTINEL + SF365: When SENTINEL detects an attack targeting a vulnerability that SF365 already found in your code, it automatically escalates both the finding and the alert — closing the loop between AppSec and runtime security.
Security Log Audit as a Service — No agents, no installation, no access to client systems required. Simply upload log files and SENTINEL does the rest.
Upload .log, .json, .csv, .txt, IIS W3C, Apache, nginx, syslog files. Auto-format detection.
Every file goes through: Ingestion → Normalization → AI Analysis → Correlation → Report.
Cross-file correlation detects multi-phase attacks: reconnaissance → brute force → escalation → exfiltration.
Export PDF/CSV reports with anomalies, attack chains, severity breakdown, top source IPs, and recommendations.
Perfect for Consultants & MSSPs: Offer security log auditing to your clients without deploying any software. Upload their logs, generate AI-powered findings, and deliver a professional audit report — all from the SENTINEL portal.
28 AI Tools for Security Automation
The Model Context Protocol (MCP) server exposes SF365's entire security platform as 28 AI-callable tools. This means AI assistants like Claude, GPT, or custom agents can directly trigger scans, query findings, generate reports, and manage remediations — all through a standardized protocol.
RunSastScan, RunScaScan, RunDastScan, RunFullScan — trigger any scan type programmatically.
GetSecurityScore, GetFindings, GetFindingDetail, AnalyzeCode — query security data and analyze code snippets.
ListApplications, GetAppDetail, GetDependencyTree — explore the application portfolio.
GetComplianceStatus, GetComplianceGaps, MapToFramework — audit compliance against any framework.
GenerateReport, GetSbom, ExportFindings — create PDF/CSV reports and SBOM documents.
SuggestFix, GetRemediationPlan, PrioritizeFindings — AI-powered fix generation and prioritization.
QueryLogs, GetAnomalies, GetAlerts — interact with log intelligence and anomaly detection.
HealthCheck, TestConnection, GetScanHistory, GetPlatformStats, ValidateLicense — system management.
AI-Native Security: Connect SF365 MCP to Claude Code, VS Code Copilot, or any MCP-compatible AI — your security platform becomes part of the developer's natural workflow.
SBOM, CBOM, MLBOM & AIBOM
Modern applications aren't just code and libraries. They include containers, ML models, AI components, and infrastructure. SF365 generates a complete inventory across all dimensions:
Complete inventory of all software components, libraries, and dependencies. Supports SPDX 2.3 and CycloneDX 1.5 formats. Required by US Executive Order 14028.
Full inventory of every package, binary, and library inside container images. Tracks base image lineage and layer-by-layer composition.
Documents ML model dependencies, training data sources, framework versions, and model provenance for AI governance and compliance.
Inventories AI components: LLM integrations, prompt templates, vector stores, fine-tuned models, and AI pipeline dependencies.
Auto-Generated: SF365 generates xBOM documents automatically during scans — no manual inventory required. Export in SPDX or CycloneDX format for regulatory submissions.
The Most Critical Web Application Security Risks
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation dedicated to improving the security of software. The OWASP Top 10 is the most widely recognized standard for web application security awareness, updated periodically based on real-world vulnerability data from hundreds of organizations.
94% of apps tested had some form of broken access control. Users acting outside their intended permissions.
Failures related to cryptography that lead to exposure of sensitive data — weak algorithms, missing encryption, improper key management.
SQL, NoSQL, OS, LDAP injection. User-supplied data sent to an interpreter as part of a command or query without validation.
Missing or ineffective security controls in the design phase. Threat modeling and secure design patterns are needed.
Default configs, open cloud storage, unnecessary features enabled, verbose error messages, missing security headers.
Using components with known vulnerabilities. Libraries, frameworks, and other software modules running with the same privileges.
Weak authentication mechanisms — credential stuffing, brute force, weak passwords, missing MFA, improper session management.
Assumptions about software updates, critical data, and CI/CD pipelines without verifying integrity. Deserialization attacks.
Insufficient logging, detection, monitoring, and active response. Breaches take 200+ days to detect without proper monitoring.
Server-Side Request Forgery occurs when a web app fetches a remote resource without validating the user-supplied URL.
Every finding detected by our SAST, SCA, DAST, and IaC engines is automatically mapped to the relevant OWASP category. The Compliance Hub shows your coverage percentage for each A01-A10 category, identifies gaps, and tracks remediation progress over time.
Real-Time Compliance: Your OWASP compliance score updates in real-time after every scan. No more manual mapping spreadsheets — SF365 does it automatically across all 10 categories.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Version 4.0 (effective March 2024) introduces significant new requirements for application security.
Software developed securely using secure coding practices. Vulnerability identification and remediation processes.
Known vulnerabilities identified and managed. CVE tracking, dependency scanning, timely patching.
Public-facing web applications protected against attacks. WAF deployment or automated vulnerability assessment.
All changes documented, tested, and approved. Security impact assessed for every code change.
Regular penetration testing. Internal and external, application-layer testing including injection and auth flaws.
Network and application-level intrusion detection. Real-time monitoring and alerting on suspicious activity.
SF365 Compliance: Our SAST and SCA engines satisfy Requirement 6.2.4 (automated code review) and 6.3.2 (vulnerability management). The Compliance Hub generates PCI DSS-ready audit reports with evidence mapping.
Health Insurance Portability and Accountability Act
HIPAA is a US federal law that mandates the protection of sensitive patient health information (PHI/ePHI). Any organization that handles electronic Protected Health Information must implement administrative, physical, and technical safeguards to ensure confidentiality, integrity, and availability.
Unique user identification, emergency access, automatic logoff, encryption/decryption of ePHI at rest.
Hardware, software, and procedural mechanisms to record and examine access to ePHI systems.
Policies and procedures to protect ePHI from improper alteration or destruction. Data validation mechanisms.
Verify that a person seeking access to ePHI is who they claim to be. Strong authentication mechanisms.
Technical measures to guard against unauthorized access to ePHI transmitted over electronic networks. TLS/encryption.
Must notify affected individuals, HHS, and media (500+ records) within 60 days of discovering a breach.
Application vulnerabilities are the #1 vector for healthcare data breaches. SQL injection, broken authentication, and misconfigured APIs can expose millions of patient records. HIPAA violations carry penalties up to $1.5 million per violation category per year.
SF365 for Healthcare: Our Secrets Scanner detects hardcoded ePHI, API keys, and connection strings. SAST finds authentication and encryption weaknesses. The Compliance Hub maps every finding to specific HIPAA sections.
General Data Protection Regulation (EU)
The General Data Protection Regulation is the EU's comprehensive data privacy law, effective since May 2018. It governs how organizations collect, process, store, and protect personal data of EU residents. Non-compliance can result in fines up to €20 million or 4% of global annual turnover.
Data protection must be integrated into processing activities from the design stage. Security controls built in, not bolted on.
Implement appropriate technical measures: pseudonymization, encryption, confidentiality, integrity, availability, and resilience.
Report breaches to supervisory authority within 72 hours. Notification must describe nature, consequences, and measures taken.
Data Protection Impact Assessment required for high-risk processing. Systematic description, necessity assessment, risk evaluation.
Personal data must be adequate, relevant, and limited to what is necessary. Applications must not collect excessive data.
Users have the right to be forgotten. Applications must support complete data deletion when requested.
GDPR doesn't prescribe specific technologies but requires "appropriate technical measures." This means vulnerability management, encryption validation, access control testing, and logging are all implicitly required. A data breach caused by a known, unpatched vulnerability is a clear compliance failure.
SF365 for GDPR: Our scanners detect personal data exposure, insecure data storage, missing encryption, and logging gaps. The Compliance Hub shows your GDPR readiness across all articles and generates audit-ready documentation.
Service Organization Control — Trust Service Criteria
SOC 2 is an auditing standard developed by the AICPA for service organizations. It evaluates an organization's information systems against five Trust Service Criteria (TSC). Type II reports cover a period of time (typically 6-12 months) and verify that controls are not only designed but also operating effectively.
Protection against unauthorized access. Firewalls, intrusion detection, MFA, vulnerability management, security monitoring.
System availability for operation and use as committed. Performance monitoring, disaster recovery, incident handling.
System processing is complete, valid, accurate, timely, and authorized. Data validation, error handling, QA processes.
Information designated as confidential is protected as committed. Encryption, access controls, data classification.
Personal information collected, used, retained, and disclosed conforms to commitments. Notice, consent, access rights.
SF365 for SOC 2: Continuous vulnerability scanning satisfies CC6.1 and CC7.1. Our audit trail covers CC8.1 change management. The Compliance Hub provides evidence mapping for your SOC 2 auditor.
NIST 800-53 & Cybersecurity Framework (CSF) 2.0
The National Institute of Standards and Technology (NIST) publishes cybersecurity frameworks used globally. NIST SP 800-53 provides a catalog of security and privacy controls, while the Cybersecurity Framework (CSF) 2.0 (released February 2024) provides a voluntary framework for managing cybersecurity risk.
Govern: Establish and monitor cybersecurity risk management strategy, expectations, and policy. Organizational context and supply chain risk.
Identify: Understand assets, business environment, governance, risk assessment, and supply chain. Asset management and risk strategies.
Protect: Develop and implement safeguards. Access control, awareness training, data security, protective technology, maintenance.
Detect: Develop and implement activities to identify cybersecurity events. Continuous monitoring, anomaly detection, security events.
Respond: Take action regarding detected cybersecurity incidents. Response planning, communications, analysis, mitigation, improvements.
Recover: Maintain resilience plans and restore capabilities impaired by cybersecurity incidents. Recovery planning, improvements, comms.
SF365 for NIST: Our platform maps findings to NIST 800-53 controls (SA-11, SI-2, SI-5, RA-5) and CSF 2.0 subcategories. SENTINEL covers the DETECT function. The Compliance Hub generates NIST-ready assessment reports.
Run SF365 from inside your AI coding workflow
A first-party Claude Code skill that wraps the SF365 REST API. Install once, then use natural language from any repository: "scan this repo", "list critical findings for the Billing app", "run SAST on application 7". Findings still persist in the full SF365 portal so your team keeps dashboards, compliance reports, and history — the skill is just the frictionless entry point.
Developers are no longer copy-pasting into standalone tools. They live inside Claude Code, Cursor and Copilot. Security that doesn't meet them there isn't adopted. The SF365 skill takes the enterprise-grade platform and makes it a one-command reach from the developer's prompt.
Credentials: stored in ~/.sf365/credentials.json (0600 on Unix).
Application lookup: /api/mobile/applications, ready to pick by name.
Scan submission: /api/webhooks/generic; synchronous return with finding counts.
Time to value: 60 seconds from claude plugin install sf365 to a first scan. The skill is MIT-licensed and lives in the SF365 repo under SF.Skill/skills/sf365.
OpenSSF + curated registry, daily OSV.dev sync
A dedicated DB-backed registry of known-malicious open-source packages. Every SCA scan cross-references it against the dependencies declared in package.json, requirements.txt, *.csproj and friends. A match raises a Critical finding with full provenance: advisory id, source feed, summary, and reference URL.
The registry ships with a curated seed of documented incidents and is refreshed daily by SfMaliciousPackageSyncService, which queries OSV.dev for MAL-* advisories (OpenSSF's Malicious Packages dataset). Failures degrade gracefully: the local DB is always usable even if the feed is unreachable.
Match key: (Ecosystem, PackageName); version ranges reserved for phase 2.
Admin UI: /malicious-packages page with a Sync Now button.
Why this is not optional: Supply-chain attacks bypass every SAST rule you have. SonarQube added malicious-package detection as a headline feature in 2026.1 — SF365 has it end-to-end today with OpenSSF as the authoritative feed.
Verifiable detection against OWASP-grade vulnerable apps
A first-class feature in the SF365 portal that clones a well-known deliberately-vulnerable application and runs a full 12-engine scan against it with one click. Results are real ScanSessions — visible in the normal findings grid, Application 360 view, reports, and dashboards. No vendor claims you can't verify. The benchmark catalog also includes IoT-Goat, DVRF (Damn Vulnerable Router Firmware) and BLE CTF for verifying wireless / firmware detection.
Clone: shallow (--depth 50) via the platform's SourceProviderService.
Scan: the full 12-engine run through the standard ScanOrchestrator.
Run it yourself: Log in to SF365, open /benchmarks and click Run Benchmark on any target. Requires git on PATH and outbound access to GitHub.
Vendor-aware catalog, pre-compiled at startup — now with IoT / wireless cloud
A ground-up rewrite of the SecretScanner pattern catalog: 91 high-signal regexes, organized by vendor, compiled once at static init so every scan line iterates ready-to-match automata instead of rebuilding patterns. Each pattern has a name, regex, vendor group, and severity — so findings land with clear attribution instead of "generic secret detected". The 2026 expansion adds 10 dedicated IoT / wireless cloud patterns aimed at firmware repositories and connected-device platforms.
Leaking an AI API key is a 2026 mistake. SF365 detects dedicated formats for OpenAI (sk- / sk-proj-), Anthropic (sk-ant-), Hugging Face (hf_), Replicate (r8_), Groq (gsk_), Gemini / Google AI Studio, Cohere and Pinecone. None of these show up in a generic "API key" regex.
Connected-device codebases routinely embed device-pairing material as constants. The new patterns catch:
Azure IoT Hub Device SAS: HostName=*.azure-devices.net;SharedAccessKey=...
Azure IoT connection string: IotHubConnectionString=... in source
AWS IoT MQTT endpoint: *.iot.<region>.amazonaws.com
GCP IoT device: mqtt.googleapis.com/projects/…/registries/…
HomeKit pairing setup code: NNN-NN-NNN
MQTT URL with embedded credentials: mqtt://user:pass@broker
ESP-IDF Wi-Fi credentials: CONFIG_ESP_WIFI_SSID / CONFIG_ESP_WIFI_PASSWORD
Heroku API keys require the heroku key name prefix, eliminating false positives on any UUID in source.
Exclusions: node_modules/, .git/, vendor/, images, archives, fonts, lockfiles all skipped.
Benchmark vs SonarQube 2026.1: Sonar advertises "450+ secret patterns" across all product tiers. SF365's 91 are hand-curated for precision — zero false positives on well-known GUID and bare-hex fixtures, and uniquely tuned for AI APIs and IoT firmware.
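A scaled-down version of the vendor-aware catalogue described above, written here as an added Python example and not SF365's SecretScanner code: patterns compiled once at import, each hit attributed with name, vendor and severity, the Heroku rule requiring a key-name prefix so bare UUIDs stay quiet, and the skip list applied before any line is scanned. The regexes, severities and fixture lines are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed catalogue (not SF365's): (name, vendor, severity, regex). Compiled once at
# import time, so every scanned line reuses ready automata instead of rebuilding patterns.
_CATALOG = [
    ("OpenAI API key", "AI", "Critical", r"\bsk-(?!ant-)(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
    ("Anthropic API key", "AI", "Critical", r"\bsk-ant-[A-Za-z0-9_-]{20,}\b"),
    ("Hugging Face token", "AI", "High", r"\bhf_[A-Za-z0-9]{20,}\b"),
    ("Azure IoT Hub SAS", "IoT", "Critical",
     r"HostName=[^;\s]+\.azure-devices\.net;\S*SharedAccessKey=[^\s;]+"),
    ("MQTT URL with credentials", "IoT", "High", r"\bmqtts?://[^\s:/@]+:[^\s@]+@\S+"),
    ("ESP-IDF Wi-Fi password", "IoT", "High", r'CONFIG_ESP_WIFI_PASSWORD\s*=\s*"[^"]+"'),
    # A bare UUID would match every session or trace id; require the heroku key-name prefix.
    ("Heroku API key", "Heroku", "High",
     r"(?i)heroku[_-]?(?:api[_-]?)?key\W{0,3}[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"),
]
PATTERNS = [(n, v, s, re.compile(rx)) for n, v, s, rx in _CATALOG]

SKIP_DIRS = {"node_modules", ".git", "vendor"}
SKIP_SUFFIXES = {".png", ".jpg", ".gif", ".zip", ".tar", ".gz", ".woff", ".ttf", ".lock"}
SKIP_NAMES = {"package-lock.json", "yarn.lock"}

def should_skip(path: str) -> bool:
    """Dependency trees, VCS metadata, binaries and lockfiles are never scanned."""
    p = PurePosixPath(path)
    return (bool(SKIP_DIRS & set(p.parts[:-1]))
            or p.suffix.lower() in SKIP_SUFFIXES or p.name in SKIP_NAMES)

def scan_text(path: str, text: str) -> list:
    """One attributed finding per (line, pattern) hit; the matched secret itself is not stored."""
    if should_skip(path):
        return []
    return [{"path": path, "line": n, "pattern": name, "vendor": vendor, "severity": sev}
            for n, line in enumerate(text.splitlines(), 1)
            for name, vendor, sev, rx in PATTERNS if rx.search(line)]

# Constructed fixture files; none of these values are real credentials.
SAMPLE = {
    "src/config.py": 'OPENAI_KEY = "sk-proj-abcdefghijklmnopqrstuvwxyz012345"\n'
                     'ANTHROPIC_KEY = "sk-ant-api03-abcdefghijklmnopqrstuvwxyz01"\n'
                     'SESSION_ID = "123e4567-e89b-12d3-a456-426614174000"\n'
                     'HEROKU_API_KEY=123e4567-e89b-12d3-a456-426614174000\n',
    "firmware/sdkconfig": 'CONFIG_ESP_WIFI_SSID="plant"\nCONFIG_ESP_WIFI_PASSWORD="hunter2"\n',
    "node_modules/x/index.js": 'const k = "sk-proj-abcdefghijklmnopqrstuvwxyz012345";\n',
}

def scan_all(files=SAMPLE) -> list:
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

The bare UUID on line 3 of the fixture and the key under node_modules/ produce no finding; the prefixed Heroku key and the ESP-IDF password do.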
Post-scan summaries and auto-ticketing where your team already lives
After every scan, SF365 posts a colour-coded summary to an Incoming Webhook URL configured on the Integrations page. Critical > 0 renders red, High > 0 renders yellow, everything else renders green. Six fields are attached (Critical, High, Medium, Low, Total, Duration) plus a deep link to Application 360.
When a High or Critical finding is Confirmed in the portal, SF365 calls POST /rest/api/3/issue with Basic Auth (user email + API token) and creates a ticket in your configured project. Severity is mapped to priority (Critical → Highest). The CWE, CVE, OWASP category, file path and AI remediation summary go into the description as rich ADF content. The returned key and URL are stored on the Finding so the dashboard shows an inline Linked Jira issue badge.
Zero new infrastructure: Both integrations use standard HTTPS with the provider's public endpoints. No mTLS, no broker, no sidecar — one webhook URL, one API token, done.
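The two integrations as an added Python example, not SF365's own code: the Slack attachment with the colour rule and six fields described above, and the Jira Cloud body for POST /rest/api/3/issue with Basic auth and an ADF description. The High → High priority mapping, the Bug issue type, and the sample finding are assumptions of the example; no request is sent.

```python
import base64

SEVERITIES = ("Critical", "High", "Medium", "Low")
# Only Confirmed High/Critical findings become tickets; High -> High is assumed here.
PRIORITY = {"Critical": "Highest", "High": "High"}

def slack_summary(counts: dict, duration_s: int, app360_url: str) -> dict:
    """Incoming-webhook body: red if any Critical, yellow if any High, otherwise green."""
    if counts.get("Critical", 0) > 0:
        color = "danger"        # Slack's red attachment colour
    elif counts.get("High", 0) > 0:
        color = "warning"       # yellow
    else:
        color = "good"          # green
    total = sum(counts.get(s, 0) for s in SEVERITIES)
    fields = [{"title": s, "value": str(counts.get(s, 0)), "short": True} for s in SEVERITIES]
    fields += [{"title": "Total", "value": str(total), "short": True},
               {"title": "Duration", "value": f"{duration_s}s", "short": True}]
    return {"attachments": [{"color": color, "title": "SF365 scan complete",
                             "title_link": app360_url, "fields": fields}]}

def basic_auth_header(email: str, api_token: str) -> str:
    """Jira Cloud Basic auth value: base64 of 'email:token'."""
    return "Basic " + base64.b64encode(f"{email}:{api_token}".encode()).decode()

def adf_paragraph(text: str) -> dict:
    return {"type": "paragraph", "content": [{"type": "text", "text": text}]}

def jira_issue_payload(finding: dict, project_key: str):
    """Body for POST /rest/api/3/issue, or None when the finding should not be ticketed."""
    if finding["status"] != "Confirmed" or finding["severity"] not in PRIORITY:
        return None
    rows = [("CWE", "cwe"), ("CVE", "cve"), ("OWASP", "owasp"), ("File", "path"),
            ("AI remediation", "remediation")]
    description = {"type": "doc", "version": 1,
                   "content": [adf_paragraph(f"{label}: {finding.get(key) or 'n/a'}")
                               for label, key in rows]}
    return {"fields": {"project": {"key": project_key}, "issuetype": {"name": "Bug"},
                       "summary": f"[{finding['severity']}] {finding['title']}",
                       "priority": {"name": PRIORITY[finding["severity"]]},
                       "description": description}}

# Constructed finding, not from a real scan.
SAMPLE_FINDING = {"status": "Confirmed", "severity": "Critical", "title": "SQL injection in OrderRepo",
                  "cwe": "CWE-89", "cve": "", "owasp": "A03:2021 Injection",
                  "path": "src/OrderRepo.cs", "remediation": "Use parameterised queries."}
```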
The Twelve-Factor manifesto applied to Infrastructure-as-Code
IaC has hit the same maturity wall application code hit in 2011, when Heroku published the Twelve-Factor App. Teams ship Ansible playbooks, Terraform modules and Kubernetes manifests with wildly different levels of discipline — some versioned and tested, others hardcoded and unrepeatable. The SF365 12-Factor IaC Engine is a proprietary compliance domain that grades a codebase against ten auditable factors.
Version control: git. No .git/ → finding.
Config decoupling: *.tfvars are flagged.
Idempotency: shell: / command: without creates: / when: is a rerun bomb.
Role modularity: roles/.
Dependency management: requirements.yml / versions.tf.
Testing: no molecule/, no .ansible-lint, no .tflint.hcl.
Documentation: README.md.
Every violation lands as a regular SF365 Finding with Category = "12-Factor IaC", so you can filter the global findings grid, build a dashboard per factor, or export PDF / CSV compliance reports. The engine is wired into both the standalone IacTwelveFactor scan type and the Full scan, alongside the other 11 engines.
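A minimal version of the factor checks above as an added Python example (not the SF365 engine): presence checks for the file-system facts the page lists, a line-based idempotency pass over playbooks, and every hit tagged Category = "12-Factor IaC". The severities, the factor each check is filed under, and the sample repository are assumptions of the example.

```python
CATEGORY = "12-Factor IaC"
PRESENCE = [  # (factor, severity, any-of paths); factor names follow the page's list
    ("Version control", "Critical", (".git",)),
    ("Role modularity", "Medium", ("roles",)),
    ("Dependency management", "Medium", ("requirements.yml", "versions.tf")),
    ("Testing", "Medium", ("molecule", ".ansible-lint", ".tflint.hcl")),
    ("Documentation", "Low", ("README.md",)),
]

def finding(factor, severity, message, path="."):
    return {"category": CATEGORY, "factor": factor, "severity": severity, "message": message, "path": path}

def idempotency_findings(playbook_text, path):
    """Line-based pass (no YAML library): collect the keys under each '- ' block and flag
    shell:/command: tasks that carry neither creates: nor when:."""
    tasks = []
    for n, line in enumerate(playbook_text.splitlines(), 1):
        s = line.strip()
        if s.startswith("- "):
            tasks.append((n, set()))
            s = s[2:]
        if tasks and ":" in s:
            tasks[-1][1].add(s.split(":", 1)[0].strip())
    return [finding("Idempotency", "High", "shell:/command: without creates:/when: is a rerun bomb", f"{path}:{n}")
            for n, keys in tasks if keys & {"shell", "command"} and not keys & {"creates", "when"}]

def repo_findings(files):
    """files maps repo-relative path -> content; a directory exists if any file sits under it."""
    has = lambda p: any(f == p or f.startswith(p + "/") for f in files)
    out = [finding(factor, sev, "missing " + " / ".join(paths))
           for factor, sev, paths in PRESENCE if not any(has(p) for p in paths)]
    for path, text in files.items():
        if path.endswith(".tfvars"):
            out.append(finding("Config decoupling", "High", "committed *.tfvars", path))
        elif path.endswith((".yml", ".yaml")):
            out.extend(idempotency_findings(text, path))
    return out

# Constructed repository: roles/ present, but no .git/, dependency pins, tests or README.
SAMPLE_REPO = {
    "site.yml": ("- hosts: all\n  tasks:\n"
                 "    - name: Build tool (creates: guard, safe to rerun)\n"
                 "      shell: make install\n"
                 "      args:\n        creates: /usr/local/bin/tool\n"
                 "    - name: Refresh cache (no guard, runs again on every play)\n"
                 "      command: ./refresh-cache.sh\n"),
    "roles/web/tasks/main.yml": "- package:\n    name: nginx\n",
    "prod.tfvars": 'db_password = "hunter2"\n',
}
```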
Sellable as its own product: Platform and SRE teams who don't need a full AppSec suite can still benefit from a 12-Factor IaC gate. SF365 ships it bundled today; an SKU is on the roadmap.
Six surfaces, 18 detection rules, 24-control baseline — for the Bluetooth + Wi-Fi + IoT era
Most AppSec platforms treat firmware repositories like any other codebase — they grep for SQL injection patterns and walk away. But the real risk in a connected device is rarely a SQL bug. It's a hardcoded SSID + PSK in a build flag, a BLE peripheral that pairs with Just Works, a Zigbee controller compiled with the well-known default trust-centre key ZigBeeAlliance09, an MQTT URL with embedded credentials, or a Bluetooth Classic stack still doing legacy pairing in 2026. SF365's WirelessScanner is purpose-built for these patterns and runs as the 12th engine in the standard ScanOrchestrator.
Bluetooth Classic: well-known PINs (0000, 1234, 123456), legacy pairing without SSP, permanent discoverable mode.
IoT transports: plaintext MQTT (mqtt:// port 1883), CoAP without DTLS.
Findings ride a brand-new compliance framework synthesising NIST SP 800-153 (Wi-Fi), SP 800-121 Rev 2 (Bluetooth), SP 800-97 (802.1X) and IEEE 802.11i. Twenty-four auditable controls grouped as WIFI.01–07, BT.01–08, RF.01–03, NFC.01–02 and IOT.01–04, exportable as a dedicated PDF.
Per-surface KPIs (Wi-Fi / BT / BLE / RF / NFC / IoT), severity breakdown, top wireless findings, baseline coverage progress, and the full 24-control table — all on a single page so a hardware / firmware lead has one view they can show to a board or auditor.
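The rules and KPIs above as an added Python example, not SF365's WirelessScanner: a parsed sdkconfig-style build configuration is run through predicates that each map to a baseline control, and the per-surface counts and baseline coverage figure from the dashboard are computed from the results. The config key names, the control number each rule maps to within its group, and the sample configuration are assumptions of the example.

```python
import re
from collections import Counter

# 24-control baseline: the page's groups WIFI.01-07, BT.01-08, RF.01-03, NFC.01-02, IOT.01-04.
BASELINE = [f"{g}.{i:02d}" for g, n in (("WIFI", 7), ("BT", 8), ("RF", 3), ("NFC", 2), ("IOT", 4))
            for i in range(1, n + 1)]
DEFAULT_PINS = {"0000", "1234", "123456"}
ZIGBEE_DEFAULT_TC_KEY = b"ZigBeeAlliance09".hex()   # the well-known default trust-centre key

# Constructed rules: (control, surface, severity, title, predicate over the parsed config);
# the control number each rule maps to within its group is assumed, not SF365's mapping.
RULES = [
    ("WIFI.01", "Wi-Fi", "Critical", "open or WEP Wi-Fi", lambda c: c.get("WIFI_AUTH") in ("OPEN", "WEP")),
    ("WIFI.03", "Wi-Fi", "High", "WPS enabled", lambda c: c.get("WPS_ENABLED") == "y"),
    ("BT.01", "BT", "High", "legacy pairing, SSP disabled", lambda c: c.get("BT_SSP") == "n"),
    ("BT.02", "BT", "High", "well-known default PIN", lambda c: c.get("BT_PIN") in DEFAULT_PINS),
    ("BT.03", "BT", "Medium", "permanently discoverable", lambda c: c.get("BT_DISCOVERABLE_TIMEOUT") == "0"),
    ("BT.05", "BLE", "High", "BLE Just Works pairing", lambda c: c.get("BLE_PAIRING") == "JUST_WORKS"),
    ("IOT.01", "IoT", "Critical", "Zigbee default trust-centre key",
     lambda c: c.get("ZIGBEE_TC_KEY", "").lower() == ZIGBEE_DEFAULT_TC_KEY),
    ("IOT.02", "IoT", "High", "plaintext MQTT (mqtt:// on 1883)", lambda c: c.get("MQTT_URL", "").startswith("mqtt://")),
]

_KV = re.compile(r'^\s*(?:CONFIG_)?([A-Z0-9_]+)\s*=\s*"?([^"\n]*?)"?\s*$')

def parse_config(text):
    """sdkconfig-style KEY=value lines (constructed format); comment lines do not match and are skipped."""
    return {m.group(1): m.group(2) for line in text.splitlines() if (m := _KV.match(line))}

def evaluate(config):
    return [{"control": c, "surface": s, "severity": sev, "title": t}
            for c, s, sev, t, pred in RULES if pred(config)]

def kpis(findings):
    """Per-surface counts plus baseline coverage: share of the 24 controls with no open finding."""
    failed = {f["control"] for f in findings} & set(BASELINE)
    return {"per_surface": dict(Counter(f["surface"] for f in findings)),
            "baseline_coverage": round((len(BASELINE) - len(failed)) / len(BASELINE), 3)}

# Constructed firmware build configuration, not from a real device.
SAMPLE_SDKCONFIG = """\
CONFIG_WIFI_AUTH="WPA2_PSK"
CONFIG_WPS_ENABLED=y
CONFIG_BT_SSP=n
CONFIG_BT_PIN="0000"
CONFIG_BT_DISCOVERABLE_TIMEOUT=120
CONFIG_BLE_PAIRING="JUST_WORKS"
CONFIG_ZIGBEE_TC_KEY="5A6967426565416C6C69616E63653039"
CONFIG_MQTT_URL="mqtt://broker.local:1883"
"""
```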
The Wireless engine ships alongside 10 new patterns in the SecretScanner catalog: Azure IoT Hub Device SAS, Azure IoT connection strings, AWS IoT MQTT endpoints, GCP IoT device JWTs, Particle.io tokens, Tuya cloud secrets, SmartThings PATs, HomeKit pairing setup codes, MQTT URLs with embedded credentials, and ESP-IDF CONFIG_ESP_WIFI_SSID / CONFIG_ESP_WIFI_PASSWORD defines.
Three deliberately-vulnerable wireless / firmware targets ship in the Benchmarks catalog — IoT-Goat (OWASP), DVRF (Damn Vulnerable Router Firmware) (Praetorian) and BLE CTF (hackgnar) — one click to clone and run a full 12-engine scan against them.
Built for connected-device teams: SF365 is the first AppSec platform with first-class detection for the Bluetooth, Wi-Fi and IoT firmware codebases your hardware team actually ships. No SDR hardware required — this is static / configuration analysis on the source you already have in git.