AI-Guided DAST · Context-Aware SAST

GGSec Cortex

Find real vulnerabilities. Prove them. Fix them.

A hybrid application-security scanner that reads your source with AI, then confirms every finding against your running application with hard evidence — so your team spends time on real risks, not on triaging false positives.

Vulnerability Classes

25+

Findings Confirmed With Live Proof

DAST

Report-Ready In

Minutes
Why GGSec Cortex is different

Severity you can trust — not "everything is 9.8 Critical"

Most scanners flood you with pattern matches. Cortex reads the code like an analyst, proves what is exploitable against the live app, and scores it honestly.

🧠

AI that understands your code

It follows data from input to sink and recognises framework protections — global output-encoding, token-based CSRF, whitelist validation — so it flags what is genuinely exploitable, not every string that looks dangerous.

🔬

Proof, not guesswork

Every dynamic finding is confirmed with tangible evidence: out-of-band callbacks, response reflections with byte offsets, timing signals, command output. If it can't be proven, it is clearly labelled as such.

⚖️

Certainty- & context-adjusted CVSS

An admin-only, unconfirmed issue is not reported at the same level as a proven, internet-facing one. Confirmed desync ranks above a likely parser anomaly — evidence drives the score.

📄

Report-ready in minutes

Executive summary, attack graph, 5×5 risk matrix, per-finding proof-of-concept, remediation plan with SLAs and compliance mapping — output your clients and auditors can read without a security degree.

Advanced capabilities

Where Cortex goes beyond a checklist scanner

High-end techniques normally reserved for manual penetration testing — automated, evidence-graded, and safe to run.

ggsec-cortex — HTTP Request Smuggling engine (evidence-tiered output)
[smuggle] Negative controls: 5/5 clean (CL-only, TE-only, Connection:close, no-marker — did not desync) [CONFIRMED] REQUEST_SMUGGLING CL.TE CVSS 8.9 CWE-444 Certainty: Confirmed · timing-differential desync · baseline 7ms → attack 6002ms (Δ 5995ms) [CONFIRMED] REQUEST_SMUGGLING TE.CL CVSS 8.9 CWE-444 Certainty: Confirmed · timing-differential desync · Δ 5183ms [LIKELY] REQUEST_SMUGGLING 0.CL (3 accepted variants) CVSS 4.6 CWE-444 Certainty: Likely · marker-leak / parser-differential — manual verification advised [LIKELY] REQUEST_SMUGGLING TE.TE (3 accepted variants) CVSS 4.6 CWE-444 → 2 confirmed desyncs, 4 likely signals — honest tiers, not 6× "Critical".

Real output. Genuine front-end/back-end desyncs are proven with a multi-second timing hang and reported as Critical; weaker parser anomalies drop to a "Likely / verify" tier at a lower score. A per-scan negative-control set proves the engine isn't crying wolf.

🧬

Native HTTP request-smuggling / desync engine

A low-level raw-socket module that emits the ambiguous framing normal HTTP clients can't — CL.TE, TE.CL, TE.TE, CL.CL, CL.0/0.CL and Transfer-Encoding obfuscation — and confirms desync by timing-differential and response-queue signals. High-end infrastructure testing, built in.

⏱️

Single-packet race / TOCTOU

Last-byte-synchronised single-packet delivery lands concurrent requests inside a ~1 ms window to surface sub-millisecond race conditions that burst-based tools miss.

📡

Out-of-band (OOB) confirmation

A built-in collaborator proves blind vulnerabilities — SSRF, XXE and object-injection — by capturing the callback the target makes back to us: hard proof with zero guesswork.

🕸️

Second-order & chained exploitation

Stored/second-order XSS and SSTI (store → render), plus an attack graph that chains individual findings into realistic end-to-end paths an attacker would actually walk.

🛡️

Prompt-injection-hardened AI

The source-reading AI is defended against instructions hidden inside the code it analyses — so a malicious comment can't steer the scanner. Security tooling that is itself secure.

🔭

Live CVE intelligence + EPSS

Real-time CVE feeds and exploit-prediction scoring push what attackers are most likely to weaponise to the top of the queue — beyond a static vulnerability database.

Full coverage

25+ vulnerability classes, one scan

From classic injection to modern desync and supply-chain risk — SAST reads the code, DAST proves it on the running application.

💉

Injection

  • SQL & NoSQL injection
  • GraphQL injection & abuse
  • Cross-Site Scripting (reflected & stored)
  • OS / command & code injection
  • Server-Side Template Injection
  • XML External Entities (XXE)
  • LDAP · CRLF / response-splitting
  • Prototype pollution
🔑

Auth, session & access

  • JWT attacks (alg-confusion, key issues)
  • IDOR — incl. behind authentication
  • Authentication bypass
  • CSRF & session fixation
  • Race conditions (TOCTOU)
  • Broken function-level authorization
🌐

Client, transport & cache

  • Open redirect · JSONP leakage
  • CORS misconfiguration
  • Host-header injection
  • Web-cache deception · cacheable secrets
  • TLS/SSL hygiene (weak ciphers, HSTS, certs)
  • WebSocket security (CSWSH, XSS-over-WS)
📦

Data, secrets & components

  • Hard-coded secrets & API keys (masked)
  • Personal-data (PII) exposure
  • Known-CVE detection
  • Third-party dependency scanning (SCA)
  • SBOM export (CycloneDX / SPDX)
  • OWASP API Security Top 10
From scan to sign-off

Client-ready reporting, compliance & CI/CD

📊

Enterprise reporting

Professional HTML & PDF: executive summary, assessment scope, visual attack graph, 5×5 risk matrix, prioritised remediation plan (P0–P3 with SLAs), and per finding a reproducible proof-of-concept, evidence excerpt, plain-language description and MITRE ATT&CK mapping. Advisory before/after fix diffs — your files are never modified.

Built-in compliance mapping

Every finding maps to OWASP Top 10, PCI-DSS v4.0, ISO/IEC 27001:2022 and GDPR — ready for audit and client deliverables straight out of the scan.

⚙️

DevSecOps & CI/CD ready

SARIF 2.1.0 (GitHub Security tab), JUnit XML (Jenkins/GitLab), native DefectDojo import. Pipeline gate fails a build on chosen severity; baseline mode fails only on new issues; scan-to-scan diff tracks regressions. A zero-cost source gate — including secret scanning — runs in CI with no live target and no AI key.

Flexible, efficient, safe to run

🔐

Authenticated testing

Session cookies, form login (separate admin/customer contexts), HTTP Basic — plus automatic CSRF-token & nonce handling for token-protected apps.

🎯

Scoped & polite

Rate-limiting, host scoping and exclusions keep testing in-scope and gentle on production. Intrusive modules are opt-in and never run in a default preset.

🧩

Spec-driven & repeatable

Import an OpenAPI spec to drive testing; replay a previous plan for fast, free iteration. Efficient AI usage keeps large-codebase scans cost-controlled.

🚀

Fits your stack

Native application — scans source directories or single files, and probes live web apps over HTTP/S. For internal AppSec teams, penetration testers and MSSPs producing client-ready reports.

SAST+DASTHybrid, one tool
4Compliance frameworks
$0Source gate in CI
v0.9Beta · actively validated

See it on your own application

Request a demo or a pilot scan and get a client-ready report — proof, severity you can trust, and a prioritised fix plan.

For authorised security testing only. Always scan systems you own or have explicit permission to assess. · GG Advanced IT Security — ggsec.de