If your question is not here, the contact form will reach a human within one business day.
Q.01 Is SecHive safe to run against production?
SecHive runs only against authorized scope. Scope guard hard-blocks any out-of-scope action before it reaches the target. Active validation is benign-PoC by default and policy-gated; destructive techniques require explicit operator authorization on a per-action basis.
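The scope-guard behaviour this answer describes (hard-block out-of-scope targets before execution, and require a per-action operator approval for anything flagged destructive), sketched as an added illustrative example. This is not SecHive's own code; the `Scope`, `Action`, `ScopeGuard` names and the approval model are assumptions made for the example, and the scope values are constructed.

```python
"""Added example: a minimal pre-execution scope guard.

Hypothetical code written to illustrate the FAQ answer; not SecHive's
implementation. Class names and the approval model are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Scope:
    """Authorized scope: exact hostnames, wildcard suffixes and IP networks.

    Entries are assumed to be lowercase. A suffix such as ".api.example.test"
    authorizes subdomains only, not the bare "api.example.test".
    """
    hosts: set = field(default_factory=set)
    suffixes: set = field(default_factory=set)
    networks: list = field(default_factory=list)  # ipaddress network objects

    def contains(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(host)
            return any(ip in net for net in self.networks)
        except ValueError:
            pass  # not an IP literal, fall through to hostname rules
        if host in self.hosts:
            return True
        return any(host.endswith(suffix) for suffix in self.suffixes)


@dataclass
class Action:
    name: str
    target: str            # URL or bare host[:port]
    destructive: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def host_of(target: str) -> str | None:
    """Extract the hostname from a URL or a bare host[:port] string."""
    parsed = urlparse(target if "://" in target else "//" + target)
    return parsed.hostname


class ScopeGuard:
    """Decides, before an action runs, whether it may reach the target.

    `approvals` holds (action name, host) pairs an operator explicitly
    authorized; destructive actions are blocked unless such a pair exists.
    Every decision is logged so a reviewer can audit what was refused.
    """

    def __init__(self, scope: Scope, approvals=None):
        self.scope = scope
        self.approvals = set(approvals or [])
        self.log: list[tuple[str, str | None, Decision]] = []

    def check(self, action: Action) -> Decision:
        host = host_of(action.target)
        if host is None or not self.scope.contains(host):
            decision = Decision(False, f"out of scope: {host!r}")
        elif action.destructive and (action.name, host) not in self.approvals:
            decision = Decision(False, "destructive action lacks per-action operator authorization")
        else:
            decision = Decision(True, "in scope")
        self.log.append((action.name, host, decision))
        return decision

    def run(self, action: Action, execute):
        """Call `execute(action)` only if the guard allows it; never touch the target otherwise."""
        decision = self.check(action)
        if not decision.allowed:
            return None, decision
        return execute(action), decision


if __name__ == "__main__":
    # Constructed scope for the example.
    scope = Scope(hosts={"app.example.test"}, suffixes={".api.example.test"},
                  networks=[ipaddress.ip_network("10.0.0.0/24")])
    guard = ScopeGuard(scope, approvals={("delete-test-user", "app.example.test")})
    for act in (Action("crawl", "https://app.example.test/login"),
                Action("crawl", "https://evil.example.test/"),
                Action("probe", "10.0.1.7"),
                Action("drop-table", "https://app.example.test/", destructive=True)):
        print(act.name, act.target, guard.check(act))
```

The guard returns a decision rather than raising, so the caller can record refused actions in the engagement log alongside allowed ones; `run` is the single choke point through which any target-touching call should go.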
Q.02 What does SecHive actually do that a scanner does not?
SecHive routes recon signals into specialist skills, builds a hypothesis graph, validates candidates against the live target, and bundles a proof pack with hashed artifacts and a deterministic replay script. A scanner gives you a list. SecHive gives you a chain.

Q.03 Does SecHive replace a human operator?
No. SecHive accelerates the human review path by producing artifacts the reviewer can defend. Novel research, edge-case judgement and final disposition stay with the operator.

Q.04 Can SecHive run offline / locally?
Yes. SecHive is local-first by design. Models can be self-hosted; reports and proof packs never leave the operator's machine unless the operator chooses to share them.

Q.05 Does SecHive produce compliance certification?
No. SecHive produces technical evidence aligned to framework articles. Certification is an organizational outcome that depends on a qualified auditor or assessor. Read the boundary in the compliance hub.

Q.06 How are findings priced into a report?
Each promoted finding ships with severity (CVSS:4.0), business impact, runtime evidence, source references when available, remediation guidance and a retest record. Reports are mode-specific (pentest, bug bounty, internal source review).

Q.07 Does SecHive retain my data?
By default, SecHive retains nothing about your engagement. Local-first means proof packs live on your machine. Telemetry is opt-in and aggregated; we never collect target identifiers, payloads or evidence material.

Q.08 Will SecHive submit to my bug bounty platform automatically?
No. Submission is a human action. SecHive produces a HackerOne-shaped report, redaction manifest and replay script — the operator decides what is submitted, when, and to which program.

Q.09 How do you handle false positives?
Source candidates and runtime findings are different objects in the proof pack. A source candidate that fails runtime validation is recorded as refuted and stays in the negative-evidence set — never promoted to the report.

Q.10 Can my consultancy white-label the report?
Yes. The consultancy tier includes a branded report renderer, per-operator licensing, and a CI/API integration path.

Q.11 How is SecHive different from XBOW, Shannon, PentAGI or Strix?
All four are interesting projects. SecHive's distinguishing point is the per-finding chain of evidence, the policy-gated benign-PoC validation, the proof pack format, and the operator UI. We do not claim to be uniquely capable; we claim to make the work survivable in review.
Q.12 What targets is SecHive designed for?
Web applications, APIs, mobile (Android / APK), cloud configuration, source repositories, and binary targets at the triage level. Active Directory and on-prem networks are scoped via the GOAD benchmark framework, with public scorecards in 2026.Q3.