§ Platform

The runtime writes its own audit trail as it works.

SecHive is a local-first operator control plane: scope policy, recon, skill routing, hypothesis planning, runtime validation, proof packaging and signed reporting — composed as one accountable pipeline.

§ 02 — The Loop

Seven stages. Every artifact hashed.

Each stage emits artifacts. Artifacts are hashed. Hashes are bound to the proof pack. Nothing in the report is reachable without an artifact behind it.

I. Scope (Authorization): Targets, surfaces, exclusions, approval gates, redaction policy.
II. Recon (Signals): Routes, APIs, source, APKs, browser state, credentials, config.
III. Routing (Skills): Specialist skills selected per signal class.
IV. Hypothesize (Plan): HypothesisGraph: scored, branched, refutable.
V. Validate (Runtime PoC): Benign exploit attempted. Negative results retained.
VI. Promote (Proof Pack): Hashed artifacts, replay metadata, reviewer disposition.
VII. Sign (Report): Mode-specific render with cosigned attestation.

PILLAR.A · Scope enforcement

Authorization document loaded before any active probe. scope_guard hard-blocks out-of-scope action at the skill level — not just at the UI.

PILLAR.B · Negative evidence

Refutations are first-class artifacts. When a hypothesis fails, the failure is signed and retained in the proof pack — not discarded. This is what makes the report defensible when challenged.

PILLAR.C · Deterministic replay

Every promoted finding ships with a replay.sh bound to the same artifact hashes. A reviewer can reproduce the finding on any lab that matches the target configuration.

§ 03 — Skills

Specialist skills, not one prompt.

SecHive routes signals into focused agents. A nonce in a signed payload should not be reasoned about by the same skill that handles JavaScript route inventory.

  1. SK.01 recon_router (core): Inventory of routes, APIs, JavaScript bundles, sitemaps and link graphs.
  2. SK.02 bizlogic_hunter (core): Business logic invariants, replay, race, sequence and value-state mismatches.
  3. SK.03 api_security (core): Authentication, authorization, IDOR, mass-assignment, OpenAPI deviation.
  4. SK.04 validation_bypass (core): Denylist gaps, finality downgrade, controller revocation, policy boundary skew.
  5. SK.05 cross_domain_logic (core): Asset rebind, forwarding mismatch, cross-domain auth confusion.
  6. SK.06 poc_validator (core): Benign-PoC execution under scope guard. Emits replay artifacts.
  7. SK.07 apk_inspector (core): Exported components, broadcast paths, binder surfaces, signature trust.
  8. SK.08 re_triage (core): Binary triage, anti-tamper, protocol field reasoning, negative-evidence keeping.
  9. SK.09 scope_guard (enforcement): Pre-flight scope and policy enforcement. Hard-blocks out-of-scope action.
  10. SK.10 report_renderer (core): Mode-specific report generation with redaction manifest and provenance.

§ 04 — Output

Two parallel outputs, always.

The human-readable report for the reviewer and the machine-readable proof pack for downstream systems. One is not a derivative of the other — they are emitted by the same pipeline stage.

OUTPUT.A · Human-readable · Report

Mode-specific Markdown + HTML render. Executive summary, findings table, severity histogram, evidence excerpts, remediation guidance, redaction status.

Format: Markdown + HTML
Signature: cosign
Modes: 6 templates
Redaction manifest: included

OUTPUT.B · Machine-readable · Proof Pack

JSON manifest with provenance, sha256 artifact index, replay scripts, reviewer disposition, model-cost accounting and a cosign attestation.

findings.provenance.json (signed)
report.attestation.json (cosign)
artifacts/ (raw evidence, sha256)
replay.sh (deterministic)
redaction-manifest.yaml (scoped)
negative-evidence/ (retained)
model-cost.json (accounted)

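As an added illustration (not SecHive's code or its real manifest format) of the hash-bound proof pack described in §02 and §04: a minimal manifest builder and verifier over constructed artifacts. The layout, the field names (artifact_index, findings, disposition, evidence) and the sample contents are assumptions; the checks mirror the page's rules that nothing in the report is reachable without an indexed artifact behind it and that refutations keep their negative evidence.

```python
import hashlib
import json

# Constructed sample proof pack (hypothetical layout, not SecHive's real format).
# Artifact path -> bytes; refutation evidence lives under negative-evidence/.
ARTIFACTS = {
    "artifacts/signed-authorization.b64": b"constructed.sample.token",
    "artifacts/out/01.json": b'{"exec_id": 1, "status": 200}',
    "artifacts/out/02.json": b'{"exec_id": 2, "status": 200}',
    "negative-evidence/HYP-004-alg-none.json": b'{"alg": "none", "status": 401}',
}
FINDINGS = [
    {"id": "HYP-001", "disposition": "promoted",
     "evidence": ["artifacts/signed-authorization.b64",
                  "artifacts/out/01.json", "artifacts/out/02.json"]},
    {"id": "HYP-004", "disposition": "refuted",
     "evidence": ["negative-evidence/HYP-004-alg-none.json"]},
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(artifacts: dict, findings: list) -> dict:
    """Hash every artifact and bind each finding to the artifacts it cites."""
    return {"artifact_index": {p: sha256_hex(d) for p, d in artifacts.items()},
            "findings": findings}

def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical manifest: the value an attestation would sign."""
    return sha256_hex(json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode())

def verify_pack(manifest: dict, artifacts: dict) -> list:
    """Return integrity problems; an empty list means every claim has evidence behind it."""
    problems, index = [], manifest["artifact_index"]
    # 1. every indexed artifact must be present and hash to its recorded digest
    for path, digest in index.items():
        if path not in artifacts:
            problems.append(f"missing artifact: {path}")
        elif sha256_hex(artifacts[path]) != digest:
            problems.append(f"hash mismatch: {path}")
    for f in manifest["findings"]:
        # 2. a finding, promoted or refuted, may cite only indexed artifacts
        for path in f["evidence"]:
            if path not in index:
                problems.append(f"{f['id']} cites unindexed evidence: {path}")
        # 3. a refutation must keep its negative evidence, not just a verdict
        if f["disposition"] == "refuted" and not any(
                p.startswith("negative-evidence/") for p in f["evidence"]):
            problems.append(f"{f['id']} refuted without retained negative evidence")
    return problems

MANIFEST = build_manifest(ARTIFACTS, FINDINGS)
```

Altering a single byte of out/02.json after the manifest was built surfaces as a hash mismatch, and dropping the negative-evidence file surfaces as a missing artifact, which is what makes a challenged report defensible.
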
§ 05 — Operator UI

Mission control, on your machine.

SecHive is local-first. The operator UI shows running campaigns, hypothesis graphs, evidence drawers, replay buttons, runtime health and approval queues — all served from the same machine that holds your scope.

Mission Control (mock screen, localhost:7731). Sidebar: Workspace (Active runs · Hypothesis graph · Proof packs · Replay queue), Config (Scope policy), New campaign.

Hypothesis graph · api-auth-audit: 14 total · 5 active · 7 validated · 9 negative

HYP-001 · Authorization replay via /v1/exec · SK.02 bizlogic_hunter · nonce never consumed in durable state · replay.sh ready [HIGH · promoted · finding]
HYP-002 · IDOR on user_id numeric enum · SK.03 api_security · ownership check absent · validating benign PoC [MED · validating · running]
HYP-003 · Unicode normalization bypass on /submit · SK.04 validation_bypass · denylist gap candidate · awaiting runtime confirmation [MED · queued]
HYP-004 · JWT alg:none downgrade · SK.03 api_security · invariant holds — server rejects alg:none · refutation signed [LOW · refuted · negative]

Proof pack · HYP-001 · finding · HIGH · CVSS 8.1
Authorization replay — one signed token authorizes unlimited executions
  signed-authorization.b64 (sha256 ✓)
  out/01.json · out/02.json (sha256 ✓)
  replay.sh (deterministic)
  report.attestation.json (cosign ✓)

Bring your scope. We'll build the chain.