LaunchSafe runs a single, autonomous deep penetration test powered by a team of specialized AI agents. Instead of making you pick and tune individual scanners, LaunchSafe adapts its testing to whatever you connect — your source code, your running application, or both — and goes as deep as a manual pentester would. What you connect determines how much of your attack surface LaunchSafe can reach:
| What you connect | How LaunchSafe tests it |
|---|---|
| Source code (GitHub repo or ZIP) | Code-aware analysis — reads your code to find and trace vulnerabilities |
| Live URL | Black-box testing — attacks your running application like a real hacker |
| Both | Full coverage — correlates code-level flaws with live exploitation |

Code-aware testing (white-box)

When you connect a repository or upload a ZIP, LaunchSafe analyzes your source code to find vulnerabilities and understand exactly where they live. It traces how untrusted input flows through your application — from request handlers to dangerous sinks like SQL queries, shell commands, and file operations. This surfaces issues such as:
  • Injection flaws (SQL, command, path traversal)
  • Cross-site scripting through template rendering
  • Server-side request forgery
  • Insecure deserialization of user-controlled data
  • Vulnerable dependencies — direct and transitive packages checked against public advisory databases including the National Vulnerability Database (NVD), GitHub Advisory Database, and OSV, with the safe upgrade version identified
  • Hardcoded secrets — API keys, database credentials, tokens, and private keys, including high-entropy strings
Because LaunchSafe has the code, findings include the exact file and line number — and for supported issues it can open an auto-fix pull request.

Black-box testing

When you provide a URL, LaunchSafe tests your running application from the outside — with no knowledge of your source code, exactly like a real attacker. It maps your attack surface, then probes it:
  1. Crawling — navigates your app, follows links, submits forms, and discovers API endpoints, using a real headless browser to handle JavaScript-heavy single-page applications.
  2. Input discovery — identifies query parameters, body fields, headers, cookies, and URL path segments.
  3. Exploitation — submits adversarial payloads to test for cross-site scripting (XSS), SQL injection, SSRF, XXE, authentication and session flaws, and security misconfiguration (CORS, CSP, HSTS).
  4. Verification — analyzes responses, timing, and behavioral changes to confirm vulnerabilities and minimize false positives.
If you provide application credentials, LaunchSafe logs in and tests authenticated routes — surfacing broken access control, insecure direct object references (IDOR), and privilege escalation that unauthenticated scanners miss. For REST and GraphQL APIs, it fuzzes inputs with boundary values, type confusion, and authentication-bypass attempts.
Black-box testing against a URL requires DNS verification to prove you control the domain. This is a legal and ethical requirement — LaunchSafe will not scan domains you don’t control.

Full coverage (hybrid)

Connect both your code and a live URL for the deepest assessment. LaunchSafe correlates what it finds in your source with what it can exploit at runtime — the closest automated equivalent to a manual penetration test. Cross-layer correlation makes findings stronger and faster to fix:
| In your code | At runtime | Combined insight |
|---|---|---|
| Unsanitized input reaches a SQL query in auth.ts | SQL injection confirmed on /api/login | Confirmed, exploitable SQL injection with the exact code location |
| Hardcoded cloud credential in config.js | SSRF on /api/proxy | Critical chain: SSRF reaching credentials found in code |
| Missing CSRF validation | Session cookie without SameSite | Practical CSRF due to missing cookie protections |
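As an added example (not LaunchSafe's own code), this is the kind of single-response misconfiguration check behind the CORS/CSP/HSTS item in step 3 of the black-box section and the SameSite row in the table above: a weak response is checked beside its hardened form. Both HTTP responses are constructed, and /api/login, app.example and the one-year HSTS threshold are assumptions for the example.

```python
# Single-response security-misconfiguration checks (CORS, CSP, HSTS, cookie
# flags). Added example, not LaunchSafe code; both responses are constructed.
import re
WEAK_RESPONSE = (  # constructed reply from a hypothetical /api/login route
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n\r\n"
)
HARDENED_RESPONSE = (  # same route with the protections in place
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: https://app.example\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n\r\n"
)
MIN_HSTS_AGE = 31536000  # one year; the threshold chosen for this example

def parse_headers(raw: str) -> list[tuple[str, str]]:
    # Keep every (name, value) pair: a dict would drop repeated Set-Cookie lines.
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_response(raw: str, https: bool = True) -> list[str]:
    headers = parse_headers(raw)
    first = lambda n: next((v for k, v in headers if k == n), None)
    findings = []
    if first("access-control-allow-origin") == "*":
        findings.append("CORS: wildcard Access-Control-Allow-Origin")
    if first("content-security-policy") is None:
        findings.append("CSP: Content-Security-Policy header missing")
    if https:
        hsts = first("strict-transport-security")
        age = re.search(r"max-age=(\d+)", hsts or "")
        if hsts is None:
            findings.append("HSTS: Strict-Transport-Security header missing")
        elif age is None or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS: max-age missing or shorter than one year")
    for value in (v for k, v in headers if k == "set-cookie"):
        cookie = value.split(";")[0].split("=")[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        if "samesite" not in attrs:  # the runtime half of the CSRF row above
            findings.append(f"Cookie {cookie}: no SameSite attribute (CSRF exposure)")
        if https and "secure" not in attrs:
            findings.append(f"Cookie {cookie}: no Secure flag")
    return findings
```

Running `check_response(WEAK_RESPONSE)` returns five findings and `check_response(HARDENED_RESPONSE)` returns none; a scanner would then confirm each finding against behaviour rather than trust headers alone.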

How LaunchSafe works under the hood

Every scan follows the methodology of a professional penetration tester — reconnaissance, vulnerability discovery, exploitation and verification, attack chaining, and reporting. Specialized agents collaborate across each phase, and exploitation runs inside an isolated Kali Linux sandbox so testing is both realistic and safely contained.