What is LaunchSafe and how is it different from other security scanners?
What is LaunchSafe and how is it different from other security scanners?
LaunchSafe is an AI-powered penetration testing platform — not a simple vulnerability scanner. The key differences:Verification, not just detection. Most scanners flag potential issues and leave you to figure out if they’re real. LaunchSafe’s AI engine attempts to exploit discovered vulnerabilities before reporting them, dramatically reducing false positives. When we report a SQL injection, it’s because we successfully extracted data — not because a parameter looks suspicious.Multi-layer correlation. LaunchSafe combines static analysis (SAST), dynamic testing (DAST), dependency scanning (SCA), and secret detection in a single platform. Hybrid scans correlate findings across layers — a code-level flaw confirmed by a runtime exploit gets higher confidence and includes both the exact code location and the proof-of-concept payload.Automated remediation. Beyond reporting, LaunchSafe opens pull requests with fixes for supported vulnerability types. Dependency upgrades, secret removal, input sanitization — applied to your codebase and ready for review.Continuous, not point-in-time. Traditional pentests happen once a year. LaunchSafe runs on every PR, every merge, every deployment — catching vulnerabilities as they’re introduced rather than months later.
Is LaunchSafe a replacement for manual penetration testing?
Is LaunchSafe a replacement for manual penetration testing?
LaunchSafe complements manual pentesting — it doesn’t replace it entirely.What LaunchSafe handles well:
- OWASP Top 10 vulnerabilities (injection, XSS, SSRF, etc.)
- Known CVEs in dependencies
- Hardcoded secrets and credentials
- Security misconfigurations
- Common authentication and authorization flaws
- Repetitive, pattern-based testing that’s tedious for humans
- Business logic flaws (e.g., “users can apply a discount code twice”)
- Complex multi-step attack chains that require creative thinking
- Physical security and social engineering
- Highly custom or novel application architectures
- Compliance-specific controls that require human judgment
How long does a scan take?
How long does a scan take?
Scan duration depends on the scan type and the size of your application:
Large monorepos or applications with thousands of API endpoints may take longer. Sandbox provisioning adds 1–3 minutes to every scan.
| Scan type | Typical duration | Factors affecting speed |
|---|---|---|
| White-box only | 5–15 minutes | Lines of code, number of dependencies, language complexity |
| Black-box only | 15–45 minutes | Number of endpoints, application response time, authentication complexity |
| Full (Hybrid) | 20–60 minutes | Combination of both factors above |
Is my source code safe?
Is my source code safe?
Yes. These protections are part of the data-handling terms in your Rules of Engagement:
- Isolation — your source code, scan artifacts, and environment variables are processed in isolated, ephemeral containers that are destroyed after each scan.
- Encryption — all data is encrypted at rest with AES-256 and in transit with TLS 1.3.
- Automated access only — access to your data is restricted to automated systems; no LaunchSafe employee accesses your source code or scan results without your explicit written consent.
- Limited retention — scan results and reports are retained for 90 days after the scan, then permanently deleted. You can request immediate deletion of all data anytime by emailing privacy@launchsafe.com.
What languages and frameworks are supported?
What languages and frameworks are supported?
LaunchSafe’s white-box scanner supports 20+ languages and their major frameworks:
Black-box (DAST) scanning is language-agnostic — it tests the running application regardless of what language or framework it’s built with.
| Language | Frameworks | Package manifest |
|---|---|---|
| JavaScript | React, Next.js, Express, Fastify, NestJS, Nuxt | package.json |
| TypeScript | Same as JavaScript | package.json, tsconfig.json |
| Python | Django, Flask, FastAPI, Tornado | requirements.txt, pyproject.toml, Pipfile |
| Go | Gin, Echo, Fiber, Chi | go.mod |
| Java | Spring Boot, Jakarta EE, Quarkus, Micronaut | pom.xml, build.gradle |
| Kotlin | Spring, Ktor | build.gradle.kts |
| Ruby | Rails, Sinatra, Hanami | Gemfile |
| PHP | Laravel, Symfony, WordPress | composer.json |
| C# | ASP.NET Core, .NET 6/7/8, Blazor | .csproj |
| Rust | Actix Web, Axum, Rocket, Warp | Cargo.toml |
| Swift | Vapor | Package.swift |
| Scala | Play, Akka HTTP | build.sbt |
Can I scan staging or internal environments?
Can I scan staging or internal environments?
Staging environments: Yes — this is the recommended approach for black-box scanning. Provide your staging URL and complete DNS verification. Scanning staging instead of production avoids any risk of impact to your users.Internal environments (behind VPN/firewall): Not directly — LaunchSafe’s scan sandbox needs to reach your application over the public internet. For internal applications, use white-box scanning via GitHub or ZIP upload, which analyzes source code without needing network access to the running application.If you need to scan internal environments with DAST, contact us about our enterprise plan which supports VPN tunneling and dedicated infrastructure deployment.
Do I need to sign an ROE for every scan?
Do I need to sign an ROE for every scan?
No. You sign the Rules of Engagement once during onboarding. The ROE covers all scans within the targets you’ve specified in your workspace.You may need to re-sign if:
- The ROE agreement version is updated (e.g., new terms or scope changes)
- You add targets that are materially different from your original scope
- Your subscription lapses and you re-subscribe
What happens when a critical vulnerability is found?
What happens when a critical vulnerability is found?
When LaunchSafe confirms a critical-severity vulnerability:
- Immediate notification — you’re alerted via email and Slack (if configured) within seconds of the finding being confirmed, even while the scan is still running
- Finding appears in dashboard — the finding is immediately visible in the Findings table on the scan detail page, with a red severity indicator
- Detailed evidence — the finding includes full proof-of-concept evidence (exploit payload, response data, code location)
- Remediation guidance — step-by-step fix instructions with code examples specific to your language and framework
- Auto-fix PR (if applicable) — a pull request with the fix is opened on your GitHub repository within minutes
Can I cancel a running scan?
Can I cancel a running scan?
Yes. Click the Cancel button on the scan detail page. Cancellation is immediate — the sandbox is destroyed and the scan is marked as cancelled.Important notes:
- Findings discovered before cancellation are retained and visible in the dashboard
- The scan counts toward your monthly scan quota even if cancelled
- Reports can still be generated for partial results
- You can immediately launch a new scan after cancellation
How accurate is LaunchSafe? What about false positives?
How accurate is LaunchSafe? What about false positives?
LaunchSafe is designed for high precision (low false positive rate) over high recall. We’d rather miss a low-risk edge case than waste your team’s time investigating a false alarm.Our approach to accuracy:
- Verification — vulnerabilities are confirmed through attempted exploitation, not just pattern matching
- Confidence scoring — findings include a confidence level based on the strength of evidence
- Cross-layer correlation — findings confirmed in both your code and at runtime have the highest confidence
- Continuous improvement — our AI models are refined on false-positive reports to improve accuracy over time
Does LaunchSafe help with SOC 2 / PCI DSS / ISO 27001?
Does LaunchSafe help with SOC 2 / PCI DSS / ISO 27001?
LaunchSafe is built to support your compliance program:Penetration testing evidence — scan reports include the severity, evidence, and remediation detail teams use as supporting evidence for controls such as PCI DSS Requirement 11.3 (penetration testing), ISO 27001 technical vulnerability management (Annex A), and SOC 2 security testing.Continuous coverage — running on every change rather than once a year helps demonstrate ongoing vulnerability management.Payments — all payment processing is handled by Stripe; LaunchSafe does not store your card details.For LaunchSafe’s own compliance posture, any available reports (such as SOC 2 or ISO 27001), and a Data Processing Agreement (DPA), contact sales@launchsafe.com.
How do I delete my account?
How do I delete my account?
To delete your LaunchSafe account:
- Cancel any active subscription in Billing → Manage Subscription
- Go to Settings → Danger Zone → Delete Account
- Type
DELETEto confirm - Click Delete Account
- Your account is immediately deactivated
- All workspace data (scans, findings, reports) is permanently deleted within 30 days
- You can no longer sign in
- Email notifications stop immediately
- This action cannot be undone