Code is being written faster than ever with LLMs.
But more code also means a larger attack surface, and more opportunities for vulnerabilities to slip into production. The earlier those issues are caught, the cheaper they are to fix. That is why security has to start as early as possible in the software development lifecycle.
Today, we’re introducing Hacktron Review, an AI security reviewer for your pull requests. It indexes every codebase in your organisation and builds call graphs to understand what your code actually does, so it can find real, exploitable vulnerabilities before they are merged, learn from your team’s feedback, and automatically resolve findings once they’re fixed.
Teams are tired of false positives. While traditional scanners still rely on known syntactic patterns and some AI reviewers only look at the change in front of them, Hacktron reduces false positive rates through context-aware analysis and finds security issues that Claude and Codex miss. This approach has already led to the discovery of critical 0-days in Next.js, oauth2-proxy, Metabase, OpenAM, BeyondTrust Remote Support, and more. Our full list of disclosures can be found here.
More importantly, Hacktron Review is powered by a world-class offensive security team. Our researchers continuously feed it fresh threat intelligence and emerging attack patterns from real-world engagements, so every PR gets reviewed against the threats that actually matter today, not last year’s checklist.
One reviewer for all of AppSec
AI has accelerated the exploitation of previously overlooked attack surfaces, which is why Hacktron is designed to detect all kinds of application security issues in any application type: web, mobile, backend, APIs, CLIs, and native apps.
- Business logic flaws: race conditions, payment flaws, invalid states
- Injection flaws: SQLi, command injection, XSS, SSRF, XXE, and LLM prompt injection
- Memory safety bugs: buffer overflows, use-after-free, and out-of-bounds access in native code
- Authentication and authorization bugs: broken access control, privilege escalation, and session flaws
- Infrastructure-as-code exposures: misconfigured IAM, open buckets, and risky defaults
- Supply-chain risks: backdoors, malicious dependencies, and insecure GitHub Actions in CI/CD workflows
- Secrets and credential leaks in code and configs
Gets smarter with every review
Most scanners today are built on a flawed assumption: that risk is universal. But a finding that is urgent for a fintech app may be irrelevant for an internal admin tool.
Every triage comment your team leaves on a finding becomes training signal. Over time, Hacktron Review builds a deep understanding of your specific attack surface and threat model, so reviews get sharper, with fewer false positives and more of the bugs that actually matter to your app.
Auto-resolves findings once they’re fixed
Security backlogs get noisy when fixed issues stay open long after the code has changed.
When your next commit patches a vulnerability Hacktron Review flagged, it detects the fix and closes the finding automatically.
Customize with project context
Generic scanners often miss the details that make your codebase different, so Hacktron lets you capture the context your team already knows.
Drop a .hacktron/rules.md file in your repo to give Hacktron Review project-specific context: internal auth patterns, trusted data sources, code paths to ignore, or conventions unique to your team. Reviews adapt to your codebase, not the other way around.
Slack and Linear integrations
Don’t just let security findings sit in a dashboard nobody checks.
Pipe findings straight into the tools your team already uses: Slack for real-time alerts and observability, Linear for tracking remediation work.
Success Story: Zellify
Zellify is a Swedish startup building Web2App infrastructure for mobile app companies, helping consumer subscription apps monetize outside traditional app stores. For a team moving quickly across payments, onboarding, growth, and experimentation, security needs to keep pace with every change.
After Zellify adopted Hacktron, the team was able to fix critical vulnerabilities that had been missed by their previous mix of manual code review and established automated tools.
As Nils Nygren Liljenstrand, Co-founder of Zellify, put it:
At Zellify, security is a core priority. Before Hacktron, we relied on a combination of manual code reviews and automated security tools from established providers to audit both pull requests and our existing codebase. While this setup gave us a baseline level of confidence, it still required significant manual effort and, as we later discovered, left critical gaps.
When we transitioned to Hacktron and ran a full audit of our codebase, the results were immediate and eye-opening. Hacktron uncovered multiple critical vulnerabilities that had gone completely undetected by other widely used tools on the market. These were not minor issues. They were serious weaknesses that could have been exploited with severe consequences if discovered by malicious actors.
What stood out was not just the depth of the findings, but how quickly Hacktron delivered value. Within a single audit, we identified and resolved risks that had previously gone unnoticed despite using what are often considered best-in-class solutions.
Today, Hacktron is a core part of our security workflow. We rely on it to continuously safeguard our software and infrastructure while significantly reducing manual overhead.
For teams currently relying on traditional automated security tools, trying Hacktron is an easy decision. In our experience, it surfaces issues that other providers simply miss and does so with a level of speed and precision that is hard to match.
Hacktron Review is now available with a free 14-day trial. Your next 0-day could already be in an open PR. Find it first with Hacktron.