Frequently asked questions

Hacktron is an AI-powered security code-review platform. Its AI agents review your repositories for exploitable vulnerabilities and surface them as pull-request comments and dashboard findings. It works in two modes: per-PR reviews that run on each pull or merge request, and whitebox scans (also called pentests) that analyze a repository's full source.

Under the hood, Hacktron indexes your codebase, builds call graphs, and constructs a threat model, similar to how an expert human security engineer builds a mental model of your system.

Hacktron behaves like a security engineer, getting sharper with every review. Triage feedback on findings, such as marking false positives or confirming real issues, plus project rules like a .hacktron/rules.md file, teach it your attack surface, so each review becomes more specific to your codebase than the last.

Traditional SAST matches known rule patterns. Hacktron's agents reason about exploitability, including authorization and access-control flaws that don't map to a single rule, and present each finding with a data-flow (taint) trace so you can see why it's exploitable.

A PR review runs automatically on each pull or merge request and focuses on the change. A whitebox scan (also called a pentest) runs across a repository's entire source and is started from the dashboard.

On each PR, Hacktron posts a "Hacktron Security Check" and a single review with inline, line-level comments on the affected code. Every finding includes a "Fix with AI" option (open the fix in Cursor, Claude, or Codex) plus a copyable remediation prompt. You can re-run a review by commenting @hacktron review, and triage findings right in the thread.

Hacktron gives you one-click fix prompts and deep links rather than committing changes for you. It tracks whether findings get fixed across PRs and automatically closes issues once they're fixed, keeping stale findings out of your backlog.

Yes. Hacktron generates executive reports for stakeholders and technical reports for engineers, and you can export findings as CSV or SARIF to feed them into your own tools and pipelines.

Hacktron focuses on exploitable code vulnerabilities such as injection (for example SQL injection), cross-site scripting, and authorization or access-control flaws, and shows each finding with a data-flow trace. It has already uncovered critical 0-days in Next.js, oauth2-proxy, and Metabase.

Yes. Hacktron reviews the risks that come with AI features and AI-generated code, including prompt injection, unsafe handling of LLM inputs and outputs, and insecure AI agent or tool-use integrations.

Hacktron's AI reviewer reads code in any language, so it is not limited to a fixed list. For the languages teams rely on most, it adds deeper, language-aware analysis. If you don't see your stack below, book a call and we will confirm coverage for your specific needs.

Hacktron reviews pull and merge requests on GitHub (including GitHub Enterprise) and GitLab (including self-hosted). Bitbucket repositories can be connected for scanning and for routing findings into issues.

Yes. Connect GitHub Enterprise or a self-hosted GitLab instance using a personal access token.

Hacktron sends real-time alerts to Slack and creates Jira and Linear tickets, so remediation fits into the workflow your team already uses. In Slack, you can also triage findings directly in the thread.

Yes. Hacktron has a public REST API with organization-scoped API keys for triggering scans, retrieving and exporting findings, and managing repositories.

Yes. Add a .hacktron/rules.md file to your repository, or upload markdown context documents and link them to repos, to tell Hacktron about your stack, conventions, and what matters most in review.

Yes. Hacktron offers an on-premises edition that runs entirely within your own infrastructure, with local accounts.

For cloud scans, Hacktron clones your repository into an isolated scan environment to analyze it and stores the resulting findings (including the relevant code snippets) in your Hacktron account. If you need code to stay inside your own environment, use the on-premises edition.

Sign in with Google, GitHub, or email and password. The on-premises edition uses local accounts.

Yes. Hacktron is multi-tenant with organizations, member invitations, and role-based access control across owners, admins, and members.

Yes. Hacktron has achieved SOC 2 Type 1. Read the announcement.

Yes. Hacktron includes a 14-day free trial.

Hacktron is priced per developer seat, with pentests drawn from a separate pentest-credit balance. Start a free trial or book a demo for current pricing.

Yes. Through the Hacktron Open Source Program, maintainers of qualifying public repositories can get free PR security reviews. Apply on our Open Source page.