MCP-native · Auto-detects packs · Hermes AI triage

Enterprise AppSec testing, delivered as a platform.

Run authorized scans across web, API, IaC, and cloud configuration — wired into GitLab merge requests and directly into your Lovable editor via MCP. Ask Hermes AI for findings from a prompt and get prompt-ready remediation blocks back.

Signed authorization required
Executive + technical reports
Hermes AI triage
rass › breach attempt → mcp handshake → scan → hermes findings → secure✓ auto-plays on scroll · loops
Platform

Everything a security consultant runs, in one console.

Automated scan execution

Launch manual or scheduled scans against staging and production targets with saved auth profiles. The scanner auto-detects the right framework packs and suggests new ones as your stack changes.

Framework packs

OWASP Top 10, Supabase RLS, API Top 10, Stripe webhooks, React, CIS Terraform / K8s / Docker — enabled per project and recommended automatically based on your tech stack.

IaC configuration scanning

Static analysis for Terraform, CloudFormation, Kubernetes YAML, Helm charts, and Dockerfiles with OPA / Sentinel-style custom rules.

Cloud validation

Read-only AWS, Azure, and GCP account checks that flag risky posture without touching workloads.

GitLab integration

Push, merge-request, and pipeline-triggered scans with advisory comments or hard status-check gating.

MCP for Lovable

Expose scans, findings, and Hermes remediation as MCP tools your Lovable prompts can call directly — OAuth 2.1 + PKCE, project-scoped tokens.

Coverage requests

Customers ask for new language, framework, or IaC packs directly in the portal and track delivery status.

Vulnerability tracking

Evidence, request/response snippets, CWE mapping, and remediation state per finding.

Reporting

Branded executive and technical PDF / CSV exports drafted with Hermes AI.

Hermes AI

Deduplicates, correlates, prioritizes, and drafts summaries — labeled AI-generated, grounded in evidence. Hermes also checks for new compliance standards every 7 days.

Authorization first

Every scan requires an authorization confirmation. Full audit log of who launched what and when.

Enterprise controls

RBAC, MFA, encrypted secrets, signed webhooks with replay protection, and rate-limited scan endpoints.

Built for Lovable developers

Security scanning, right inside your Lovable prompt.

RASS plugs into your Lovable project as a custom MCP server. Trigger scans, pull findings, and get Hermes-drafted remediation blocks without ever leaving the editor. No context switching, no copy-pasting stack traces into a separate tool.

  • Prompt-driven scans
    "Scan the checkout API and give me the top findings" — that's the whole workflow.
  • Hermes replies in the chat
    Structured findings with severity, evidence, and copy-ready fix snippets streamed back into your prompt.
  • Auto-detects framework packs
    Scans identify the right OWASP, API, and cloud packs for your target and suggest new ones as your stack evolves.
  • OAuth 2.1 + PKCE
    Short-lived, project-scoped tokens. Every tool call is audit-logged. Secrets never touch localStorage.
  • Same platform, one truth
    Findings raised via MCP show up in the console, in reports, and in your GitLab MR comments.
Framework packs

Test against the frameworks your auditors care about.

Framework pack
OWASP Top 10

Web application security top 10 (2021)

Framework pack
OWASP API Top 10

API-specific vulnerabilities and abuse (OWASP API Top 10)

Framework pack
Supabase & RLS

Row-level security, policy audit, key isolation

Framework pack
Stripe & Webhooks

Signature verification, replay safety, idempotency

Framework pack
React Client-Side

XSS, storage, DOM safety in the browser

Framework pack
CIS Terraform Benchmarks

AWS / Azure / GCP misconfigurations in Terraform HCL

Framework pack
Terraform Sentinel / OPA

Policy-as-code checks for secrets and org standards

Framework pack
CIS CloudFormation

AWS CloudFormation IAM, network, and storage checks

Framework pack
CIS Kubernetes

Pod security, workload hardening, and RBAC checks

Framework pack
CIS Helm

Rendered Helm chart values against Kubernetes baselines

Framework pack
CIS Docker

Dockerfile hardening — root user, tags, remote sources

Framework pack
CIS AWS Foundations

AWS account, IAM, and service configuration

Framework pack
CIS Azure Foundations

Azure subscription, IAM, and service configuration

Framework pack
CIS GCP Foundations

GCP project, IAM, and service configuration

Ready to run your first authorized scan?

Bring a target URL, a signed authorization, and an auth profile. RASS handles the rest.

Launch a scan