Every surface — MCP, scans, findings, reports, Hermes — is designed for consultants and Lovable developers who need real security work without the ceremony.

Ask Hermes for a scan from inside your Lovable editor and receive prioritized findings with remediation snippets you can drop straight into the next prompt. No detours to another dashboard, no losing the thread of what you were building.
Get the MCP endpointPlug RASS into your Lovable project as a custom MCP server and scan from a prompt. Hermes streams structured findings and copy-ready remediation blocks back into the chat — no context switch, no manual triage. OAuth 2.1 with PKCE, short-lived project-scoped tokens, and every tool call audit-logged.
Manual or scheduled runs against staging or production. Saved auth profiles, scope rules, and per-run authorization confirmation. Real-time timeline, logs, and normalized findings.
First-class packs for OWASP Top 10, Supabase RLS, OWASP API Top 10, Stripe webhooks, React, CIS Terraform / CloudFormation / Kubernetes / Helm / Docker, and Sentinel/OPA. The scanner auto-detects the right packs for your target and suggests new ones as your stack changes.
Static analysis across Terraform, CloudFormation, Kubernetes YAML, Helm charts, and Dockerfiles. Ships deterministic fix snippets and supports custom OPA / Sentinel-style rules with per-project overrides.
Read-only validation for AWS, Azure, and GCP accounts. Credentials are stored encrypted and scoped to describe-only permissions — no workload access, no mutations.
Connect repos to scan on push, merge request, and pipeline events. Advisory MR comments or hard status-check gating. Auto-PR for low-severity deterministic fixes. Webhook signatures verified with replay protection.
Customers see current language, framework, and IaC pack coverage per project, request new packs directly in the portal, and track delivery status. Admins triage the queue with a demand leaderboard.
Every finding carries evidence, request/response snippets, screenshots, CWE / OWASP mapping, and remediation state. Assign owners, set due dates, and verify fixes.
Executive and technical reports rendered inline and exported to PDF or CSV. Branded per organization. Hermes drafts the executive language.
A separate analysis layer that only summarizes real scanner output. Deduplicates, correlates, prioritizes, and drafts fix guidance — clearly labeled AI-generated. Hermes checks for new compliance standards every 7 days.
RBAC (owner, admin, analyst, viewer), MFA, multi-tenant isolation, encrypted secrets, audit logging on scans / comments / syncs / remediation, and rate-limited scan and sync endpoints.