<!DOCTYPE html><html lang="en" data-beasties-container><head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="preload" as="font" type="font/woff2" href="/assets/sora-latin-400-normal-CRt88UEn.woff2" crossorigin>
    <link rel="preload" as="font" type="font/woff2" href="/assets/sora-latin-700-normal-9waGdLWo.woff2" crossorigin>
    <link rel="preload" as="font" type="font/woff2" href="/assets/big-shoulders-display-latin-700-normal-KM2fueoL.woff2" crossorigin>
    <link rel="preload" as="font" type="font/woff2" href="/assets/big-shoulders-stencil-display-latin-900-normal-C2a_AZvg.woff2" crossorigin>
    <!-- First-paint background. Applied inline in <head> so the page
         renders paper-on-ink the moment the parser hits <body >, before
         any external CSS or the bundle loads. Keeps `Cmd+R` on any
         route from flashing the browser-default white background while
         the bundle boots. The hex literals duplicate `--ind-paper` /
         `--ind-ink` from packages/ui/src/tokens.css; if those tokens
         change, update here too. -->
    <style>html,body{background:#f5f3ee;color:#0c0c0c;margin:0}@font-face{font-family:Sora;font-style:normal;font-display:swap;font-weight:400;src:url(/assets/sora-latin-400-normal-CRt88UEn.woff2) format("woff2"),url(/assets/sora-latin-400-normal-OW7qkl5a.woff) format("woff")}@font-face{font-family:Sora;font-style:normal;font-display:swap;font-weight:500;src:url(/assets/sora-latin-500-normal-01eiPEn0.woff2) format("woff2"),url(/assets/sora-latin-500-normal-w58xtEt9.woff) format("woff")}@font-face{font-family:Sora;font-style:normal;font-display:swap;font-weight:600;src:url(/assets/sora-latin-600-normal-Cdg4DaK0.woff2) format("woff2"),url(/assets/sora-latin-600-normal-1_7fyUAY.woff) format("woff")}@font-face{font-family:Sora;font-style:normal;font-display:swap;font-weight:700;src:url(/assets/sora-latin-700-normal-9waGdLWo.woff2) format("woff2"),url(/assets/sora-latin-700-normal-BKPfQAnC.woff) format("woff")}@font-face{font-family:Sora;font-style:normal;font-display:swap;font-weight:800;src:url(/assets/sora-latin-800-normal-2tKLL3qT.woff2) format("woff2"),url(/assets/sora-latin-800-normal-c3Huklug.woff) format("woff")}@font-face{font-family:Big Shoulders Display;font-style:normal;font-display:swap;font-weight:700;src:url(/assets/big-shoulders-display-latin-700-normal-KM2fueoL.woff2) format("woff2"),url(/assets/big-shoulders-display-latin-700-normal-CMi6UoP4.woff) format("woff")}@font-face{font-family:Big Shoulders Display;font-style:normal;font-display:swap;font-weight:800;src:url(/assets/big-shoulders-display-latin-800-normal-DDUD9Xuh.woff2) format("woff2"),url(/assets/big-shoulders-display-latin-800-normal-CI0lhnTM.woff) format("woff")}@font-face{font-family:Big Shoulders Display;font-style:normal;font-display:swap;font-weight:900;src:url(/assets/big-shoulders-display-latin-900-normal-CW8trzgu.woff2) format("woff2"),url(/assets/big-shoulders-display-latin-900-normal-DMT-1gsg.woff) format("woff")}@font-face{font-family:Big Shoulders Stencil Display;font-style:normal;font-display:swap;font-weight:900;src:url(/assets/big-shoulders-stencil-display-latin-900-normal-C2a_AZvg.woff2) format("woff2"),url(/assets/big-shoulders-stencil-display-latin-900-normal-DNqnuUup.woff) format("woff")}@font-face{font-family:Space Mono;font-style:normal;font-display:swap;font-weight:400;src:url(/assets/space-mono-latin-400-normal-Rg4St2Dn.woff2) format("woff2"),url(/assets/space-mono-latin-400-normal-_3DlpgIW.woff) format("woff")}@font-face{font-family:Space Mono;font-style:normal;font-display:swap;font-weight:700;src:url(/assets/space-mono-latin-700-normal-mWgeinG7.woff2) format("woff2"),url(/assets/space-mono-latin-700-normal-D7A851RN.woff) format("woff")}@font-face{font-family:Goga;src:url(/fonts/Goga-Regular.woff2) format("woff2");font-weight:400;font-style:normal;font-display:swap}@font-face{font-family:Goga;src:url(/fonts/Goga-Medium.woff2) format("woff2");font-weight:500;font-style:normal;font-display:swap}@font-face{font-family:Goga;src:url(/fonts/Goga-SemiBold.woff2) format("woff2");font-weight:600;font-style:normal;font-display:swap}@font-face{font-family:Goga;src:url(/fonts/Goga-Bold.woff2) format("woff2");font-weight:700;font-style:normal;font-display:swap}@font-face{font-family:Goga;src:url(/fonts/Goga-ExtraBold.woff2) format("woff2");font-weight:800;font-style:normal;font-display:swap}@font-face{font-family:Goga;src:url(/fonts/Goga-Black.woff2) format("woff2");font-weight:900;font-style:normal;font-display:swap}html{scroll-behavior:smooth}body{margin:0;background:var(--ind-paper);font-family:var(--font-primary, "Goga", system-ui, sans-serif);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.marketing-layout{min-height:100dvh;background:var(--ind-paper);color:var(--ind-ink);font-family:var(--ind-font-body);display:flex;flex-direction:column}.marketing-layout>main{flex:1 0 auto;display:flex;flex-direction:column}.marketing-layout>main>.ind-footer{margin-top:auto}.section-header{display:flex;flex-direction:column;gap:16px;max-width:980px}.section-header__headline{font-family:var(--ind-font-display);font-weight:700;font-size:clamp(40px,5vw,80px);line-height:.95;letter-spacing:-.015em;text-transform:uppercase;color:var(--ind-ink);margin:0}.section-header__headline em{color:var(--ind-orange);font-style:normal}.section-header__body{font-family:var(--ind-font-body);font-size:17px;line-height:1.55;color:var(--ind-ink);margin:0;max-width:60ch}.audit-section{background:var(--ind-paper);color:var(--ind-ink);padding:var(--ind-section-pad-y) var(--ind-section-pad-x)}.audit-section__head{margin-bottom:var(--ind-section-head-gap)}.audit-section__panel{display:grid;grid-template-columns:1fr 280px;gap:48px;align-items:start}.audit-section__head-meta{font-family:var(--ind-font-mono)}.audit-section__foot-ok{color:var(--ind-ink);font-weight:700}.audit-section__legend{display:flex;flex-direction:column;gap:18px;font-family:var(--ind-font-body);border-top:1px solid var(--ind-rule-soft);padding-top:16px}.audit-section__legend-row{display:flex;align-items:center;gap:14px;font-size:13px;line-height:1.4;color:var(--ind-ink)}.audit-section__legend-row>.ind-pill{flex-shrink:0;min-width:64px;text-align:center}@media(max-width:960px){.audit-section{padding:var(--ind-section-pad-y-mobile) var(--ind-section-pad-x-mobile)}.audit-section__panel{grid-template-columns:minmax(0,1fr);gap:24px}.audit-section__legend{flex-direction:column}}.ind-hero-band{background:var(--ind-paper);color:var(--ind-ink)}.ind-hero-band__body{display:grid;grid-template-columns:var(--ind-hero-band-cols, 1fr 1fr);border-bottom:2px solid var(--ind-ink)}.ind-hero-band__left{padding:56px var(--ind-section-pad-x);border-right:1px solid var(--ind-rule-soft);display:flex;flex-direction:column;gap:28px}.ind-hero-band__right{padding:56px var(--ind-section-pad-x);display:flex;flex-direction:column;justify-content:flex-end;gap:16px}@media(max-width:960px){.ind-hero-band__body{grid-template-columns:minmax(0,1fr)!important}.ind-hero-band__left{border-right:0;border-bottom:1px solid var(--ind-rule-soft);padding:36px var(--ind-section-pad-x-mobile)}.ind-hero-band__right{padding:36px var(--ind-section-pad-x-mobile);justify-content:flex-start}}.hero{background:var(--ind-paper);color:var(--ind-ink);position:relative;overflow:hidden}.hero-cta{display:flex;flex-direction:column;align-items:flex-start;gap:20px}.hero-demo{min-height:480px;height:100%}.hero-demo__caption{margin:0;font-family:var(--ind-font-mono);font-size:12px;letter-spacing:.05em;text-transform:uppercase;color:var(--ind-ink-soft)}.hero-demo__live{color:var(--ind-orange);font-weight:700}.fpl{background:var(--ind-paper);color:var(--ind-ink);padding-block:var(--ind-section-pad-y);padding-inline:var(--ind-section-pad-x)}.fpl__head{margin-bottom:var(--ind-section-head-gap)}.fpl__grid{display:grid;grid-template-columns:1fr 1fr;border-top:1px solid var(--ind-rule-soft);border-bottom:1px solid var(--ind-rule-soft)}.fpl__row{display:contents}.fpl__col-head{font-family:var(--ind-font-body);font-size:13px;font-weight:700;letter-spacing:.16em;text-transform:uppercase;color:var(--ind-ink);padding:18px 24px;border-bottom:2px solid var(--ind-ink)}.fpl__col-head--free{color:var(--ind-orange);border-right:1px solid var(--ind-rule-soft)}.fpl__cell{font-family:var(--ind-font-body);font-size:16px;line-height:1.45;color:var(--ind-ink);padding:20px 24px;border-bottom:1px solid var(--ind-rule-soft)}.fpl__row:last-child .fpl__cell{border-bottom:0}.fpl__cell--free{border-right:1px solid var(--ind-rule-soft);color:var(--ind-ink);background:var(--ind-paper-raised)}.fpl__boundary{margin:40px 0 0;max-width:760px;font-family:var(--ind-font-body);font-size:18px;line-height:1.6;color:var(--ind-ink)}.fpl__boundary em{font-style:normal;color:var(--ind-orange);font-weight:700}@media(max-width:640px){.fpl{padding-block:var(--ind-section-pad-y-mobile);padding-inline:var(--ind-section-pad-x-mobile)}.fpl__col-head{font-size:11px;padding:14px 16px}.fpl__cell{font-size:14.5px;padding:16px}.fpl__boundary{font-size:16px}}.stats-strip{background:var(--ind-paper);color:var(--ind-ink);padding:var(--ind-section-pad-y-strip) var(--ind-section-pad-x)}.stats-strip__row{display:grid;grid-template-columns:repeat(4,1fr);align-items:center}.stats-strip__row>.ind-stat{border-right:1px solid var(--ind-rule-soft);padding:0 24px}.stats-strip__row>.ind-stat:last-child{border-right:0}@media(max-width:960px){.stats-strip{padding:var(--ind-section-pad-y-strip-mobile) var(--ind-section-pad-x-mobile)}.stats-strip__row{grid-template-columns:minmax(0,1fr) minmax(0,1fr);gap:32px 0}.stats-strip__row>.ind-stat:nth-child(2){border-right:0}.stats-strip__row>.ind-stat:nth-child(odd):not(:last-child){border-right:1px solid var(--ind-rule-soft)}}.ind-pillar-band{background:var(--ind-paper);color:var(--ind-ink);padding-block:var(--ind-section-pad-y)}.ind-pillar-band__head{padding:0 var(--ind-section-pad-x);margin-bottom:var(--ind-section-head-gap)}.ind-pillar-band__grid{display:grid;border-top:1px solid var(--ind-rule-soft);border-bottom:1px solid var(--ind-rule-soft)}.ind-pillar-band--cols-3 .ind-pillar-band__grid{grid-template-columns:repeat(3,1fr)}.ind-pillar-band--cols-4 .ind-pillar-band__grid{grid-template-columns:repeat(4,1fr)}.ind-pillar-band__cell{padding:48px 32px;border-right:1px solid var(--ind-rule-soft);display:flex;flex-direction:column;gap:14px}.ind-pillar-band__cell:last-child{border-right:0}.ind-pillar-band__n{font-family:var(--ind-font-stencil);font-weight:900;font-size:96px;line-height:.85;color:var(--ind-orange)}.ind-pillar-band__name{font-family:var(--ind-font-display);font-weight:700;font-size:32px;line-height:1.05;letter-spacing:-.01em;text-transform:uppercase;color:var(--ind-ink);margin:0}.ind-pillar-band__meta{font-family:var(--ind-font-mono);font-size:12px;letter-spacing:.06em;text-transform:uppercase;color:var(--ind-ink-soft);margin:0}.ind-pillar-band__body{font-family:var(--ind-font-body);font-size:15px;line-height:1.55;color:var(--ind-ink);margin:0}@media(max-width:960px){.ind-pillar-band{padding-top:var(--ind-section-pad-y-mobile)}.ind-pillar-band__head{padding:0 var(--ind-section-pad-x-mobile)}.ind-pillar-band--cols-3 .ind-pillar-band__grid,.ind-pillar-band--cols-4 .ind-pillar-band__grid{grid-template-columns:minmax(0,1fr)}.ind-pillar-band__cell{border-right:0;border-bottom:1px solid var(--ind-rule-soft);padding:32px var(--ind-section-pad-x-mobile)}.ind-pillar-band__cell:last-child{border-bottom:0}.ind-pillar-band__n{font-size:72px}.ind-pillar-band__name{font-size:26px}}.process-flow{background:var(--ind-paper);color:var(--ind-ink);padding-block:var(--ind-section-pad-y)}.process-flow__head{padding:0 var(--ind-section-pad-x);margin-bottom:var(--ind-section-head-gap)}.process-flow__phases{display:grid;grid-template-columns:repeat(4,1fr);border-top:1px solid var(--ind-rule-soft);border-bottom:1px solid var(--ind-rule-soft)}.process-phase{padding:48px 32px;border-right:1px solid var(--ind-rule-soft);display:flex;flex-direction:column;gap:16px}.process-phase:last-child{border-right:0}.process-phase__n{font-family:var(--ind-font-stencil);font-weight:900;font-size:96px;line-height:.85;color:var(--ind-orange)}.process-phase__name{font-family:var(--ind-font-display);font-weight:700;font-size:36px;line-height:1;letter-spacing:-.01em;text-transform:uppercase;color:var(--ind-ink);margin:0}.process-phase__body{font-family:var(--ind-font-body);font-size:15px;line-height:1.55;color:var(--ind-ink);margin:0}@media(max-width:960px){.process-flow{padding-top:var(--ind-section-pad-y-mobile)}.process-flow__head{padding:0 var(--ind-section-pad-x-mobile)}.process-flow__phases{grid-template-columns:minmax(0,1fr)}.process-phase{border-right:0;border-bottom:1px solid var(--ind-rule-soft);padding:32px var(--ind-section-pad-x-mobile)}.process-phase:last-child{border-bottom:0}.process-phase__n{font-size:72px}.process-phase__name{font-size:28px}}.faq-section{background:var(--ind-paper);color:var(--ind-ink);padding-block:var(--ind-section-pad-y)}.faq-section__head{padding:0 var(--ind-section-pad-x);margin-bottom:var(--ind-section-head-gap)}.faq-section__list{margin:0;padding:0;border-top:1px solid var(--ind-rule-soft);border-bottom:1px solid var(--ind-rule-soft)}.faq-row{display:grid;grid-template-columns:minmax(280px,1fr) 2fr;gap:48px;padding:32px var(--ind-section-pad-x);border-bottom:1px solid var(--ind-rule-soft);align-items:center}.faq-row:last-child{border-bottom:0}.faq-row__q{display:grid;grid-template-columns:56px 1fr;gap:16px;align-items:center;margin:0}.faq-row__num{font-family:var(--ind-font-stencil);font-weight:900;font-size:48px;line-height:.9;color:var(--ind-orange)}.faq-row__qtext{font-family:var(--ind-font-display);font-weight:700;font-size:22px;line-height:1.15;letter-spacing:-.005em;color:var(--ind-ink)}.faq-row__a{margin:0;font-family:var(--ind-font-body);font-size:16px;line-height:1.6;color:var(--ind-ink)}.faq-row__a p{margin:0 0 14px}.faq-row__a p:last-child{margin-bottom:0}@media(max-width:960px){.faq-section{padding-block:var(--ind-section-pad-y-mobile)}.faq-section__head{padding:0 var(--ind-section-pad-x-mobile)}.faq-row{grid-template-columns:minmax(0,1fr);gap:16px;padding:24px var(--ind-section-pad-x-mobile)}.faq-row__num{font-size:36px}.faq-row__qtext{font-size:19px}.faq-row__a{font-size:15px}}.closing-section{background:var(--ind-paper);color:var(--ind-ink);padding-block:var(--ind-section-pad-y)}.closing-section .ind-megatype{padding:0 var(--ind-section-pad-x)}.closing-section__form{padding:var(--ind-section-head-gap) var(--ind-section-pad-x) 0}.closing-section__form .ind-form{max-width:720px}.closing-section__form .ind-form__input{font-size:18px;padding:22px}.closing-section__form .ind-form__submit{padding:0 32px;font-size:14px}@media(max-width:960px){.closing-section{padding-block:var(--ind-section-pad-y-mobile)}.closing-section .ind-megatype{padding:0 var(--ind-section-pad-x-mobile)}.closing-section__form{padding:32px var(--ind-section-pad-x-mobile) 0}}.ind-footer{background:var(--ind-ink);color:var(--ind-paper);padding:var(--ind-section-pad-y-strip) var(--ind-section-pad-x) 32px;display:grid;grid-template-columns:1fr 2fr;gap:48px 64px;font-family:var(--ind-font-body)}.ind-footer__brand-mark{font-family:var(--ind-font-stencil);font-weight:900;font-size:64px;line-height:.9;letter-spacing:.02em;color:var(--ind-orange)}.ind-footer__brand-tag{margin-top:12px;font-size:14px;line-height:1.5;color:#f5f3eeb3;max-width:32ch}.ind-footer__cols{display:grid;grid-template-columns:repeat(3,1fr);gap:32px}.ind-footer__col-head{font-family:var(--ind-font-mono);font-size:12px;letter-spacing:.18em;text-transform:uppercase;color:var(--ind-orange);margin-bottom:16px;font-weight:700}.ind-footer__col ul{list-style:none;padding:0;margin:0;display:flex;flex-direction:column;gap:8px}.ind-footer__col a,.ind-footer__col-button{color:var(--ind-paper);text-decoration:none;font-size:15px;font-weight:400;transition:color var(--ind-motion-fast)}.ind-footer__col a:hover,.ind-footer__col-button:hover{color:var(--ind-orange)}.ind-footer__col-button{background:transparent;border:0;padding:0;font-family:inherit;cursor:pointer;text-align:left}.ind-footer__rule{grid-column:1 / -1;border-top:1px solid rgba(245,243,238,.18);margin-top:16px}.ind-footer__meta{grid-column:1 / -1;display:flex;justify-content:space-between;font-family:var(--ind-font-mono);font-size:11px;letter-spacing:.14em;text-transform:uppercase;color:#f5f3ee99;flex-wrap:wrap;gap:12px}@media(max-width:960px){.ind-footer{grid-template-columns:minmax(0,1fr);padding:var(--ind-section-pad-y-strip-mobile) var(--ind-section-pad-x-mobile) 24px;gap:32px}.ind-footer__cols{grid-template-columns:minmax(0,1fr) minmax(0,1fr);gap:24px}.ind-footer__brand-mark{font-size:48px}.ind-footer__meta{flex-direction:column;gap:6px;font-size:10px}}@page{@top-left{content:string(target);font:700 9pt var(--ind-font-body);letter-spacing:.16em;text-transform:uppercase;color:var(--ind-ink-soft);vertical-align:bottom;padding-bottom:16pt}@top-right{content:"Confidential";font:700 9pt var(--ind-font-body);letter-spacing:.16em;text-transform:uppercase;color:var(--ind-ink-soft);vertical-align:bottom;padding-bottom:16pt}@bottom-right{content:"Page " counter(page) " of " counter(pages);font:400 9pt var(--ind-font-body);letter-spacing:.06em;color:var(--ind-ink-soft);vertical-align:top;padding-top:16pt}}@page :first{@top-left{content:none}@top-right{content:none}@bottom-right{content:none}}*,*:before,*:after{box-sizing:border-box}:root{--ind-paper:#f5f3ee;--ind-paper-raised:#fbf9f4;--ind-ink:#0c0c0c;--ind-ink-soft:rgba(12, 12, 12, .55);--ind-rule-soft:rgba(12, 12, 12, .15);--ind-orange:#ff4f00;--ind-green:#4ade80;--ind-red:#b00020;--ind-sev-critical:var(--ind-ink);--ind-sev-high:var(--ind-orange);--ind-sev-medium:#c97900;--ind-sev-low:#4d6b8a;--ind-sev-info:rgba(12, 12, 12, .55);--ind-status-running:var(--ind-orange);--ind-status-complete:var(--ind-green);--ind-status-warn:#c97900;--ind-status-muted:rgba(12, 12, 12, .55);--ind-font-stencil:"Big Shoulders Stencil Display", "Arial Black", sans-serif;--ind-font-display:"Big Shoulders Display", "Arial Black", sans-serif;--ind-font-body:"Sora", system-ui, -apple-system, sans-serif;--ind-font-mono:"Space Mono", ui-monospace, monospace;--ind-motion-fast:.12s ease;--ind-motion-reveal:.36s cubic-bezier(.16, 1, .3, 1);--ind-motion-stagger:1.4s;--ind-section-pad-y:96px;--ind-section-pad-y-strip:64px;--ind-section-pad-x:48px;--ind-section-head-gap:56px;--ind-section-pad-y-mobile:56px;--ind-section-pad-y-strip-mobile:40px;--ind-section-pad-x-mobile:24px;--ind-density-row-pad-y:12px;--ind-density-row-pad-x:18px;--ind-density-cell-pad-y:10px;--ind-density-cell-pad-x:14px;--ind-density-card-pad:18px;--ind-overlay:rgba(12, 12, 12, .55);--ind-z-tooltip:60;--ind-z-menu:70;--ind-z-drawer:80;--ind-z-dialog:90}.ind-topbar{border-bottom:4px solid var(--ind-ink);padding:18px 48px;display:flex;justify-content:space-between;align-items:center;font-family:var(--ind-font-body);font-weight:600;font-size:13px;letter-spacing:.18em;text-transform:uppercase;color:var(--ind-ink);background:var(--ind-paper)}.ind-topbar__id{display:flex;gap:24px;align-items:center;flex-wrap:wrap}.ind-topbar__brand-link{display:inline-flex;align-items:center;text-decoration:none;color:inherit}.ind-topbar__brand{font-family:var(--ind-font-stencil);color:var(--ind-orange);font-weight:900;font-size:28px;line-height:.9;letter-spacing:.02em}.ind-topbar__right{display:flex;align-items:center;gap:18px}.ind-topbar__sep{opacity:.35;font-weight:400}.ind-topbar__nav{display:flex;align-items:center;gap:14px;flex-wrap:wrap}.ind-topbar__nav-link{color:inherit;text-decoration:none;transition:color var(--ind-motion-fast);padding:4px 0;border-top:2px solid transparent;border-bottom:2px solid transparent}.ind-topbar__nav-link:hover{color:var(--ind-orange)}.ind-topbar__auth,.ind-topbar__cta{text-decoration:none;padding:6px 14px;letter-spacing:.16em;font-weight:700;text-transform:uppercase;font-size:12px;display:inline-block}.ind-topbar__auth{color:var(--ind-ink);border:2px solid var(--ind-ink);transition:background var(--ind-motion-fast),color var(--ind-motion-fast)}.ind-topbar__auth:hover{background:var(--ind-ink);color:var(--ind-paper)}.ind-topbar__cta{color:var(--ind-paper);background:var(--ind-orange);border:2px solid var(--ind-orange);transition:background var(--ind-motion-fast),border-color var(--ind-motion-fast)}.ind-topbar__cta:hover{background:var(--ind-ink);border-color:var(--ind-ink)}.ind-topbar__burger{display:none;background:transparent;border:2px solid var(--ind-ink);color:var(--ind-ink);padding:8px 10px;cursor:pointer;transition:background var(--ind-motion-fast),color var(--ind-motion-fast)}.ind-topbar__burger:hover{background:var(--ind-ink);color:var(--ind-paper)}.ind-topbar__burger:focus-visible{outline:2px solid var(--ind-orange);outline-offset:2px}.ind-megatype{padding:60px 48px 24px;background:var(--ind-paper)}.ind-megatype--seam-heavy{border-bottom:2px solid var(--ind-ink)}.ind-megatype__num{font-family:var(--ind-font-stencil);font-weight:900;font-size:clamp(96px,16vw,240px);line-height:.78;letter-spacing:-.04em;color:var(--ind-ink);margin:0;padding-bottom:.2em}.ind-megatype__num em{font-style:normal;color:var(--ind-orange)}.ind-megatype__cap{display:flex;justify-content:space-between;align-items:flex-start;margin-top:16px;font-family:var(--ind-font-body);font-weight:600;font-size:14px;letter-spacing:.2em;text-transform:uppercase;color:var(--ind-ink)}.ind-megatype__cap-right{text-align:right;color:var(--ind-orange)}.ind-heading{font-family:var(--ind-font-display);font-weight:700;font-size:clamp(56px,6.4vw,104px);line-height:.88;letter-spacing:-.01em;margin:0;text-transform:uppercase;color:var(--ind-ink)}.ind-heading>span,.ind-heading>em{display:block}.ind-heading em{font-style:normal;color:var(--ind-orange)}.ind-lead{font-family:var(--ind-font-body);font-size:17px;line-height:1.55;font-weight:400;margin:0;max-width:50ch;color:var(--ind-ink)}.ind-eyebrow{font-family:var(--ind-font-mono);font-size:13px;letter-spacing:.22em;text-transform:uppercase;color:var(--ind-orange);font-weight:700;margin:0}.ind-button{display:inline-flex;align-items:center;gap:12px;font-family:var(--ind-font-body);font-weight:700;letter-spacing:.16em;text-transform:uppercase;border:2px solid var(--ind-ink);cursor:pointer;text-decoration:none;transition:background var(--ind-motion-fast),color var(--ind-motion-fast);white-space:nowrap;line-height:1}.ind-button:disabled{opacity:.45;cursor:not-allowed}.ind-button--md{padding:14px 22px;font-size:13px}.ind-button__arrow{font-weight:900;font-size:16px;letter-spacing:0}.ind-button--solid{background:var(--ind-ink);color:var(--ind-paper)}.ind-button--solid:hover{background:var(--ind-orange);border-color:var(--ind-orange)}.ind-form{display:flex;align-items:stretch;border:2px solid var(--ind-ink);background:#fff;width:100%}.ind-form__input{flex:1;border:none;outline:none;background:transparent;font-family:var(--ind-font-mono);font-size:15px;letter-spacing:.04em;padding:16px 18px;color:var(--ind-ink);min-width:0}.ind-form__input::placeholder{color:#0c0c0c66}.ind-form__input:focus{background:#ff4f000f}.ind-form__submit{background:var(--ind-orange);color:var(--ind-paper);border:none;border-left:2px solid var(--ind-ink);padding:0 22px;font-family:var(--ind-font-body);font-weight:700;letter-spacing:.16em;text-transform:uppercase;font-size:13px;cursor:pointer;display:inline-flex;align-items:center;gap:12px;transition:background var(--ind-motion-fast),color var(--ind-motion-fast);white-space:nowrap}.ind-form__submit-arrow{font-weight:900;font-size:16px;letter-spacing:0}.ind-form__submit:hover{background:var(--ind-ink);color:var(--ind-paper)}.ind-install{max-width:560px;width:100%;min-width:0}.ind-install__row{display:flex;align-items:stretch;min-width:0;border:2px solid var(--ind-ink);background:var(--ind-paper)}.ind-install__cmd{flex:1;min-width:0;display:flex;align-items:center;gap:12px;font-family:var(--ind-font-mono);font-size:15px;letter-spacing:.01em;padding:16px 18px;color:var(--ind-ink);overflow-x:auto;white-space:nowrap}.ind-install__prompt{color:var(--ind-orange);font-weight:700;flex:none}.ind-install__copy{flex:none;background:var(--ind-orange);color:var(--ind-paper);border:none;border-left:2px solid var(--ind-ink);padding:0 20px;font-family:var(--ind-font-body);font-weight:700;letter-spacing:.16em;text-transform:uppercase;font-size:12px;cursor:pointer;display:inline-flex;align-items:center;gap:8px;transition:background var(--ind-motion-fast),color var(--ind-motion-fast);white-space:nowrap}.ind-install__copy-icon{font-size:14px;letter-spacing:0}.ind-install__copy:hover{background:var(--ind-ink);color:var(--ind-paper)}.ind-install__caption{margin:14px 0 0;font-family:var(--ind-font-mono);font-size:12px;letter-spacing:.05em;line-height:1.6;color:var(--ind-ink-soft)}@media(max-width:640px){.ind-install__cmd{font-size:13px;padding:14px}.ind-install__copy{padding:0 14px}}.ind-card{background:var(--ind-paper);border:2px solid var(--ind-ink);font-family:var(--ind-font-mono);display:flex;flex-direction:column}.ind-card__head{background:var(--ind-ink);color:var(--ind-paper);padding:12px 18px;display:flex;justify-content:space-between;font-size:12px;letter-spacing:.16em;text-transform:uppercase}.ind-card__body{flex:1;padding:8px 0;font-size:12px;overflow:hidden}.ind-card__foot{border-top:1px solid var(--ind-rule-soft);padding:10px 18px;display:flex;justify-content:space-between;font-size:11px;letter-spacing:.14em;text-transform:uppercase}.ind-auditrow{display:grid;grid-template-columns:44px 70px 110px minmax(0,1fr) auto;gap:14px;padding:8px 18px;border-bottom:1px dashed var(--ind-rule-soft);align-items:baseline;font-family:var(--ind-font-mono);font-size:12px;opacity:0;transform:translate(-6px);animation:ind-auditrow-in var(--ind-motion-reveal) forwards}.ind-auditrow__act{overflow-wrap:anywhere}@keyframes ind-auditrow-in{to{opacity:1;transform:translate(0)}}.ind-auditrow__idx{font-weight:700;color:#0c0c0c66}.ind-auditrow__ts{color:#0c0c0c8c}.ind-auditrow__who{color:var(--ind-orange);font-weight:700;text-transform:uppercase;letter-spacing:.04em}.ind-auditrow__act{color:var(--ind-ink)}.ind-pill{display:inline-block;text-transform:uppercase;font-weight:700;font-size:11px;letter-spacing:.1em;padding:2px 8px;border:1px solid var(--ind-rule-soft);font-family:var(--ind-font-mono)}.ind-pill--critical{background:var(--ind-sev-critical);color:var(--ind-paper);border-color:var(--ind-sev-critical)}.ind-pill--high{background:var(--ind-sev-high);color:var(--ind-paper);border-color:var(--ind-sev-high)}.ind-pill--info{background:var(--ind-paper);color:var(--ind-ink-soft);border:1px solid var(--ind-rule-soft)}.ind-stat{text-align:center}.ind-stat__num{font-family:var(--ind-font-stencil);font-weight:900;font-size:clamp(72px,8vw,128px);line-height:.88;color:var(--ind-ink)}.ind-stat__num em{font-style:normal;font-size:.5em;color:var(--ind-orange);margin-left:2px}.ind-stat__label{font-family:var(--ind-font-body);font-weight:700;font-size:12px;letter-spacing:.18em;text-transform:uppercase;color:var(--ind-ink);margin-top:8px}.ind-stat__subtitle{font-family:var(--ind-font-mono);font-size:11px;color:var(--ind-ink-soft);letter-spacing:.04em;margin-top:4px}.ind-footrun{background:var(--ind-ink);color:var(--ind-paper);padding:16px 48px;display:flex;justify-content:space-between;font-family:var(--ind-font-mono);font-size:12px;letter-spacing:.1em;text-transform:uppercase}.ind-dot{display:inline-block;width:8px;height:8px;border-radius:50%;vertical-align:middle;margin-right:6px}.ind-dot--live{background:var(--ind-orange);animation:ind-dot-pulse 1.4s ease-in-out infinite}@keyframes ind-dot-pulse{0%,to{opacity:1;transform:scale(1)}50%{opacity:.4;transform:scale(.8)}}@media(max-width:960px){.ind-topbar{padding:14px 24px;flex-wrap:wrap;gap:8px}.ind-topbar__id{gap:14px;flex:1 1 auto}.ind-topbar__nav,.ind-topbar__right{display:none}.ind-topbar__burger{display:inline-flex;align-items:center;justify-content:center}.ind-megatype{padding:36px 24px 16px}.ind-megatype__cap{flex-direction:column;gap:4px}.ind-megatype__cap-right{text-align:left}.ind-form{max-width:100%}.ind-form__input{font-size:16px;padding:14px}.ind-form__submit{padding:0 14px;font-size:12px}.ind-auditrow{grid-template-columns:36px 60px 90px minmax(0,1fr) auto;gap:8px;padding:6px 12px}.ind-footrun{padding:14px 24px;flex-direction:column;gap:6px;font-size:11px}}@media(max-width:640px){.ind-form{flex-direction:column}.ind-form__submit{border-left:0;border-top:2px solid var(--ind-ink);padding:14px 18px;justify-content:center}.ind-stat__num{font-size:clamp(40px,12vw,72px)}.ind-auditrow{grid-template-columns:auto 1fr auto;grid-template-areas:"ts who status" "act act act";gap:6px 10px;padding:8px 12px;font-size:11.5px}.ind-auditrow__idx{display:none}.ind-auditrow__ts{grid-area:ts}.ind-auditrow__who{grid-area:who}.ind-auditrow__act{grid-area:act;padding-top:2px}.ind-auditrow .ind-pill{grid-area:status;justify-self:end}}</style>
    <link rel="icon" type="image/png" href="/swarm-logo.png">
    <link rel="icon" type="image/svg+xml" href="/favicon.svg">
    <!-- SPA-fallback flash mitigation. Sync, same-origin, allowed by
         the strict CSP via `script-src 'self'` (no per-content hash to
         maintain). Source + commentary live in
         apps/web/public/spa-fallback-guard.js. -->
    <script src="/spa-fallback-guard.js"></script>
    <!-- Google Analytics 4 (gtag.js). The init script (/gtag-init.js)
         appends the cross-origin gtag.js loader on requestIdleCallback,
         so the loader's parse + forced-reflow cost lands AFTER LCP
         instead of competing with first paint. The dataLayer + gtag()
         stub are defined synchronously inside gtag-init.js so the
         GtagPageviews component can fire page_view from React without
         caring whether the loader has resolved yet. -->
    <link rel="preconnect" href="https://www.googletagmanager.com" crossorigin>
    <link rel="preconnect" href="https://www.google-analytics.com" crossorigin>
    <script defer src="/gtag-init.js"></script>
    <meta name="robots" content="index,follow,max-image-preview:large,max-snippet:-1,max-video-preview:-1">
    <meta property="og:image" content="https://swarmsec.ai/og-image.png?v=3">
    <meta property="og:image:type" content="image/png">
    <meta property="og:image:width" content="1200">
    <meta property="og:image:height" content="630">
    <meta property="og:image:alt" content="Swarm: agentic penetration testing">
    <meta name="twitter:card" content="summary_large_image">
    <meta name="twitter:site" content="@swarmsec">
    <meta name="twitter:creator" content="@swarmsec">
    <meta name="twitter:image" content="https://swarmsec.ai/og-image.png?v=3">
    <link rel="preconnect" href="https://api.swarmsec.ai">
    <link rel="preconnect" href="https://clerk.com">
    <link rel="dns-prefetch" href="https://challenges.cloudflare.com">
    <script type="application/ld+json">{"@context":"https://schema.org","@type":"Organization","@id":"https://swarmsec.ai/#organization","name":"SwarmSec","legalName":"SwarmSec, Inc.","url":"https://swarmsec.ai","logo":"https://swarmsec.ai/swarm-logo.png","sameAs":["https://github.com/swarminc","https://x.com/swarmsec","https://www.linkedin.com/company/swarmsec"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","email":"support@swarmsec.ai"}}</script>
    <script type="application/ld+json">{"@context":"https://schema.org","@type":"WebSite","@id":"https://swarmsec.ai/#website","url":"https://swarmsec.ai","name":"Swarm","publisher":{"@id":"https://swarmsec.ai/#organization"},"potentialAction":{"@type":"SearchAction","target":"https://swarmsec.ai/?q={search_term_string}","query-input":"required name=search_term_string"}}</script>
    <script type="application/ld+json">{"@context":"https://schema.org","@type":"SoftwareApplication","@id":"https://swarmsec.ai/#software","name":"Swarm","applicationCategory":"SecurityApplication","operatingSystem":"Web","provider":{"@id":"https://swarmsec.ai/#organization"}}</script>
    <script type="application/ld+json">{"@context":"https://schema.org","@type":"ItemList","@id":"https://swarmsec.ai/#sitenav","name":"Swarm marketing site navigation","itemListElement":[{"@type":"SiteNavigationElement","position":1,"name":"Why Swarm","url":"https://swarmsec.ai/why-swarm","description":"Swarm vs the human-firm annual pen test. Same job, AI-native delivery, audit-trail receipts."},{"@type":"SiteNavigationElement","position":2,"name":"Pricing","url":"https://swarmsec.ai/pricing","description":"Per-engagement pricing for agentic pen testing. No per-target, per-finding, or per-seat fees."},{"@type":"SiteNavigationElement","position":3,"name":"Features","url":"https://swarmsec.ai/features","description":"Swarm platform features. Anthropic Dreaming, MCP for engagements, plus the swarm, coverage, evidence, reporting, and isolation surfaces."},{"@type":"SiteNavigationElement","position":4,"name":"Sample report","url":"https://swarmsec.ai/sample-report","description":"Sanitized engagement report and full audit trail. Open the deliverable before you buy."},{"@type":"SiteNavigationElement","position":5,"name":"OWASP coverage","url":"https://swarmsec.ai/owasp-coverage","description":"Per-category coverage across OWASP Top 10 (Web, API, LLM, Agentic) — full audit-grade matrix."},{"@type":"SiteNavigationElement","position":6,"name":"Compliance","url":"https://swarmsec.ai/compliance","description":"Control mapping for SOC 2 Type 2, ISO 27001, PCI DSS 11.4, and HIPAA — row-by-row evidence."},{"@type":"SiteNavigationElement","position":7,"name":"Mythos","url":"https://swarmsec.ai/mythos","description":"Frontier-model commitment: every paying customer gets a free retest with each new frontier model onboarded."},{"@type":"SiteNavigationElement","position":8,"name":"Security","url":"https://swarmsec.ai/security","description":"How Swarm runs pen tests safely. Tenancy isolation, scope enforcement, durable audit trail."},{"@type":"SiteNavigationElement","position":9,"name":"When to run Swarm","url":"https://swarmsec.ai/when-to-run-swarm","description":"The six trigger moments for an engagement: pre-launch, pre-fundraise, SOC 2 prep, deal unblock, post-incident, new-feature review."},{"@type":"SiteNavigationElement","position":10,"name":"Blog","url":"https://swarmsec.ai/blog","description":"Practitioner writing on AI penetration testing, compliance pen-test requirements, and application security."},{"@type":"SiteNavigationElement","position":11,"name":"CLI","url":"https://swarmsec.ai/cli","description":"Run Swarm free in your terminal. Install into Claude Code, Codex, or Cursor; specialist agents read your source and map your live footprint. No account, no key."}]}</script>
    <!-- Sora is self-hosted via @fontsource/sora (imported in src/main.tsx).
         The font woff2 files are hashed into /assets and served from the
         same origin with long-lived Cache-Control, removing the
         fonts.googleapis.com -> fonts.gstatic.com chain that PageSpeed
         flagged as ~1,200ms render-blocking on cold mobile. -->
    <script type="module" crossorigin src="/assets/app-9CO0sr-c.js"></script>
    <link rel="preload" crossorigin href="/assets/style-DYkxJmcM.css" as="style">
      <link rel="canonical" data-ssg="1" href="https://swarmsec.ai">
  <link rel="preload" as="font" crossorigin="anonymous" href="/assets/sora-latin-400-normal-CRt88UEn.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/assets/sora-latin-500-normal-01eiPEn0.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/assets/sora-latin-600-normal-Cdg4DaK0.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/assets/sora-latin-700-normal-9waGdLWo.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/assets/sora-latin-800-normal-2tKLL3qT.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/assets/big-shoulders-display-latin-700-normal-KM2fueoL.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/assets/big-shoulders-display-latin-800-normal-DDUD9Xuh.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/assets/big-shoulders-display-latin-900-normal-CW8trzgu.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/assets/big-shoulders-stencil-display-latin-900-normal-C2a_AZvg.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/assets/space-mono-latin-400-normal-Rg4St2Dn.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/assets/space-mono-latin-700-normal-mWgeinG7.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/fonts/Goga-Regular.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/fonts/Goga-Medium.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/fonts/Goga-SemiBold.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/fonts/Goga-Bold.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/fonts/Goga-ExtraBold.woff2"><link rel="preload" as="font" crossorigin="anonymous" href="/fonts/Goga-Black.woff2"></head>
  <body>
    <div id="root" data-server-rendered="true"><title>Swarm: agentic pen testing you can run free in your terminal</title><meta name="description" content="Point Swarm at your code and your live domain, free, in Claude Code, Codex, or Cursor: claude mcp add swarm npx @swarmsec/swarm-cli. Specialist agents read your source and map your public footprint in minutes, no account, no key. When you need a finding proven, the full engagement runs 50+ specialists against your deployed app with a validated PoC on every finding and an audit trail your auditor accepts."><link rel="canonical" href="https://swarmsec.ai/"><meta property="og:title" content="Swarm: agentic pen testing you can run free in your terminal"><meta property="og:description" content="Point Swarm at your code and your live domain, free, in Claude Code, Codex, or Cursor: claude mcp add swarm npx @swarmsec/swarm-cli. Specialist agents read your source and map your public footprint in minutes, no account, no key. When you need a finding proven, the full engagement runs 50+ specialists against your deployed app with a validated PoC on every finding and an audit trail your auditor accepts."><meta property="og:type" content="website"><meta property="og:image" content="https://swarmsec.ai/og-image.png?v=2"><meta property="og:image:type" content="image/png"><meta property="og:image:width" content="6174"><meta property="og:image:height" content="1728"><meta property="og:image:alt" content="Swarm: agentic penetration testing"><meta name="twitter:image" content="https://swarmsec.ai/og-image.png?v=2"><meta name="twitter:card" content="summary_large_image"><div class="marketing-layout"><script type="application/ld+json">{"@context":"https://schema.org","@type":"WebPage","@id":"https://swarmsec.ai/#webpage","url":"https://swarmsec.ai/","publisher":{"@id":"https://swarmsec.ai/#organization"},"dateModified":"2026-07-17","mainEntity":{"@id":"https://swarmsec.ai/#service"}}</script><script type="application/ld+json">{"@context":"https://schema.org","@type":"Service","@id":"https://swarmsec.ai/#service","name":"Swarm Agentic Penetration Testing","description":"A coordinated swarm of 50+ AI specialist agents that runs an audit-grade penetration test against your authorized targets, with verified exploits and a full audit trail.","serviceType":"Penetration testing","areaServed":"Worldwide","provider":{"@id":"https://swarmsec.ai/#organization"}}</script><script type="application/ld+json">{"@context":"https://schema.org","@type":"SoftwareApplication","@id":"https://swarmsec.ai/#swarm-cli","name":"Swarm CLI","applicationCategory":["SecurityApplication","DeveloperApplication"],"operatingSystem":"Cross-platform","softwareRequirements":"Claude Code, Codex, or Cursor (MCP host)","description":"The free Swarm CLI: an MCP server for Claude Code, Codex, and Cursor that reads your source and maps your live footprint, surfacing candidate security findings your own AI agent can start fixing. Uses your host agent's model, no separate API key.","offers":{"@type":"Offer","price":"0","priceCurrency":"USD"},"provider":{"@id":"https://swarmsec.ai/#organization"}}</script><script type="application/ld+json">{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"Is the Swarm CLI free?","acceptedAnswer":{"@type":"Answer","text":"Yes. Install it into Claude Code, Codex, or Cursor with `claude mcp add swarm npx @swarmsec/swarm-cli`, then ask your agent to run a Swarm scan. It reads your source and maps your live footprint for free, in minutes, with no account and no card. It runs a handful of Swarm's 50+ specialists on your own code and domain. The full engagement, run by an independent third party against your deployed app, is the paid step; pricing lives at https://swarmsec.ai/pricing."}},{"@type":"Question","name":"Does the Swarm CLI need an API key?","acceptedAnswer":{"@type":"Answer","text":"No. The CLI ships as an MCP server that uses your host agent's model, so Claude Code, Codex, and Cursor drive it with the subscription or key you already have. There is no new key to set. For headless and CI use, `claude -p \"run a swarm scan\" --output-format json` runs the same scan against a provider key that is already a pipeline secret."}},{"@type":"Question","name":"What does the free scan find that a one-shot code review does not?","acceptedAnswer":{"@type":"Answer","text":"A one-shot code review reads your source in a single pass and stops there. Swarm is agentic and multi-specialist, and it looks at both your source AND your live attack surface. Specialist agents read the code the way a senior pen tester would (hardcoded secrets, missing authorization, known-vulnerable dependencies, stack-specific bugs across Node, Python, Go, Ruby, .NET, and PHP) and passive recon maps what the internet can already see about your domain: exposed services and admin panels, spoofable SPF and DMARC, dangling subdomains, public leaks. Candidate findings come back machine-actionable so your own AI session can start fixing them."}},{"@type":"Question","name":"Can the free scan prove a vulnerability is exploitable?","acceptedAnswer":{"@type":"Answer","text":"No, and that boundary is the point. A scan you run on yourself flags what looks wrong; it cannot prove the bug is exploitable, and an auditor will not accept a test you ran on your own code. Proving exploitability needs a deployed app plus authorization, which is the full engagement run by an independent third party. That engagement actively exploits and validates each finding, ships a working proof-of-concept with every one, chains low-severity findings into critical attack paths, and hands you an audit trail your prospect's security team can replay. That is third-party validation (SOC 2 CC4 / CC7), which is what your auditor requires."}},{"@type":"Question","name":"Is Swarm an alternative to a human penetration testing firm?","acceptedAnswer":{"@type":"Answer","text":"For most SaaS engagements driven by SOC 2 Type 2 readiness, yes. That is the core use case. As a human pen test alternative and ethical hacking service, Swarm replaces the standard annual engagement for the majority of SaaS security programs. A human pen test firm typically charges $15,000 to $50,000 per engagement, takes two to four weeks, and delivers a PDF whose methodology lives in the consultant's head. Swarm runs in roughly two hours per engagement and ships a structured report plus the full audit trail of every specialist action: receipted, filterable, traceable from any finding back to the request that surfaced it.\n\nSwarm is priced per engagement, not as a subscription or retainer, so you test as often as you ship. Customers run for SOC 2 Type 2 or ISO 27001 audit prep, and re-run as they ship for post-incident validation, new-feature security review, or security-questionnaire responses. Re-testing a fix is just another run, the close-the-loop validation that human firms charge separately for. Pricing detail lives at https://swarmsec.ai/pricing. \n\nWhat Swarm replaces well: standard SaaS pen test engagements, especially the recurring annual or semi-annual ones, and especially when an external auditor is the deal-closing reviewer. The combination of an evidence-driven orchestrator dispatching 50+ specialists, the live activity feed, and the full forensic audit trail typically gives auditors more methodology transparency than a human-firm PDF. \n\nWhat Swarm does not replace: bespoke red team assessment engagements with sophisticated social engineering, on-premise hardware testing, or multi-month engagements scoped to a specific advanced-persistent-threat hypothesis. For those, hire a senior firm. For the SOC 2 pen test you run every year, run Swarm and put the savings into remediation."}},{"@type":"Question","name":"Is Swarm an automated scanner?","acceptedAnswer":{"@type":"Answer","text":"No. Automated scanners match known signatures against a checklist. Swarm specialists reason. They build a model of how your application works, form hypotheses, and test them adaptively. The result is findings scanners cannot produce: logic flaws, chained exploits, and authentication bypasses that do not appear in any CVE database. The CVE library augments this; specialists consult it for known issues. But the core engine is reasoning, not signature matching."}},{"@type":"Question","name":"Does the platform get sharper over time?","acceptedAnswer":{"@type":"Answer","text":"Yes. After every engagement, the swarm reviews what just happened and rewrites six knowledge bases that feed dispatch decisions. The mechanism is Anthropic Dreaming (beta), a research capability that lets agents reflect on completed work and update their own context. Swarm runs it against six surfaces: environment signals (stack detection patterns the orchestrator uses to choose specialists), per-specialist lessons learned, orchestrator dispatch heuristics, the CVE curation that decides which disclosures matter for offensive work, the compromise-pattern catalogue refined against new incident reports, and a false-positive refinement loop that updates the environment model whenever a finding gets rejected on review.\n\nThe practical effect lands at the platform level: across all engagements, the orchestrator routes specialists faster, the reviewer rejects fewer false positives, and the chain analyst recognizes exploit-chain shapes it has seen before. None of this requires a release on our side; the knowledge bases compound passively between runs.\n\nDreaming runs only on completed engagements. Abstracted lessons (CVE relevance, exploit-chain shapes, dispatch heuristics) inform the platform; per-customer signals stay scoped to your organization at the same data-model layer that enforces engagement ownership, so cross-tenant leakage is structurally impossible."}},{"@type":"Question","name":"Does Swarm produce a SOC 2-ready deliverable?","acceptedAnswer":{"@type":"Answer","text":"Yes. The deliverable is designed for SOC 2 Type 2 review and accepted as a compliance pen test deliverable by SOC 2 auditors. The SOC 2 Type 2 pen test report includes executive summary, individual findings with CVSS scores, exploit chain analysis, and validated proof-of-concept for every finding. The OWASP audit coverage maps every finding to its OWASP category (OWASP Top 10 testing plus OWASP API, LLM, and Agentic Applications Top 10) so your security questionnaire answers write themselves. The full audit trail (every specialist action receipted, filterable by specialist, traceable from any finding back to the request that surfaced it) gives your external auditor forensic-level transparency into methodology. A dedicated read-only Auditor role lets your compliance professional access the dashboard, report, and full audit trail directly."}},{"@type":"Question","name":"Is Swarm safe for production environments?","acceptedAnswer":{"@type":"Answer","text":"Yes. Specialists operate within a customer-approved scope before testing begins. No destructive operations are taken without explicit per-action approval. Rate limits are enforced. Every request is logged and exported in the audit trail. Out-of-scope hosts are rejected at the tool layer before any HTTP call leaves the orchestrator."}},{"@type":"Question","name":"What is the audit trail and what does my auditor see?","acceptedAnswer":{"@type":"Answer","text":"A traditional pen test delivers a PDF and a verbal debrief; the methodology lives in the consultant's head. Swarm logs every move every specialist makes (every HTTP request, every source grep, every file read, every finding submission, every exploit chain composition) and streams it to your dashboard as the engagement runs. Hand the full record to your SOC 2 auditor afterward. They filter by specialist, pivot the dataset, and trace any finding in the report back to the exact tool call that surfaced it. Methodology that proves itself, not a summary that asks to be trusted."}},{"@type":"Question","name":"What stacks does Swarm cover?","acceptedAnswer":{"@type":"Answer","text":"Swarm specialists work against any modern web stack: Node, Python, Go, Ruby, Elixir, JVM, .NET, PHP. Coverage extends across every major identity provider too: Clerk, Auth0, Okta, Stytch, Cognito, Firebase, Supabase, and custom IDPs. The orchestrator fingerprints your stack during recon and dispatches the appropriate specialists automatically. AI / LLM and MCP server testing kicks in when those surfaces are detected, so you do not configure specialist-by-specialist; the swarm reads the application and routes work accordingly."}},{"@type":"Question","name":"Can I integrate Swarm findings into Claude Code, Cursor, or another MCP client?","acceptedAnswer":{"@type":"Answer","text":"Yes. Mint a per-engagement Model Context Protocol token from the dashboard, plug it into Claude Code, Cursor, or any MCP-compatible client, and your team's editor surfaces Swarm findings, the source files the specialists already pulled, and a finding-status update tool in one place. Seven curated tools cover read access to findings and repositories plus the single write path of marking a finding remediated. Tokens are scoped to a single engagement and revoked with one click; nothing in the token can touch another engagement.\n\nThe intended workflow: an engagement closes, your engineers open the report inside Claude Code, fetch each finding's full evidence inline, write the fix against the source the specialists already read, and mark the finding remediated from the editor. The 30-day re-test window then validates the fix without a separate scoping call.\n\nThe service token is stamped with a developer role: reads plus finding-status updates only. It cannot run engagements, edit scope, change billing, or reach another organization's data."}},{"@type":"Question","name":"How much does a penetration test cost?","acceptedAnswer":{"@type":"Answer","text":"Swarm is priced per engagement, with no subscription or retainer, so you test as often as you ship. Human pen test firms typically charge $15,000 to $50,000 per engagement and take two to four weeks. Every Swarm run includes the full deliverable: structured report, audit trail of every specialist action, and a validated proof-of-concept for every finding. Re-testing a fix is just another run. See current pricing at https://swarmsec.ai/pricing."}}]}</script><script type="application/ld+json">{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://swarmsec.ai"}]}</script><main><section class="hero"><header class="ind-topbar"><div class="ind-topbar__id"><a class="ind-topbar__brand-link" href="/"><span class="ind-topbar__brand">SWARM</span></a><nav class="ind-topbar__nav" aria-label="Marketing"><a class="ind-topbar__nav-link" href="/cli">CLI</a><span class="ind-topbar__sep" aria-hidden="true">|</span><a class="ind-topbar__nav-link" href="/why-swarm">Why Swarm</a><span class="ind-topbar__sep" aria-hidden="true">|</span><a class="ind-topbar__nav-link" href="/features">Features</a><span class="ind-topbar__sep" aria-hidden="true">|</span><a class="ind-topbar__nav-link" href="/pricing">Pricing</a><span class="ind-topbar__sep" aria-hidden="true">|</span><a class="ind-topbar__nav-link" href="/sample-report">Sample Report</a><span class="ind-topbar__sep" aria-hidden="true">|</span><a class="ind-topbar__nav-link" href="/blog">Blog</a></nav></div><div class="ind-topbar__right"><a class="ind-topbar__auth" href="/sign-in">Sign in</a><a class="ind-topbar__cta" href="/sign-up">Sign up</a></div><button type="button" class="ind-topbar__burger" aria-label="Open menu" aria-expanded="false" aria-controls="ind-topbar-drawer"><svg width="20" height="14" viewBox="0 0 20 14" aria-hidden="true"><line x1="0" y1="2" x2="20" y2="2" stroke="currentColor" stroke-width="2.4" stroke-linecap="square"/><line x1="0" y1="7" x2="20" y2="7" stroke="currentColor" stroke-width="2.4" stroke-linecap="square"/><line x1="0" y1="12" x2="20" y2="12" stroke="currentColor" stroke-width="2.4" stroke-linecap="square"/></svg></button></header><div class="ind-hero-band"><section class="ind-megatype ind-megatype--seam-heavy"><div class="ind-megatype__num">50<em>+</em></div><div class="ind-megatype__cap"><span>SPECIALISTS · ONE ENGAGEMENT</span><span class="ind-megatype__cap-right">YOU RUN A HANDFUL FREE</span></div></section><div class="ind-hero-band__body"><div class="ind-hero-band__left"><p class="ind-eyebrow">Free · runs in your terminal</p><h1 class="ind-heading"><span>Point Swarm</span><em>at your code.</em><em>Free.</em></h1><p class="ind-lead">A one-shot code review reads your source in a single pass and stops. Swarm dispatches specialist agents that read your source the way a senior pen tester would AND map what the internet can already see about your live domain: exposed services, spoofable DNS, public leaks. Candidate findings your own AI agent can start fixing, in minutes. No account, no key.</p><div class="hero-cta"><div class="ind-install"><div class="ind-install__row"><code class="ind-install__cmd"><span class="ind-install__prompt" aria-hidden="true">$</span>claude mcp add swarm npx @swarmsec/swarm-cli</code><button class="ind-install__copy" type="button" aria-label="Copy install command">Copy<span class="ind-install__copy-icon" aria-hidden="true">⧉</span></button></div><p class="ind-install__caption">Claude Code · Codex · Cursor. Uses your agent's model. Then ask it to run a Swarm scan.</p></div><a class="ind-button ind-button--solid ind-button--md" href="/get-started">Run a full engagement<span class="ind-button__arrow" aria-hidden="true">→</span></a></div></div><div class="ind-hero-band__right"><div class="ind-card hero-demo"><div class="ind-card__head"><span>Engagement 0a9b3 · live</span><span><span class="ind-dot ind-dot--live"></span>recording</span></div><div class="ind-card__body"><div class="ind-auditrow" style="animation-delay:0ms"><span class="ind-auditrow__idx">001</span><span class="ind-auditrow__ts">14:02:11</span><span class="ind-auditrow__who">[<!-- -->recon<!-- -->]</span><span class="ind-auditrow__act">http_request GET /api/users</span><span class="ind-pill ind-pill--info">200 OK</span></div><div class="ind-auditrow" style="animation-delay:1400ms"><span class="ind-auditrow__idx">002</span><span class="ind-auditrow__ts">14:02:14</span><span class="ind-auditrow__who">[<!-- -->auth<!-- -->]</span><span class="ind-auditrow__act">submit_finding IDOR on /api/users/:id</span><span class="ind-pill ind-pill--high">high</span></div><div class="ind-auditrow" style="animation-delay:2800ms"><span class="ind-auditrow__idx">003</span><span class="ind-auditrow__ts">14:02:32</span><span class="ind-auditrow__who">[<!-- -->recon<!-- -->]</span><span class="ind-auditrow__act">http_request GET /admin</span><span class="ind-pill ind-pill--info">403</span></div><div class="ind-auditrow" style="animation-delay:4200ms"><span class="ind-auditrow__idx">004</span><span class="ind-auditrow__ts">14:02:48</span><span class="ind-auditrow__who">[<!-- -->broken-access<!-- -->]</span><span class="ind-auditrow__act">source_grep requireAuth.*users</span><span class="ind-pill ind-pill--info">11 hits</span></div><div class="ind-auditrow" style="animation-delay:5600ms"><span class="ind-auditrow__idx">005</span><span class="ind-auditrow__ts">14:03:02</span><span class="ind-auditrow__who">[<!-- -->broken-access<!-- -->]</span><span class="ind-auditrow__act">submit_finding bypass via X-Forwarded-User</span><span class="ind-pill ind-pill--high">high</span></div><div class="ind-auditrow" style="animation-delay:7000ms"><span class="ind-auditrow__idx">006</span><span class="ind-auditrow__ts">14:03:48</span><span class="ind-auditrow__who">[<!-- -->chain<!-- -->]</span><span class="ind-auditrow__act">submit_finding CHAIN-3 priv-esc via IDOR</span><span class="ind-pill ind-pill--critical">critical</span></div><div class="ind-auditrow" style="animation-delay:8400ms"><span class="ind-auditrow__idx">007</span><span class="ind-auditrow__ts">14:04:21</span><span class="ind-auditrow__who">[<!-- -->auth<!-- -->]</span><span class="ind-auditrow__act">http_request POST /login (rate-limit probe)</span><span class="ind-pill ind-pill--info">200</span></div><div class="ind-auditrow" style="animation-delay:9800ms"><span class="ind-auditrow__idx">008</span><span class="ind-auditrow__ts">14:05:30</span><span class="ind-auditrow__who">[<!-- -->reviewer<!-- -->]</span><span class="ind-auditrow__act">verify F-12 reproducible</span><span class="ind-pill ind-pill--info">sealed</span></div><div class="ind-auditrow" style="animation-delay:11200ms"><span class="ind-auditrow__idx">009</span><span class="ind-auditrow__ts">14:06:14</span><span class="ind-auditrow__who">[<!-- -->report<!-- -->]</span><span class="ind-auditrow__act">compose_report attaching audit trail</span><span class="ind-pill ind-pill--info">done</span></div></div><div class="ind-card__foot"><span>audit trail · streaming</span><span class="hero-demo__live">specialists 30/30</span></div></div><p class="hero-demo__caption">A full engagement. Validated, audit-trailed, replayable.</p></div></div><footer class="ind-footrun"><span>SWARMSEC.AI · THE MODERN AGENTIC PEN TESTING PLATFORM</span><span>FREE IN YOUR TERMINAL · THEN THE ENGAGEMENT</span></footer></div></section><section class="fpl" aria-labelledby="fpl-heading"><div class="fpl__head"><header class="section-header"><p class="ind-eyebrow">Free observes. The engagement proves.</p><h2 class="section-header__headline">Run it yourself free. <em>Get it proven when it counts.</em></h2></header></div><div class="fpl__grid" role="table" aria-label="Free CLI versus the full engagement"><div class="fpl__col-head fpl__col-head--free" role="columnheader">Free, in your terminal</div><div class="fpl__col-head" role="columnheader">The engagement</div><div class="fpl__row" role="row"><div class="fpl__cell fpl__cell--free" role="cell">You run it on your own code and domain</div><div class="fpl__cell" role="cell">An independent third party runs it against your deployed app</div></div><div class="fpl__row" role="row"><div class="fpl__cell fpl__cell--free" role="cell">Reads your source, maps your live footprint</div><div class="fpl__cell" role="cell">Actively exploits and proves each finding</div></div><div class="fpl__row" role="row"><div class="fpl__cell fpl__cell--free" role="cell">Flags candidates your agent can start fixing</div><div class="fpl__cell" role="cell">A validated proof-of-concept on every finding</div></div><div class="fpl__row" role="row"><div class="fpl__cell fpl__cell--free" role="cell">Single pass, observe only</div><div class="fpl__cell" role="cell">The full 50+ swarm, findings chained into attack paths</div></div><div class="fpl__row" role="row"><div class="fpl__cell fpl__cell--free" role="cell">Your word</div><div class="fpl__cell" role="cell">An audit trail your prospect's security team replays</div></div></div><p class="fpl__boundary">A scan you run on yourself flags what looks wrong. It cannot prove the bug is exploitable, and an auditor will not accept a test you ran on your own code. <em>That is the engagement.</em></p></section><section class="stats-strip" aria-label="The four pillars of a Swarm engagement"><div class="stats-strip__row"><div class="ind-stat"><div class="ind-stat__num">50<em>+</em></div><div class="ind-stat__label">Specialists</div><div class="ind-stat__subtitle">Framework-aware dispatch</div></div><div class="ind-stat"><div class="ind-stat__num">3</div><div class="ind-stat__label">Editors via MCP</div><div class="ind-stat__subtitle">Claude Code · Cursor · Codex</div></div><div class="ind-stat"><div class="ind-stat__num">100<em>%</em></div><div class="ind-stat__label">Actions receipted</div><div class="ind-stat__subtitle">Every tool call, every request</div></div><div class="ind-stat"><div class="ind-stat__num">4</div><div class="ind-stat__label">OWASP standards</div><div class="ind-stat__subtitle">Web · API · LLM · Agentic</div></div></div></section><section class="ind-pillar-band ind-pillar-band--cols-4"><div class="ind-pillar-band__head"><header class="section-header"><p class="ind-eyebrow">Pillar 4 · Coverage of the modern threat surface</p><h2 class="section-header__headline">Most pen tests are still <em>2015.</em></h2><p class="section-header__body">Web app, network, maybe an API. The shape of what gets built has changed: AI features, LLM endpoints, MCP servers, autonomous workflows. Swarm covers all four OWASP standards that govern the modern surface, not last decade's.</p></header></div><div class="ind-pillar-band__grid"><article class="ind-pillar-band__cell"><div class="ind-pillar-band__n">01</div><h3 class="ind-pillar-band__name">Web</h3><p class="ind-pillar-band__meta">OWASP Top 10 · 2021</p><p class="ind-pillar-band__body">Injection, broken access control, authentication failures, server-side request forgery. The canonical web attack surface.</p></article><article class="ind-pillar-band__cell"><div class="ind-pillar-band__n">02</div><h3 class="ind-pillar-band__name">API</h3><p class="ind-pillar-band__meta">OWASP Top 10 · 2023</p><p class="ind-pillar-band__body">BOLA, broken authentication, mass assignment, unrestricted resource consumption. Multi-tenant boundaries probed on every parameter.</p></article><article class="ind-pillar-band__cell"><div class="ind-pillar-band__n">03</div><h3 class="ind-pillar-band__name">LLM</h3><p class="ind-pillar-band__meta">OWASP Top 10 · 2025</p><p class="ind-pillar-band__body">Prompt injection, training data poisoning, sensitive information disclosure, model denial-of-service. For teams shipping AI features.</p></article><article class="ind-pillar-band__cell"><div class="ind-pillar-band__n">04</div><h3 class="ind-pillar-band__name">Agentic</h3><p class="ind-pillar-band__meta">OWASP Top 10 · 2026</p><p class="ind-pillar-band__body">MCP server abuse, tool misuse, memory poisoning, autonomous-action escalation. For teams shipping agent workflows.</p></article></div></section><section class="process-flow"><div class="process-flow__head"><header class="section-header"><p class="ind-eyebrow">The engagement</p><h2 class="section-header__headline">One swarm. <em>Four phases.</em></h2></header></div><div class="process-flow__phases"><article class="process-phase"><div class="process-phase__n">01</div><h3 class="process-phase__name">Recon</h3><p class="process-phase__body">Map every endpoint, every framework, every footgun. Manual scanners run a fixed signature set. The swarm runs against your actual surface.</p></article><article class="process-phase"><div class="process-phase__n">02</div><h3 class="process-phase__name">Triage</h3><p class="process-phase__body">Specialists own classes of attack. Auth flaws. Access control. Injection. Logic. Each agent probes its vector and cites the request that proved it.</p></article><article class="process-phase"><div class="process-phase__n">03</div><h3 class="process-phase__name">Exploit</h3><p class="process-phase__body">Verified PoC for every finding. Multi-step chains are first-class. The chain analyst composes findings into one exploit path.</p></article><article class="process-phase"><div class="process-phase__n">04</div><h3 class="process-phase__name">Report</h3><p class="process-phase__body">Markdown narrative. Full audit trail. JSON for tooling. Your auditor reads the action that matches the verdict.</p></article></div></section><section class="ind-pillar-band ind-pillar-band--cols-3"><div class="ind-pillar-band__head"><header class="section-header"><p class="ind-eyebrow">Pillar 2 · AI-native, end-to-end</p><h2 class="section-header__headline">Findings flow into <em>the work,</em> not into a folder.</h2><p class="section-header__body">A human-firm pen test ends with a PDF, a spreadsheet, and a Zoom call. Engineers translate findings into tickets manually, lose the request that produced each one, and the report rots in a folder. Swarm closes that loop: findings open in the editor your engineers already use, every finding ships with a validated PoC, and the exact request that produced it is one click away.</p></header></div><div class="ind-pillar-band__grid"><article class="ind-pillar-band__cell"><div class="ind-pillar-band__n">01</div><h3 class="ind-pillar-band__name">Findings in your IDE</h3><p class="ind-pillar-band__body">Mint a per-engagement MCP token. Open findings, chains, and the exact request that produced each finding directly in Claude Code, Cursor, or Codex. The engineers fixing the bug work from the proof, not from a PDF.</p></article><article class="ind-pillar-band__cell"><div class="ind-pillar-band__n">02</div><h3 class="ind-pillar-band__name">Platform-side memory</h3><p class="ind-pillar-band__body">Six knowledge bases via Anthropic Dreaming sit behind the orchestrator: stack-detection signals, persona lessons, dispatch heuristics, CVE curation, compromise patterns, false-positive refinement. Abstracted lessons from every Swarm engagement improve dispatch decisions across the platform with structural cross-tenant isolation.</p></article><article class="ind-pillar-band__cell"><div class="ind-pillar-band__n">03</div><h3 class="ind-pillar-band__name">Validated PoC, every finding</h3><p class="ind-pillar-band__body">Every finding ships with a reproducible exploit and the exact request that produced it. Severity demonstrated, not asserted. Not just critical and high: every finding.</p></article></div></section><section class="audit-section"><div class="audit-section__head"><header class="section-header"><p class="ind-eyebrow">Pillar 3 · Receipts</p><h2 class="section-header__headline">Receipts on <em>every finding.</em></h2><p class="section-header__body">Every tool call. Every request. Every grep. Every submit. Every verify. Streams to the dashboard live and ships with the report. Two readers care: your auditor (signs off once a year) and your prospect's security team (scrutinizes the report every RFP). Both replay the audit trail end-to-end and verify the methodology without taking anyone's word for it.</p></header></div><div class="audit-section__panel"><div class="ind-card"><div class="ind-card__head"><span>audit trail · engagement 0a9b3 · actions 142–150</span><span class="audit-section__head-meta">1,847 actions · 312KB</span></div><div class="ind-card__body"><div class="ind-auditrow" style="animation-delay:0ms"><span class="ind-auditrow__idx">0142</span><span class="ind-auditrow__ts">14:11:08</span><span class="ind-auditrow__who">[<!-- -->prompt-inject<!-- -->]</span><span class="ind-auditrow__act">submit_finding indirect injection in /docs/onboarding</span><span class="ind-pill ind-pill--high">high</span></div><div class="ind-auditrow" style="animation-delay:0ms"><span class="ind-auditrow__idx">0143</span><span class="ind-auditrow__ts">14:11:09</span><span class="ind-auditrow__who">[<!-- -->recon<!-- -->]</span><span class="ind-auditrow__act">http_request GET /api/internal/users?role=admin</span><span class="ind-pill ind-pill--info">200</span></div><div class="ind-auditrow" style="animation-delay:0ms"><span class="ind-auditrow__idx">0144</span><span class="ind-auditrow__ts">14:11:10</span><span class="ind-auditrow__who">[<!-- -->auth<!-- -->]</span><span class="ind-auditrow__act">submit_finding token-leak in /api/internal/users</span><span class="ind-pill ind-pill--high">high</span></div><div class="ind-auditrow" style="animation-delay:0ms"><span class="ind-auditrow__idx">0145</span><span class="ind-auditrow__ts">14:11:32</span><span class="ind-auditrow__who">[<!-- -->mcp-authz<!-- -->]</span><span class="ind-auditrow__act">submit_finding tool boundary bypass via session</span><span class="ind-pill ind-pill--high">high</span></div><div class="ind-auditrow" style="animation-delay:0ms"><span class="ind-auditrow__idx">0146</span><span class="ind-auditrow__ts">14:11:48</span><span class="ind-auditrow__who">[<!-- -->broken-access<!-- -->]</span><span class="ind-auditrow__act">http_request POST /api/role/upgrade</span><span class="ind-pill ind-pill--info">403</span></div><div class="ind-auditrow" style="animation-delay:0ms"><span class="ind-auditrow__idx">0147</span><span class="ind-auditrow__ts">14:12:14</span><span class="ind-auditrow__who">[<!-- -->broken-access<!-- -->]</span><span class="ind-auditrow__act">http_request POST /api/role/upgrade -H X-Forwarded-User: admin</span><span class="ind-pill ind-pill--info">200</span></div><div class="ind-auditrow" style="animation-delay:0ms"><span class="ind-auditrow__idx">0148</span><span class="ind-auditrow__ts">14:12:15</span><span class="ind-auditrow__who">[<!-- -->broken-access<!-- -->]</span><span class="ind-auditrow__act">submit_finding privilege bypass via X-Forwarded-User</span><span class="ind-pill ind-pill--critical">critical</span></div><div class="ind-auditrow" style="animation-delay:0ms"><span class="ind-auditrow__idx">0149</span><span class="ind-auditrow__ts">14:12:32</span><span class="ind-auditrow__who">[<!-- -->chain<!-- -->]</span><span class="ind-auditrow__act">submit_finding CHAIN-2 IDOR + role bypass = full takeover</span><span class="ind-pill ind-pill--critical">critical</span></div><div class="ind-auditrow" style="animation-delay:0ms"><span class="ind-auditrow__idx">0150</span><span class="ind-auditrow__ts">14:13:08</span><span class="ind-auditrow__who">[<!-- -->reviewer<!-- -->]</span><span class="ind-auditrow__act">verify CHAIN-2 reproducible against live target</span><span class="ind-pill ind-pill--info">sealed</span></div></div><div class="ind-card__foot"><span>Continued through engagement completion</span><span class="audit-section__foot-ok">Sealed and signed</span></div></div><div class="audit-section__legend"><div class="audit-section__legend-row"><span class="ind-pill ind-pill--info">200</span><span>Successful response or benign result</span></div><div class="audit-section__legend-row"><span class="ind-pill ind-pill--high">high</span><span>Verified high-severity finding</span></div><div class="audit-section__legend-row"><span class="ind-pill ind-pill--critical">critical</span><span>Verified critical finding or chain</span></div></div></div></section><section class="faq-section" aria-labelledby="faq-heading"><div class="faq-section__head"><header class="section-header"><p class="ind-eyebrow">Questions</p><h2 class="section-header__headline">What buyers ask. <em>Receipts attached.</em></h2><p class="section-header__body">The questions every engineering and security lead asks before they fund an engagement. Read the answers here, before the kickoff call.</p></header></div><dl class="faq-section__list"><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">01</span><span class="faq-row__qtext">Is the Swarm CLI free?</span></dt><dd class="faq-row__a"><p>Yes. Install it into Claude Code, Codex, or Cursor with `claude mcp add swarm npx @swarmsec/swarm-cli`, then ask your agent to run a Swarm scan. It reads your source and maps your live footprint for free, in minutes, with no account and no card. It runs a handful of Swarm's 50+ specialists on your own code and domain. The full engagement, run by an independent third party against your deployed app, is the paid step; pricing lives at https://swarmsec.ai/pricing.</p></dd></div><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">02</span><span class="faq-row__qtext">Does the Swarm CLI need an API key?</span></dt><dd class="faq-row__a"><p>No. The CLI ships as an MCP server that uses your host agent's model, so Claude Code, Codex, and Cursor drive it with the subscription or key you already have. There is no new key to set. For headless and CI use, `claude -p "run a swarm scan" --output-format json` runs the same scan against a provider key that is already a pipeline secret.</p></dd></div><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">03</span><span class="faq-row__qtext">What does the free scan find that a one-shot code review does not?</span></dt><dd class="faq-row__a"><p>A one-shot code review reads your source in a single pass and stops there. Swarm is agentic and multi-specialist, and it looks at both your source AND your live attack surface. Specialist agents read the code the way a senior pen tester would (hardcoded secrets, missing authorization, known-vulnerable dependencies, stack-specific bugs across Node, Python, Go, Ruby, .NET, and PHP) and passive recon maps what the internet can already see about your domain: exposed services and admin panels, spoofable SPF and DMARC, dangling subdomains, public leaks. Candidate findings come back machine-actionable so your own AI session can start fixing them.</p></dd></div><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">04</span><span class="faq-row__qtext">Can the free scan prove a vulnerability is exploitable?</span></dt><dd class="faq-row__a"><p>No, and that boundary is the point. A scan you run on yourself flags what looks wrong; it cannot prove the bug is exploitable, and an auditor will not accept a test you ran on your own code. Proving exploitability needs a deployed app plus authorization, which is the full engagement run by an independent third party. That engagement actively exploits and validates each finding, ships a working proof-of-concept with every one, chains low-severity findings into critical attack paths, and hands you an audit trail your prospect's security team can replay. That is third-party validation (SOC 2 CC4 / CC7), which is what your auditor requires.</p></dd></div><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">05</span><span class="faq-row__qtext">Is Swarm an alternative to a human penetration testing firm?</span></dt><dd class="faq-row__a"><p>For most SaaS engagements driven by SOC 2 Type 2 readiness, yes. That is the core use case. As a human pen test alternative and ethical hacking service, Swarm replaces the standard annual engagement for the majority of SaaS security programs. A human pen test firm typically charges $15,000 to $50,000 per engagement, takes two to four weeks, and delivers a PDF whose methodology lives in the consultant's head. Swarm runs in roughly two hours per engagement and ships a structured report plus the full audit trail of every specialist action: receipted, filterable, traceable from any finding back to the request that surfaced it.</p><p>Swarm is priced per engagement, not as a subscription or retainer, so you test as often as you ship. Customers run for SOC 2 Type 2 or ISO 27001 audit prep, and re-run as they ship for post-incident validation, new-feature security review, or security-questionnaire responses. Re-testing a fix is just another run, the close-the-loop validation that human firms charge separately for. Pricing detail lives at https://swarmsec.ai/pricing. </p><p>What Swarm replaces well: standard SaaS pen test engagements, especially the recurring annual or semi-annual ones, and especially when an external auditor is the deal-closing reviewer. The combination of an evidence-driven orchestrator dispatching 50+ specialists, the live activity feed, and the full forensic audit trail typically gives auditors more methodology transparency than a human-firm PDF. </p><p>What Swarm does not replace: bespoke red team assessment engagements with sophisticated social engineering, on-premise hardware testing, or multi-month engagements scoped to a specific advanced-persistent-threat hypothesis. For those, hire a senior firm. For the SOC 2 pen test you run every year, run Swarm and put the savings into remediation.</p></dd></div><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">06</span><span class="faq-row__qtext">Is Swarm an automated scanner?</span></dt><dd class="faq-row__a"><p>No. Automated scanners match known signatures against a checklist. Swarm specialists reason. They build a model of how your application works, form hypotheses, and test them adaptively. The result is findings scanners cannot produce: logic flaws, chained exploits, and authentication bypasses that do not appear in any CVE database. The CVE library augments this; specialists consult it for known issues. But the core engine is reasoning, not signature matching.</p></dd></div><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">07</span><span class="faq-row__qtext">Does the platform get sharper over time?</span></dt><dd class="faq-row__a"><p>Yes. After every engagement, the swarm reviews what just happened and rewrites six knowledge bases that feed dispatch decisions. The mechanism is Anthropic Dreaming (beta), a research capability that lets agents reflect on completed work and update their own context. Swarm runs it against six surfaces: environment signals (stack detection patterns the orchestrator uses to choose specialists), per-specialist lessons learned, orchestrator dispatch heuristics, the CVE curation that decides which disclosures matter for offensive work, the compromise-pattern catalogue refined against new incident reports, and a false-positive refinement loop that updates the environment model whenever a finding gets rejected on review.</p><p>The practical effect lands at the platform level: across all engagements, the orchestrator routes specialists faster, the reviewer rejects fewer false positives, and the chain analyst recognizes exploit-chain shapes it has seen before. None of this requires a release on our side; the knowledge bases compound passively between runs.</p><p>Dreaming runs only on completed engagements. Abstracted lessons (CVE relevance, exploit-chain shapes, dispatch heuristics) inform the platform; per-customer signals stay scoped to your organization at the same data-model layer that enforces engagement ownership, so cross-tenant leakage is structurally impossible.</p></dd></div><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">08</span><span class="faq-row__qtext">Does Swarm produce a SOC 2-ready deliverable?</span></dt><dd class="faq-row__a"><p>Yes. The deliverable is designed for SOC 2 Type 2 review and accepted as a compliance pen test deliverable by SOC 2 auditors. The SOC 2 Type 2 pen test report includes executive summary, individual findings with CVSS scores, exploit chain analysis, and validated proof-of-concept for every finding. The OWASP audit coverage maps every finding to its OWASP category (OWASP Top 10 testing plus OWASP API, LLM, and Agentic Applications Top 10) so your security questionnaire answers write themselves. The full audit trail (every specialist action receipted, filterable by specialist, traceable from any finding back to the request that surfaced it) gives your external auditor forensic-level transparency into methodology. A dedicated read-only Auditor role lets your compliance professional access the dashboard, report, and full audit trail directly.</p></dd></div><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">09</span><span class="faq-row__qtext">Is Swarm safe for production environments?</span></dt><dd class="faq-row__a"><p>Yes. Specialists operate within a customer-approved scope before testing begins. No destructive operations are taken without explicit per-action approval. Rate limits are enforced. Every request is logged and exported in the audit trail. Out-of-scope hosts are rejected at the tool layer before any HTTP call leaves the orchestrator.</p></dd></div><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">10</span><span class="faq-row__qtext">What is the audit trail and what does my auditor see?</span></dt><dd class="faq-row__a"><p>A traditional pen test delivers a PDF and a verbal debrief; the methodology lives in the consultant's head. Swarm logs every move every specialist makes (every HTTP request, every source grep, every file read, every finding submission, every exploit chain composition) and streams it to your dashboard as the engagement runs. Hand the full record to your SOC 2 auditor afterward. They filter by specialist, pivot the dataset, and trace any finding in the report back to the exact tool call that surfaced it. Methodology that proves itself, not a summary that asks to be trusted.</p></dd></div><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">11</span><span class="faq-row__qtext">What stacks does Swarm cover?</span></dt><dd class="faq-row__a"><p>Swarm specialists work against any modern web stack: Node, Python, Go, Ruby, Elixir, JVM, .NET, PHP. Coverage extends across every major identity provider too: Clerk, Auth0, Okta, Stytch, Cognito, Firebase, Supabase, and custom IDPs. The orchestrator fingerprints your stack during recon and dispatches the appropriate specialists automatically. AI / LLM and MCP server testing kicks in when those surfaces are detected, so you do not configure specialist-by-specialist; the swarm reads the application and routes work accordingly.</p></dd></div><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">12</span><span class="faq-row__qtext">Can I integrate Swarm findings into Claude Code, Cursor, or another MCP client?</span></dt><dd class="faq-row__a"><p>Yes. Mint a per-engagement Model Context Protocol token from the dashboard, plug it into Claude Code, Cursor, or any MCP-compatible client, and your team's editor surfaces Swarm findings, the source files the specialists already pulled, and a finding-status update tool in one place. Seven curated tools cover read access to findings and repositories plus the single write path of marking a finding remediated. Tokens are scoped to a single engagement and revoked with one click; nothing in the token can touch another engagement.</p><p>The intended workflow: an engagement closes, your engineers open the report inside Claude Code, fetch each finding's full evidence inline, write the fix against the source the specialists already read, and mark the finding remediated from the editor. The 30-day re-test window then validates the fix without a separate scoping call.</p><p>The service token is stamped with a developer role: reads plus finding-status updates only. It cannot run engagements, edit scope, change billing, or reach another organization's data.</p></dd></div><div class="faq-row"><dt class="faq-row__q"><span class="faq-row__num">13</span><span class="faq-row__qtext">How much does a penetration test cost?</span></dt><dd class="faq-row__a"><p>Swarm is priced per engagement, with no subscription or retainer, so you test as often as you ship. Human pen test firms typically charge $15,000 to $50,000 per engagement and take two to four weeks. Every Swarm run includes the full deliverable: structured report, audit trail of every specialist action, and a validated proof-of-concept for every finding. Re-testing a fix is just another run. See current pricing at https://swarmsec.ai/pricing.</p></dd></div></dl></section><section class="closing-section"><section class="ind-megatype"><div class="ind-megatype__num">Get <em>started.</em></div><div class="ind-megatype__cap"><span>ENTER YOUR DOMAIN. SWARM MAPS YOUR ATTACK SURFACE IN JUST A FEW MINUTES.</span><span class="ind-megatype__cap-right">No card. Free preview.</span></div></section><div class="closing-section__form"><form class="ind-form" role="search" aria-label="Start a Swarm engagement"><input class="ind-form__input" type="text" inputmode="url" autocomplete="url" spellcheck="false" placeholder="www.example.com" aria-label="Target domain" value><button class="ind-form__submit" type="submit">Start engagement<span class="ind-form__submit-arrow" aria-hidden="true">→</span></button></form></div></section><footer class="ind-footer"><div class="ind-footer__brand"><div class="ind-footer__brand-mark">SWARM</div><div class="ind-footer__brand-tag">Don't trust the verdict. Read the work.</div></div><div class="ind-footer__cols"><div class="ind-footer__col"><div class="ind-footer__col-head">Product</div><ul><li><a href="/cli">CLI</a></li><li><a href="/features">Features</a></li><li><a href="/sample-report">Sample report</a></li><li><a href="/owasp-coverage">OWASP coverage</a></li><li><a href="/pricing">Pricing</a></li><li><a href="/when-to-run-swarm">When to run Swarm</a></li><li><a href="/mythos">Mythos</a></li></ul></div><div class="ind-footer__col"><div class="ind-footer__col-head">Trust</div><ul><li><a href="/security">Security</a></li><li><a href="/compliance">Compliance</a></li><li><a href="/press">Press</a></li><li><a href="/privacy">Privacy</a></li><li><a href="/terms-of-use">Terms of Use</a></li><li><a href="/terms-and-conditions">Terms &amp; Conditions</a></li><li><button type="button" class="ind-footer__col-button">Cookie preferences</button></li></ul></div><div class="ind-footer__col"><div class="ind-footer__col-head">Company</div><ul><li><a href="/why-swarm">Why Swarm</a></li><li><a href="/blog">Blog</a></li></ul></div></div><div class="ind-footer__rule"></div><div class="ind-footer__meta"><span>SWARMSEC.AI · AI-NATIVE PEN TESTING</span><span>SOC 2 · ISO 27001 · OWASP</span><span>© <!-- -->2026<!-- --> SWARM</span></div></footer></main></div><script>window.__staticRouterHydrationData = JSON.parse("{\"loaderData\":{},\"actionData\":null,\"errors\":null}");</script></div>
  

<link rel="stylesheet" crossorigin crossorigin href="/assets/style-DYkxJmcM.css"></body></html>