Next-Generation Code Security

Your security tools were built for human-written code.

Acutis wasn't. It formally verifies your AI agent's code in real time — blocking vulnerabilities before they reach your codebase.

  • 100% detection rate: zero missed vulnerabilities [1]
  • 0.034 ms per scan: near-instant verification
  • 70,000x faster than Semgrep: property checking rather than pattern matching
  • 97.5% of vulnerabilities eliminated across 40 real prompts [2]

[1] 136 CVE cases from the CVEFixes dataset; F1 = 1.0, 0 false positives.
[2] 40 prompts (Python and JS, CWE-79 and CWE-89), paired treatment/control, 0 regressions.

How It Works

Acutis sits between your AI assistant and your codebase. Every piece of generated code is formally verified before it reaches you.

You write a prompt → the AI assistant generates code → Acutis formally verifies it → your code arrives safe and verified.

Not AI checking AI — formal mathematical verification.


Install once. Write code normally. Every AI-generated change is verified.

Get Started in Seconds

One tool. Zero context bloat. Works with every major AI coding assistant.

Claude Code

Install the Plugin

From your terminal:

claude plugin install acutis@acutis-plugin

Or inside Claude Code:

/plugin marketplace add Robbatron/acutis-plugin
/plugin install acutis@acutis-plugin

Requires Claude Code v1.0.33+

Manual Config

Or add the MCP server directly to .claude/settings.json:

{
  "mcpServers": {
    "acutis": {
      "url": "https://mcp.acutis.dev/mcp"
    }
  }
}

Cursor

Install the Agent Plugin

Find Acutis on cursor.directory and install, or clone and link locally:

git clone https://github.com/Robbatron/acutis-plugin.git
ln -s "$(pwd)/acutis-plugin" \
  ~/.cursor/plugins/local/acutis

Restart Cursor or run Developer: Reload Window.

Bundles the scan_code tool, stop hook enforcement, the scan skill and the security rule.

Manual MCP Config

Or add just the MCP server to .cursor/mcp.json:

{
  "mcpServers": {
    "acutis": {
      "url": "https://mcp.acutis.dev/mcp",
      "type": "http"
    }
  }
}

VS Code

Install the Agent Plugin

Add the Robbatron marketplace to your VS Code settings.json:

// settings.json
{
  "chat.plugins.enabled": true,
  "chat.plugins.marketplaces": [
    "Robbatron/acutis-plugin"
  ]
}

Then: Extensions sidebar → search @agentPlugins → Install Acutis

VS Code will prompt you to sign in — authentication is handled automatically.

Gives you the scan_code tool, Stop hook enforcement, and the scan skill (via Configure Skills).
Requires GitHub Copilot.

Install from Source

Or install directly from the Command Palette:

Chat: Install Plugin From Source
https://github.com/Robbatron/acutis-plugin

VS Code clones the repo and installs the plugin — no settings change needed.

Try It Yourself

After installing, paste any of these into your AI assistant. Acutis verifies automatically — no extra steps.

Personalized Greeting Page

CWE-79
Write a Python Flask route that takes a user's name from the query string and displays a personalized greeting page

Product Search

CWE-89
Write a Python function that searches for products in a database by a user-provided search term

Welcome Banner

CWE-79
Write a JavaScript function that reads a name from the URL and displays a welcome message on the page

Comment System

CWE-79 + 89
Build a simple Python web app that saves user comments to a database and displays them on a page
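The four prompts above exercise CWE-79 and CWE-89. The following is an added example, not code from this page or from the Acutis project: for each CWE it puts the shape a scanner should block next to the shape it should accept. It uses only the Python standard library (html, sqlite3, urllib) rather than Flask so it runs offline; the in-memory products table, the row values and the two payloads are constructed for the demonstration.

```python
import html
import sqlite3
from typing import Dict, List
from urllib.parse import urlparse


# --- CWE-79: the "personalized greeting" and "welcome banner" prompts ----------

def greeting_vulnerable(name: str) -> str:
    """Query-string value interpolated into markup: MAY_CONTAIN_HTML_META reaches an HTML sink."""
    return f"<h1>Hello, {name}!</h1>"


def greeting_fixed(name: str) -> str:
    """html.escape() clears the HTML metacharacters before the value reaches the sink."""
    return f"<h1>Hello, {html.escape(name, quote=True)}!</h1>"


def redirect_target(url: str) -> str:
    """URL sink (href / redirect): allow only http(s), so a javascript: value never lands there."""
    if urlparse(url).scheme not in ("http", "https"):
        raise ValueError("dangerous protocol rejected: %r" % url)
    return url


# --- CWE-89: the "product search" prompt ---------------------------------------

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("widget",), ("gadget",), ("sprocket",)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """f-string SQL: MAY_CONTAIN_SQL_META flows into cursor.execute unchanged."""
    rows = conn.execute(f"SELECT name FROM products WHERE name LIKE '%{term}%'")
    return [r[0] for r in rows]


def search_fixed(conn: sqlite3.Connection, term: str) -> List[str]:
    """Parameterized query: the term is bound as data and is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM products WHERE name LIKE ?", (f"%{term}%",))
    return [r[0] for r in rows]


def run_demo() -> Dict[str, object]:
    """Run both pairs against attacker-style input and return what each sink would receive."""
    conn = demo_db()
    xss_payload = "<script>alert(1)</script>"
    sqli_payload = "' OR '1'='1"
    return {
        "xss_vulnerable": greeting_vulnerable(xss_payload),
        "xss_fixed": greeting_fixed(xss_payload),
        "sqli_vulnerable": search_vulnerable(conn, sqli_payload),  # every row leaks
        "sqli_fixed": search_fixed(conn, sqli_payload),            # no match
    }


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label:16} {value!r}")
```

The vulnerable search turns the payload into `WHERE name LIKE '%' OR '1'='1%'`, which is true for every row; the parameterized version looks for a literal name containing the payload and finds nothing. Escaping for one sink does not help at another: an html.escape()d value is still SQL metacharacters as far as cursor.execute is concerned.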

Under the Hood

A fundamentally different approach to AI code security.

Zero Trust by Default

Function parameters start at maximum danger (the top of the property lattice, with every MAY_* property assumed present). A call to a function with no declared semantics returns maximum danger. A missing annotation blocks the change; it never merely warns.

True Zero Enumeration

No function name lists. No regex patterns. No stdlib defaults. The AI supplies all semantic information (which functions clear which properties, and which calls cross a boundary); Acutis formally verifies the flow against those declarations. A verdict is therefore sound relative to the declared semantics, which is why each proof artifact records them as trust assumptions.

Multi-Language

Python and JavaScript via tree-sitter. Extensible architecture for additional languages.

Proof Artifacts

Every verdict includes property flow traces, trust assumptions, and remediation guidance. Auditable proofs — not just pass/fail.

Works Everywhere

Cursor, VS Code, Claude Desktop, and Windsurf. One-click install or manual config. Cloud-hosted with OAuth 2.1.

Extensible

Adding a new CWE requires ~30–50 lines. Define a security property, a boundary constraint, and a category. No function databases.

The Type System Paradigm

Existing tools (Semgrep, CodeQL) maintain human-curated function databases. Acutis eliminates that entirely.

Traditional Approach

  • Human-maintained function databases
  • Pattern enumeration (regex, AST patterns)
  • Scales poorly for novel AI-generated code
  • Heuristic-based — bypassable

Acutis Approach

  • AI declares function semantics
  • Formal property lattice verification
  • Works with any function, any library
  • Zero Trust — no heuristic bypass

What It Detects

Currently shipping with CWE-79 and CWE-89 detection. Extensible to any CWE expressible as property constraints.

CWE-79

Cross-Site Scripting (XSS)

Detects user-controlled data flowing to HTML output or URL sinks. Tracks MAY_CONTAIN_HTML_META, MAY_BE_URL_ENCODED, and MAY_CONTAIN_DANGEROUS_PROTOCOL properties.

Sinks: innerHTML, document.write, .html(), href / redirect

CWE-89

SQL Injection

Detects user-controlled data in SQL query strings without parameterization or escaping. Tracks MAY_CONTAIN_SQL_META property through the flow.

Sinks: cursor.execute, mysql_query, f-string SQL, SQL string concatenation

Future

Extensible Architecture

Adding a new boolean-taint CWE takes roughly 30–50 lines: a new SecurityProperty enum member, a BOUNDARY_CONSTRAINTS entry, and a new BoundaryCategory enum member.

Planned: CWE-22 Path Traversal, CWE-120 Buffer Overflow, CWE-190 Integer Overflow.
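An illustrative model of the property-lattice check described in "The Type System Paradigm" and "What It Detects", and of the three-part extension step above, written as an added example. This is not Acutis code and makes no claim about its internals: the SecurityProperty, BoundaryCategory and BOUNDARY_CONSTRAINTS names and the MAY_CONTAIN_* properties come from the page, while the MAY_CONTAIN_PATH_TRAVERSAL and FILE_PATH members (standing in for CWE-22), the Summary type that carries declared semantics, and the demo callees render_html, mystery_clean and secure_filename are assumptions made for the example. Declarations are hand-written here; on the page the AI supplies them.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

class SecurityProperty(Enum):
    """Boolean taint facts a value may carry; the lattice is the powerset of these."""
    MAY_CONTAIN_HTML_META = auto()
    MAY_BE_URL_ENCODED = auto()
    MAY_CONTAIN_DANGEROUS_PROTOCOL = auto()
    MAY_CONTAIN_SQL_META = auto()
    MAY_CONTAIN_PATH_TRAVERSAL = auto()  # hypothetical member, added here for CWE-22

class BoundaryCategory(Enum):
    HTML_OUTPUT = auto()
    URL_SINK = auto()
    SQL_QUERY = auto()
    FILE_PATH = auto()  # hypothetical member, added here for CWE-22

Props = FrozenSet[SecurityProperty]
TOP: Props = frozenset(SecurityProperty)  # "maximum danger": every property may hold
BOTTOM: Props = frozenset()               # a literal: nothing attacker-controlled

# A value may cross a boundary only if none of the forbidden properties survive on it.
BOUNDARY_CONSTRAINTS: Dict[BoundaryCategory, Tuple[str, Props]] = {
    BoundaryCategory.HTML_OUTPUT: ("CWE-79", frozenset({SecurityProperty.MAY_CONTAIN_HTML_META})),
    BoundaryCategory.URL_SINK: ("CWE-79", frozenset({SecurityProperty.MAY_CONTAIN_DANGEROUS_PROTOCOL})),
    BoundaryCategory.SQL_QUERY: ("CWE-89", frozenset({SecurityProperty.MAY_CONTAIN_SQL_META})),
    BoundaryCategory.FILE_PATH: ("CWE-22", frozenset({SecurityProperty.MAY_CONTAIN_PATH_TRAVERSAL})),
}

@dataclass(frozen=True)
class Summary:
    """Declared semantics of one callee (hand-written here; on the page the AI supplies them)."""
    clears: Props = BOTTOM                       # properties the callee removes from its argument
    boundary: Optional[BoundaryCategory] = None  # set when calling it crosses a boundary

@dataclass
class Verdict:
    ok: bool = True
    findings: List[str] = field(default_factory=list)
    trace: List[str] = field(default_factory=list)        # property flow, one line per step
    assumptions: List[str] = field(default_factory=list)  # declarations the verdict relies on

def fmt(props: Props) -> str:
    return "TOP" if props == TOP else (", ".join(sorted(p.name for p in props)) or "none")

def verify(steps: Sequence[tuple], summaries: Dict[str, Summary]) -> Verdict:
    """Steps are ('param', var), ('literal', var) or ('call', dst, callee, src), in program order."""
    env: Dict[str, Props] = {}
    v = Verdict()
    for step in steps:
        if step[0] in ("param", "literal"):
            env[step[1]] = TOP if step[0] == "param" else BOTTOM
            v.trace.append(f"{step[1]} <- {step[0]}: {fmt(env[step[1]])}")
            continue
        _, dst, callee, src = step
        incoming = env.get(src, TOP)  # a variable never assigned is also maximum danger
        summary = summaries.get(callee)
        if summary is None:  # unknown function: its result is maximum danger, and the verdict says so
            v.assumptions.append(f"{callee} has no declared semantics; its result is treated as TOP")
            env[dst] = TOP
            v.trace.append(f"{dst} <- {callee}({src}): TOP")
            continue
        if summary.boundary is not None:
            cwe, forbidden = BOUNDARY_CONSTRAINTS[summary.boundary]
            violated = incoming & forbidden
            if violated:  # a constraint violation blocks; there is no warning level
                v.ok = False
                v.findings.append(f"{cwe}: {src} carries {fmt(violated)} into {callee} [{summary.boundary.name}]")
        if summary.clears:
            v.assumptions.append(f"{callee} is declared to clear {fmt(summary.clears)}")
        env[dst] = incoming - summary.clears
        v.trace.append(f"{dst} <- {callee}({src}): {fmt(env[dst])}")
    return v

# Declared semantics for the demo; "mystery_clean" is deliberately left undeclared.
DEMO_SUMMARIES: Dict[str, Summary] = {
    "html.escape": Summary(clears=frozenset({SecurityProperty.MAY_CONTAIN_HTML_META})),
    "render_html": Summary(boundary=BoundaryCategory.HTML_OUTPUT),
    "cursor.execute": Summary(boundary=BoundaryCategory.SQL_QUERY),
    "secure_filename": Summary(clears=frozenset({SecurityProperty.MAY_CONTAIN_PATH_TRAVERSAL})),
    "open": Summary(boundary=BoundaryCategory.FILE_PATH),
}

DEMO_PROGRAMS = {  # constructed flows, one per scenario
    "greeting_unescaped": [("param", "name"), ("call", "page", "render_html", "name")],
    "greeting_escaped": [("param", "name"), ("call", "safe", "html.escape", "name"), ("call", "page", "render_html", "safe")],
    "unknown_sanitizer": [("param", "name"), ("call", "clean", "mystery_clean", "name"), ("call", "page", "render_html", "clean")],
    "escaped_into_sql": [("param", "term"), ("call", "safe", "html.escape", "term"), ("call", "rows", "cursor.execute", "safe")],
    "path_unchecked": [("param", "p"), ("call", "fh", "open", "p")],
    "path_checked": [("param", "p"), ("call", "q", "secure_filename", "p"), ("call", "fh", "open", "q")],
}

def check(program: str) -> Verdict:
    return verify(DEMO_PROGRAMS[program], DEMO_SUMMARIES)

if __name__ == "__main__":
    for name in DEMO_PROGRAMS: print(name, check(name))
```

Two things the toy makes visible. First, there is no function database: render_html, cursor.execute and open are sinks only because a declaration says so, and mystery_clean is not a sanitizer because nothing says it is, so its output stays at TOP and is blocked at the sink. Second, the cost of that design is that every "is declared to clear" line in the assumptions list is something the verifier took on trust; a reviewer reading the proof artifact should check those declarations against the actual library behaviour, because a wrong declaration (html.escape declared to clear SQL metacharacters, say) would be verified faithfully and still be wrong.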

Human-written code had its tools.
AI-generated code has Acutis.
