Next-Generation Code Security

Your security tools were built for
human-written code.

Acutis wasn't. It formally verifies your AI agent's code in real time — blocking vulnerabilities before they reach your codebase.

100% Detection Rate Zero missed vulnerabilities1
0.034ms Per Scan Near-instant verification
70,000x Faster Than Semgrep Property vs. pattern matching
62.5% Vulnerabilities Eliminated Across 40 real prompts2

1 136 CVE cases, CVEFixes dataset, F1 = 1.0, 0 false positives.
2 40 prompts (Python & JS, CWE-79 & CWE-89), paired treatment/control, 0 regressions.

How It Works

Acutis sits between your AI assistant and your codebase. Every piece of generated code is formally verified before it reaches you.

You
Write a prompt
AI Assistant
Generates code
Acutis
Formally verifies
Your Code
Safe & verified

Not AI checking AI — formal mathematical verification.

Pick a scenario to start the demo

AI Coding Assistant
EXPLORER
▾ src
app.py
greeting.py
utils.py
tests.py
greeting.py
Select a scenario to see code here
CHAT
Ask your AI assistant...

Install once. Write code normally. Every AI-generated change is verified.

Under the Hood

A fundamentally different approach to AI code security.

Zero Trust by Default

Function parameters start at maximum danger. Unknown functions return maximum danger. Missing annotations block — never warn.

True Zero Enumeration

No function name lists. No regex patterns. No stdlib defaults. AI provides ALL semantic information — Acutis provides formal verification.

Multi-Language

Python and JavaScript via tree-sitter. Extensible architecture for additional languages.

Proof Artifacts

Every verdict includes property flow traces, trust assumptions, and remediation guidance. Auditable proofs — not just pass/fail.

Works Everywhere

Cursor, VS Code, Claude Desktop, and Windsurf. One-click install or manual config. Cloud-hosted with OAuth 2.1.

Extensible

Adding a new CWE requires ~30–50 lines. Define a security property, a boundary constraint, and a category. No function databases.

The Type System Paradigm

Existing tools (Semgrep, CodeQL) maintain human-curated function databases. Acutis eliminates that entirely.

Traditional Approach

  • Human-maintained function databases
  • Pattern enumeration (regex, AST patterns)
  • Scales poorly for novel AI-generated code
  • Heuristic-based — bypassable

Acutis Approach

  • AI declares function semantics
  • Formal property lattice verification
  • Works with any function, any library
  • Zero Trust — no heuristic bypass

What It Detects

Twenty-two injection-class CWEs across Python, JavaScript, TypeScript, and Java, from XSS and SQL injection to SSRF, deserialization, and template injection. Extensible to any CWE expressible as property constraints. The two classics, in detail:

CWE-79

Cross-Site Scripting (XSS)

Detects user-controlled data flowing to HTML output or URL sinks. Tracks MAY_CONTAIN_HTML_META, MAY_BE_URL_ENCODED, and MAY_CONTAIN_DANGEROUS_PROTOCOL properties.

innerHTML document.write .html() href / redirect
CWE-89

SQL Injection

Detects user-controlled data in SQL query strings without parameterization or escaping. Tracks MAY_CONTAIN_SQL_META property through the flow.

cursor.execute mysql_query f-string SQL string concat
Future

Extensible Architecture

Adding a new boolean-taint CWE requires ~30–50 lines: a SecurityProperty enum, a BOUNDARY_CONSTRAINTS entry, and a BoundaryCategory enum.

CWE-22 Path Traversal CWE-120 Buffer Overflow CWE-190 Integer Overflow

Measured, With the Edges Showing

We publish benchmark results with the columns most write-ups crop out, and the instrument to check them.

1,572 OWASP Benchmark Cases 100% coverage, deterministic
819/819 Vulnerable Cases Blocked TPR 1.00 in all six categories
4 False-Positive Classes Every over-block attributed
0.85ms Median Verdict Full corpus in seconds

OWASP Benchmark v1.2 (Java), engine arm with a published oracle-contract generator. Every vulnerable case blocked; the false-positive rate is high on this benchmark and decomposes into four disclosed structural classes, a floor the strongest free static analyzer in the benchmark's own scorecards also hits. The write-up shows the whole scorecard, the comparison arithmetic, and where a skeptic should push.

Request Early Access

Acutis works with Claude Code, Cursor, VS Code, and any MCP-capable assistant. Join the waitlist to be among the first teams to deploy it.

No credit card required. We will reach out with onboarding details.

Human-written code had its tools.
AI-generated code has Acutis.