Acutis wasn't. It formally verifies your AI agent's code in real time — blocking vulnerabilities before they reach your codebase.
1 136 CVE cases, CVEFixes dataset, F1 = 1.0, 0 false positives.
2 40 prompts (Python & JS, CWE-79 & CWE-89), paired treatment/control, 0 regressions.
Acutis sits between your AI assistant and your codebase. Every piece of generated code is formally verified before it reaches you.
Not AI checking AI — formal mathematical verification.
Pick a scenario to start the demo
Install once. Write code normally. Every AI-generated change is verified.
A fundamentally different approach to AI code security.
Function parameters start at maximum danger. Unknown functions return maximum danger. Missing annotations block — never warn.
No function name lists. No regex patterns. No stdlib defaults. AI provides ALL semantic information — Acutis provides formal verification.
Python and JavaScript via tree-sitter. Extensible architecture for additional languages.
Every verdict includes property flow traces, trust assumptions, and remediation guidance. Auditable proofs — not just pass/fail.
Cursor, VS Code, Claude Desktop, and Windsurf. One-click install or manual config. Cloud-hosted with OAuth 2.1.
Adding a new CWE requires ~30–50 lines. Define a security property, a boundary constraint, and a category. No function databases.
Existing tools (Semgrep, CodeQL) maintain human-curated function databases. Acutis eliminates that entirely.
Twenty-two injection-class CWEs across Python, JavaScript, TypeScript, and Java, from XSS and SQL injection to SSRF, deserialization, and template injection. Extensible to any CWE expressible as property constraints. The two classics, in detail:
Detects user-controlled data flowing to HTML output or URL sinks. Tracks MAY_CONTAIN_HTML_META, MAY_BE_URL_ENCODED, and MAY_CONTAIN_DANGEROUS_PROTOCOL properties.
Detects user-controlled data in SQL query strings without parameterization or escaping. Tracks MAY_CONTAIN_SQL_META property through the flow.
Adding a new boolean-taint CWE requires ~30–50 lines: a SecurityProperty enum, a BOUNDARY_CONSTRAINTS entry, and a BoundaryCategory enum.
We publish benchmark results with the columns most write-ups crop out, and the instrument to check them.
OWASP Benchmark v1.2 (Java), engine arm with a published oracle-contract generator. Every vulnerable case blocked; the false-positive rate is high on this benchmark and decomposes into four disclosed structural classes, a floor the strongest free static analyzer in the benchmark's own scorecards also hits. The write-up shows the whole scorecard, the comparison arithmetic, and where a skeptic should push.
Acutis works with Claude Code, Cursor, VS Code, and any MCP-capable assistant. Join the waitlist to be among the first teams to deploy it.