Backed byY

Autonomous AI-native security audits.

Winfunc combines SAST, DAST, IaC, and SCA into one AI-native security auditing platform that finds real vulnerabilities, proves impact, and helps teams ship fixes.

Found real vulnerabilities in

Anthropic
Better Auth
Brave
Bun
Cal.com
Google
Gumroad
Hoppscotch
Kastle
Microsoft
The New York Times
NVIDIA
Sentry
Supabase

How it works

From signal to fix.

Find

See where the real risk sits.

Winfunc reads the codebase as a system. That keeps attention on reachable issues and cuts out a lot of scanner junk.

Prove

Show how the bug actually breaks.

Each finding comes with the exploit path, the setup, and the reason it matters. Engineering doesn't have to guess what makes it real.

Fix

Hand off fixes people can merge.

Patch guidance stays close to the code path that caused the issue, so teams spend less time translating generic advice into safe changes.


Evidence

Show the proof.

Exploit verification

Proof that ends the argument fast.

The report shows the exploit path, the blast radius, and the next move. That gives engineering, security, and leadership the same picture.

Data-flow analysis

Follow the bug through the system.

You can trace input from entry point to sink, with the surrounding business logic still intact. That's where the expensive bugs usually hide.

Patch delivery

Fixes that respect the code around them.

The point is simple: move from bug found to patch reviewed and shipped faster.

Selected findings

Public proof.

What customers said

Dennis, Co-Founder & CEO, Surge (YC F24)
Our engineering team has a background in writing secure code, including building auth platforms and payments platforms for multi-billion dollar companies. We tend to be very mindful of security best practices. Yet Winfunc's initial run surfaced several exploitable vulnerabilities for us to patch in order to keep our platform and our customers' data secure.

Research

From the lab.

FAQ

Common questions.

Winfunc uses tree-sitter queries, language servers, and LLM-powered analysis. We support all major programming languages.

We've found vulnerabilities in codebases written in Arc, a Lisp dialect with no parsers in the wild.

Next

Start with the work.

Book a call, request an audit, or read the public findings first.
