Backed byY

Autonomous AI-native security audits.

Winfunc combines SAST, DAST, IaC, and SCA into one AI-native security auditing platform that finds real vulnerabilities, proves impact, and helps teams ship fixes.

View findings

Found real vulnerabilities in

Anthropic
Better Auth
Brave
Bun
Cal.com
Google
Gumroad
Hoppscotch
Kastle
Microsoft
The New York Times
NVIDIA
Sentry
Supabase

How it works

From signal to fix.

Find

See where the real risk sits.

Winfunc reads the codebase as a system. That keeps attention on reachable issues and cuts out a lot of scanner junk.

Prove

Show how the bug actually breaks.

Each finding comes with the exploit path, the setup, and the reason it matters. Engineering doesn't have to guess what makes it real.

Fix

Hand off fixes people can merge.

Patch guidance stays close to the code path that caused the issue, so teams spend less time translating generic advice into safe changes.

Evidence

Show the proof.

Exploit verification

Proof that ends the argument fast.

The report shows the exploit path, the blast radius, and the next move. That gives engineering, security, and leadership the same picture.

Data-flow analysis

Follow the bug through the system.

You can trace input from entry point to sink, with the surrounding business logic still intact. That's where the expensive bugs usually hide.

Patch delivery

Fixes that respect the code around them.

The point is simple: move from bug found to patch reviewed and shipped faster.

Selected findings

Public proof.

What customers said

Winfunc surfaced exploitable issues our own engineering team still wanted to patch immediately.

We have built security-sensitive systems before, and the initial run still delivered findings with real operational value. The difference is that the output is evidence-led, not noisy.

Dennis, Co-Founder & CEO, Surge

The agent found complex bypasses other tools missed, then made verification straightforward.

The strongest part of the experience is the proof. The report, reproduction path, and remediation guidance are aligned enough that engineering can move fast with confidence.

Noah, Co-Founder & CEO, Scout

The onboarding was fast, the scan was deep, and the team understood the return on engineering time.

For security work to be adopted it has to be both easy to start and worth the effort. Winfunc delivered both for our team on the first pass.

Ram, Co-Founder, Sei

Winfunc offers a great user experience for discovering and researching potential security issues.

For a company like us where security is the top priority, having a platform like Winfunc to catch these issues early before they impact the broader ecosystem is a huge plus. A very well-thought-out product.

Bereket Engida, Founder, Better Auth

Research

From the lab.

FAQ

Common questions.

Winfunc uses tree-sitter queries, language servers, and LLM-powered analysis. We support all major programming languages.

We've found vulnerabilities in codebases written in Arc, a Lisp dialect with no parsers in the wild.

Next

Start with the work.

Book a call, request an audit, or read the public findings first.
