Inspiration

As software moves faster than ever, with no-code tools, indie developers, and small teams deploying live in hours, security has not kept up. Most startups cannot afford a full security team or penetration test. We built Heimdall to close that gap: a self-running red team that protects fast-moving developers from logic-level and client-side vulnerabilities before attackers can find them.

What it does

Heimdall deploys autonomous browser agents that simulate real users navigating your app, submitting forms, clicking links, and inspecting live responses to uncover issues like XSS, CORS misconfigurations, and exposed endpoints. Meanwhile, an AI auditor reviews your codebase for insecure logic patterns, weak authentication, and unsafe data handling. Together, they provide a full-stack security audit without manual setup or expensive consultants.

How we built it

We combined Playwright-driven browser automation with LLM-based code analysis. Each agent runs in a sandboxed environment, instrumenting network traffic and DOM events, while a backend orchestrator aggregates findings into structured vulnerability reports. For the AI auditor, we integrated an open-source, model-assisted static analysis tool (Hound) that uses context-aware embeddings over the codebase, enabling logic-level reasoning that traditional scanners miss.
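The response-inspection step of that pipeline, as an added example rather than Heimdall's own code: a pure-Python classifier the orchestrator could run over responses an agent captured through a Playwright response hook, turning raw CORS headers into structured findings. CapturedResponse, Finding, check_cors and aggregate are assumed names, and the sample captures are constructed, not real traffic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical shapes (not Heimdall's code): one CapturedResponse per network response seen.
@dataclass
class CapturedResponse:
    url: str
    request_headers: Dict[str, str]
    response_headers: Dict[str, str]
@dataclass
class Finding:
    rule: str
    severity: str
    url: str
    detail: str

def header(headers: Dict[str, str], name: str) -> Optional[str]:
    # Case-insensitive lookup: raw captures do not normalise header case.
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)
def check_cors(resp: CapturedResponse, app_origin: str) -> List[Finding]:
    """Flag CORS grants that would let a foreign origin read this response."""
    acao = header(resp.response_headers, "Access-Control-Allow-Origin")
    creds = (header(resp.response_headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    origin = header(resp.request_headers, "Origin")
    if acao is None:
        return []  # no CORS grant: cross-origin scripts cannot read the body
    if acao == "*" and creds:  # browsers reject this pairing, but it is an untested config
        return [Finding("cors-wildcard-credentials", "medium", resp.url, "ACAO '*' with credentials")]
    if origin and acao == origin and origin != app_origin:  # arbitrary Origin echoed back
        return [Finding("cors-origin-reflection", "high" if creds else "low", resp.url, "reflects " + origin)]
    return []

def aggregate(responses: List[CapturedResponse], app_origin: str) -> List[Finding]:
    """Orchestrator step: run checks over every capture, one finding per (rule, path)."""
    seen, report = set(), []
    for resp in responses:
        for f in check_cors(resp, app_origin):
            key = (f.rule, f.url.split("?", 1)[0])  # collapse query-string variants
            if key not in seen:
                seen.add(key)
                report.append(f)
    return report
# Constructed sample captures (not real traffic): a reflection, its duplicate, a harmless wildcard.
SAMPLE = [
    CapturedResponse("https://app.example/api/me", {"Origin": "https://other.example"},
                     {"Access-Control-Allow-Origin": "https://other.example", "Access-Control-Allow-Credentials": "true"}),
    CapturedResponse("https://app.example/api/me?page=2", {"Origin": "https://other.example"},
                     {"access-control-allow-origin": "https://other.example", "access-control-allow-credentials": "true"}),
    CapturedResponse("https://app.example/public.json", {}, {"Access-Control-Allow-Origin": "*"}),
]
```

Running `aggregate(SAMPLE, "https://app.example")` yields a single high-severity reflection finding for `/api/me`; the lowercase-header duplicate is folded in and the public wildcard without credentials is not reported.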

Challenges we ran into

  • Keeping browser agents stable across dynamic SPAs and client-side routing
  • Balancing performance and safety while running red-team simulations without affecting live deployments
  • Designing a pipeline that interprets noisy DOM and network data into meaningful security insights
  • Tuning the LLM auditor to minimize false positives and maintain developer trust

Accomplishments that we're proud of

  • Built a working multi-agent system that autonomously explores and tests real web apps!
  • Designed a minimal developer interface where you only need to connect your repo or staging URL
  • Demonstrated real detections such as reflected XSS, CORS leakage, and unauthenticated endpoint exposure.

What we learned

None of us had any experience in cybersecurity. We learned that security automation is not just scanning; with agents it can be intelligent simulation. Real-world vulnerabilities emerge from how apps behave in context, and LLMs can reason about these patterns when guided by structured agent output. We also learned that small developer teams want security that feels invisible, not another dashboard full of noise.

What’s next for Heimdall

We are extending Heimdall into a continuous security companion that integrates with CI/CD, auto-triages vulnerabilities, and suggests code fixes inline. Next steps include:

  • Deploying lightweight agents for mobile and API testing
  • Expanding the AI auditor’s reasoning to detect business logic flaws
  • Building an open community benchmark for agent-based security testing

Built With

  • brama-scanner
  • fastapi
  • hound
  • hound-engine
  • playwright
  • python
  • react-18
  • tailwind-css
  • typescript
  • vite
  • xai