OpenKaito
OpenKaito is an AI-powered security analysis platform designed to proactively detect and verify vulnerabilities in open source software.
It goes beyond traditional static analysis by combining fast vulnerability detection with agent-based investigation, producing high-confidence findings with full reasoning and evidence.
Problem
Open source software powers modern applications, but its security is fundamentally reactive.
- Most repositories are never audited
- Vulnerabilities are discovered only after exploitation
- Developers rely on tools that generate high false positives
- Supply chain attacks (e.g. XZ Utils) show how fragile the ecosystem is
There is no scalable, reliable way to proactively test open source code for real vulnerabilities.
Solution
OpenKaito introduces a hypothesis-driven AI pipeline that mimics how real security engineers work:
- Generate possible vulnerabilities
- Investigate them deeply
- Confirm or reject based on evidence
The result is a system that doesn't just detect issues — it proves them.
How It Works
1. Generate (High Recall)
A fast AI model scans each file independently and produces vulnerability hypotheses.
- Focus: coverage over accuracy
- Output: many possible issues (including false positives)
2. Verify (Agent-Based Investigation)
A stronger AI acts as an autonomous security agent with tools:
- Reads files
- Searches code patterns
- Traces data flow from input → sink
- Checks sanitization and authentication
Each hypothesis is investigated step-by-step and classified as:
- ✅ VALID
- ❌ INVALID
- ⚠️ UNCERTAIN
3. Report (High Precision)
Only verified findings are included in the final report.
Each finding includes:
- Severity & confidence
- File & line references
- Entry point → sink flow
- Exploitability explanation
- Full reasoning trace
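The three stages above, as an added toy illustration rather than OpenKaito's own code: the "fast model" of stage 1 is replaced by a regex sink scan tuned for recall, and the "agent" of stage 2 by an AST data-flow trace from the sink's arguments back to their source, ending in a VALID / INVALID / UNCERTAIN verdict with a reasoning trace. The sample repository, the sink pattern, the untrusted-source and sanitizer sets, and the confidence values are all constructed for this example.

```python
"""Added toy of a generate -> verify -> report pipeline; not OpenKaito's code."""
import ast
import re
from dataclasses import dataclass, field

# Constructed sample repository: three functions sharing one shell sink.
SAMPLE_REPO = {
    "ping.py": '''
def ping():
    host = request.args.get("host")
    subprocess.run("ping -c 1 " + host, shell=True)
''',
    "ping_safe.py": '''
def ping():
    host = shlex.quote(request.args.get("host"))
    subprocess.run("ping -c 1 " + host, shell=True)
''',
    "cron.py": '''
def refresh():
    target = load_target()  # defined in another module
    subprocess.run("sync " + target, shell=True)
''',
}

# Knowledge the toy "agent" reasons with (assumed for this example).
SINK_PATTERNS = {"shell_injection": re.compile(r"subprocess\.run\(.*shell=True")}
UNTRUSTED_SOURCES = {"request.args.get", "request.form.get", "input"}
SANITIZERS = {"shlex.quote"}

@dataclass
class Hypothesis:
    file: str
    line: int
    kind: str

@dataclass
class Finding:
    hypothesis: Hypothesis
    verdict: str          # VALID / INVALID / UNCERTAIN
    confidence: float     # illustrative, not calibrated
    flow: str             # entry point -> sink summary
    reasoning: list = field(default_factory=list)

def generate(repo):
    """Stage 1 (high recall): per-file regex scan; every sink hit is a hypothesis."""
    return [Hypothesis(name, lineno, kind)
            for name, src in repo.items()
            for lineno, text in enumerate(src.splitlines(), 1)
            for kind, pat in SINK_PATTERNS.items() if pat.search(text)]

def _dotted(node):
    """Render a call target such as request.args.get as a dotted string."""
    if isinstance(node, ast.Attribute):
        return _dotted(node.value) + "." + node.attr
    return node.id if isinstance(node, ast.Name) else ""

def _trace(func, var):
    """Follow the assignment that defines `var` in one function body.
    Returns (origin, sanitized); origin is None when `var` is never assigned here."""
    origin, sanitized = None, False
    for stmt in func.body:
        targets = [t.id for t in getattr(stmt, "targets", []) if isinstance(t, ast.Name)]
        if var not in targets:
            continue
        calls = [_dotted(c.func) for c in ast.walk(stmt.value) if isinstance(c, ast.Call)]
        sanitized = any(c in SANITIZERS for c in calls)
        untrusted = [c for c in calls if c in UNTRUSTED_SOURCES]
        origin = untrusted[0] if untrusted else (calls[0] if calls else "literal")
    return origin, sanitized

def verify(repo, hyp):
    """Stage 2 (agent): read the file, locate the sink, trace each argument to a source."""
    steps = [f"read {hyp.file}"]
    for func in ast.walk(ast.parse(repo[hyp.file])):
        if not isinstance(func, ast.FunctionDef):
            continue
        for call in ast.walk(func):
            if not (isinstance(call, ast.Call) and call.lineno == hyp.line):
                continue
            names = sorted({n.id for a in call.args for n in ast.walk(a) if isinstance(n, ast.Name)})
            steps.append(f"sink on line {hyp.line} in {func.name}() uses {names}")
            for var in names:
                origin, sanitized = _trace(func, var)
                steps.append(f"{var} <- {origin or 'unresolved'} (sanitized={sanitized})")
                if origin in UNTRUSTED_SOURCES:  # decisive either way
                    flow = f"{origin} -> {'shlex.quote -> ' if sanitized else ''}{var} -> shell"
                    return Finding(hyp, "INVALID" if sanitized else "VALID", 0.9, flow, steps)
            # Source lives outside this file: neither confirmed nor refuted.
            return Finding(hyp, "UNCERTAIN", 0.4, "origin not resolvable in this file", steps)
    return Finding(hyp, "UNCERTAIN", 0.2, "sink not found in AST", steps)

def report(repo):
    """Stage 3 (high precision): only VALID verdicts make the final report."""
    findings = [verify(repo, h) for h in generate(repo)]
    return [f for f in findings if f.verdict == "VALID"], findings

if __name__ == "__main__":
    for f in report(SAMPLE_REPO)[1]:
        print(f.hypothesis.file, f.verdict, f.flow, *f.reasoning, sep="\n  ")
```

Run as a script, it prints all three hypotheses with their verdicts and reasoning steps; `report()` returns both the filtered list (only `ping.py` survives) and the full set, which is the distinction between what the agent investigated and what the final report shows. The single-function, single-file trace is the deliberate limit of the toy: the `cron.py` case lands in UNCERTAIN precisely because the source is outside the file, which is where a real agent would reach for its search and cross-file tools instead of guessing.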
Key Features
- Agentic code investigation (not just pattern matching)
- Fast scanning with async concurrency
- Real vulnerability verification (not guesses)
- Structured, developer-friendly reports
- Cost-efficient (optimized multi-model pipeline)
- Real-time UI showing AI reasoning live
Built With
- fastapi
- javascript
- nextjs
- python