- Landing page of our website
- Findings report for vulnerabilities and exploits
- SOC 2 compliance report for enterprise
- Memory Map for semantic memory and a record of vulnerabilities and scans
- Dashboard & Projects panel for management
- VS Code extension for Signal, allowing users to scan snippets and workspaces and generate reports
Team Signal / Gitpull&Pray - 2026
Inspiration
Software is being built faster than ever, largely because modern AI coding tools such as Cursor, Claude, Codex, Gemini and many others can draft large chunks of code in minutes. Features, fixes, and refactors that used to take days now show up in a single afternoon. That speed is a real advantage, not just for experienced teams, but for a new generation of builders who can now create and ship products without years of traditional coding experience. The downside is subtle: when code is generated from end to end, it creates the illusion of a completed product. It runs and looks correct, so it's very easy to skim and move on. But the real risk lives beneath the surface, where critical logic such as authentication flows, authorisation boundaries and data handling rarely reveals itself through the UI alone.
These aren’t new problems, but AI assisted development changes the conditions around them. Code is produced faster than ever, which means more commits and more surface area. As the pace increases, review cycles are compressed, and “line by line validation” is done much more quickly. And when those oversights are repeated across generated code, they don’t stay small; they compound into real incidents that can cost companies millions.
We started Signal because we saw a gap no one was addressing. Teams are shipping faster than ever with AI, but security has not caught up. You’re forced to choose between speed and confidence. We don’t think that tradeoff should exist at all. We answer this and provide a solution through Signal, a system that keeps up with AI driven deployment, watching for weak points and also remembering what’s already been fixed or accepted, and giving enterprise and development teams context they need to make confident decisions in real time.
General Summary
Signal is a stateful security platform built for the era of AI assisted development. As code is generated at an overwhelming pace, traditional security workflows struggle to keep up, often relying on manual reviews that miss context and repeat past mistakes.
At the same time, a new wave of builders has emerged, people who can now create and ship products with little to no formal coding experience.
Signal assures security for “vibe coders” and junior developers by continuously analysing your codebase, tracking vulnerabilities over time and remembering what has already been fixed, accepted or ignored. By combining structured data with semantic memory, it not only detects issues but understands patterns, helping teams prevent recurring vulnerabilities before they push to production.
For enterprise teams, Signal extends beyond detection into consultancy and assurance: it generates a structured, audit ready, SOC 2 related security report and provides clear visibility into risk over time. It makes it easier for enterprises to meet standards and demonstrate their due diligence, allowing them to confidently ship and secure software at a fast moving pace.
How we built it & Tech Stack & Core Features
Frontend
We use Next.js and React to power the dashboard and user experience. This includes everything from viewing findings and compliance reports to navigating documentation style workflows. The frontend communicates with the backend through secure, authenticated API requests.
Backend
Our backend is built on Node.js and Express, handling core functionality through REST APIs. This includes managing projects, running scans, tracking findings, triggering resolution jobs, generating compliance reports and supporting extension endpoints for tools like our VS Code integration.
Primary Database
We use MySQL as the core source of truth. It stores structured security data over time: projects, scans, findings, fingerprints, baselines, regressions, accepted risks, and fix histories. This forms the foundation of Signal’s stateful security model, allowing us to track how issues evolve rather than treating each scan in isolation.
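The stateful model described above, shown as an added example (not Signal's own code): each finding gets a fingerprint, and a new scan is classified against stored history into new, still open, regression, accepted and fixed. The fingerprint recipe (SHA-256 over rule id, file path and whitespace-normalized snippet), the status names, the in-memory `Map` standing in for the database, and all sample findings are assumptions constructed for illustration.

```javascript
const { createHash } = require("node:crypto");

// Assumed fingerprint: rule + file + whitespace-normalized snippet, so a finding
// keeps its identity when the code only moves or is re-indented.
function fingerprint({ ruleId, file, snippet }) {
  const normalized = snippet.replace(/\s+/g, " ").trim();
  return createHash("sha256").update([ruleId, file, normalized].join("\0")).digest("hex");
}

// history: Map<fingerprint, { ruleId, status }>, status "open" | "fixed" | "accepted".
function classifyScan(history, findings) {
  const out = { new: [], open: [], regression: [], accepted: [], fixed: [] };
  const seen = new Set();
  for (const finding of findings) {
    const fp = fingerprint(finding);
    if (seen.has(fp)) continue; // same issue reported twice in one scan
    seen.add(fp);
    const prior = history.get(fp);
    if (prior === undefined) out.new.push(finding.ruleId);
    else if (prior.status === "fixed") out.regression.push(finding.ruleId); // came back
    else if (prior.status === "accepted") out.accepted.push(finding.ruleId); // no re-alert
    else out.open.push(finding.ruleId);
  }
  // Previously open findings that are absent from this scan count as fixed.
  for (const [fp, rec] of history) {
    if (rec.status === "open" && !seen.has(fp)) out.fixed.push(rec.ruleId);
  }
  return out;
}

// Constructed sample data (not from a real scan).
const sqli = { ruleId: "sql-injection", file: "routes/users.js", line: 12,
  snippet: 'db.query("SELECT * FROM users WHERE id = " + req.params.id)' };
const secret = { ruleId: "hardcoded-secret", file: "config.js", line: 3,
  snippet: 'const API_KEY = "example-not-a-real-key"' };
const xss = { ruleId: "reflected-xss", file: "views/search.js", line: 40,
  snippet: "res.send('<p>' + req.query.q + '</p>')" };
const history = new Map([[sqli, "fixed"], [secret, "accepted"], [xss, "open"]]
  .map(([f, status]) => [fingerprint(f), { ruleId: f.ruleId, status }]));

function demo() {
  // The SQL injection returns 30 lines lower and re-wrapped; the XSS is gone.
  const moved = { ...sqli, line: 42, snippet: "  " + sqli.snippet.replace(" + ", "  +\n    ") };
  const traversal = { ruleId: "path-traversal", file: "routes/files.js", line: 8,
    snippet: "fs.readFile(path.join(base, req.query.name), cb)" };
  return classifyScan(history, [moved, secret, traversal, moved]);
}
```

Because line numbers are left out of the fingerprint, the moved SQL injection is recognised as a regression of a fixed finding rather than reported as a new one, and the accepted secret does not alert again.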
Semantic Memory
To go beyond static analysis, we use Qdrant as a vector database combined with OpenAI’s text-embedding-3-large model. We embed findings, code patterns, and even fix diffs, enabling similarity search across past vulnerabilities, dismissed issues, and recurring patterns. This allows Signal to “remember” and learn from previous decisions, not just detect issues.
Why Signal is a breakthrough (in depth)
Signal isn't just another AI security tool; it represents a shift in how security works in AI driven development. Tools scan your code and forget. Signal introduces a stateful memory layer, meaning it remembers past vulnerabilities, fixes, and decisions.
This transforms security from a one time check or scan into a continuous learning system, preventing the same mistakes from happening again.
But we go further. While most security tools stop at detection, Signal brings that intelligence into compliance and accountability. By embedding semantic memory into compliance reports, we can highlight recurring vulnerabilities, track how issues evolve, and provide clear, structured proof of how risks have been handled over time.
This bridges a critical gap between developers and enterprises, where security isn’t just fixed, but proven and documented over time.
Integrations
We integrate directly with GitHub to fetch repositories and support resolution workflows that can lead into pull requests. We also support Discord webhooks for real time alerts and events if the user wants, and provide a VS Code extension that enables local scans, snippet analysis, and automatic updates to a skills.md file bringing persistent memory that can be imported to whatever LLM the developer is using.
Customer Validation
We validated Signal by speaking directly with a software engineer across multiple work environments. These extensive conversations gave us insight into how security is currently handled in real teams, as well as the limitations of existing tools.
Their feedback validated our direction, and they responded positively to Signal’s approach, especially its focus on stateful security, long-term tracking, and compliance-ready reporting.
At the same time, we are also active builders ourselves, especially in fast paced environments like hackathons, where speed is prioritised and code is often generated quickly with AI. We’ve experienced firsthand how easy it is to overlook security in the rush to ship.
Their feedback, combined with our own experience as users, validated both the problem and our approach.
What it does
Semantic memory layer
Signal remembers past vulnerabilities, fixes, and decisions using a vector database. This allows it to detect recurring patterns and prevent repeated mistakes, and also lets developers get better output from LLMs by grounding them in real, project/codebase specific security knowledge.
SOC-2 Compliance Reports
Automatically generate structured, audit ready security reports aligned with SOC 2 requirements, helping enterprise teams demonstrate compliance and due diligence without manual overhead.
Developer findings + Auto Fix Pull Request
Clear, actionable findings show exactly where vulnerabilities exist and why they matter. Signal can also generate fixes and open pull requests, allowing teams to remediate issues quickly and safely.
VS Code Integration
A seamless developer workflow through a VS Code extension, which enables local scans, real time feedback, and persistent “security memory” directly inside the coding environment. Developers can simply select a specific snippet to scan it, scan workflows, and generate reports to see the overview.
Challenges we ran into
Early on, we were told by the mentors, “This sounds like another AI that comments on security,” and they were right: the version wouldn’t stand out.
So we changed direction. Instead of competing on and improving the detection system, we focused on what others were missing, and we carefully found what competitors don’t have so we could actively implement it. Especially with AI generated code, we saw the real problem, where vulnerabilities are repeated, reintroduced and forgotten. At the same time, enterprise does not need just detection; they need proof. Proof of what was found, what was fixed, and what was accepted. That’s why we built Signal this way. It doesn't just find vulnerabilities; it remembers them, learns from them, and turns them into structured, ready insight.
Accomplishments that we're proud of
We moved beyond traditional, stateless security tools and designed a meaningful system that remembers vulnerabilities, tracks fixes over time, and learns from past decisions. We’re especially proud of identifying the right architecture to differentiate ourselves from existing solutions, allowing us to go beyond simple detection and build something with lasting impact. We developed a feature that translates complex, low security vulnerabilities into clear, human readable reports aligned with SOC 2 requirements. Bridging the gap between a developer’s IDE and an auditor’s expectations was a major milestone for our team.
What we learned
When our mentors told us that this was just “another AI that comments on security”, we learnt that the raw detection of vulnerable code wasn’t enough: if everyone can make a scanner or ask a model for a review, we would have no differentiation at all. This made us realise that to differentiate from the competition, we had to sell our workflow and business story, not just the product.
What's next for Signal
Looking ahead, we’re focused on expanding Signal from a security tool into a core intelligence layer for development. By leveraging the knowledge we store about each codebase, we can unlock new capabilities that continuously add value over time.
We plan to integrate Signal directly into coding environments through custom MCPs for tools like Copilot and Claude, allowing AI agents to actively use and update security memory and making Signal an essential companion rather than a competitor in agentic workflows.
We’re also building features that give users full control and transparency over this memory, including the ability to review and edit stored knowledge through both a chatbot and manual interfaces. Finally, we aim to introduce automated testing capabilities, further strengthening reliability and ensuring that fixes are not only suggested, but validated.
Questions and Answers
What problem does Signal solve? Signal addresses a growing issue in modern development: teams are shipping code faster than ever with the power of AI, but often without fully understanding its security implications. This leads to vulnerabilities making it into production.
Who is Signal for? Signal is designed for a wide range of users from vibe coders and junior developers who may not have deep security knowledge, to experienced engineers and enterprise teams that need structured compliance and audit ready reporting.
How does Signal fit into a developer’s workflow? Signal integrates directly into existing workflows through a web dashboard and a VS Code extension. Developers can scan locally, receive real time feedback, and access persistent security memory without disrupting how they build.
How is Signal different from tools like Claude, Copilot, or AI code reviewers? While tools like Claude or Copilot can generate and review code, they are stateless, meaning they don’t remember past vulnerabilities, fixes, or decisions.
Signal adds a persistent security layer on top of these tools. It remembers what has already happened in your codebase, tracks risk over time, and prevents the same mistakes from being repeated, turning security from a one-time check into a continuous, learning system.
Built With
- better-auth
- discord.js
- express.js
- force-graph
- github
- mysql
- next.js
- node.js
- openai
- qdrant
- sql
- three.js
- typescript
- vsc

