AI bots now probe for vulnerabilities 24/7 — most apps aren't ready

AI is hacking. Is yours safe?

Your code is your business. Machines probe for vulnerabilities around the clock — auth flaws, injection attacks, hardcoded secrets, AI prompt exploits. One scan shows you exactly what's exposed. Prioritized fix list in under 60 seconds. No security team required.

custodia scan · ranked findings · fix guide · auto-scan ✓
Machines hack now. Your code is your product. Know if it's secure.
Dashboard + CLI + MCP. All Included.
custodia.dev/dashboard
Custodia dashboard — scan overview, quota, reports
Web App
Dashboard

Scan repos from your browser. Full reports, PDF export, auto-monthly scans, and team access — no terminal required.

// terminal
$ custodia scan .

  Scanning 47 files…

  [CRITICAL]  INJ-01  SQL injection in /api/users
  [HIGH]     SEC-02  Hardcoded JWT secret
  [HIGH]     AUTH-03 Broken access control
  [MEDIUM]   DEP-01  lodash 4.17.20 — CVE-2021-23337

  Score: 34/100  ·  4 findings  ·  run custodia fix
Terminal
CLI

Run custodia scan . in any project. Drop into GitHub Actions for gate-free PR security checks on every push.

claude.ai — MCP connected
Scan acme-corp/api-service for security issues
custodia/scan_repo · running…
2 CRITICAL · 3 HIGH · score 41/100
SQL injection in /routes/users.ts — want the fix guide?
AI-Native
MCP Server

Connect to Claude.ai, Cursor, or Claude Desktop. Audit any GitHub repo mid-conversation — no context switching.

What is Custodia?

YOUR CODE IS YOUR BUSINESS.
KNOW IF IT'S SECURE.

AI bots now probe for vulnerabilities around the clock. If your SaaS, API, or app handles user data, processes payments, or runs AI features — one unpatched flaw can take you offline, leak customer data, or kill a deal. Most teams don't check until something breaks.

Custodia scans your full codebase or just the diff — from the CLI, web dashboard, GitHub App, or MCP inside your AI editor. Auth flaws, injection attacks, AI prompt exploits, hardcoded secrets, vulnerable dependencies — all surfaced in under 60 seconds, with a prioritized fix list. No security team required.

Custodia at a glance
Company
Custodia, LLC · Pittsburgh, PA
Built for
SaaS founders, dev teams, and agencies
Use it in
Dashboard · CLI · MCP
Mission
Every code-based business should know if it's secure — before machines find out first
Solo Devs & Founders
Ship with confidence. One scan before a deploy shows you exactly what's vulnerable — no security background needed. $39/mo or free forever.
SaaS Teams & Agencies
Answer "is your code secure?" the next time a customer, investor, or prospect asks. One flat price for the whole team — not per seat.
AI-Native Workflows
Scan from Claude, Cursor, or your CI pipeline. If AI writes your code, Custodia checks it in the same workflow — before it ships.
Start Free → · Read Our Story
If your code is your product, security isn't optional — it's just been too hard. Until now.
01 . The Loop

FOUR COMMANDS.
CYBERSECURITY ON AUTOPILOT.

Install once. The loop runs itself — scans, fixes, and emails you every month. No dashboards to maintain. No meetings with a security team. Just results in your inbox.

01
All Plans
custodia scan .
Security Baseline
Scans your entire codebase against OWASP Top 10, CWE, injection flaws, auth issues, hardcoded secrets, and AI-specific vulnerabilities. Full report in under 60 seconds.
02
All Plans
custodia ai-scan
Code Security Review
Deep vulnerability analysis beyond OWASP basics. Catches prompt injection, insecure output handling, excessive agency, broken authentication patterns, and more critical categories rule-based tools miss. Writes CUSTODIA_AGENT_FIXES.md and CUSTODIA_HUMAN_REPORT.md.
03
Pro+
custodia fix
Fix Guide
Bumps vulnerable npm, pip, gem, go, and cargo dependencies to patched versions. Generates CUSTODIA_FIX_GUIDE.md — a structured, per-finding fix doc you or your AI (Cursor, Claude Code, Copilot) can follow. No forced rewrites. You stay in control.
04
Pro+
custodia schedule owner/repo
Monthly Autopilot
Registers your repo for monthly automated scanning. Every 30 days: full scan runs, email report arrives. Score, delta vs last month, new findings, resolved issues. Set it and forget it.
[ every 30 days ]
Monthly Security Email
Score · Delta · New findings · Resolved · Top critical · Fix CTA
Start the Loop Free →

No credit card · 3 free scan credits / month · Under 5 minutes to first scan

The Custodia Cycle

HOW MODERN
CYBERSECURITY IS DONE.

Security isn't a one-time event. It's a repeating cycle — each phase feeding the next, closing the gap between what attackers know and what you know.

01
Scan
Know exactly what's broken.
AI-powered scanning against OWASP Top 10, CWE, LLM-01–15, CVEs, and AI-specific attack vectors. Full findings in under 60 seconds — auth flaws, injection points, hardcoded secrets, vulnerable dependencies.
Full codebase · Diff · Scheduled
Bring Your Own Agent
02
Fix
Bring your own AI agent.
Custodia generates a structured fix guide — CUSTODIA_FIX_GUIDE.md — one directive per finding, with file path, root cause, and exact remediation. Then hand it to Cursor, Claude Code, Copilot, or any agent you already use. No lock-in. You stay in control.
BYOK · Cursor · Claude Code · Copilot
03
Monitor
Stay ahead without checking in.
Register any repo for monthly auto-scans. Every 30 days your score, delta, new findings, and resolved issues land in your inbox. CI/CD gate on every PR. You never go blind between audits.
Monthly auto-scan · CI gate · Score delta
04
Comply
Audit-ready evidence, always on hand.
Every scan maps findings to SOC 2, OWASP, CWE, ISO 27001, NIST CSF, and EU AI Act controls. The compliance report is generated automatically — pass/fail per control, evidence bundle, shareable link. No manual mapping. No spreadsheets.
SOC 2 · ISO 27001 · NIST · OWASP
Scan → Fix → Monitor → Comply, then repeat — each cycle, you're harder to breach than before.
When you need human expertise
The cycle surfaces what needs a human call.
When the scan finds a CRITICAL, or the fix guide surfaces an architectural issue your agent can't safely resolve — that's when a 30-minute session with a Custodia security officer pays for itself. Expert review of your exact findings, on your exact stack, with someone who holds an M.S. in cybersecurity.
Real code. Real data. Real improvement.
Every scan makes Custodia smarter.
Aggregate vulnerability patterns across real production repos — not synthetic benchmarks — feed directly back into detection accuracy. The most common, dangerous, and hard-to-catch vulnerabilities in real codebases drive every model update.
! The Problem

MACHINES HACK NOW.
YOUR CODE IS THE TARGET.

AI bots scan thousands of repos per hour looking for injection points, leaked credentials, and unpatched dependencies. If your code runs a business, it's already being probed. Legacy security tools can't keep up — they rely on rules written before AI attacks existed. Custodia reasons about your code in real time.

01
AI bots probe your code 24/7.
Automated attack tools scan GitHub repos, test login endpoints, and fuzz APIs around the clock. A hardcoded secret or SQL injection that was "fine for now" gets found in hours, not months. If your code is public or your API is live, you're already being tested.
02
AI-generated code ships with AI-sized blind spots.
Cursor, Copilot, and Claude write code fast — but they don't think about security. Prompt injection, insecure output handling, excessive agency, missing auth checks: AI-generated code introduces vulnerabilities that rule-based scanners can't even categorize.
03
Vulnerable deps ship because nobody checks.
npm install pulls in 847 packages. Any one could have a known CVE. Custodia scans your full dependency tree against OSV.dev in seconds, shows you what's vulnerable, and custodia fix patches it — locally or as a GitHub PR.
04
One breach kills a code-based business.
A data leak, a stolen API key, a ransomware hit — any one can take your product offline, trigger notification obligations, and destroy customer trust. Custodia's monthly auto-scan means you find it first, not your attackers.
02 . Quick Start

FROM INSTALL TO
AUDIT-READY IN MINUTES.

Every paid plan includes SOC 2, HIPAA, and PCI DSS compliance scanning — one flag, done. Run custodia scan . --framework soc2 and get a gap report mapped to specific controls, ready to hand to an auditor.

# Install globally
npm install -g @custodia/cli

# Launch interactive mode (guided menus — no flags needed)
custodia

# Authenticate with your API key (from dashboard)
custodia auth --key YOUR_API_KEY

# Full security scan — OWASP Top 10, CWE, secrets, deps
custodia scan .

# AI code review — OWASP LLM Top 10, prompt injection, agency
custodia ai-scan

# Auto-fix vulnerable deps (add --pr to open a GitHub PR)
custodia fix
custodia fix --pr

# Monthly auto-scan — registers repo for 30-day email reports
custodia schedule owner/repo

# Diff mode — only changed files (fast, quota-efficient)
custodia scan . --diff

# Scan any GitHub repo without cloning
custodia scan --repo owner/repo

# ── Compliance scans — included in all paid plans ─────────
# Gap report mapped to specific controls · findings tagged with IDs
custodia scan . --framework soc2   # SOC 2 Type II — CC1–CC9, A1
custodia scan . --framework hipaa  # HIPAA §164.308 / 310 / 312
custodia scan . --framework pci    # PCI DSS v4.0 Req 1–12

# [OK] Report saved to .custodia-reports/
# [OK] Score: 87/100 — READY FOR PRODUCTION
🔐
SOC 2 Type II
custodia scan . --framework soc2
  • Maps to CC1–CC9 + A1 Trust Services Criteria
  • Gap report: pass / partial / fail per control
  • Evidence bundle for Type II audit prep
  • Findings tagged with CC control IDs
🏥
HIPAA Security Rule
custodia scan . --framework hipaa
  • §164.308 Administrative Safeguards
  • §164.310 Physical · §164.312 Technical
  • Gap report per safeguard category
  • Supports HIPAA risk analysis documentation
💳
PCI DSS v4.0
custodia scan . --framework pci
  • Requirements 1–12: MFA, encryption, access controls
  • Gap report identifying non-compliant controls
  • Evidence for QSA self-assessment questionnaire
  • Findings tagged with Requirement numbers

Included in all paid plans · Pro $39/mo · Team $89/mo · Business $249/mo

03 . Your Toolkit

DASHBOARD. CLI. MCP.
ONE SECURITY STACK.

Three ways to scan — pick what fits your workflow. Dashboard for point-and-click, CLI for terminal and CI/CD, and MCP to scan directly inside Claude.ai or Cursor in plain English. Same pipeline, same findings, same quota across all three.

Dashboard — GUI
No CLI needed

Connect GitHub with one OAuth click. Pick any repo, choose Full or Diff scan, and review your findings inline — all from your browser. Schedule monthly auto-scans, manage API keys, and book expert sessions without touching a terminal.

  • Connect GitHub — one OAuth click
  • Pick any repo & scan in one click
  • Review findings inline in the browser
  • Schedule autopilot & manage keys
  • Book cybersec expert sessions
Open Dashboard →
CLI — Terminal
CI/CD ready

Install once, run anywhere. Running custodia with no arguments launches interactive mode with guided menus — no flags required. Or run custodia scan . directly. Integrates with GitHub Actions, Cursor, Copilot, and Claude Code out of the box.

# Interactive mode
custodia

# Or go direct
custodia scan .
custodia fix
custodia schedule owner/repo
See All Commands ↓
MCP — AI‑Native
New

Connect Custodia to Claude.ai, Claude Desktop, or Cursor — then scan any GitHub repo and discuss findings in natural language. No context-switching. Security in conversation.

  • Ask Claude to scan any public or private repo
  • Findings land directly in the chat context
  • Ask follow-ups, request fix code, brief stakeholders
  • Works in claude.ai browser, Claude Desktop, Cursor
  • Same quota as CLI — nothing extra to buy
Setup Guide ↓
custodia.dev/dashboard
Custodia.dev dashboard — GUI security scanning interface
04 . Monthly Report Email

YOUR SECURITY POSTURE
IN YOUR INBOX.
EVERY MONTH.

Register a repo with custodia schedule and every 30 days Custodia runs the full scan pipeline and emails you. No login required. No dashboard to check. Security awareness delivered to where you actually look.

  • [OK] Security score this month + delta vs last month
  • [OK] New findings since last scan
  • [OK] Resolved / fixed findings
  • [OK] Top critical & high severity issues
  • [OK] Direct link to full report + custodia fix CTA
  • [OK] Posture trend over time
FROM: noreply@custodia.dev
Monthly scan: acme/webapp scored 78/100 — April 2026
Security Score
78/100
vs Last Month
+6
Improving ↑
3
New Findings
7
Resolved
1
Critical
4
High
Top Finding · Critical
SQL Injection — user input flows to raw query in /api/search
Run custodia fix →
Auto-Scan Mode

ONE COMMAND.
AUTOMATED FOREVER.

Register any GitHub repo for monthly automated security scanning. No login required after setup. No dashboard to manage. Every 30 days: full scan runs, email report arrives. Your security posture on autopilot.

01
Pro+
custodia schedule owner/repo
Register in one command
Run once from your terminal. Custodia stores your repo reference securely. For private repos, pass your GitHub token — it's encrypted with AES-256-GCM at rest. You never touch this again.
02
Fully automated
[ ⏱ cron: 09:00 UTC daily ]
Cron fires every 30 days
Custodia's daily cron checks which repos are due. When your 30-day window is up, it fetches the latest code from GitHub, strips all .env files, and runs the full 5-stage security pipeline — automatically.
03
Zero friction
noreply@custodia.dev
Email arrives. Nothing to do.
Your monthly security posture report lands in your inbox: score, delta vs last month, new findings, resolved issues, top critical vulnerability, and a direct link to the full report. All without opening a single dashboard.
30-day cycle
Day 0
You register
Day 30
Cron fires
Fetch
Latest code from GitHub
Scan
5-stage security pipeline
Email
Report in inbox
Day 60
Repeats automatically
Repos per plan
Pro — $39/mo · 1 repo
Team — $89/mo · 5 repos
Business — $249/mo · 12 repos
Private repos — fully supported

Pass a GitHub personal access token when scheduling. It's encrypted with AES-256-GCM before storage — Custodia never stores it in plaintext. The cron decrypts it only at run time to fetch files.

custodia schedule org/private-repo \
--token ghp_xxxxxxxxxxxx
What runs each month
  • Full 5-stage security pipeline
  • OWASP Top 10 + LLM Top 10
  • Dependency CVE scan (OSV.dev)
  • Compliance mapping (Pro+)
  • Score delta vs prior month
  • PDF export (Pro+)
Enable Auto-Scan on Pro+ →

Pro from $39/mo · no per-seat pricing · cancel anytime

05 . What It Covers

Every Attack Surface. One Tool.

Traditional security, AI-specific risks, dependency CVEs, and compliance frameworks — covered in a single scan. No separate tools, no extra config.

Traditional Security
All Plans
  • OWASP Top 10 (SQLi, XSS, CSRF)
  • Authentication & session security
  • Hardcoded secrets & API keys
  • Input validation & injection
  • Logging & monitoring gaps
  • Dependency CVE scanning (OSV.dev)
AI App Security
All Plans (full on Pro+)
  • OWASP LLM Top 10
  • Prompt injection detection
  • Insecure AI output handling
  • AI-generated code auditing
  • Excessive agency patterns
  • Training data / PII leaks
Compliance Mapping
Dev / Pro
  • NIST AI RMF (GOVERN, MAP, MEASURE)
  • EU AI Act (Art. 9, 13, 14, 52)
  • ISO 42001 AI management
  • SOC 2 TSC controls
  • CWE cross-references
  • GRC gap report
5 stages
Custodia security pipeline
Triage → Domains → Compliance → Synthesis → Report
6 ecosystems
Dependency scanning
npm · pip · gem · go · cargo · more
0 stored
Code retention
Source code never retained beyond inference
< 60s
Full scan time
For most production codebases
05 . GitHub Actions
● ALL PLANS
↗ MARKETPLACE

NEVER PUSH
VULNERABLE CODE AGAIN.

One YAML file. Every push and pull request automatically triggers a diff scan — only the files you changed get checked, so it's fast and doesn't burn your quota. Catch vulnerabilities before they ever reach production.

01
Add your API key as a repo secret
Go to Settings → Secrets and variables → Actions. Add CUSTODIA_API_KEY with your key from the Custodia dashboard. No config file, no YAML changes needed.
02
Drop in the workflow file
Copy the YAML below (or from your dashboard) to .github/workflows/custodia.yml. It runs automatically on every push to main and on every pull request.
03
Every push is now scanned
The CLI auto-detects the GitHub Actions environment and diffs against the PR base or previous commit. Only changed files are sent — fast, quota-efficient, and compatible with every plan including Free.
View Setup Guide →
.github/workflows/custodia.yml
name: Custodia Security Scan
on:
  push:
    branches: ["main", "master"]
  pull_request:

jobs:
  custodia:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: contactdavidpersonal-code/custodia-scan-action@v1
        with:
          api-key: ${{ secrets.CUSTODIA_API_KEY }}
MCP . AI‑Native
● NEW

SCAN FROM CLAUDE.
THEN TALK ABOUT IT.

Connect Custodia as an MCP server to Claude.ai, Claude Desktop, or Cursor. Ask Claude to scan any repo in plain English — findings land in the conversation so you can dig in, ask follow-up questions, and generate fixes without ever leaving your AI tool.

01
Dashboard → API Keys → Copy
Get your API key
Sign up or log in to custodia.dev. Copy your API key from the dashboard — it looks like sfp_xxxxxxxx. Same key the CLI uses. Free tier works.
02
URL: https://custodia.dev/api/mcp
Auth: Bearer sfp_...
Connect to your AI client
Claude.ai: Settings → Integrations → Add, paste the URL, set the Authorization header. Claude Desktop / Cursor: add one JSON block to your MCP config. Takes 60 seconds.
03
"Scan github.com/my-org/backend"
Scan and converse
Ask Claude to scan any repo. Findings land in the conversation — then ask follow-ups, request fix code, compare severities, or generate a security brief for your team.
Example conversation
claude.ai — Custodia MCP connected
U
Scan github.com/my-startup/backend for security issues.
C
Found 3 issues in 47 files (score 71/100). One CRITICAL: hardcoded JWT secret in src/config.js — attackers could forge auth tokens for any user. Two HIGHs: SQL injection in /api/search, and no rate limiting on /api/login. Want me to generate fix code for the JWT issue?
U
Yes fix the JWT one. Also explain the SQL injection to my co-founder who isn't technical.
C
Here's the JWT fix for src/config.js... [replacement code] For your co-founder: the search box sends user input straight to the database without checking it first — like a vending machine that accepts "give me everything + your cash" as a valid selection.
Compatible clients
Claude.ai
Browser — Settings → Integrations → Add URL
Remote HTTP
Claude Desktop
App — add to claude_desktop_config.json
stdio
Cursor
Settings → MCP Servers → Add entry
stdio
VS Code + Copilot
Copilot Chat → MCP configuration
stdio
Same quota. Same plan.
MCP scans use the same quota counter as CLI and dashboard scans. No double billing, no extra tier — your plan works across all three surfaces.
MCP tools exposed
scan_repo — Scan any GitHub repo — public or private
get_fix_guide — Generate fix guide for findings (Pro+)
check_quota — Check remaining scan credits
Connect MCP →

Claude.ai · Claude Desktop · Cursor · VS Code Copilot · Any MCP client

06 . Why Custodia

LEGACY TOOLS WERE BUILT
FOR A DIFFERENT ERA.

Snyk, Semgrep, and SonarCloud were built for a different era. They match known CVEs and syntax patterns — but can't reason about your application logic, emerging vulnerability classes, or the full attack surface that matters today. Custodia covers all of it — and starts free.

Capability · Custodia · Snyk · Semgrep · SonarCloud · GitHub GHAS
OWASP Top 10 / CVE scanning
Dependency CVE scanning~
OWASP LLM Top 10
Prompt injection detection
Deep code review (behavioral patterns)
EU AI Act / NIST AI RMF
Monthly email posture report~
IDE agent prompt (Cursor / Copilot)~~
MCP — scan from Claude.ai / Claude Desktop / Cursor
Fix guide (dep bumps + AI-ready fix doc)~
No per-seat pricing
Starting price · Free · $25/dev/mo · $40/dev/mo · $10/mo · $49/dev/mo

✓ = full support  ·  ~ = partial/plugin  ·  ✗ = not supported  ·  Pricing as of April 2026. Per-seat tools priced for a team of 3.

Start Free — No Card Required →
07 . Human in the Loop

A REAL CYBERSECURITY
EXPERT BEHIND
EVERY ACCOUNT.

Custodia is a cybersecurity firm, not just a scanner. Every paid plan includes a direct line to a credentialed cybersecurity professional — monthly video call, unlimited email support, and an expert who actually knows your stack.

What's included every month
30-min private video call
Use it however you want — no agenda forced on you
Unlimited email support
Questions, second opinions, findings walkthrough anytime
Business-first perspective
Advice grounded in real-world risk, not theoretical CVE checklists
AI + compliance expertise
OWASP LLM Top 10, EU AI Act, SOC 2, NIST — not just code bugs
Common session topics
Threat modelling
SOC 2 readiness
AI security risks
Code architecture
Incident response
Compliance gaps
Dependency CVEs
Team security training
"No other security tool ships with a credentialed expert on speed-dial. Custodia is a cybersecurity firm — our officers hold graduate degrees, carry active certifications, and are held to standards most teams can't hire for internally."
Available on paid plans
Free — Not included
Builder — 1 × 30-min session / month + email
Pro — 1 × 30-min session / month + email
Business — 1 × 30-min session / month + email
How we compare
Snyk
AI scanner only
Semgrep
Rules engine only
Checkmarx
Enterprise SAST, no advisor
Custodia
Cybersecurity platform + certified advisor
Get Started — First Scan Free · View Pricing
Token only consumed when you confirm a booking.
Cancel anytime — your session rolls back.
Cyber Insurance Evidence Package
PRO+

YOUR AUDIT TRAIL
BUILDS ITSELF.
Hand It to Your Broker.

Every scan on a paid plan is permanently stored with a SHA-256 cryptographic fingerprint, a timestamp, and your full findings. That's a provable record that on this date, this exact codebase was assessed against OWASP, CWE, and NIST. Cyber insurance underwriters call this "evidence of ongoing security testing." You build it automatically just by scanning.

What's in the Insurance PDF
🔒
SHA-256 code fingerprint
Cryptographic proof that this exact codebase was assessed on this date — not "some version of it." Permanently tied to the scan record.
📋
OWASP Top 10 + NIST CSF coverage table
Every control listed with a CLEAR / FINDING / CRITICAL status derived from actual findings — formatted for underwriter review.
📊
Domain scores + severity summary
Auth, data protection, secrets, injection, logging — each domain scored separately with a 4-box finding count breakdown (Critical / High / Medium / Low).
Validated controls list
Controls the scanner assessed and found correctly implemented — as important to underwriters as the findings.
📄
Signed attestation page
Pipeline version, models used, CVE database queried (OSV.dev), scope limitations — legally framed and ready to submit.
vs. Traditional Penetration Test
Pentest
$10–30k
One-time.
Point-in-time.
No ongoing trail.
Expires in 12 months.
Custodia Team+
$89/mo
Monthly scans.
Permanent audit trail.
OWASP + CWE + NIST.
Insurance PDF on demand.
Many brokers accept automated scan evidence for early-stage products in lieu of a formal penetration test. Check with your broker.
Renewal workflow
01 Run a full scan — findings logged permanently with SHA-256 fingerprint
02 Fix all CRITICAL and HIGH findings
03 Run a second scan — clean result is documented automatically
04 Download both Insurance PDFs — submit to broker as remediation evidence
Monthly auto-scan = automatic 12-month audit trail
Enable scheduled scanning on any Pro+ plan and Custodia runs the full pipeline every 30 days — no action required. After 6 months you have a continuous monitoring history that most funded startups can't produce. Underwriters specifically ask for this.
Start Building My Trail →
📥
Available on every Pro+ scan — one click
In your dashboard, every scan row shows “↓ PDF” (developer report) and “↓ Insurance” (underwriter package). Download either at any time for any scan in your history.
View Sample Report →
08 . Start Today

CYBERSECURITY
THAT KEEPS UP.
FREE TO START. FOREVER.

Install the CLI. Run your first scan free. When you're ready for fix guides, monthly autopilot, and compliance reporting — upgrade in your dashboard.

npm install -g @custodia/cli, then custodia scan .
Install for
VS Code
Create Free Account → · View Plans & Pricing
Free — $0
  • 3 scan credits / month
  • 10 diff scans / month
  • AI Security Scan (5-stage pipeline)
  • 30+ check IDs · OSV dep vuln scan
  • Dep Auto-Fix PRs + Dep Watch
  • No card required. Ever.
Dev+ — $39/mo
  • 10 scan credits / month
  • 60 diff scans / month
  • Fix Prompts · Code Fix Guide · AI Auto-Fix PRs
  • PR Inline Review · Diff Scan Baseline
  • Scheduled Monthly/Weekly Scans
  • CyberSec Officer Session (30 min/mo)
  • AI Code Review Agent · OWASP LLM Top 10 + NIST AI RMF
Pro — $89/mo
  • 25 scan credits / month
  • 150 diff scans / month
  • Everything in Dev+, plus:
  • Compliance Mapping (OWASP/CWE/NIST/SOC2/ISO 27001/EU AI Act)
  • GRC Gap Report · PDF Security Report
  • SOC 2 Readiness Report · ISO 42001 / EU AI Act
  • 3 API keys
Business — $249/mo
  • 60 scan credits / month
  • 400 diff scans / month
  • Everything in Pro, plus:
  • Outbound Webhooks (HMAC-signed)
  • White-Label PDF · Portfolio Score History + SLA
  • Remediation Workflow (assign/track/resolve)
  • 5 API keys

Free plan is free forever · Upgrade or cancel anytime in dashboard · Compliance mapping (SOC 2, OWASP, ISO 27001, EU AI Act) included from Pro tier

Custodia.dev — 100/100 Ready for Production