Built for AI startups — scan, fix & monitor your code from day one

AI is hacking. Is yours safe?

The Custodia Framework
Code-Based Business Cybersecurity
01
SCAN
Every vuln, ranked by severity, in under 5 min
02
FIX
Fix it yourself or hand it to Cursor, Claude, or Copilot — per finding
03
MONITOR
Auto monthly scans, drift alerts, zero surprises
04
CERTIFY
SOC 2, OWASP & NIST evidence always ready
Security starts at code — preventing millions of incidents before they happen
Live scan output
custodia.dev/demo-report
Real scan output · Your report looks exactly like this · First scan free
The Custodia Framework

SCAN · FIX · MONITOR · COMPLY

Four pillars. Every digital business needs them. A founder can run all four solo. A security officer can run them across ten clients. Unlock each one as you grow.

SCAN
Find every vulnerability.

AI-powered analysis of your entire codebase — auth flaws, injection, secrets, AI-specific risks, and real CVEs in your dependencies.

Code scanner
AI code review
Dep CVE scan (OSV)
OWASP Top 10 + LLM Top 10
Rules engine
All plans
FIX
Remediate automatically.

Auto-bump vulnerable dependencies. Generate paste-ready AI fix prompts for Cursor and Copilot. Open PRs directly against your repo.

Dep auto-fix + --pr
AI fix prompt generator
Cursor & Copilot ready
GitHub PR workflow
Launch and above
MONITOR
Stay secure as you ship.

Autopilot monthly scans on your repos. Diff scans catch only what changed. Email security reports. Security badge for your README.

Autopilot (scheduled scans)
Diff scans (PR-level)
Monthly email reports
Security badge
Score trending
Launch and above
COMPLY
Prove it to investors and customers.

Full GRC mapping across SOC 2, HIPAA, PCI DSS, ISO 27001, and EU AI Act. Evidence snapshots. Investor readiness reports. Audit-ready exports.

SOC 2 · HIPAA · PCI DSS
ISO 27001 · EU AI Act
GRC gap report
Evidence locker
Investor readiness score
Scale and above
Every Surface. One Platform. All Included.
Web Dashboard · CLI Tool · MCP Server · GitHub App · GitHub Actions · VS Code Extension · Repo Scanner · Dep Watcher · Autopilot · API Access · PDF Export · Questionnaire Autofill · Insurance Evidence PDF · Security Badge
What is Custodia?

THE WAY STARTUPS
DO SECURITY.

Every digital business needs security. Most can't afford a CISO. Custodia is the platform that closes that gap — a founder can set it up in minutes and run it solo, a security officer can use the same platform to manage ten client portfolios. No dedicated team required.

Scan your codebase, fix vulnerabilities, monitor every repo on autopilot, and generate compliance evidence for SOC 2, ISO 27001, and investor due diligence — all from one platform that grows with your startup from first commit to enterprise deal.

Custodia at a glance
Company
Custodia, LLC · Pittsburgh, PA
Built for
Solo founders, growing startups & security officers managing clients
Use it in
Dashboard · CLI · GitHub App · MCP · VS Code
Mission
Be the default security platform for every digital business — from first commit to Series A and beyond
Founder — Run it yourself
Cursor wrote the code. Claude wrote more. Custodia scans it before it ships, fixes vulnerable dependencies, and runs monthly security checks on autopilot. No security team. No card. Start free.
Growing Startup — Pass the questions
Investors ask. Enterprise clients send questionnaires. Custodia generates your compliance evidence, autofills security questionnaires from your scan results, and produces the cyber insurance PDF your broker wants.
Security Officer — Manage your clients
Use the same platform to manage security across multiple repos and clients. Scan, monitor, and generate compliance reports across your entire portfolio — one dashboard, no tool sprawl.
Start Free → · Read Our Story
Security doesn't have to be a monster. We'll show you how, step by step.
Your Growth Path

ONE PLATFORM. EVERY STAGE.

Upgrade when your startup does. More repos, more compliance, more data — Custodia scales with you, not against you.

0 → First Users
Build
Free
SCAN · FIX · MONITOR · COMPLY

Scan your codebase before you ship. OWASP Top 10, secrets, dep CVEs, AI risks. Get your security baseline. Badge for your README. No card, ever.

Start free →
First Users → Revenue
Launch
$39/mo
SCAN · FIX · MONITOR · COMPLY

Ship to real users without shipping your vulnerabilities. Auto-fix deps, open PRs against your repo, monthly autopilot scans, inline PR security review, and a CyberSec officer session every month.

Get Launch →
Revenue → Series A
Scale
$129/mo
SCAN · FIX · MONITOR · COMPLY

Win enterprise deals and pass security reviews. SOC 2, HIPAA, ISO 27001, EU AI Act — full GRC gap report, questionnaire autofill, cyber insurance PDF, evidence snapshots. Up to 10 repos on autopilot.

Get Scale →
Series A → Enterprise
Raise
$249/mo
SCAN · FIX · MONITOR · COMPLY

Show investors and enterprise clients you take security seriously — with the receipts. 30 repos, portfolio score history, white-label PDFs, priority CyberSec officer access, and Series A investor readiness reports.

Get Raise →
One platform · Founder to CISO · No security team required to start
01 . The Loop

FOUR COMMANDS.
CYBERSECURITY ON AUTOPILOT.

Install once. The loop runs itself — scans, fixes, and emails you every month. No dashboards to maintain. No meetings with a security team. Just results in your inbox.

01
All Plans
custodia scan .
Security Baseline
Scans your entire codebase against OWASP Top 10, CWE, injection flaws, auth issues, hardcoded secrets, and AI-specific vulnerabilities. Full report in under 5 minutes.
02
All Plans
custodia ai-scan
Code Security Review
Deep vulnerability analysis beyond OWASP basics. Catches prompt injection, insecure output handling, excessive agency, broken authentication patterns, and more critical categories rule-based tools miss. Writes CUSTODIA_AGENT_FIXES.md and CUSTODIA_HUMAN_REPORT.md.
03
Pro+
custodia fix
Fix Guide
Bumps vulnerable npm, pip, gem, go, and cargo dependencies to patched versions. Generates CUSTODIA_FIX_GUIDE.md — a structured, per-finding fix doc you or your AI (Cursor, Claude Code, Copilot) can follow. No forced rewrites. You stay in control.
04
Pro+
custodia schedule owner/repo
Monthly Autopilot
Registers your repo for monthly automated scanning. Every 30 days: full scan runs, email report arrives. Score, delta vs last month, new findings, resolved issues. Set it and forget it.
[ every 30 days ]
Monthly Security Email
Score · Delta · New findings · Resolved · Top critical · Fix CTA
Start the Loop Free →

No credit card · 3 free scan credits / month · Under 5 minutes to first scan

The Custodia Cycle

HOW MODERN
CYBERSECURITY IS DONE.

Security isn't a one-time event. It's a repeating cycle — each phase feeding the next, closing the gap between what attackers know and what you know.

01
Scan
Know exactly what's broken.
AI-powered scanning against OWASP Top 10, CWE, LLM-01–15, CVEs, and AI-specific attack vectors. Full findings in under 5 minutes — auth flaws, injection points, hardcoded secrets, vulnerable dependencies.
Full codebase · Diff · Scheduled
Bring Your Own Agent
02
Fix
Bring your own AI agent.
Custodia generates a structured fix guide — CUSTODIA_FIX_GUIDE.md — one directive per finding, with file path, root cause, and exact remediation. Then hand it to Cursor, Claude Code, Copilot, or any agent you already use. No lock-in. You stay in control.
BYOK · Cursor · Claude Code · Copilot
03
Monitor
Stay ahead without checking in.
Register any repo for monthly auto-scans. Every 30 days your score, delta, new findings, and resolved issues land in your inbox. CI/CD gate on every PR. You never go blind between audits.
Monthly auto-scan · CI gate · Score delta
04
Comply
Audit-ready evidence, always on hand.
Every scan maps findings to SOC 2, OWASP, CWE, ISO 27001, NIST CSF, and EU AI Act controls. The compliance report is generated automatically — pass/fail per control, evidence bundle, shareable link. No manual mapping. No spreadsheets.
SOC 2 · ISO 27001 · NIST · OWASP
Scan → Fix → Monitor → Comply, then repeat — each cycle, you're harder to breach than before.
When you need human expertise
The cycle surfaces what needs a human call.
When the scan finds a CRITICAL, or the fix guide surfaces an architectural issue your agent can't safely resolve — that's when a 30-minute session with a Custodia security officer pays for itself. Expert review of your exact findings, on your exact stack, with someone who holds an M.S. in cybersecurity.
Real code. Real data. Real improvement.
Every scan makes Custodia smarter.
Aggregate vulnerability patterns across real production repos — not synthetic benchmarks — feed directly back into detection accuracy. The most common, dangerous, and hard-to-catch vulnerabilities in real codebases drive every model update.
The Reality

YOU'RE MOVING FAST.
STAY AHEAD OF WHAT'S COMING.

Your code gets more valuable — and more targeted — as your business grows. Automated bots, AI-powered attack tools, and dependency exploits don't wait until you feel ready. Here's what every startup is up against, and exactly what Custodia protects you from at each stage.

01
AI bots probe your code 24/7.
Automated attack tools scan GitHub repos, test login endpoints, and fuzz APIs around the clock. A hardcoded secret or SQL injection that was "fine for now" gets found in hours, not months. If your code is public or your API is live, you're already being tested.
02
AI-generated code ships with AI-sized blind spots.
Cursor, Copilot, and Claude write code fast — but they don't think about security. Prompt injection, insecure output handling, excessive agency, missing auth checks: AI-generated code introduces vulnerabilities that rule-based scanners can't even categorize.
03
Vulnerable deps ship because nobody checks.
npm install pulls in 847 packages. Any one could have a known CVE. Custodia scans your full dependency tree against OSV.dev in seconds, shows you what's vulnerable, and custodia fix patches it — locally or as a GitHub PR.
04
One breach kills a code-based business.
A data leak, a stolen API key, a ransomware hit — any one can take your product offline, trigger notification obligations, and destroy customer trust. Custodia's monthly auto-scan means you find it first, not your attackers.
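As an added example (not Custodia's code), this shows how a lockfile's dependency tree is matched against OSV.dev: build the querybatch request body, then map each per-query result back to its name@version. The lockfile, the flagged package and the advisory id are constructed, and the network call is stubbed so the example runs offline.

```python
"""Dependency-to-OSV matching (illustration only, not Custodia's implementation)."""
from __future__ import annotations
import json

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"  # real OSV endpoint

# Constructed sample in the shape of a package-lock.json v3 "packages" map:
# "node_modules/<name>" -> {"version": ...}; the "" key is the root project.
SAMPLE_LOCKFILE = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/example-http": {"version": "2.1.0"},
        "node_modules/example-http/node_modules/example-util": {"version": "0.4.2"},
    },
}


def packages_from_lockfile(lock: dict) -> list[tuple[str, str]]:
    """Return (name, version) for every installed package, transitive ones included.

    Nested paths like node_modules/a/node_modules/b resolve to "b"; scoped
    names (@scope/pkg) survive because we split on the last "node_modules/".
    """
    seen: set[tuple[str, str]] = set()
    out: list[tuple[str, str]] = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or "version" not in entry:
            continue  # root project, or a workspace link without a version
        pair = (path.split("node_modules/")[-1], entry["version"])
        if pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


def build_querybatch(pairs: list[tuple[str, str]], ecosystem: str = "npm") -> dict:
    """OSV querybatch request body: one query per (package, version)."""
    return {
        "queries": [
            {"package": {"name": n, "ecosystem": ecosystem}, "version": v}
            for n, v in pairs
        ]
    }


def match_vulns(pairs: list[tuple[str, str]], response: dict) -> dict[str, list[str]]:
    """Map each vulnerable "name@version" to its OSV advisory ids.

    OSV returns "results" in query order, so results[i] belongs to pairs[i];
    a length mismatch means the reply is not for this request.
    """
    results = response.get("results", [])
    if len(results) != len(pairs):
        raise ValueError("OSV result count does not match query count")
    findings: dict[str, list[str]] = {}
    for (name, version), result in zip(pairs, results):
        ids = [v["id"] for v in result.get("vulns", [])]
        if ids:
            findings[f"{name}@{version}"] = ids
    return findings


def constructed_osv_response(body: dict) -> dict:
    """Offline stand-in for the network call, shaped like a real reply.
    Only the constructed package example-http@2.1.0 is flagged, with a
    constructed advisory id."""
    results = []
    for q in body["queries"]:
        if (q["package"]["name"], q["version"]) == ("example-http", "2.1.0"):
            results.append({"vulns": [{"id": "OSV-EXAMPLE-0001",
                                       "modified": "2026-01-01T00:00:00Z"}]})
        else:
            results.append({})  # OSV sends an empty object when nothing matches
    return {"results": results}


def osv_fetch(body: dict) -> dict:
    """Live call to OSV.dev; not used by the offline demo."""
    import urllib.request
    req = urllib.request.Request(OSV_QUERYBATCH_URL, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def scan_lockfile(lock: dict, fetch=constructed_osv_response) -> dict[str, list[str]]:
    """Full flow: lockfile -> query body -> OSV reply -> vulnerable packages."""
    pairs = packages_from_lockfile(lock)
    return match_vulns(pairs, fetch(build_querybatch(pairs)))
```

Pass `fetch=osv_fetch` to `scan_lockfile` to query the real service.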
02 . Quick Start

FROM INSTALL TO
AUDIT-READY IN MINUTES.

Every paid plan includes SOC 2, HIPAA, and PCI DSS compliance scanning — one flag, done. Run custodia scan . --framework soc2 and get a gap report mapped to specific controls, ready to hand to an auditor.

# Install globally
npm install -g @custodia/cli

# Launch interactive mode (guided menus — no flags needed)
custodia

# Authenticate with your API key (from dashboard)
custodia auth --key YOUR_API_KEY

# Full security scan — OWASP Top 10, CWE, secrets, deps
custodia scan .

# AI code review — OWASP LLM Top 10, prompt injection, agency
custodia ai-scan

# Auto-fix vulnerable deps (add --pr to open a GitHub PR)
custodia fix
custodia fix --pr

# Monthly auto-scan — registers repo for 30-day email reports
custodia schedule owner/repo

# Diff mode — only changed files (fast, quota-efficient)
custodia scan . --diff

# Scan any GitHub repo without cloning
custodia scan --repo owner/repo

# ── Compliance scans — included in all paid plans ─────────
# Gap report mapped to specific controls · findings tagged with IDs
custodia scan . --framework soc2   # SOC 2 Type II — CC1–CC9, A1
custodia scan . --framework hipaa  # HIPAA §164.308 / 310 / 312
custodia scan . --framework pci    # PCI DSS v4.0 Req 1–12

# [OK] Report saved to .custodia-reports/
# [OK] Score: 87/100 — READY FOR PRODUCTION
🔐
SOC 2 Type II
custodia scan . --framework soc2
  • Maps to CC1–CC9 + A1 Trust Services Criteria
  • Gap report: pass / partial / fail per control
  • Evidence bundle for Type II audit prep
  • Findings tagged with CC control IDs
🏥
HIPAA Security Rule
custodia scan . --framework hipaa
  • §164.308 Administrative Safeguards
  • §164.310 Physical · §164.312 Technical
  • Gap report per safeguard category
  • Supports HIPAA risk analysis documentation
💳
PCI DSS v4.0
custodia scan . --framework pci
  • Requirements 1–12: MFA, encryption, access controls
  • Gap report identifying non-compliant controls
  • Evidence for QSA self-assessment questionnaire
  • Findings tagged with Requirement numbers

Included in all paid plans · Pro $39/mo · Team $129/mo · Business $249/mo

03 . Your Toolkit

DASHBOARD. CLI. MCP.
ONE SECURITY STACK.

Three ways to scan — pick what fits your workflow. Dashboard for point-and-click, CLI for terminal and CI/CD, and MCP to scan directly inside Claude.ai or Cursor in plain English. Same pipeline, same findings, same quota across all three.

Dashboard — GUI
No CLI needed

Connect GitHub with one OAuth click. Pick any repo, choose Full or Diff scan, and review your findings inline — all from your browser. Schedule monthly auto-scans, manage API keys, and book expert sessions without touching a terminal.

  • Connect GitHub — one OAuth click
  • Pick any repo & scan in one click
  • Review findings inline in the browser
  • Schedule autopilot & manage keys
  • Book cybersec expert sessions
Open Dashboard →
CLI — Terminal
CI/CD ready

Install once, run anywhere. custodia launches interactive mode with guided menus — no flags required. Or go direct with custodia scan . Integrates with GitHub Actions, Cursor, Copilot, and Claude Code out of the box.

# Interactive mode
custodia

# Or go direct
custodia scan .
custodia fix
custodia schedule owner/repo
See All Commands ↓
MCP — AI‑Native
New

Connect Custodia to Claude.ai, Claude Desktop, or Cursor — then scan any GitHub repo and discuss findings in natural language. No context-switching. Security in conversation.

  • Ask Claude to scan any public or private repo
  • Findings land directly in the chat context
  • Ask follow-ups, request fix code, brief stakeholders
  • Works in claude.ai browser, Claude Desktop, Cursor
  • Same quota as CLI — nothing extra to buy
Setup Guide ↓
custodia.dev/dashboard
Custodia.dev dashboard — GUI security scanning interface
04 . Monthly Report Email

YOUR SECURITY POSTURE
IN YOUR INBOX.
EVERY MONTH.

Register a repo with custodia schedule and every 30 days Custodia runs the full scan pipeline and emails you. No login required. No dashboard to check. Security awareness delivered to where you actually look.

  • [OK] Security score this month + delta vs last month
  • [OK] New findings since last scan
  • [OK] Resolved / fixed findings
  • [OK] Top critical & high severity issues
  • [OK] Direct link to full report + custodia fix CTA
  • [OK] Posture trend over time
FROM: noreply@custodia.dev
Monthly scan: acme/webapp scored 78/100 — April 2026
Security Score
78/100
vs Last Month
+6
Improving ↑
3
New Findings
7
Resolved
1
Critical
4
High
Top Finding · Critical
SQL Injection — user input flows to raw query in /api/search
Run custodia fix →
Auto-Scan Mode

ONE COMMAND.
AUTOMATED FOREVER.

Register any GitHub repo for monthly automated security scanning. No login required after setup. No dashboard to manage. Every 30 days: full scan runs, email report arrives. Your security posture on autopilot.

01
Pro+
custodia schedule owner/repo
Register in one command
Run once from your terminal. Custodia stores your repo reference securely. For private repos, pass your GitHub token — it's encrypted with AES-256-GCM at rest. You never touch this again.
02
Fully automated
[ ⏱ cron: 09:00 UTC daily ]
Cron fires every 30 days
Custodia's daily cron checks which repos are due. When your 30-day window is up, it fetches the latest code from GitHub, strips all .env files, and runs the full 5-stage security pipeline — automatically.
03
Zero friction
noreply@custodia.dev
Email arrives. Nothing to do.
Your monthly security report lands in your inbox: score, delta vs last month, new findings, resolved issues, top critical vulnerability, and a direct link to the full report. All without opening a single dashboard.
30-day cycle
Day 0
You register
Day 30
Cron fires
Fetch
Latest code from GitHub
Scan
5-stage security pipeline
Email
Report in inbox
Day 60
Repeats automatically
Repos per plan
Pro — $39/mo · 1 repo
Team — $129/mo · 5 repos
Business — $249/mo · 12 repos
Private repos — fully supported

Pass a GitHub personal access token when scheduling. It's encrypted with AES-256-GCM before storage — Custodia never stores it in plaintext. The cron decrypts it only at run time to fetch files.

custodia schedule org/private-repo \
--token ghp_xxxxxxxxxxxx
What runs each month
  • Full 5-stage security pipeline
  • OWASP Top 10 + LLM Top 10
  • Dependency CVE scan (OSV.dev)
  • Compliance mapping (Pro+)
  • Score delta vs prior month
  • PDF export (Pro+)
Enable Auto-Scan on Pro+ →

Pro from $39/mo · no per-seat pricing · cancel anytime

05 . What It Covers

Every Attack Surface. One Tool.

Traditional security, AI-specific risks, dependency CVEs, and compliance frameworks — covered in a single scan. No separate tools, no extra config.

Traditional Security
All Plans
  • OWASP Top 10 (SQLi, XSS, CSRF)
  • Authentication & session security
  • Hardcoded secrets & API keys
  • Input validation & injection
  • Logging & monitoring gaps
  • Dependency CVE scanning (OSV.dev)
AI App Security
All Plans (full on Pro+)
  • OWASP LLM Top 10
  • Prompt injection detection
  • Insecure AI output handling
  • AI-generated code auditing
  • Excessive agency patterns
  • Training data / PII leaks
Compliance Mapping
Dev / Pro
  • NIST AI RMF (GOVERN, MAP, MEASURE)
  • EU AI Act (Art. 9, 13, 14, 52)
  • ISO 42001 AI management
  • SOC 2 TSC controls
  • CWE cross-references
  • GRC gap report
5 stages
Custodia security pipeline
Triage → Domains → Compliance → Synthesis → Report
6 ecosystems
Dependency scanning
npm · pip · gem · go · cargo · more
0 stored
Code retention
Source code never retained beyond inference
< 5 min
Full scan time
For most production codebases
05 . GitHub Actions
● ALL PLANS
↗ MARKETPLACE

NEVER PUSH
VULNERABLE CODE AGAIN.

One YAML file. Every push and pull request automatically triggers a diff scan — only the files you changed get checked, so it's fast and doesn't burn your quota. Catch vulnerabilities before they ever reach production.

01
Add your API key as a repo secret
Go to Settings → Secrets and variables → Actions. Add CUSTODIA_API_KEY with your key from the Custodia dashboard. No config file, no YAML changes needed.
02
Drop in the workflow file
Copy the YAML below (or from your dashboard) to .github/workflows/custodia.yml. It runs automatically on every push to main and on every pull request.
03
Every push is now scanned
The CLI auto-detects the GitHub Actions environment and diffs against the PR base or previous commit. Only changed files are sent — fast, quota-efficient, and compatible with every plan including Free.
View Setup Guide →
.github/workflows/custodia.yml
name: Custodia Security Scan
on:
  push:
    branches: ["main", "master"]
  pull_request:

jobs:
  custodia:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: contactdavidpersonal-code/custodia-scan-action@v1
        with:
          api-key: ${{ secrets.CUSTODIA_API_KEY }}
MCP . AI‑Native
● NEW

SCAN FROM CLAUDE.
THEN TALK ABOUT IT.

Connect Custodia as an MCP server to Claude.ai, Claude Desktop, or Cursor. Ask Claude to scan any repo in plain English — findings land in the conversation so you can dig in, ask follow-up questions, and generate fixes without ever leaving your AI tool.

01
Dashboard → API Keys → Copy
Get your API key
Sign up or log in to custodia.dev. Copy your API key from the dashboard — it looks like sfp_xxxxxxxx. Same key the CLI uses. Free tier works.
02
URL: https://custodia.dev/api/mcp
Auth: Bearer sfp_...
Connect to your AI client
Claude.ai: Settings → Integrations → Add, paste the URL, set the Authorization header. Claude Desktop / Cursor: add one JSON block to your MCP config. Takes under 2 minutes.
03
"Scan github.com/my-org/backend"
Scan and converse
Ask Claude to scan any repo. Findings land in the conversation — then ask follow-ups, request fix code, compare severities, or generate a security brief for your team.
Example conversation
claude.ai — Custodia MCP connected
User: Scan github.com/my-startup/backend for security issues.
Claude: Found 3 issues in 47 files (score 71/100). One CRITICAL: hardcoded JWT secret in src/config.js — attackers could forge auth tokens for any user. Two HIGHs: SQL injection in /api/search, and no rate limiting on /api/login. Want me to generate fix code for the JWT issue?
User: Yes, fix the JWT one. Also explain the SQL injection to my co-founder who isn't technical.
Claude: Here's the JWT fix for src/config.js... [replacement code] For your co-founder: the search box sends user input straight to the database without checking it first — like a vending machine that accepts "give me everything + your cash" as a valid selection.
Compatible clients
Claude.ai
Browser — Settings → Integrations → Add URL
Remote HTTP
Claude Desktop
App — add to claude_desktop_config.json
stdio
Cursor
Settings → MCP Servers → Add entry
stdio
VS Code + Copilot
Copilot Chat → MCP configuration
stdio
Same quota. Same plan.
MCP scans use the same quota counter as CLI and dashboard scans. No double billing, no extra tier — your plan works across all three surfaces.
MCP tools exposed
scan_repo — Scan any GitHub repo, public or private
get_fix_guide — Generate fix guide for findings (Pro+)
check_quota — Check remaining scan credits
Connect MCP →

Claude.ai · Claude Desktop · Cursor · VS Code Copilot · Any MCP client

06 . Why Custodia

LEGACY TOOLS WERE BUILT
FOR A DIFFERENT ERA.

Snyk, Semgrep, and SonarCloud were built for a different era. They match known CVEs and syntax patterns — but can't reason about your application logic, emerging vulnerability classes, or the full attack surface that matters today. Custodia covers all of it — and starts free.

Capability · Custodia · Snyk · Semgrep · SonarCloud · GitHub GHAS
OWASP Top 10 / CVE scanning
Dependency CVE scanning ~
OWASP LLM Top 10
Prompt injection detection
Deep code review (behavioral patterns)
EU AI Act / NIST AI RMF
Monthly email security report ~
IDE agent prompt (Cursor / Copilot) ~ ~
MCP — scan from Claude.ai / Claude Desktop / Cursor
Fix guide (dep bumps + AI-ready fix doc) ~
No per-seat pricing
Starting price · Free · $25/dev/mo · $40/dev/mo · $10/mo · $49/dev/mo

✓ = full support  ·  ~ = partial/plugin  ·  ✗ = not supported  ·  Pricing as of April 2026. Per-seat tools priced for a team of 3.

Start Free — No Card Required →
07 . Human in the Loop

A REAL CYBERSECURITY
EXPERT BEHIND
EVERY ACCOUNT.

Custodia is a cybersecurity firm, not just a scanner. Every paid plan includes a direct line to a credentialed cybersecurity professional — monthly video call, unlimited email support, and an expert who actually knows your stack.

What's included every month
30-min private video call
Use it however you want — no agenda forced on you
Unlimited email support
Questions, second opinions, findings walkthrough anytime
Business-first perspective
Advice grounded in real-world risk, not theoretical CVE checklists
AI + compliance expertise
OWASP LLM Top 10, EU AI Act, SOC 2, NIST — not just code bugs
Common session topics
Threat modelling
SOC 2 readiness
AI security risks
Code architecture
Incident response
Compliance gaps
Dependency CVEs
Team security training
"No other security tool ships with a credentialed expert on speed-dial. Custodia is a cybersecurity firm — our officers hold graduate degrees, carry active certifications, and are held to standards most teams can't hire for internally."
Available on paid plans
Free — Not included
Builder — 1 × 30-min session / month + email
Pro — 1 × 30-min session / month + email
Business — 1 × 30-min session / month + email
How we compare
Snyk
AI scanner only
Semgrep
Rules engine only
Checkmarx
Enterprise SAST, no advisor
Custodia
Cybersecurity platform + certified advisor
Get Started — First Scan Free · View Pricing
Token only consumed when you confirm a booking.
Cancel anytime — your session rolls back.
Cyber Insurance Evidence Package
PRO+

YOUR AUDIT TRAIL
BUILDS ITSELF.
Hand It to Your Broker.

Every scan on a paid plan is permanently stored with a SHA-256 cryptographic fingerprint, a timestamp, and your full findings. That's a provable record that on this date, this exact codebase was assessed against OWASP, CWE, and NIST. Cyber insurance underwriters call this "evidence of ongoing security testing." You build it automatically just by scanning.

What's in the Insurance PDF
🔒
SHA-256 code fingerprint
Cryptographic proof that this exact codebase was assessed on this date — not "some version of it." Permanently tied to the scan record.
📋
OWASP Top 10 + NIST CSF coverage table
Every control listed with a CLEAR / FINDING / CRITICAL status derived from actual findings — formatted for underwriter review.
📊
Domain scores + severity summary
Auth, data protection, secrets, injection, logging — each domain scored separately with a 4-box finding count breakdown (Critical / High / Medium / Low).
Validated controls list
Controls the scanner assessed and found correctly implemented — as important to underwriters as the findings.
📄
Signed attestation page
Pipeline version, models used, CVE database queried (OSV.dev), scope limitations — legally framed and ready to submit.
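An added illustration, not Custodia's implementation, of what a SHA-256 fingerprint tied to a scan record can mean: a content hash over the in-scope files in sorted path order, so the same tree yields the same digest anywhere and any edit changes it, plus a record id over the whole scan entry so later tampering with the findings is detectable. The exclusion rules (.env files, .git, node_modules) and the sample files are assumptions of this example.

```python
"""Deterministic codebase fingerprint and tamper-evident scan record (illustration only)."""
from __future__ import annotations
import hashlib
import json
import os
from datetime import datetime, timezone
from pathlib import Path

# Assumed exclusions for this example: .env* files (as the page says these are
# stripped before scanning) and directories that are not source.
EXCLUDED_DIRS = {".git", "node_modules"}


def in_scope(rel: Path) -> bool:
    """True for files that count toward the fingerprint."""
    if rel.name == ".env" or rel.name.startswith(".env."):
        return False
    return not any(part in EXCLUDED_DIRS for part in rel.parts)


def fingerprint_files(files: dict[str, bytes]) -> str:
    """SHA-256 over an in-memory {relative_path: content} map.

    Each entry is fed as path, NUL, size, NUL, content in sorted path order,
    so renames, reorders and content edits all change the digest and a path
    can never be confused with the bytes that follow it.
    """
    h = hashlib.sha256()
    for rel in sorted(files):
        if not in_scope(Path(rel)):
            continue
        data = files[rel]
        h.update(rel.encode("utf-8") + b"\0" + str(len(data)).encode() + b"\0")
        h.update(data)
    return h.hexdigest()


def fingerprint_tree(root: str | os.PathLike) -> str:
    """Fingerprint a directory on disk using the same rules."""
    root = Path(root)
    files = {}
    for p in root.rglob("*"):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = p.read_bytes()
    return fingerprint_files(files)


def _canonical(body: dict) -> bytes:
    # Stable key order and no whitespace, so re-serialising gives identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def scan_record(files: dict[str, bytes], findings: list[dict], when=None) -> dict:
    """Evidence record: which code was assessed, when, and what was found.

    record_id is a hash over the whole entry; anyone holding the record can
    recompute it to confirm the findings were not edited after the fact.
    """
    when = when or datetime.now(timezone.utc)
    body = {
        "scanned_at": when.isoformat(),
        "code_fingerprint": fingerprint_files(files),
        "file_count": sum(1 for rel in files if in_scope(Path(rel))),
        "findings": findings,
    }
    body["record_id"] = hashlib.sha256(_canonical(body)).hexdigest()
    return body


def verify_record(record: dict) -> bool:
    """Recompute record_id from the other fields and compare."""
    body = {k: v for k, v in record.items() if k != "record_id"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record.get("record_id")


# Constructed sample tree for the demo.
SAMPLE_FILES = {
    "src/app.py": b"print('hello')\n",
    "README.md": b"# demo\n",
    ".env": b"SECRET=do-not-hash\n",
}
```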
vs. Traditional Penetration Test
Pentest
$10–30k
One-time.
Point-in-time.
No ongoing trail.
Expires in 12 months.
Custodia Team+
$129/mo
Monthly scans.
Permanent audit trail.
OWASP + CWE + NIST.
Insurance PDF on demand.
Many brokers accept automated scan evidence for early-stage products in lieu of a formal penetration test. Check with your broker.
Renewal workflow
01 Run a full scan — findings logged permanently with SHA-256 fingerprint
02 Fix all CRITICAL and HIGH findings
03 Run a second scan — clean result is documented automatically
04 Download both Insurance PDFs — submit to broker as remediation evidence
Monthly auto-scan = automatic 12-month audit trail
Enable scheduled scanning on any Pro+ plan and Custodia runs the full pipeline every 30 days — no action required. After 6 months you have a continuous monitoring history that most funded startups can't produce. Underwriters specifically ask for this.
Start Building My Trail →
📥
Available on every Pro+ scan — one click
In your dashboard, every scan row shows “↓ PDF” (developer report) and “↓ Insurance” (underwriter package). Download either at any time for any scan in your history.
View Sample Report →
08 . Start Today

CYBERSECURITY
THAT KEEPS UP.
FREE TO START. FOREVER.

Install the CLI. Run your first scan free. When you're ready for fix guides, monthly autopilot, and compliance reporting — upgrade in your dashboard.

npm install -g @custodia/cli, then custodia scan .
Install for
VS Code
Create Free Account → · View Plans & Pricing
Free — $0
  • 3 scan credits / month
  • 10 diff scans / month
  • AI Security Scan (5-stage pipeline)
  • 30+ check IDs · OSV dep vuln scan
  • Dep Auto-Fix PRs + Dep Watch
  • No card required. Ever.
Dev+ — $39/mo
  • 10 scan credits / month
  • 60 diff scans / month
  • Fix Prompts · Code Fix Guide · AI Auto-Fix PRs
  • PR Inline Review · Diff Scan Baseline
  • Scheduled Monthly/Weekly Scans
  • CyberSec Officer Session (30 min/mo)
  • AI Code Review Agent · OWASP LLM Top 10 + NIST AI RMF
Pro — $129/mo
  • 25 scan credits / month
  • 150 diff scans / month
  • Everything in Dev+, plus:
  • Compliance Mapping (OWASP/CWE/NIST/SOC2/ISO 27001/EU AI Act)
  • GRC Gap Report · PDF Security Report
  • SOC 2 Readiness Report · ISO 42001 / EU AI Act
  • 3 API keys
Business — $249/mo
  • 60 scan credits / month
  • 400 diff scans / month
  • Everything in Pro, plus:
  • Outbound Webhooks (HMAC-signed)
  • White-Label PDF · Portfolio Score History + SLA
  • Remediation Workflow (assign/track/resolve)
  • 5 API keys

Free plan is free forever · Upgrade or cancel anytime in dashboard · Compliance mapping (SOC 2, OWASP, ISO 27001, EU AI Act) included from Pro tier

Custodia.dev — 100/100 Ready for Production