Fast vulnerability scanning built
for SOC2, PCI DSS, HIPAA, and ISO 27001

Slate scans your apps and APIs for security vulnerabilities, explains them in plain English, and gives you AI-ready fixes so you can be audit-ready.

app.slatesecurity.io

Product screenshot

Trusted by teams at

How it works

Built for simplicity and speed

Enter your domain

Paste your URL and run your first scan. No agent to install, no sales call to book. Results in under 10 minutes.

See what's exposed

Every finding ranked by severity and mapped to the compliance frameworks your buyers ask about.

Fix it with confidence

Each issue comes with plain-English remediation steps written for developers. Resolve it. Rescan. Move on.

New scan

Target URL

https://acme.io

Scan queued · ~8 min remaining

Status

Scanning

Checks

40+

Frictionless setup

Paste a URL.
Results in minutes.

Minimal setup. Maximum speed. Scan from the web or your terminal — either way you get a full vulnerability report in under 10 minutes.

app.slatesecurity.io

Web UI screenshot

Web UI

No setup required. Enter your domain in the dashboard, hit scan, and watch findings appear in real time. Share reports with a link.

app.slatesecurity.io

CLI screenshot

CLI

Run scans from your terminal, integrate into CI/CD pipelines, or script automated checks. Everything the web UI does, from the command line.

What we find

Vulnerabilities explained in plain-English.
AI-ready fixes.

Every finding comes with a plain-English explanation, step-by-step remediation guidance, and a ready-to-use AI agent prompt you can paste straight into Cursor to fix it.

SQL Injectioncritical

GET /api/users?id=

Reflected Cross-Site Scriptinghigh

GET /search?q=

Broken Object-Level Authorizationhigh

GET /api/invoices/:id

Sensitive Data in API Responsemedium

GET /api/config

Open Redirectmedium

GET /auth/callback?next=

Tap to explore.Hover to explore.

SQLI-01

SQL Injection

GET /api/users?id=

critical

User-supplied input is concatenated directly into a SQL query without sanitization. An attacker can craft a value that reads, modifies, or deletes any data in the database — including other users' records.

Remediation steps

Use parameterized queries or prepared statements in every database call.

Never build SQL strings by concatenating user input.

Apply an ORM with built-in parameter binding (e.g. Prisma, SQLAlchemy).

Fix with AI agent

You are a security-focused code agent. A SQL injection vulnerability was detected at `GET /api/users?id=`.

**Task:** Find every place in the codebase where user-supplied input is interpolated into a raw SQL string and rewrite each call to use parameterized queries or prepared statements.

**Scope:**
- Search for patterns like `db.query(`...${...}`)`, string concatenation in SQL calls, and any ORM raw-query escape hatches.
- Focus on files under `src/db/`, `src/api/`, and `src/routes/`.

**Acceptance criteria:**
1. No raw SQL string interpolation of user input remains.
2. All changed queries use parameterized placeholders (`?` or `$1` depending on the driver).
3. Existing unit tests pass. Add a test that sends a SQL-injection payload and asserts it is safely handled.
4. Do not change query logic or return types — only the parameterization.

XSS-02

Reflected Cross-Site Scripting

GET /search?q=

high

The search query parameter is echoed back into the HTML response without encoding. An attacker can craft a URL with a malicious script payload and execute arbitrary JavaScript in the victim's browser session.

Remediation steps

HTML-encode all user-controlled values before rendering them in a page.

Enable a strict Content-Security-Policy header to block inline scripts.

Use a templating engine with auto-escaping turned on (e.g. Jinja2, Handlebars).

Fix with AI agent

You are a security-focused code agent. A reflected XSS vulnerability was detected at `GET /search?q=`.

**Task:** Ensure the `q` parameter (and any other user-controlled query parameters) are HTML-encoded before being rendered into page output.

**Scope:**
- Find the route handler and template/component that renders the search results page.
- Check all other query-parameter reflections across `src/routes/` and `src/views/`.

**Acceptance criteria:**
1. The `q` value is HTML-entity-encoded wherever it appears in rendered output.
2. A `Content-Security-Policy` header is set in the response (or in the global middleware) that disallows inline scripts.
3. Add a test that sends `<script>alert(1)</script>` as the query and asserts the raw tag does not appear in the response body.

BOLA-03

Broken Object-Level Authorization

GET /api/invoices/:id

high

The endpoint returns any invoice record by ID without verifying the caller owns it. Any authenticated user can enumerate IDs and read another customer's billing records.

Remediation steps

On every request, verify the authenticated user's ID matches the resource owner.

Never rely on ID obscurity — use UUIDs AND ownership checks.

Add an integration test asserting that cross-tenant access returns 403.

Fix with AI agent

You are a security-focused code agent. A broken object-level authorization (BOLA) vulnerability was detected at `GET /api/invoices/:id`.

**Task:** Add an ownership check so the endpoint only returns an invoice if the authenticated user owns it.

**Scope:**
- Find the route handler for `GET /api/invoices/:id` in `src/api/` or `src/routes/`.
- Check sibling CRUD endpoints (`PUT`, `DELETE`) on the same resource for the same issue.

**Acceptance criteria:**
1. After fetching the record, the handler compares `invoice.userId` (or equivalent) to the authenticated session's user ID.
2. If they do not match, the endpoint returns `403 Forbidden` — not a 404 and not the record.
3. Add an integration test: authenticate as user A, attempt to fetch user B's invoice, assert 403.
4. Do not change the response shape for authorized requests.

EXPO-04

Sensitive Data in API Response

GET /api/config

medium

The config endpoint serializes the full server configuration object, inadvertently leaking internal API keys, database connection strings, and service credentials to any authenticated caller.

Remediation steps

Define an explicit allowlist of fields returned by every API endpoint.

Audit all serialization layers for accidental secret exposure.

Rotate any credentials that were exposed immediately.

Fix with AI agent

You are a security-focused code agent. Sensitive server credentials are being leaked via `GET /api/config`.

**Task:** Replace the full config serialization with an explicit allowlist of safe, client-facing fields.

**Scope:**
- Find the `/api/config` route handler and its serialization logic.
- Audit other endpoints that return configuration or system objects for the same pattern.

**Acceptance criteria:**
1. The response only includes fields explicitly approved for client consumption (e.g. `publicApiUrl`, `featureFlags`).
2. Keys like database URLs, internal API tokens, and service credentials are absent from the response.
3. Add a test that calls `GET /api/config` and asserts none of the known secret field names appear in the JSON body.
4. Note any credentials that were exposed so they can be rotated — do not rotate them in this PR.

REDIR-05

Open Redirect

GET /auth/callback?next=

medium

The `next` parameter after OAuth login accepts arbitrary external URLs. An attacker can craft a login link that silently redirects the user to a phishing page after successful authentication.

Remediation steps

Allowlist all valid post-login redirect destinations.

Reject any `next` value that doesn't share your origin.

Validate redirect targets server-side before following.

Fix with AI agent

You are a security-focused code agent. An open redirect vulnerability was detected at `GET /auth/callback?next=`.

**Task:** Validate the `next` parameter server-side so it can only redirect to same-origin paths.

**Scope:**
- Find the OAuth callback handler in `src/auth/` or `src/routes/auth/`.
- Check any other post-authentication redirect logic for the same pattern.

**Acceptance criteria:**
1. The handler parses the `next` value and rejects it if the host differs from the application's own origin.
2. If `next` is invalid or absent, the user is redirected to a safe default (e.g. `/dashboard`).
3. Add tests: (a) a same-origin `next` is followed, (b) an external `next` is ignored and falls back to the default.
4. Do not break existing OAuth flow tests.

Built for developers

Why engineering teams pick Slate

Security scanning that fits how you already work — fast scans, readable output, and fixes you can ship without a dedicated AppSec team.

app.slatesecurity.io

Plain English finding

Plain English findings

Explained like a senior dev would. Each finding explains what's wrong, why it matters, and what to fix it.

Minimal configuration

Paste a URL in the dashboard or pass a domain to the CLI. No servers to provision, no infrastructure to deploy — start scanning in minutes.

Automation-friendly CLI

Run scans in GitHub Actions, GitLab CI, or any pipeline. JSON output and exit codes designed for PR checks and deploy gates.

SOC 2

HIPAA

PCI DSS

ISO 27001

Audit readiness

Find issues early.
Show up audit-ready.

Controls and audits under SOC 2, HIPAA, PCI DSS, or ISO 27001 all touch application security — with different rules and cadences. Slate scans your web apps and APIs, surfaces exploitable issues, and gives you fixes you can ship before review day.

Pricing

Get started for free.

Pay annually upfront and save 20%. Additional targets on Startup and Scale are $20.00/month each.

Startup

$20.00/month

One app or API with unlimited scans to catch issues before they stack up.

1 target included
Unlimited scans
Severity ranked findings reports
Plain English remediation steps
AI-prompt fixes
48-hour email support
Add-on targets $20.00/month each

Scale

$60.00/month

Three targets, unlimited scans, and white-label reports for buyers and auditors.

Everything in Startup
3 targets included
Unlimited scans
White label reports
24-hour email support
Add-on targets $20.00/month each

Enterprise

Custom

Unlimited scope, SSO, and dedicated support for regulated teams at scale.

Everything in Scale
Unlimited targets
Unlimited scans
Single sign-on (SSO)
SCIM provisioning
On-prem deployments
Dedicated support

Find the gaps before
audit day.

Run a free scan on your app or API—results in under 10 minutes, with severity-ranked findings and AI-ready fixes. No setup call required.

Fast vulnerability scanning built for SOC2, PCI DSS, HIPAA, and ISO 27001

Built for simplicity and speed

Enter your domain

See what's exposed

Fix it with confidence

Paste a URL.Results in minutes.

Web UI

CLI

Vulnerabilities explained in plain-English.AI-ready fixes.

SQL Injection

Why engineering teams pick Slate

Plain English findings

Minimal configuration

Automation-friendly CLI

Find issues early.Show up audit-ready.

Get started for free.

Startup

Scale

Enterprise

Find the gaps beforeaudit day.

Fast vulnerability scanning built
for SOC2, PCI DSS, HIPAA, and ISO 27001

Paste a URL.
Results in minutes.

Vulnerabilities explained in plain-English.
AI-ready fixes.

Find issues early.
Show up audit-ready.

Find the gaps before
audit day.