Phoenix Purple

Secure the code
your AI writes.

SAST, SCA, IaC, container and secret scanning that finds the bugs that are actually reachable, proves they're exploitable, and opens the fix as a pull request. Built for teams shipping AI-generated code at pace.

verified_userReachability-validated auto_fix_highAuto-fix PRs boltPipeline-less terminalIDE, CLI & AI assistant bug_reportZero-day detection shieldCWE / CVE coverage savings97% resolved before a token is spent
0 teams already scanning
Early access opens in waves for teams shipping AI-generated code.
merge_type fix/sql-injection-handler smart_toyAI remedy ready
Purple Security Scan
3 modules · reachability validated · 4.2s
check_circle
C
SQL Injection in query builder
SAST · reachable from /api/orders
checkSafe to merge auto_fix_highAuto-fix PR ready

The problem

AI now writes code faster than security can understand it.

Every sprint ships more generated code, more dependencies, more paths, and more possible mistakes. The old scanner model was built for a slower world.

More code lands. AI assistants generate pull requests no human can fully read line by line.

Context disappears. Legacy scanners see files and findings, not intent, ownership, or reachable execution paths.

Risk hides in noise. Thousands of alerts arrive with no proof they are exploitable, while the few real issues move toward production.

Why teams choose Phoenix Purple

Security that fits the way AI code gets shipped.

01

Validated before it becomes work

Findings are checked against reachability, exploitability and real code paths before they reach a developer.

Noise drops before the backlog grows.
02

Built for generated code

Phoenix catches the novel patterns AI assistants introduce, then explains the evidence in language engineers can trust.

03

Fixes land as PRs

Autofix opens pull requests and labels them safe to merge or needs review, so remediation keeps moving.

One graph connects every check

SAST, SCA, IaC, containers and secrets should not create five disconnected backlogs.

Phoenix Purple connects every finding to code paths, runtime context, ownership and exploitability evidence — so security sees chains, not scanner output.

Token efficiency

Cut token costs without cutting security coverage.

Phoenix Purple uses graph context and targeted analysis instead of repeatedly sending full repository context to expensive LLMs. Compare how scan costs change across 1,000 repositories.

document_scannerStandard LLM scanning

High token volume

Large code and vulnerability context gets sent repeatedly for every repo, PR and finding.

Costs climb fast at 1,000 repositories.
Phoenix Purple iconPhoenix Purple

Graph-native context

Cached intelligence, reachability evidence and targeted model use reduce token spend at scan scale.

Built to cut AI scan cost by up to 10×.

Knowledge graph

The intelligence that secures your code can help build it.

Phoenix builds a living map of your entire codebase — every function, every connection, every data path. That graph proves which findings are real and traces the chains an attacker could follow. It also gives your AI coding tools the full context of how your software actually works.

Phoenix Purple · Knowledge Graph · Agentic Code Triager

How it works

Choose a check. See the evidence. Open the fix.

Every module feeds the same reachability engine, so SAST, SCA, IaC, containers and secrets land as validated findings, not another backlog.

Phoenix Purple Workbench Live modules · validated findings · autofix-ready

Scroll next: raw findings collapse into reachable risk, then into pull requests. That is the loop.

Testimonials

Trusted by teams who measure outcomes

Not “better dashboards” - measurable reduction in critical exposure and time-to-remediation.

Ready for the next step?

See how Phoenix Purple turns graph context into developer-ready action.

Prioritize the reachable risk, route it to the right workflow, and keep remediation moving without adding another noisy dashboard.

Prioritization

112K findings should not become 112K tasks.

Phoenix collapses raw scanner output into a smaller set of proven actions: graph-validated risk, human review, and autofix-ready pull requests.

radarProduction scan
0K
raw findings

Code, packages, infrastructure, containers and secrets normalized into one evidence graph.

account_tree
0
Graph-proven risks

Reachable, exploitable, owned and routed with evidence attached.

validated path
auto_fix_high
0K
Autofix-ready

Grouped remediations Phoenix can open as safe-to-review pull requests.

PR prepared
psychology
3%
Needs AI review

Ambiguous chains escalate to deeper reasoning with human control.

human-in-control

Where you work

Meet developers where they work.

Security that shows up in the tools your team already uses — not in another dashboard they have to remember to check.

code

In the IDE

Catch and fix issues as you write, right inside VS Code, Cursor, JetBrains and Windsurf.

terminal

In the terminal

Run a full scan from the CLI, in any pipeline or none, and get results in seconds.

smart_toy

In AI assistant

Phoenix connects to Claude Code, Cursor and MCP assistants, so agents can scan, query and fix in context.

extension

As a skill

Drop Phoenix into your agent's skillset so security reasoning is part of how it builds, not a step bolted on afterwards.

Ask the graph

Talk to your code today. Get the answer you need.

Ask a question in plain language. Phoenix walks the knowledge graph, follows the real chains, and answers with the evidence. Then it turns that into a fix.

1
Ask in plain language

No query language, no rules to write. Type "Which findings can actually reach remote code execution?" straight into the Agentic Code Triager.

Agentic Code Triager · Query
Phoenix Agentic Code Triager query input screenshot
Knowledge Graph · Traversal
Phoenix Knowledge Graph traversal screenshot
2
Phoenix walks the graph

It traces every function, call and data path across all 1,918 nodes and 2,720 edges to find the chains that actually connect — not the ones that only look scary.

3
Get a grounded answer

Every claim is backed by the exact files and lines on the chainability map, so you can trust the answer instead of guessing or re-checking it by hand.

Chainability Map
Phoenix Chainability Map evidence screenshot
Autofix · Pull Request
Phoenix Autofix pull request opened screenshot
4
Ship the fix

Promote the answer straight into an autofix PR, tiered safe to merge or needs review — the same engine that found it writes the remediation.

Remediation plan

What Phoenix would open as PRs this week.

A real upgrade plan for a vulnerable Spring application: safe fixes first, reviewed changes next, and blocked migrations clearly separated from automation.

The point is not another table. It is an execution order your team can actually trust.
ID Package Current → Fix Tier CVEs (key) PR eligible
F-02 commons-text
1.81.10.0
SAFE CVE-2022-42889 (Text4Shell) check_circleAuto
F-07 commons-io
2.72.15.1
SAFE CVE-2021-29425 check_circleAuto
F-08 assertj-core
3.17.23.25.3
SAFE ReDoS / info-disclosure check_circleAuto
F-04 org.json:json
2019072220231013
MODERATE CVE-2022-45688, CVE-2023-5072 call_mergePR
F-05 nimbus-jose-jwt
8.39.37.3
MODERATE CVE-2023-52428 call_mergePR · compile check
F-06 commons-fileupload
1.51.5 · pin
MODERATE CVE-2023-24998 (already patched) call_mergePR
F-01 h2
1.3.1762.2.224
BREAKING CVE-2021-42392 (JNDI RCE) visibilityReviewed
F-03 spring-boot BOM
2.4.52.7.18 → 3.2.x
BREAKING CVE-2022-22965 (Spring4Shell) visibilityReviewed · 2-step
F-03 spring-boot 3.x — migration — BLOCKED jakarta.* + CommonsMultipartResolver removal blockNever
F-01 H2 console — intentional — BLOCKED Intentional design blockNever
SAFE → auto-merged MODERATE → PR opened BREAKING → human review BLOCKED → never automated

Execution order — most risk reduced first.

Week 1
F-02F-07F-08
One Gradle PR, zero risk. Eliminates Text4Shell and the path-traversal chain in a single merge.
Week 1
F-04F-05
JWT module PR. Compile-verify nimbus 9.x and run the JWT test suite before merge.
Week 2
F-06
Force-pin commons-fileupload 1.5 and add a WAF multipart rule as defence in depth.
Week 2
F-03 · Step 1
Bump the Spring Boot BOM to 2.7.18, which closes Spring4Shell without the 3.x migration.
Week 3
F-01
Upgrade H2 to 2.2.224 and validate every SQL-injection level against the new driver.
Week 4+
F-03 · Step 2
jakarta.* migration and CommonsMultipartResolver replacement — planned, never auto-merged.

Private preview

Get in line
for access.

Phoenix Purple is opening in batches for security engineers, AI developers and engineering leaders building with AI coding tools.

0 teams already scanning

Trusted by security teams at

Bazaarvoice logo Admiral logo Q2 logo ClearBank logo Optimizely logo

Derek

Derek Fisher

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

christophe

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

jim

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

The IKIGAI concept
Protected By
Shield Security PRO