Oxeye combines static and runtime analysis of the 5Cs (code, container, cluster, cloud, and their connections/communications) to find and prioritize vulnerabilities for modern distributed applications.
Oxeye was built to overcome the shortcomings of using multiple, disjointed application security tools, which resulted in a lot of noise and difficulty in determining which vulnerabilities were important and which ones were not.
Built-in Cloud Native AST
Open Source Analysis (SCA)
Static Code Analysis (SAST)
Dynamic Analysis (DAST)
API Security Testing
Runtime Contextual Analysis
Application flow analysis for “hidden” vulnerabilities
Infrastructure analysis for toxic risk assessment
1 minute deployment
Prioritize based on reachability and exploitability
Highlight loaded packages and in-use code
API to Code inward-out and outward-in
Actively validate the findings
Correlate multiple scanners for maximum accuracy
Shifting left, doing it right
Focus on the shortlist of critical-risk vulnerabilities
Provide developers the code and stacktrace
Built-in reproduction steps
Integral part of the SDLC
Full CI/CD Integration
Oxeye determines which vulnerabilities are exploitable in custom code, open source, and third-party packages. We find the ones that are most critical, then validate each one by conducting a pinpoint pentest.
Get a clear view of your entire application at runtime with our dynamic SBOM.
We gather all potential vulnerabilities from custom code, open source, and third-party packages.
We then trace application flows from the internet-facing API to the vulnerable line of code, and determine which packages are loaded and in use, and which ones are not. Oxeye ignores those that are never used.
Oxeye fetches configuration data from the Cluster, Container and Cloud layers to understand the internet-accessibility risk factor, then adds additional risk factors such as extra permissions to get a more refined view.
Oxeye provides the option of generating and injecting malicious payloads into the API-to-code path of vulnerabilities to validate them (fuzzing).
Oxeye recalculates severity by focusing on the exploitable vulnerabilities, to help prioritize remediation efforts.
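The workflow in the five points above (gather findings, trace API-to-code flows, check which packages are actually loaded, pull exposure data from the cluster and cloud layers, then re-score) can be illustrated with a small prioritization script. This is an added example, not Oxeye's code: every finding, package list, call edge and service configuration below is constructed sample data, and the scoring weights and threshold are assumptions chosen for the illustration.

```python
"""Reachability- and exposure-based vulnerability prioritization.

Added illustration of the gather / trace / expose / re-score workflow.
Not Oxeye's code: all inputs are constructed sample data and the
scoring weights are assumptions.
"""
from collections import deque

# Constructed sample findings, as an SCA/SAST scanner might emit them.
FINDINGS = [
    {"id": "F-1", "package": "yaml-parser", "symbol": "svc.orders.parse_config",
     "base_severity": 9.8},
    {"id": "F-2", "package": "img-resize", "symbol": "svc.media.thumbnail",
     "base_severity": 8.1},
    {"id": "F-3", "package": "legacy-xml", "symbol": "svc.reports.export",
     "base_severity": 9.1},
    {"id": "F-4", "package": "template-eng", "symbol": "svc.orders.render_receipt",
     "base_severity": 7.5},
]

# Constructed runtime observation: packages actually loaded into the processes.
LOADED_PACKAGES = {"yaml-parser", "img-resize", "template-eng"}

# Constructed application flow graph: externally reachable API entry points
# ("api:" nodes) plus the call and message-queue edges observed from them.
CALL_GRAPH = {
    "api:POST /orders": ["svc.orders.create"],
    "svc.orders.create": ["queue:orders", "svc.orders.render_receipt"],
    "queue:orders": ["svc.orders.process"],
    "svc.orders.process": ["svc.orders.parse_config"],
    "api:POST /media": ["svc.media.upload"],
    "svc.media.upload": ["svc.media.thumbnail"],
    "svc.reports.cron": ["svc.reports.export"],  # cron job, no API path to it
}

# Constructed cluster/cloud configuration per service.
SERVICE_CONFIG = {
    "svc.orders": {"internet_facing": True, "extra_permissions": ["secrets:read"]},
    "svc.media": {"internet_facing": True, "extra_permissions": []},
    "svc.reports": {"internet_facing": False, "extra_permissions": ["cluster-admin"]},
}


def reachable_from_api(graph, target):
    """Return the API-to-code path to `target`, or None if no API reaches it."""
    for entry in (n for n in graph if n.startswith("api:")):
        queue = deque([[entry]])
        seen = {entry}
        while queue:
            path = queue.popleft()
            if path[-1] == target:
                return path
            for nxt in graph.get(path[-1], []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return None


def service_of(symbol):
    """'svc.orders.parse_config' -> 'svc.orders' (naming convention assumed)."""
    return ".".join(symbol.split(".")[:2])


def score(finding):
    """Recalculate severity from load state, reachability and exposure.

    Weights are assumptions: unused packages drop to 0, loaded-but-unreachable
    code is heavily discounted, and internet exposure or extra permissions
    each add a small bump (capped at 10.0).
    """
    loaded = finding["package"] in LOADED_PACKAGES
    path = reachable_from_api(CALL_GRAPH, finding["symbol"])
    cfg = SERVICE_CONFIG.get(service_of(finding["symbol"]), {})
    if not loaded:
        adjusted = 0.0
    elif path is None:
        adjusted = finding["base_severity"] * 0.3
    else:
        adjusted = finding["base_severity"]
        if cfg.get("internet_facing"):
            adjusted = min(10.0, adjusted + 0.5)
        if cfg.get("extra_permissions"):
            adjusted = min(10.0, adjusted + 0.5)
    return {**finding, "loaded": loaded, "path": path,
            "adjusted_severity": round(adjusted, 1)}


def shortlist(findings, threshold=7.0):
    """Findings at or above the threshold after re-scoring, highest first."""
    scored = [score(f) for f in findings]
    keep = [s for s in scored if s["adjusted_severity"] >= threshold]
    return sorted(keep, key=lambda s: s["adjusted_severity"], reverse=True)


if __name__ == "__main__":
    for s in shortlist(FINDINGS):
        print(s["id"], s["adjusted_severity"], " -> ".join(s["path"]))
```

With the constructed data, F-3 disappears from the shortlist because its package is never loaded, while F-4 moves up despite its lower base score because it sits on an internet-facing path in a service holding extra permissions; the returned `path` is the API-to-code trace a developer would be handed alongside the finding.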
Deploy Oxeye as a daemonset in just two minutes, regardless of how many services you have in your application. See actionable results in minutes.
See the path that vulnerabilities take, from the externally-facing API, through services and message queues, to the vulnerable line of code.
Connect to JIRA, Slack, and your CI/CD pipeline to create tickets, notify team members, and enforce your policies automatically.
Oxeye decompiles binaries to scan your code, even for compiled languages such as Go and Java, which enables vulnerability discovery in third party binaries.
Get a comprehensive inventory of your application and services, in tabular and graphical formats, as well as all the components and endpoints of each service.
The Oxeye platform automatically updates whenever there are changes to the application, code or vulnerabilities.
Replace your current SAST, DAST, SCA and ASOC tools and realize a superior return on investment.
Our AppSec Platform doesn't require access to your code repos, and we don't make or store a copy of it anywhere. This ensures that your code is never at risk.
Eliminate uncertainty from the application security process, and save your development and AppSec teams time.