How it works

Proof before production.

Four steps from integration to blocked deploy. No manual config, no false positives.

01 INTEGRATE

Add xora to your CI pipeline

One runner step. Works with GitHub Actions, GitLab CI, CircleCI, or any shell-based pipeline. Point it at your staging URL and set --block-on-exploit.

xora runner
$ npm install -g @xora/cli
$ xora auth --token $XORA_API_KEY
Authenticated. Ready to run.

02 ATTACK

Agents probe your staging environment

On every deploy, xora spawns a set of autonomous agents tailored to your stack. They probe for SQL injection, IDOR, XSS, auth bypass, and more — the way a real attacker would, not a scanner.

xora runner
Detected: Node.js · Express · PostgreSQL
Spawning 6 agents…
Agent: sql-injection · started
Agent: idor-probe · started
Agent: auth-bypass · started

03 PROOF

Every exploit documented end-to-end

If an agent finds something, you get the full reproduction: the exact request, the exact response, and step-by-step instructions to verify it yourself. Not a risk score. Not a CVE. Proof.

xora runner
✗ EXPLOIT FOUND
type: SQL Injection
endpoint: GET /api/users?id=1'--
result: full DB read access confirmed
steps: see report.json

04 BLOCK

Deploy halted. Fix and re-run.

The CI step exits non-zero. The deploy stops. Your team gets a clear signal: what was found, where, and how to reproduce it. Fix the issue and re-run — xora confirms the fix.

xora runner
2 exploits found. Deploy halted.
See: https://app.xora.io/runs/r-8ab2f
$ # after fix:
$ xora deploy --validate --env staging
Clean. 0 exploits. Deploy unblocked.
