SeaWolf-AI
posted an update 3 days ago
🐯 Chitos — The Security Scanner That Actually Proves It

Most security scanners hand you a suspect list and walk away. That gap between detection and proof is where attackers live — and it's exactly the gap that Chitos was built to close.

Chitos is the successor to Mythos, a static analyzer built for quick code health checks. Mythos was good at pattern matching — spotting dangerous sinks, mapping CWEs, producing readable reports. But static analysis has a structural ceiling. A rule that sees eval(user_input) can tell you that looks dangerous. It cannot tell you whether the input is reachable, whether sanitization three layers up covers this path, or whether there's a live exploit chain for your exact framework version. Chitos was built to answer those questions.

πŸ” Phase 1 applies 50 language-agnostic rules across Python, JavaScript, Go, Java, C/C++, Rust, PHP, YAML and more β€” covering injection sinks, deserialization gadgets, credential leakage, broken crypto, and prototype pollution. Every candidate is re-verified before reaching the report. Findings that can't be substantiated are excluded, not handed to you as noise.

🔬 Phase 2 dispatches an autonomous web-search agent to hunt live CVE databases, exploit advisories, and public PoC repositories. It formulates hypotheses, verifies them, and synthesizes a structured threat narrative. This phase needs a user-supplied Claude API key — Phases 1 and 3 run entirely free.

🎯 Phase 3 is where Chitos diverges from everything else. Against targets you own or are authorized to test, it fires real payloads — XSS, SQLi, path traversal, command injection — mutates on block, captures hard evidence, and connects every proven finding into a kill-chain showing which vulnerabilities to remediate first.

No installation. No account. No code sent to third-party APIs.

Article: https://huggingface.co/blog/FINAL-Bench/chitos

Try it now 👉 https://chitos.vidraft.net

The detection-to-proof gap is the right target. The trap is the second gap right behind it.

A reachability proof is only as true as your call-graph model. Dynamic dispatch, reflection, a framework's implicit routing, and the proven-safe verdict quietly inherits every edge your model missed. Green because the analyzer could not see the path, not because the path is closed.

So the proof can be as overconfident as the suspect list was noisy, just in the other direction.

Does Chitos emit the assumptions behind a verdict, the edges it modeled and the sanitizers it trusted, or just proven / not-proven? A proof I cannot audit is a prettier suspect list.


You've put your finger on exactly the right nerve — and it's also where Chitos parts ways with static analyzers.

Your critique targets static reachability proofs: the "safe" verdict inheriting the edges the call-graph never saw. Chitos's confirmed verdicts don't come from there. Phase 3 fires real payloads and observes real responses, so a confirmation is an executed round-trip, not an inferred reachable path — it's what the target actually did, not what our model claimed it would do. For positives, that sidesteps the call-graph-blindness problem.

Where your point lands fully is on negatives. That's precisely why Chitos never emits "proven-safe." Unconfirmed is reported as not demonstrated, never closed. Absence of a proof is not a safety claim — and we work hard not to blur that line in the UI.

On auditability, I completely agree. Today each finding already carries its attack vector, the payloads attempted, the response delta, and the verifier's reasoning. The next step is making that "what I tried and what I trusted" trail a first-class citizen for negatives too — because an un-auditable green light is, as you say, just a prettier suspect list. Thank you for the framing.
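The call-graph blindness raised in the comment above and the auditable trail described in the reply, as an added Python example that is not Chitos's or Mythos's code: a toy name-based call graph cannot see the getattr() dispatch edge to an eval() sink, so a naive analyzer goes green, while the audited variant reports the edges it modeled and the calls it could not resolve and refuses to call the path closed. The sample program, function names and verdict labels are constructed for illustration.

```python
import ast

# Constructed sample (not from the page): handle() reaches the eval() sink only
# through a getattr() dispatch edge that a name-based call graph cannot see.
SAMPLE = '''
def run_expr(payload):
    return eval(payload)

class Handlers: run = staticmethod(run_expr)
def handle(req):
    fn = getattr(Handlers, req["action"])
    return fn(req["payload"])
'''

def build_call_graph(src, sinks=("eval", "exec")):
    # Edges between defined functions, plus every call target we could not resolve.
    tree = ast.parse(src)
    funcs = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    edges, unresolved, sink_fns = {}, {}, set()
    for name, fn in funcs.items():
        edges[name], unresolved[name] = set(), []
        for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
            target = call.func.id if isinstance(call.func, ast.Name) else None
            if target in sinks:
                sink_fns.add(name)
            elif target in funcs:
                edges[name].add(target)
            else:  # getattr(), a local callable, an attribute call: a blind edge
                unresolved[name].append(ast.unparse(call.func))
    return edges, unresolved, sink_fns

def reachable(edges, node, seen=None):
    seen = set() if seen is None else seen
    if node not in seen:
        seen.add(node)
        for nxt in edges[node]: reachable(edges, nxt, seen)
    return seen

def naive_verdict(src, entry):
    # The trap: "no modeled path to a sink" is reported as safe.
    edges, _, sink_fns = build_call_graph(src)
    return "sink reachable" if reachable(edges, entry) & sink_fns else "safe"

def audited_verdict(src, entry):
    # Blind edges downgrade "safe" to "not demonstrated"; modeled edges and unresolved calls ship with the verdict.
    edges, unresolved, sink_fns = build_call_graph(src)
    seen = reachable(edges, entry)
    blind = {f: c for f, c in unresolved.items() if f in seen and c}
    status = "sink reachable" if seen & sink_fns else "not demonstrated" if blind else "no modeled path"
    return {"status": status, "unresolved_calls": blind, "sink_functions": sorted(sink_fns),
            "modeled_edges": {f: sorted(e) for f, e in edges.items()}}
```

Running naive_verdict(SAMPLE, "handle") returns "safe" although the entry point reaches eval() at runtime; audited_verdict(SAMPLE, "handle") returns "not demonstrated" and lists getattr and fn as the calls the model could not resolve.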