Security is safety, and safety is for everyone. Lictor proudly stands with the LGBTQ+ community. Happy Pride.

Open-source security suite · Apache-2.0

Security audit for anything you built with AI.

One suite, three pillars. The bodyguard your AI didn’t ship with.

Safety infrastructure for the AI agent era: secure the AI you use, secure your company, and scan the world for the bugs AI assistants leave behind. Plain English, right where you code, in under a minute, before you ship.

Apache-2.0 · No telemetry · 0 disclosures ever exploited · 20-yr security engineer

Works with Claude Code, Cursor, OpenClaw, Codex, Antigravity, and local models (Hermes). Same tools, any agent, zero cloud tokens on local.

~/my-app · claude code
# in your project, inside Claude Code or Cursor:
/lictor-security-check

CRITICAL  Supabase service key is in bundle.js:1247
          anyone with your URL has full database write access.
HIGH      /api/users returns every row to any logged-in user.
MED       Stripe webhook isn’t signature-checked.  (+5 more)

✓ 142 files scanned in 48s · report saved to SECURITY-AUDIT.md

The platform

One suite. Three pillars.

Lictor is one engine (Core) and one dashboard (Guardian), pointed at three jobs: the AI you use, the company you run, and the world you ship into.

For AI · Shipped

Lictor for AI

Secure the AI you use. Drops into Claude Code, Cursor, Codex, Antigravity and the top-10 AI clients. The bodyguard your assistant didn’t ship with.

  • Shield audits any deployed AI-built site you visit
  • Sentinel blocks prompt injection + secret leaks at runtime
  • Airlock isolates what your agent can touch
  • Skills + VS Code: the 60-second audit, everywhere you build

For Business · Early access

Lictor for Business

Secure the company. Two products: an isolated AI workspace your team can’t leak through, and an automated internal pentest priced for an SMB.

  • Isolation OS boots a USB into an air-gapped AI workspace
  • Internal Check: the $20k pentest engagement at SMB price
  • Your own AI accounts inside; your network stays invisible
  • Same Core engine, same plain-English findings

Patrol · Scanning now

Lictor Patrol

Scan the world. External attack-surface recon that finds the bugs AI assistants leave behind, at internet scale.

  • Scanning the public internet now for AI-built apps leaking live keys
  • Finds leaked secrets, exposed databases, open auth, takeover-able subdomains
  • A real track record: dozens of live exposures disclosed, none ever exploited
  • Ethical disclosure only. Categories and counts, never a victim’s name

Under all three: one engine (Core) and one dashboard (Guardian).

Founding supporters

Be one of the first 100 people to back Lictor.

Open-source security audits for AI-built apps. Apache 2.0. Built by a 20-year security engineer who got tired of watching Lovable/Bolt/v0 apps leak Firebase keys on day one.

Star on GitHub, 4 seconds

Takes 4 seconds. Costs nothing. It’s the difference between “interesting project” and “trusted by thousands.”


Flagship · early access

Boot AI. Touch nothing.

Lictor Isolation OS is a USB stick you boot into a clean, isolated workspace. Gemini, ChatGPT and Claude with your own accounts, full power, and zero access to your company network. Pull it out, and there’s no trace.

Step 01 · Boot

Plug in. Power on.

Boot the stick into a hardened, ephemeral OS, separate from the machine’s disk, the domain, and the company LAN.

Step 02 · Log in

Your AI, your accounts.

The top AI clients come pre-installed: Claude Code, Codex, Cursor, Gemini, Antigravity, ChatGPT. Sign in with your own accounts; nothing to configure.

Step 03 · Isolated

Reaches the model. Not you.

The workspace can talk to the AI providers and nothing else. Your domain, prod, and files stay invisible. Air-gap by construction.

isolation-os · network policy
api.anthropic.com      reachable
api.openai.com         reachable
10.0.0.0/8             blocked
192.168.0.0/16         blocked
default gateway        blocked

The boundary is physical, not a policy you hope holds. We proved it in the red-zone build: the AI reaches api.anthropic.com, but every path to a private network (10.x, 192.168.x, your gateway) is blocked.

The model: pay once, download the image, boot it. No install, no setup. Available today as a container red-zone (open source); the bootable USB OS is in early access.

/lictor-security-check

One slash command. Eleven agents. Plain English.

Lictor ships as a Claude Code skill suite. Install once, run from any project. No dashboard to learn, no jargon to translate, no “contact sales” banner.

01 · 48 checks

The full OWASP Top 10 for Web, API, Mobile & LLM, plus CWE Top 25.

02 · Plain English

No “information disclosure vulnerability,” just “anyone can read your customer list.”

03 · Three siblings

Run /lictor-explain, /lictor-fix-it, /lictor-rotate.

04 · 100% local

No token, no signup, no telemetry, no per-seat pricing.


Install

Install for your tool.

Lictor runs everywhere AI-built apps get built. Every option is free, open source, and runs entirely on your own machine.

git clone https://github.com/Raffa-jarrl/Lictor-AI.git ~/Code/lictor

New: one-command installers for the top 5 AI agents, and triage runs on local models (Hermes / Qwen) at zero cloud-token cost.

01 · Claude Code

4 slash commands. Then run /lictor-security-check.

bash ~/Code/lictor/skills/install.sh

02 · Cursor

Project rules + MCP. Then @lictor scan in chat.

bash ~/Code/lictor/skills/install-cursor.sh

03 · OpenClaw · new

MCP server, usable by any agent, including Hermes/Qwen-backed.

bash ~/Code/lictor/skills/install-openclaw.sh

04 · OpenAI Codex · new

Registers in ~/.codex/config.toml. Then ask it to scan.

bash ~/Code/lictor/skills/install-codex.sh

05 · Antigravity · new

Registers in Antigravity’s MCP config. Then ask it to scan.

bash ~/Code/lictor/skills/install-antigravity.sh

One scanner, same checks, across the top 5 AI agents, one command each. Any other MCP host (Windsurf · Cline · Continue.dev) → point it at scripts/lictor-mcp.py. Also ships a standalone CLI (lictor-local.py) and the Lictor Shield browser extension.

The suite

When the audit isn’t enough.

Three more layers when your project starts handling real users: web, CLIs, browser extensions, MCP servers, desktop apps, serverless functions, bots, CI/CD pipelines. Same engine, ships everywhere at once.

Lictor Shield · Free · Chrome extension

Audits any deployed AI-built site you visit. Catches the issues before you sign up. Local-only, so no URL ever leaves your browser.

Lictor Sentinel · Free · npm + PyPI

For when your AI-built app calls OpenAI / Anthropic at runtime. Blocks prompt injection + secret leaks: 32 injection patterns, 15 secret patterns, Luhn-validated card detection. Never ships raw input/output, only 16-char fingerprints.

import OpenAI from "openai";
import { wrap } from "@lictor/sentinel";

const client = wrap(new OpenAI(), {
  preflight:  ["prompt-injection", "secrets-in-input"],
  postflight: ["pii-leak"],
});

// Same call site. Same response shape.
// Sentinel intercepts pre + post.
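
What "Luhn-validated card detection" combined with fingerprint-only reporting can look like, as an added example that is not Sentinel's own code. The function names, the candidate regex and the fingerprint scheme (first 16 hex characters of SHA-256) are assumptions, and the sample text is constructed.

```javascript
// Added illustration, not Sentinel's implementation. Function names, the
// candidate regex and the fingerprint scheme (first 16 hex chars of SHA-256)
// are assumptions made for this example.
const { createHash } = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto"); // ES-module fallback, Node >= 20.16

// Luhn checksum: double every second digit from the right, sum, check mod 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = digits.length - 1, dbl = false; i >= 0; i--, dbl = !dbl) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// 16-char fingerprint: lets findings be correlated without storing the value.
function fingerprint(value) {
  return createHash("sha256").update(value).digest("hex").slice(0, 16);
}

// Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens.
const CANDIDATE = /\b\d(?:[ -]?\d){12,18}\b/g;
const strip = (s) => s.replace(/[ -]/g, "");

// Report only Luhn-valid candidates, and only by position and fingerprint.
function findCards(text) {
  const findings = [];
  for (const m of text.matchAll(CANDIDATE)) {
    const digits = strip(m[0]);
    if (!luhnValid(digits)) continue; // drops order IDs and other digit runs
    findings.push({ kind: "card-number", index: m.index, fingerprint: fingerprint(digits) });
  }
  return findings;
}

// Replace each validated match with a marker that carries only the fingerprint.
function redactCards(text) {
  return text.replace(CANDIDATE, (raw) => {
    const digits = strip(raw);
    return luhnValid(digits) ? `[card:${fingerprint(digits)}]` : raw;
  });
}

// Constructed sample: a common test card number and a same-length order ID.
const sample = "Charge 4242 4242 4242 4242 for order 1234567890123456.";
console.log(findCards(sample), redactCards(sample));
```

An unkeyed hash of a card number can be recovered by enumeration because the input space is small; a keyed HMAC with a locally held secret is the stronger choice when fingerprints leave the machine.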

Lictor Guardian · Free preview · 90 days

For when your AI-built app gets its first customer who asks “are we SOC 2 safe?” Per-incident timeline, audit-log export for SOC 2 / GDPR Article 32, Slack webhook for criticals, append-only log enforced at the database level.

The crew

The crew that runs the audit.

Most AI security tools are a black box: input goes in, findings come out. Lictor’s 11 specialist agents are named, transparent, and surface their work. You see which agent found what, and why.

Wolf · Orchestrator

Reads your project, plans the audit, hands work to the right specialist. Surfaces a daily briefing so you always know what the crew did and what’s next.

Owl · Quality gate

Scores every finding against three audience personas before it ships. A finding that scores below 6/10 doesn’t make the report.

Hawk · Pattern scout

Hunts the bug shapes vibe-coders ship most: RLS gaps, env-var leaks, unsigned webhooks, hallucinated dependencies.

Lyrebird · Voice keeper

Translates every finding into plain English. Not “information disclosure vulnerability,” but “your /api/users page gives out the customer list to anyone.”

Bee · Fix designer

For every issue, drafts the smallest possible fix and the exact file + line to put it in. One paragraph, one diff, one rotated key.

Mantis · Audit auditor

Weekly reviewer that grades the crew’s own work. Catches false positives, drifting voice, missed patterns.

Plus five more: Octopus (engineering), Mongoose (currency tester), Bat (hook crafter), Starling (virality intel), Cuttlefish (aesthetic curator). Every agent is a markdown file you can read.

Why now.

40 to 62% of AI-built code ships vulnerable

91.5% of vibe-coded apps had at least one AI-hallucination flaw in Q1 2026. Recent incidents exposed tens of thousands of users via simple RLS misconfigurations. 8 million people use these platforms. Most of them don’t know what an “RLS policy” is.

Enterprise tools weren’t built for you

Snyk, Veracode, Checkmarx: they all assume a 5-developer team and a CISO who speaks SOC 2. Lictor assumes you, an AI assistant, and an app you shipped over a weekend.

Plain English isn’t a feature. It’s the product

Every Lictor finding is written as “your X does Y, anyone can do Z.” No CVE numbers in the headline. No CVSS scores. If the finding can’t be explained to a non-technical co-founder, Lyrebird rewrites it.

Open source so trust is verifiable

Apache 2.0. Every check is a markdown file you can read. Every agent has a SOUL.md you can fork. No proprietary engine, no black box. Read it. Run it. Fork it. Trust comes from the code, not from a certificate.

FAQ

Questions before you scan.

The things people actually ask before running a security check on an app they built with AI.

Q.01 Is my AI-generated app secure?
Usually not on the first ship. Industry research finds 40 to 62% of AI-generated code contains a vulnerability. Most often it’s an API key exposed in the browser bundle, or a database with no access rules. It’s worth running a quick check before you go live.
Q.02 How do I check if my Lovable, Bolt, v0 or Cursor app has security holes?
Run Lictor’s free /lictor-security-check inside Claude Code (or via MCP in Cursor, Windsurf, Cline). It walks your project, runs 48 checks tuned to the bugs AI assistants ship most — mapped to the full OWASP Top 10 for Web, API, Mobile and LLM apps, plus the CWE Top 25 — and writes a plain-English report in about a minute. No signup.
Q.03 Is Lictor free?
Yes. Apache-2.0, open source, no per-seat pricing and no “contact sales.” The audit, the Shield browser extension, and the Sentinel SDK are all free.
Q.04 Does Lictor send my code anywhere?
No. The audit runs 100% locally inside your AI coding tool, with no token, no signup, no telemetry. Your code never leaves your machine, and every check is a markdown file you can read.
Q.05 What does Lictor check for?
Leaked API keys and secrets, exposed databases (missing Supabase/Firebase row-level security), unprotected API routes, client-side-only auth, over-permissive CORS, and prompt-injection surface in AI features. These are the failure modes AI-built apps ship most.
Q.06 How is Lictor different from Snyk or Aikido?
Those are built for dev teams with a CISO and a budget, and they run after you deploy. Lictor is free, speaks plain English (no CVSS scores), and runs right where you code, before you ship, so a solo founder can use it without a security background.
Q.07 What’s the most common security bug in vibe-coded apps?
Missing row-level security on Supabase or Firebase, which lets anyone read everyone’s data, plus API keys hardcoded into the front-end bundle. Both are easy to find from the outside, so Lictor flags them first.
Q.08 Can Lictor fix the issues, not just find them?
Yes. Run /lictor-fix-it and it walks each finding one at a time, shows the exact change, and applies it with your approval. For leaked keys, /lictor-rotate walks you through rotating them at the provider.

Who’s building this?

Twenty years of writing security reports that nobody outside compliance teams could read.

Lictor is built by a 20-year cybersecurity engineer based in Israel. Twenty years of CISO advisory at Fortune 500 and security architecture for venture-backed startups.

Lictor exists because the people shipping the most software right now don’t have a CISO. Solo founders building an AI-generated SaaS on Saturday, indie hackers prototyping with an AI assistant at midnight, designers shipping an AI-built backend before their morning coffee. They have themselves, an AI assistant, and 48 hours to ship something. They need security tooling that speaks plain English and doesn’t require a sales call.

Coming Q1 2027

Lictor Sentry

AI threat protection for high-value individuals. iOS VPN profile (in development) that watches outbound AI API calls from your phone, for executives, journalists, founders whose AI assistant has access to sensitive data.

We’ll only email you when Sentry is ready to install. No newsletter.