Business Logic
Scanners find CVEs.
We find the coupon you can stack forever.
Business logic bugs do not look like bugs. They look like workflows. CYBRET mines invariants out of your code and traffic — ownership, order, quantity, price, state — then hunts for the paths that quietly violate them. Race conditions, privilege chains, idempotency gaps, the discount that somehow applies twice. Zero signatures, real exploits, every time.
27
Invariants learned per app
0
Signatures used
89%
Real bugs confirmed
7x
Faster than human pen-test
Capabilities
The class of bugs
that pattern-matchers miss.
Workflow invariant miner
Reads routes, jobs, and traffic to infer what your app secretly believes — "orders move forward", "refunds are smaller than originals" — and flags the paths that break the belief.
Privilege-chain analyzer
Composes authorisation across endpoints to catch the 3-call sequence that turns a reader into an admin. Chains are shown as graphs, not stack traces.
Race-condition detector
Fires concurrent requests against state-mutating flows to surface idempotency gaps, TOCTOU bugs, and the classic "two purchases, one wallet" drain.
Discount / coupon tamper tests
Parameter tampering across cart, checkout, and refund, with automatic proof when a coupon stacks, a price rounds wrong, or a currency field drifts.
State-machine drift alerts
Every mined state graph is diffed per release. New transitions, skipped states, and dead-end statuses show up as code-review comments before they ship.
Ownership-check validator
Every object-returning route is checked for an ownership predicate anchored to the caller identity. Missing or weakened predicates are treated as exploitable until proven otherwise.
How it works
Logic as spec,
violations as evidence.
The trick is treating your workflows as contracts the code pretends to honour. Every mined rule becomes a test. Every test either holds or it does not — and you get the proof either way.
01
Mine invariants
Read repos, OpenAPI, DB schemas, and a few hours of traffic. CYBRET infers rules: price ≥ 0, refund ≤ original, order must have owner, job runs exactly once.
Code + traffic
02
Model the workflow
Routes are composed into state machines and privilege graphs. What your app is supposed to do is explicit — and therefore violable.
State + authZ
03
Hunt violations
Reasoning agents attempt to violate each invariant through parameter tampering, concurrency, replay, and identity rotation, with a kill-switch and blast-cap.
Reversible
04
Prove, fix, watch
Confirmed violations ship with a reproducer capsule, the exact ownership check to add, and a monitor that screams if the invariant drifts again.
Reproducible
Surface
Invariants, violations, and proof.
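The invariants named in steps 01 to 04 (price ≥ 0, refund ≤ original, order must have owner, orders move forward), the ownership predicate from the Capabilities section, and the "two purchases, one wallet" race all reduce to the same thing: a check that sits in front of a state change, plus a monitor that re-checks stored state afterwards. The following is an added illustration, not CYBRET's code or output: a tiny order and wallet service in Python that enforces those rules and a monitor that reports drift. Every name, rule and sample value in it is constructed for the example.

```python
"""Added illustration (not CYBRET's code): a tiny order/wallet service that enforces
the workflow invariants named on the page and a monitor that re-checks them on
stored state. All names, rules and sample values are constructed."""
import threading
from dataclasses import dataclass, field


class InvariantViolation(Exception):
    """Raised when a request would break a workflow rule."""


STATES = ["created", "paid", "shipped"]  # orders only move forward


@dataclass
class Order:
    order_id: str
    owner: str
    total: float                 # price charged; must stay >= 0
    refunded: float = 0.0        # cumulative refunds; must stay <= total
    coupons: set = field(default_factory=set)  # each code at most once
    state: str = "created"


def require_owner(order: Order, caller: str) -> None:
    """Ownership predicate anchored to the caller identity; the check whose
    absence lets any authenticated user act on someone else's object."""
    if order.owner != caller:
        raise InvariantViolation(f"{caller} does not own {order.order_id}")


def apply_coupon(order: Order, caller: str, code: str, amount: float) -> float:
    """Apply a fixed-amount coupon once; refuse stacking and negative prices."""
    require_owner(order, caller)
    if code in order.coupons:
        raise InvariantViolation(f"coupon {code} already applied")
    if order.total - amount < 0:
        raise InvariantViolation("price >= 0 would be violated")
    order.coupons.add(code)
    order.total -= amount
    return order.total


def refund(order: Order, caller: str, amount: float) -> float:
    """Refunds never exceed what was charged, even cumulatively."""
    require_owner(order, caller)
    if amount <= 0 or order.refunded + amount > order.total:
        raise InvariantViolation("refund <= original would be violated")
    order.refunded += amount
    return order.refunded


def advance(order: Order, new_state: str) -> str:
    """Only the next state in STATES is reachable: no skipping, no going back."""
    if new_state not in STATES or STATES.index(new_state) != STATES.index(order.state) + 1:
        raise InvariantViolation(f"illegal transition {order.state} -> {new_state}")
    order.state = new_state
    return order.state


class Wallet:
    """Debit that survives concurrent and replayed requests: one lock guards the
    check-then-write, and an idempotency key makes a retry a harmless no-op."""

    def __init__(self, balance: float):
        self.balance = balance
        self._lock = threading.Lock()
        self._seen = set()

    def debit(self, idempotency_key: str, amount: float) -> bool:
        with self._lock:
            if idempotency_key in self._seen:
                return True          # replay of a request already honoured
            if self.balance < amount:
                return False         # "two purchases, one wallet" stops here
            self.balance -= amount
            self._seen.add(idempotency_key)
            return True


def concurrent_purchases(wallet: Wallet, keys: list, amount: float) -> int:
    """Fire one debit per key from parallel threads; return the number accepted."""
    accepted = []
    threads = [threading.Thread(target=lambda k=k: accepted.append(wallet.debit(k, amount)))
               for k in keys]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(accepted)


def audit(orders) -> list:
    """Monitor: re-check the invariants on stored state and report any drift."""
    findings = []
    for o in orders:
        if o.total < 0:
            findings.append((o.order_id, "price >= 0"))
        if o.refunded > o.total:
            findings.append((o.order_id, "refund <= original"))
        if not o.owner:
            findings.append((o.order_id, "order must have owner"))
        if o.state not in STATES:
            findings.append((o.order_id, "known state"))
    return findings


def violates(fn, *args) -> bool:
    """True if the call is rejected by an invariant check."""
    try:
        fn(*args)
        return False
    except InvariantViolation:
        return True
```

The point of the split between the request-time checks and `audit` is the one the page makes in step 04: the check prevents the violation, the monitor tells you when a later release quietly removed the check. Ten parallel debits of 30 against a balance of 100 accept exactly three, and ten replays of the same idempotency key debit the wallet once.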
Spec sheet
The boring details
that determine fit.
For the tech lead reviewing the architecture doc, the AppSec engineer shadowing the engagement, and the CFO who just wants the coupon abuse to stop.
Languages
TypeScript · JavaScript · Python · Ruby · Go · Java · Kotlin · C#
Framework coverage
Rails · Django · Flask · FastAPI · Spring · Express · NestJS · Go (chi, gin)
Invariant source
Static code · OpenAPI · DB schema · passive traffic sample · historic logs
Safety
Blast-radius cap · kill-switch · prod-safe shadow mode · data-shaped fixtures
Outputs
Reproducer capsules · fix diffs · invariant monitors · state-graph diffs
Deployment
SaaS · single-tenant · BYO-VPC · air-gapped on Enterprise
Integrations
GitHub · GitLab · Bitbucket · Jira · Linear · Slack · PagerDuty · Splunk
Data residency
US, EU (Frankfurt), UK, AU, CA · BYOK on Enterprise
Next in the fabric
01 / EXPOSURE
Reachability in one graph.
Logic findings land on the same graph as your cloud, identity, and code exposure — so "that coupon bug" is weighted by what it actually lets attackers do.
02 / VALIDATION
Proof, not assertions.
Every mined invariant violation becomes a reproducer capsule. Validation runs the capsule in a safe twin and keeps running it every time you ship.
Start today
Connect a repo.
See your first proven path.
Read access. 30 minutes. No credit card.