Logic Vulnerability
The class of bug no scanner sees,
because no one told it the rules.
Pattern-based scanners catch taint flows. They miss the bug where a user ID flows to a database without an ownership check. CYBRET mines invariants from your code, your specs, and your real traffic, then generates semantic fuzz harnesses that prove, with a safe replay, that an authenticated user can read somebody else's order.
27
Invariants mined per service
15%
Of critical bugs (industry avg)
0
Signatures
<30s
Invariant to test case
Capabilities
Signatures are over.
Rules are the new primitive.
Invariant mining engine
Reads your controllers, your OpenAPI, and a week of real traffic to extract the rules the system actually enforces: ownership, state machines, temporal constraints, monetary bounds.
Semantic fuzzer
Not byte-level noise. Typed, auth-aware requests that target invariant boundaries, mutated until an invariant breaks or every branch is covered.
Intent-deviation detector
When a handler deviates from the documented intent (spec says owner-only, code checks role-only), we raise a finding that cites both artifacts and the divergence line.
Multi-step chain solver
Some logic bugs need three requests in a specific order. A symbolic solver plans the chain, checks preconditions, and constructs a reproducible attack without brute force.
Counterfactual test generator
"If this user were in a different tenant, would the same request succeed?" We generate the identity-swapped, tenant-swapped, role-swapped variants automatically.
Proof-of-exploit capsule
Each finding ships with a safe, replayable capsule the engineer can run locally. No vague "potential issue" — the bug either reproduces, or the finding is retracted.
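The identity-swapped and tenant-swapped variants described under the counterfactual test generator, shown as an added example (not CYBRET's code): a handler that checks authentication only, the same handler with an ownership guard, and a check that replays every order read as every non-owner. The order store, user names, and function names are all hypothetical and constructed for this illustration.

```python
# Constructed sample data: order id -> record with owner and tenant.
ORDERS = {
    101: {"owner": "alice", "tenant": "t1", "total": 40},
    102: {"owner": "bob", "tenant": "t1", "total": 75},
    201: {"owner": "carol", "tenant": "t2", "total": 12},
}
USERS = {"alice": "t1", "bob": "t1", "carol": "t2"}  # user -> tenant


def get_order_role_only(user, order_id):
    """Before: checks that the caller is authenticated, never who owns the order."""
    if user not in USERS:
        return 401, None
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)


def get_order_owner_guard(user, order_id):
    """After: same lookup plus the ownership and tenant guard."""
    if user not in USERS:
        return 401, None
    order = ORDERS.get(order_id)
    # Answer 404 for foreign orders so their existence is not disclosed.
    if not order or order["owner"] != user or order["tenant"] != USERS[user]:
        return 404, None
    return 200, order


def ownership_violations(handler):
    """Replay every order read as every non-owner; report reads that succeed."""
    findings = []
    for order_id, order in sorted(ORDERS.items()):
        # Baseline: the owner must be able to read, or the test proves nothing.
        status, _ = handler(order["owner"], order_id)
        if status != 200:
            raise AssertionError(f"owner cannot read order {order_id}")
        for user in sorted(USERS):
            if user == order["owner"]:
                continue
            status, body = handler(user, order_id)
            if status == 200 and body is not None:
                kind = "cross-tenant" if USERS[user] != order["tenant"] else "same-tenant"
                findings.append((user, order_id, kind))
    return findings


if __name__ == "__main__":
    for h in (get_order_role_only, get_order_owner_guard):
        print(h.__name__, ownership_violations(h))
```

The owner baseline matters: a handler that rejects everyone would otherwise pass the invariant trivially.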
How it works
From your system's rules
to a test that breaks them.
Logic bugs are 15% of critical findings and 0% of most scanners. We close the gap by teaching the scanner what your system is supposed to enforce, and then trying, carefully, to break it.
01
Mine
Invariants extracted from code (ownership guards, state transitions), from spec (OpenAPI, GraphQL schemas, Prisma models), and from traffic (baseline enforcement patterns).
Code + spec + traffic
02
Propose
Each invariant becomes a hypothesis: "only the order owner can refund." A semantic fuzzer plans requests that would falsify it, auth-aware and tenant-aware.
Hypothesis-driven
03
Prove
Safe-mode replay runs the candidate attack against a disposable environment. A violation becomes a capsule: request chain, response, delta, and the invariant it broke.
Production-safe
04
Protect
Confirmed violations ship to the service owner with the spec line, the code line, the invariant, and a suggested guard. Regressions are caught by the same harness in CI.
Regression-proof
Surface
Invariants, violations, and the replay.
Spec sheet
The boring details
that determine fit.
For the AppSec lead who has tried fuzzing and got nothing but 500s. We built this for them first.
Invariant sources
Code (controllers, guards) · OpenAPI · GraphQL · Prisma / SQL schema · live traffic
Language coverage
TypeScript · JavaScript · Python · Go · Java · Kotlin · Ruby · C# · Rust
Fuzz harness generation
Auth-aware · tenant-aware · multi-step · symbolic precondition solver
Safety
Production-safe mode · rate-limited · idempotent-only · canary tenants · full audit log
Outputs
Jira · Linear · ServiceNow · Slack · PR comment · replay capsule · CI regression test
Deployment
SaaS · single-tenant · BYO-VPC · air-gapped on Enterprise
Integrations
GitHub · GitLab · Bitbucket · Postman · Burp · k6 · Datadog · Grafana
Data residency
US · EU (Frankfurt) · UK · AU · CA · BYOK on Enterprise
Next in the fabric
SOLUTION / BUSINESS LOGIC
For the product-side picture.
Logic Vulnerability is the engine. The Business Logic solution page frames how to deploy it across pricing, entitlement, and workflow bugs.
02 / VALIDATION
Prove the break, safely.
Every invariant violation is promoted into a continuously-verified exploit capsule. Validation runs it against prod look-alikes, so critical means confirmed.
Start today
Connect a repo.
See your first proven path.
Read access. 30 minutes. No credit card.