Not an internal dashboard for your team. A signed PDF in your name, attached to your invoice. Built for Next.js / Node freelancers and agencies before launch.
Signed by Hykaro Security · Independent Security Consultant
Verified
/ semgrep
/ trivy
/ gitleaks
/ npm audit
/ osv-scanner
/ bandit
/ checkov
/ hadolint
/ tflint
/ kube-bench
/ eslint-security
/ axe-core
/ pa11y
/ lighthouse
/ rgaa-checker
/ sonarjs
/ phpstan
/ psalm
/ mypy
/ ruff
/ clippy
/ gosec
/ semgrep
/ trivy
/ gitleaks
/ npm audit
/ osv-scanner
/ bandit
/ checkov
/ hadolint
/ tflint
/ kube-bench
/ eslint-security
/ axe-core
/ pa11y
/ lighthouse
/ rgaa-checker
/ sonarjs
/ phpstan
/ psalm
/ mypy
/ ruff
/ clippy
/ gosec
app.hykaro.security/scans/019e0d93
LIVE / 22 SCANNERS
What you get after a scan: consolidated findings, severity, affected files, PDF ready to ship.
One project. One price. No subscription.
Per-project pricing, never per-seat. Start free on one project, pay when you ship.
Demo
Evaluate on your real project
24h window · unlimited scans
1 target (1 repo or 1 URL)
Hykaro-branded PDF (no white-label)
No AI triage
€19 credited toward any tier
demo · one-shot
Essential
One-shot audit, in your name
7-day window · unlimited scans
Up to 3 targets (repos + URLs)
White-label PDF (logo, signature)
RGAA + EAA accessibility audit included (opt-in)
GitHub webhook: auto-scan on push
90-day download retention
per project · one-shot
Recommended
Standard
Most picked
30-day window · unlimited scans
Up to 5 targets
RGAA + EAA accessibility audit included (opt-in)
AI triage by Claude (false positives)
Inter-run diff (regression detection)
GitHub webhook + email support <24h
per project · one-shot
Premium
Audit + guided remediation
90-day window · unlimited scans
Up to 10 targets (repos + URLs)
Compliance report (GDPR + RGAA + EAA)
30-min Loom walkthrough by expert
30-min Q&A call post-delivery
AI triage + diff + priority support
per project · one-shot
Need several audits? Buy degressive Essentiel packs (up to −25%). See credit packs
All prices excl. tax. Full refund if a scan fails or the report is empty. Running the scan is free: we bill the subscription (continuous CI tracking) and the client deliverable (one-shot PDF).
Not listed here? Email me: hello@basile.tigerbox.app
Different beast. Snyk and Aikido sell an internal dashboard to in-house teams: per-developer subscription, report stays on your side. Hykaro produces a white-label PDF you hand to your client with your invoice. It's a vendor tool, not an internal-team tool.
Essential tier and up: your logo, signature, color. No Hykaro mention visible to the client. The €19 demo is intentionally Hykaro-branded (qualifying gate).
Scaleway Paris hosting (Postgres + R2-compatible). No data leaves the EU, no US sub-processor in the scan pipeline. DPA available on request.
Unlimited. Webhook, CI/CD, manual: scan as much as you want during your tier window (7 / 30 / 90 days). Server-side anti-abuse: same commit SHA triggered twice returns cached result (0 compute, 0 latency). 30-min cooldown between manual scans of the same target. Hard cap 60 scans/h per organization, you'll never hit it in normal use.
Not in MVP. One-shot tiers are designed for delivery moments (pre-deployment audit, pre-handoff audit), not for continuous pipeline gating. Investing 2h integrating a tool that becomes inactive after your window isn't worth it. For that use case, the Studio monthly tier arrives in phase 3 (RFC-014). In MVP, you use the GitHub webhook for auto-scan on push during your window, useful for sprint iteration, not for continuous deploy gating.
Yes. Included free in all paid tiers (Essential, Standard, Premium). Not in the €19 demo. Toggle the 'accessibility' profile when you scan, and Hykaro generates a quantified RGAA score + WCAG 2.1 AA + EAA checklist + prioritized correction plan, in the same PDF section as security. Particularly useful for FR agencies delivering to clients subject to EAA (effective June 28, 2025).
Yes but opt-in, not default. The 'quality' profile (phpcs, eslint, tsc, depcheck, knip…) is very noisy and would drown out real security findings if enabled by default. You toggle it intentionally when you want a code-quality audit beyond security. All tiers. These findings are capped at 'low' severity so they don't pollute critical/high KPIs.
Several. A project holds multiple targets: a Git repo + a frontend URL + a separate backend repo, for example. Essential tier = up to 3 targets, Standard = 5, Premium = 10. A webhook hitting any target triggers a project-wide scan.
The project goes read-only: you can re-download the PDF (per the tier retention) but no more scans. To extend, buy a tier again. No hidden subscription.
Full refund if the scan fails technically or the report is empty. No "changed my mind" refund once the PDF is downloaded: the deliverable is irreversible. Consistent with a client deliverable.
Next.js, React, Node, TypeScript, PHP, Symfony, Laravel, Python, Go. Auto-detection at clone. If your stack isn't listed, I'll tell you on the demo whether Hykaro is a fit, no surprises.
The Hykaro CLI is open-core, so yes. The SaaS is the managed option (orchestration, PDF, AI triage). On-prem is available on the Enterprise tier (phase 3). Reach out.
AI triage by Claude only receives consolidated findings (CWE, file:line, 5-line max snippet). No secrets, no full code, no client data. And you can disable AI triage with no extra cost.
Run your first audit for €19.
30 minutes. No setup. Credited if you buy a tier afterward.
No internal dashboard. A signed, dated, white-label PDF in your name, ready to attach to your invoice.
01
White-label PDF in your name
Your logo, signature, branding. You hand the PDF to your client, attached to your invoice. No Hykaro mention visible to the client, it's your audit, your brand.
02
22 relevant scanners
Auto stack detection. No generic noise: SAST, secrets, deps, IaC, web, targeted Next / Node / PHP / Python.
03
EU-hosted, GDPR-ready
Scaleway Paris. Your data never leaves the EU. DPA available on request.
04
AI triage by Claude
Standard tier and up. Anthropic Claude flags false positives. You only read the real findings.
05
Audit to PDF, no setup
Connect repo → scan → PDF. No config, no credit card for the €19 demo.
Docker --network=none
/GDPR-ready
/TLS 1.3 · AES-256
/100% EU (Scaleway)
Coding with an AI assistant? We catch what it missed.
Claude Code, Cursor, v0, Lovable, Bolt: all ship 10x faster. None of them read a scan report. Hykaro re-reads for you before you push to prod.
€19 demo on your real project. Full PDF delivered in under 30 minutes.
Hardcoded API keys
OpenAI, Stripe, AWS tokens left in .env.example, fixtures, or tests generated by the assistant.
Hallucinated dependencies
npm packages invented by the LLM, versions that don't exist, abandoned deps with known CVEs.
Unsafe API routes
Unvalidated deserialization, XSS via dangerouslySetInnerHTML, SQL injection from string concat.
Dockerfile root + latest tags
Container running as root, :latest without pinning, secrets in build args. Standard LLM output.
How it works
From repo to PDF, in one afternoon.
Three steps. No setup, no credit card for the demo. You connect, we scan, you deliver.
Step 01
Connect your GitHub repo.
Install the read-only Hykaro GitHub app, pick the repo to audit. No local clone, no config file. Stack auto-detected on the server clone.
GitHub · pick a repoOrg · acme
acme/apimain
acme/webshop
acme/landing-v2main
Permissionsread-only
Step 02
22 scanners running in parallel.
SAST, secrets, deps, IaC, web. Isolated Docker container with --network=none. Anthropic Claude triages false positives. Under 30 min on a standard project.
scan #4711Running
gitleaksok
semgrepok
trivyok
bearerRunning
lighthousequeued
14 / 22 scanners~12 min
Step 03
White-label PDF, ready for the client.
Your logo, signature, colors. Attach the PDF to your invoice, the client never sees Hykaro. 90-day retention minimum, depending on tier.
ACME-AUDIT-2026-05.pdfPDF · 2.4 Mb
Audit report
ACME-AUDIT-2026-05
score
A−
0
critical
2
high
7
medium
Signed byAcme Studio
Built for the stacks you actually sell.
Auto detection. We pick the 22 scanners that matter for your project.
Next.js
React
Node
TypeScript
PHP
Symfony
Laravel
Python
relevant scanners
22
average duration
<30 min
hosting (Scaleway)
100% EU
Comparison
Why Hykaro instead of the enterprise tools?
Snyk, Aikido, Semgrep Pro are continuous dev platforms for in-house teams. Hykaro is the vendor's tool: a signed audit delivered to your client.
Criterion
Hykaro
One-shot · vendor
Snyk
SaaS subscription
Aikido
SaaS subscription
Semgrep Pro
SaaS subscription
Entry price
€19 one-shot
$25/mo/dev
$290/mo
$1000/mo
Model
Per project
Seat subscription
Subscription
Subscription
Client-ready white-label PDF
RGAA + EAA audit included
Setup
30 min
1-2 days
1 day
2-3 days
EU hosting
Scaleway Paris
US
US/EU
US
AI triage
partial
Built for pre-launch freelancers
Hykaro
One-shot · vendor
Entry price
€19 one-shot
Model
Per project
Client-ready white-label PDF
RGAA + EAA audit included
Setup
30 min
EU hosting
Scaleway Paris
AI triage
Built for pre-launch freelancers
Snyk
SaaS subscription
Entry price
$25/mo/dev
Model
Seat subscription
Client-ready white-label PDF
RGAA + EAA audit included
Setup
1-2 days
EU hosting
US
AI triage
Built for pre-launch freelancers
Aikido
SaaS subscription
Entry price
$290/mo
Model
Subscription
Client-ready white-label PDF
RGAA + EAA audit included
Setup
1 day
EU hosting
US/EU
AI triage
partial
Built for pre-launch freelancers
Semgrep Pro
SaaS subscription
Entry price
$1000/mo
Model
Subscription
Client-ready white-label PDF
RGAA + EAA audit included
Setup
2-3 days
EU hosting
US
AI triage
Built for pre-launch freelancers
→ Hykaro = client-deliverable audit. Not a continuous dev platform.