How it works

Threat model first, then read the code

Assay's edge is ordering: it builds a threat model before it reads a line of source, so the investigation is hypothesis-driven instead of pattern-matching. Every finding is backed by a verbatim quote, and a post-validator drops anything the model can't prove.

The 5-stage methodology

  1. Triage — map the artifact: entry points, declared permissions, files worth reading.
  2. Claim extraction — what does it claim to do?
  3. Threat model — given the claims, where could it go wrong? (done before reading source code)
  4. Investigation — read code, gather evidence for each threat, one sub-agent per threat.
  5. Synthesis — a safe / caution / unsafe verdict + audit.md with verbatim file:line citations.
Cite or drop. The post-validator physically re-reads every cited file after synthesis; if a quoted snippet isn't there, the evidence is dropped, and a finding with no surviving evidence is dropped entirely. Confabulated findings — the model "remembering" code that isn't in the artifact — are the failure mode this exists to kill.

Two scan modes, one verdict format

Assay scan architecture — MCP mode spawns claude -p and calls assay_* tools; legacy mode runs the Go orchestrator with the Anthropic SDK; both converge through verdict validation to produce audit.json + audit.md.

Both produce the same audit.json + audit.md on disk. assay serve --scan-mode fake replays recorded fixtures for demos and offline development — no LLM call.

Threat coverage

Assay reasons about threat classes specific to the AI dev stack, not generic CVEs. Highlights:

The full catalog lives in docs/threat-model-2026.md and the design in ARCHITECTURE.md.

Out of scope in v0

← QuickstartFAQ →