diff --git a/CERTifAI_Investor_OnePager_DE.pdf b/CERTifAI_Investor_OnePager_DE.pdf new file mode 100644 index 0000000..87901ab Binary files /dev/null and b/CERTifAI_Investor_OnePager_DE.pdf differ diff --git a/CERTifAI_Investor_OnePager_EN.pdf b/CERTifAI_Investor_OnePager_EN.pdf new file mode 100644 index 0000000..4755179 Binary files /dev/null and b/CERTifAI_Investor_OnePager_EN.pdf differ diff --git a/compliance-agent/src/llm/fixes.rs b/compliance-agent/src/llm/fixes.rs index 765cf7f..05e66a4 100644 --- a/compliance-agent/src/llm/fixes.rs +++ b/compliance-agent/src/llm/fixes.rs @@ -11,9 +11,18 @@ Rules: - The fix must be a drop-in replacement for the vulnerable code - Preserve the original code's style, indentation, and naming conventions - Add at most one brief inline comment on the changed line explaining the security fix -- If the fix requires importing a new module, include the import statement on a separate line prefixed with "// Add import: " +- If the fix requires importing a new module, include the import on a separate line prefixed with the language's comment syntax + "Add import: " - Do not refactor, rename variables, or "improve" unrelated code -- If the vulnerability is a false positive and the code is actually safe, return the original code unchanged with a comment "// No fix needed: ""#; +- If the vulnerability is a false positive and the code is actually safe, return the original code unchanged with a comment explaining why no fix is needed + +Language-specific fix guidance: +- Rust: use `?` for error propagation, prefer `SecretString` for secrets, use parameterized queries with `sqlx`/`diesel` +- Python: use parameterized queries (never f-strings in SQL), use `secrets` module not `random`, use `subprocess.run([...])` list form, use `markupsafe.escape()` for HTML +- Go: use `sql.Query` with `$1`/`?` placeholders, use `crypto/rand` not `math/rand`, use `html/template` not `text/template`, return errors don't panic +- Java/Kotlin: use `PreparedStatement` with `?` params, use `SecureRandom`, use `Jsoup.clean()` for HTML sanitization, use `@Valid` for input validation +- Ruby: use ActiveRecord parameterized finders, use `SecureRandom`, use `ERB::Util.html_escape`, use `strong_parameters` +- PHP: use PDO prepared statements with `:param` or `?`, use `random_bytes()`/`random_int()`, use `htmlspecialchars()` with `ENT_QUOTES`, use `password_hash(PASSWORD_BCRYPT)` +- C/C++: use `snprintf` not `sprintf`, use bounds-checked APIs, free resources in reverse allocation order, use `memset_s` for secret cleanup"#; pub async fn suggest_fix(llm: &Arc, finding: &Finding) -> Result { let user_prompt = format!( diff --git a/compliance-agent/src/llm/review_prompts.rs b/compliance-agent/src/llm/review_prompts.rs index 10028fd..b0388aa 100644 --- a/compliance-agent/src/llm/review_prompts.rs +++ b/compliance-agent/src/llm/review_prompts.rs @@ -15,9 +15,17 @@ Do NOT report: - Style, naming, formatting, documentation, or code organization preferences - Theoretical issues without a concrete triggering scenario - "Potential" problems that require assumptions not supported by the visible code -- Language-idiomatic patterns (e.g. Rust's `||` short-circuit evaluation, variable shadowing, `impl` patterns) - Complexity or function length — that's a separate review pass +Language-idiomatic patterns that are NOT bugs (do not flag these): +- Rust: `||`/`&&` short-circuit evaluation, variable shadowing, `let` rebinding, `clone()`, `impl` blocks, `match` arms with guards, `?` operator chaining, `unsafe` blocks with safety comments +- Python: duck typing, EAFP pattern (try/except vs check-first), `*args`/`**kwargs`, walrus operator `:=`, truthiness checks on containers, bare `except:` in top-level handlers +- Go: multiple return values for errors, `if err != nil` patterns, goroutine + channel patterns, blank identifier `_`, named returns, `defer` for cleanup, `init()` functions +- Java/Kotlin: checked exception patterns, method overloading, `Optional` vs null checks, Kotlin `?.` safe calls, `!!` non-null assertions in tests, `when` exhaustive matching, companion objects, `lateinit` +- Ruby: monkey patching in libraries, method_missing, blocks/procs/lambdas, `rescue => e` patterns, `send`/`respond_to?` metaprogramming, `nil` checks via `&.` safe navigation +- PHP: loose comparisons with `==` (only flag if `===` was clearly intended), `@` error suppression in legacy code, `isset()`/`empty()` patterns, magic methods (`__get`, `__call`), array functions as callbacks +- C/C++: RAII patterns, move semantics, `const_cast`/`static_cast` in appropriate contexts, macro usage for platform compat, pointer arithmetic in low-level code, `goto` for cleanup in C + Severity guide: - high: Will cause incorrect behavior in normal usage - medium: Will cause incorrect behavior in edge cases @@ -47,9 +55,18 @@ Do NOT report: - Logging of non-sensitive operational data (finding titles, counts, performance metrics) - "Information disclosure" for data that is already public or user-facing - Code style, performance, or general quality issues -- Missing validation on internal function parameters (trust the caller within the same crate) +- Missing validation on internal function parameters (trust the caller within the same module/crate/package) - Theoretical attacks that require preconditions not present in the code +Language-specific patterns that are NOT vulnerabilities (do not flag these): +- Python: `pickle` used on trusted internal data, `eval()`/`exec()` on hardcoded strings, `subprocess` with hardcoded commands, Django `mark_safe()` on static content, `assert` in non-security contexts +- Go: `crypto/rand` is secure (don't confuse with `math/rand`), `sql.DB` with parameterized queries is safe, `http.ListenAndServe` without TLS in dev/internal, error strings in responses (Go convention) +- Java/Kotlin: Spring Security annotations are sufficient auth checks, `@Transactional` provides atomicity, JPA parameterized queries are safe, Kotlin `require()`/`check()` are assertion patterns not vulnerabilities +- Ruby: Rails `params.permit()` is input validation, `render html:` with `html_safe` on generated content, ActiveRecord parameterized finders are safe, Devise/Warden patterns for auth +- PHP: PDO prepared statements are safe, Laravel Eloquent is parameterized, `htmlspecialchars()` is XSS mitigation, Symfony security voters are auth checks, `password_hash()`/`password_verify()` are correct bcrypt usage +- C/C++: `strncpy`/`snprintf` are bounds-checked (vs `strcpy`/`sprintf`), smart pointers manage memory, RAII handles cleanup, `static_assert` is compile-time only, OpenSSL with proper context setup +- Rust: `sha2`/`blake3` for fingerprinting is not "weak crypto", `unsafe` with documented invariants, `secrecy::SecretString` properly handles secrets + Severity guide: - critical: Remote code execution, auth bypass, or data breach with no preconditions - high: Exploitable vulnerability requiring minimal preconditions @@ -73,9 +90,17 @@ Do NOT report: - Style preferences, formatting, naming conventions, or documentation - Code organization suggestions ("this function should be split") - Patterns that are valid in the language even if you'd write them differently -- Rust-specific: variable shadowing, `||`/`&&` short-circuit, `let` rebinding, builder patterns, `clone()` usage - "Missing type annotations" unless the code literally won't compile or causes a type inference bug +Language-specific patterns that are conventional (do not flag these): +- Rust: variable shadowing, `||`/`&&` short-circuit, `let` rebinding, builder patterns, `clone()`, `From`/`Into` impl chains, `#[allow(...)]` attributes +- Python: `**kwargs` forwarding, `@property` setters, `__dunder__` methods, list comprehensions with conditions, `if TYPE_CHECKING` imports, `noqa` comments +- Go: stuttering names (`http.HTTPClient`) discouraged but not a bug, `context.Context` as first param, init() functions, `//nolint` directives, returning concrete types vs interfaces in internal code +- Java/Kotlin: builder pattern boilerplate, Lombok annotations (`@Data`, `@Builder`), Kotlin data classes, `companion object` factories, `@Suppress` annotations, checked exception wrapping +- Ruby: `attr_accessor` usage, `Enumerable` mixin patterns, `module_function`, `class << self` syntax, DSL blocks (Rake, RSpec, Sinatra routes) +- PHP: `__construct` with property promotion, Laravel facades, static factory methods, nullable types with `?`, attribute syntax `#[...]` +- C/C++: header guards vs `#pragma once`, forward declarations, `const` correctness patterns, template specialization, `auto` type deduction + Severity guide: - medium: Convention violation that will likely cause a bug or maintenance problem - low: Convention violation that is a minor concern diff --git a/compliance-agent/src/llm/triage.rs b/compliance-agent/src/llm/triage.rs index 09566cf..5970f6f 100644 --- a/compliance-agent/src/llm/triage.rs +++ b/compliance-agent/src/llm/triage.rs @@ -17,13 +17,23 @@ Actions: - "dismiss": False positive, not exploitable, or not actionable. Remove it. Dismiss when: -- The scanner flagged a language idiom as a bug (e.g. Rust short-circuit `||`, variable shadowing, `clone()`) +- The scanner flagged a language idiom as a bug (see examples below) - The finding is in test/example/generated/vendored code - The "vulnerability" requires preconditions that don't exist in the code - The finding is about code style, complexity, or theoretical concerns rather than actual bugs - A hash function is used for non-security purposes (dedup, caching, content addressing) - Internal logging of non-sensitive operational data is flagged as "information disclosure" - The finding duplicates another finding already in the list +- Framework-provided security is already in place (e.g. ORM parameterized queries, CSRF middleware, auth decorators) + +Common false positive patterns by language (dismiss these): +- Rust: short-circuit `||`/`&&`, variable shadowing, `clone()`, `unsafe` with safety docs, `sha2` for fingerprinting +- Python: EAFP try/except, `subprocess` with hardcoded args, `pickle` on trusted data, Django `mark_safe` on static content +- Go: `if err != nil` is not "swallowed error", `crypto/rand` is secure, returning errors is not "information disclosure" +- Java/Kotlin: Spring Security annotations are valid auth, JPA parameterized queries are safe, Kotlin `!!` in tests is fine +- Ruby: Rails `params.permit` is validation, ActiveRecord finders are parameterized, `html_safe` on generated content +- PHP: PDO prepared statements are safe, Laravel Eloquent is parameterized, `htmlspecialchars` is XSS mitigation +- C/C++: `strncpy`/`snprintf` are bounds-checked, smart pointers manage memory, RAII handles cleanup Confirm only when: - You can describe a concrete scenario where the bug manifests or the vulnerability is exploitable diff --git a/onepager_de.html b/onepager_de.html new file mode 100644 index 0000000..9635557 --- /dev/null +++ b/onepager_de.html @@ -0,0 +1,419 @@ + + + + + +CERTifAI — Investor One-Pager + + + + +
+
+ +
+
+

CERTifAI

+
KI-native Sicherheits- & Compliance-Plattform
+
+
+ Vertraulich — Nur für Investoren
+ März 2026 +
+
+ +
+

+ CERTifAI ist eine DSGVO-konforme, datensouveräne KI-Plattform, die autonomes + Sicherheitsscanning mit intelligenter Compliance-Automatisierung vereint. Wir helfen Unternehmen, + ihren Code abzusichern, Compliance skalierbar durchzusetzen und + volle Datensouveränität zu bewahren — gestützt auf über 200 atomare Sicherheitskontrollen, + KI-gesteuerte Triage und einen lückenlosen Audit-Trail für jeden Befund. +

+
+ +
+
+

Compliance Scanner

+
Autonomer KI-Sicherheitsagent
+
    +
  • 200+ atomare Kontrollen — Feingranulare Sicherheitsprüfungen mit vollständiger Herkunftsverfolgung
    • +
  • SAST + DAST + SBOM — Vollumfängliche Sicherheitstests mit Schwachstellenverfolgung
    • +
  • KI-gesteuerte Pentests — Autonome, LLM-orchestrierte Penetrationstests mit verschlüsselten Berichten
    • +
  • Automatische PR-Reviews — Sicherheitsbewusste Code-Review-Kommentare bei jedem Pull Request
    • +
  • Audit-Trail — Unveränderliche Befund-Nachverfolgung von Erkennung bis Behebung
    • +
  • LLM-basierte Triage — Intelligente False-Positive-Filterung mit Konfidenz-Scoring
    • +
  • Code-Wissensgraph — Architekturvisualisierung mit Auswirkungs- & Datenflussanalyse
    • +
  • Multi-Tracker-Sync — Automatische Issues in GitHub, GitLab, Jira, Gitea
    • +
  • MCP-Server — Live-Sicherheitsdaten in Claude, Cursor & anderen KI-Tools
    • +
+
+ +
+

CERTifAI Plattform

+
Souveräne GenAI-Infrastruktur
+
    +
  • Multi-Provider LLM-Verwaltung — Einheitliche Schnittstelle für LiteLLM, OpenAI, HuggingFace, Anthropic
    • +
  • KI-Agenten-Orchestrierung — LangGraph-Integration mit Live-Monitoring & Agenten-Registry
    • +
  • Enterprise SSO — Keycloak-basiertes OAuth2/PKCE, LDAP, Multi-Realm-Authentifizierung
    • +
  • Nutzungs- & Abrechnungsanalyse — Token-Tracking, modellbasierte Aufschlüsselung
    • +
  • News-Intelligence — KI-gestützte Nachrichtenzusammenfassung, Trendanalyse, Follow-up-Chat
    • +
  • Entwickler-Toolchain — LangFlow, Langfuse, LangChain sofort einsatzbereit
    • +
  • RBAC & Feature Flags — Rollenbasierter Zugriff mit kontrolliertem GenAI-Rollout pro Org
    • +
  • Mehrsprachigkeit — Vollständige i18n-Unterstützung (DE, FR, ES, PT)
    • +
  • RAG-basierter Chat — Natürlichsprachliche Q&A auf Basis Ihrer Codebasis
    • +
+
+
+ +
+
+
15 Mrd.+
+
AppSec TAM bis 2027
+
+
+
200+
+
Atomare Sicherheits-
kontrollen
+
+
+
80%
+
Zeitersparnis bei
Compliance-Prüfungen
+
+
+
10x
+
Günstiger als
manuelle Pentests
+
+
+
100%
+
Datensouveränität
garantiert
+
+
+ +
+
Warum CERTifAI gewinnt
+
+
+
KI-native Sicherheit
+
LLM-gesteuerte Pentests & Triage ersetzen manuelle Audits (5.000–50.000 €). Kein Wettbewerber bietet autonome KI-Pentests.
+
+
+
Volle Provenienz
+
Jeder Befund rückverfolgbar zu Kontrolle, Regel und Quelle. Lückenloser Audit-Trail von Erkennung bis Behebung.
+
+
+
Datensouveränität
+
Keine Daten verlassen Ihre Infrastruktur. DSGVO-konform durch Architektur. EU-Hosting-Optionen verfügbar.
+
+
+
Shift-Left PR-Reviews
+
Sicherheitsbefunde erscheinen als PR-Kommentare vor dem Merge. Entwickler beheben Probleme direkt am Code.
+
+
+
Entwickelt in Rust
+
Speichersicherer, hochperformanter Stack. Fullstack-WASM + SSR mit Dioxus. Enterprise-taugliche Zuverlässigkeit.
+
+
+
Einheitliche Steuerung
+
Sicherheit + KI-Infrastruktur in einem Dashboard. Wettbewerber benötigen 5+ separate Tools.
+
+
+
+ +
+
Roadmap — In Kürze verfügbar
+
+
+
SOC2 & ISO 27001
+
Vorgefertigte Kontroll-Mappings für Zertifizierungsreife
+
+
+
Policy-as-Code
+
Eigene Compliance-Regeln via deklarative YAML-Policies
+
+
+
CI/CD-Gates
+
Deployments bei kritischen Befunden blockieren
+
+
+
Executive Reports
+
Auto-generierte Compliance-Berichte für die Geschäftsführung
+
+
+
+ +
+
+
Geschäftsmodell
+
    +
  • SaaS Cloud — Verwaltete Multi-Tenant-Plattform für KMUs
    • +
  • Enterprise-Lizenz — Dedizierte Bereitstellung mit Support & Integrationen
    • +
  • Professional Services — Individuelle Regeln, Pentest-Berichte, Compliance-Audits
    • +
  • API-Stufen — Kostenlose Community-Stufe, kostenpflichtiger Enterprise-Zugang
    • +
+
+
+
Zielmärkte
+
    +
  • Regulierte Branchen — Finanzen, Gesundheitswesen, Behörden (DSGVO, HIPAA, SOC2)
    • +
  • Enterprise DevSecOps — Shift-Left-Security für Entwicklungsteams
    • +
  • EU-Datensouveränität — Unternehmen mit souveräner KI-Infrastruktur
    • +
  • Sicherheitsberatungen — Automatisierte Pentests & Berichtserstellung
    • +
+
+
+ +
+ +
+
Vertraulich — Nicht zur Weitergabe bestimmt
+
CERTifAI — März 2026
+
+ + + diff --git a/onepager_en.html b/onepager_en.html new file mode 100644 index 0000000..77f13c8 --- /dev/null +++ b/onepager_en.html @@ -0,0 +1,421 @@ + + + + + +CERTifAI — Investor One-Pager + + + + +
+
+ +
+
+

CERTifAI

+
AI-Native Security & Compliance Platform
+
+
+ Confidential — For Investor Review
+ March 2026 +
+
+ +
+

+ CERTifAI is a GDPR-compliant, data-sovereign AI platform combining autonomous security scanning + with intelligent compliance automation. We help enterprises secure their code, + enforce compliance at scale, and maintain full data sovereignty — powered by + 200+ atomic security controls, AI-driven triage, and a complete audit trail for every finding. +

+
+ +
+
+

Compliance Scanner

+
Autonomous AI Security Agent
+
    +
  • 200+ Atomic Controls — Fine-grained security checks with full provenance tracking per finding
    • +
  • SAST + DAST + SBOM — Full-spectrum security testing with dependency vulnerability tracking
    • +
  • AI-Driven Pentesting — Autonomous LLM-orchestrated penetration testing with encrypted reports
    • +
  • Automated PR Reviews — Security-aware code review comments on every pull request
    • +
  • Audit Trail — Immutable finding lifecycle tracking from detection to remediation
    • +
  • LLM-Powered Triage — Intelligent false-positive filtering with confidence scoring
    • +
  • Code Knowledge Graph — Architecture visualization with impact & data-flow analysis
    • +
  • Multi-Tracker Sync — Auto-creates issues in GitHub, GitLab, Jira, Gitea
    • +
  • MCP Server — Live security data in Claude, Cursor & other AI dev tools
    • +
+
+ +
+

CERTifAI Platform

+
Sovereign GenAI Infrastructure
+
    +
  • Multi-Provider LLM Management — Unified interface for LiteLLM, OpenAI, HuggingFace, Anthropic
    • +
  • AI Agent Orchestration — LangGraph integration with live monitoring & agent registry
    • +
  • Enterprise SSO — Keycloak-based OAuth2/PKCE, LDAP, multi-realm authentication
    • +
  • Usage & Billing Analytics — Token tracking, per-model breakdown, seat management
    • +
  • News Intelligence — AI-powered news summarization, trend analysis, follow-up chat
    • +
  • Developer Toolchain — LangFlow, Langfuse, LangChain integrations out of the box
    • +
  • RBAC & Feature Flags — Role-based access with controlled GenAI rollout per org
    • +
  • Full i18n — Multi-language support (DE, FR, ES, PT) for global teams
    • +
  • RAG-Powered Chat — Natural language Q&A grounded in your codebase
    • +
+
+
+ +
+
+
$15B+
+
AppSec TAM by 2027
+
+
+
200+
+
Atomic Security
Controls
+
+
+
80%
+
Compliance Review
Time Saved
+
+
+
10x
+
Cheaper than
Manual Pentests
+
+
+
100%
+
Data Sovereignty
Guaranteed
+
+
+ +
+
Why CERTifAI Wins
+
+
+
AI-Native Security
+
LLM-driven pentesting & triage replace $5K–$50K manual engagements. No competitor offers autonomous AI pentests.
+
+
+
Full Provenance
+
Every finding traces back to its control, rule, and source. Complete audit trail from detection through remediation.
+
+
+
Data Sovereignty
+
Zero data leaves your infrastructure. GDPR-compliant by architecture. EU-hosted deployment options.
+
+
+
Shift-Left PR Reviews
+
Security findings surface as PR comments before code merges. Developers fix issues at the source, not in production.
+
+
+
Built in Rust
+
Memory-safe, high-performance stack. Fullstack WASM + SSR with Dioxus. Enterprise-grade reliability.
+
+
+
Unified Control Plane
+
Security + AI infrastructure in one dashboard. Competitors require 5+ separate tools to match.
+
+
+
+ +
+
Roadmap — Coming Soon
+
+
+
SOC2 & ISO 27001
+
Pre-built control mappings for certification readiness
+
+
+
Policy-as-Code
+
Custom compliance rules via declarative YAML policies
+
+
+
CI/CD Gates
+
Block deploys on critical findings with pipeline integration
+
+
+
Executive Reports
+
Auto-generated compliance posture reports for leadership
+
+
+
+ +
+
+
Business Model
+
    +
  • SaaS Cloud — Managed multi-tenant platform for SMBs
    • +
  • Enterprise License — Dedicated deployment with support & custom integrations
    • +
  • Professional Services — Custom rules, pentest reports, compliance audits
    • +
  • API Tiers — Free community tier, paid enterprise API access
    • +
+
+
+
Target Markets
+
    +
  • Regulated Industries — Finance, healthcare, government (GDPR, HIPAA, SOC2)
    • +
  • Enterprise DevSecOps — Shift-left security for engineering teams
    • +
  • EU Data Sovereignty — Companies requiring sovereign AI infrastructure
    • +
  • Security Consultancies — Automated pentesting & report generation
    • +
+
+
+ +
+ +
+
Confidential — Do Not Distribute
+
CERTifAI — March 2026
+
+ + + diff --git a/onepager_en_preview.png b/onepager_en_preview.png new file mode 100644 index 0000000..8f3c29e Binary files /dev/null and b/onepager_en_preview.png differ