paste a repo. get proof.


Start free. See the price.

Four ways to start: scan a repo free, order a one-off managed scan, run continuous CI, or deploy on-prem. Public prices, no "request a demo" wall. For continuous plans we meter exactly one thing, LLM tokens. Scan minutes come from your existing GitHub Actions quota, because the scanner runs inside your own Actions runner; your repository never leaves GitHub, and the only outbound traffic is the LLM calls routed through proxy.sekura.ai.

continuous · cli & ci

Every PR, every push

Free

Public repos, SAST + crypto.

$0/month

Start free
  • Public repos only
  • SAST + crypto-agility scans
  • 2M LLM tokens / month
  • 200k LLM tokens / scan cap
  • PR review comments + SARIF
  • 7-day retention
  • Best-effort support

Enterprise

DAST, compliance, self-hosted runners.

Contact sales

Talk to sales
  • Everything in Pro
  • DAST + exploit chain
  • Self-hosted runner support
  • Compliance frameworks (PCI, SOC 2, HIPAA)
  • Executive PDF reports
  • Unlimited retention
  • Usage-based billing on LLM tokens
  • 99.9% SLA + custom support

one-off · pay per scan

Managed scans

No subscription. We run the scan and deliver a full report — every finding with a proof-of-exploit. From $199.

$199

AI skill / MCP scan

security scan of an AI agent skill or MCP server: prompt injection, tool poisoning, supply-chain risk, excessive agency, and malicious code — with an install recommendation.

order this scan →

$299

SAST — source code analysis

static analysis of your repository: 9 engines + AI triage, exploit-aware findings, fix suggestions.

order this scan →

$499

DAST — live application test

dynamic testing of your running application: recon, vulnerability analysis, safe exploitation evidence.

order this scan →

$699

SAST + DAST

both: code-informed dynamic testing — findings correlated between source and live behavior.

order this scan →

Common questions

Do you see my source code?
No. The scanner runs entirely in your GitHub Actions runner. We see prompts and responses to the LLM (briefly, through proxy.sekura.ai) but never your repo contents.
What counts as an LLM token?
Standard Anthropic / OpenAI input + output tokens. The proxy returns the exact count on every response so you can see usage in the dashboard live.
Can I run on a self-hosted runner?
Yes — Pro and Enterprise. Useful for scanning private targets that public GitHub runners can't reach (internal staging, VPN-only deployments).
What about my existing CI?
One workflow file is added to your repo on install. Edit it freely; running `npx sekura ci-setup` again will not overwrite your changes.
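A practitioner reviewing that workflow file will mainly care about what the job's `GITHUB_TOKEN` is allowed to do and where the job runs. The fragment below is an added illustration, not the workflow sekura generates: the `permissions` scopes, `runs-on` labels, `actions/checkout`, `actions/setup-node` and `github/codeql-action/upload-sarif` are real GitHub Actions features, while the `npx sekura scan` command, its `--sarif` flag and the `SEKURA_API_KEY` secret name are assumptions made for the example.

```yaml
name: sekura

on:
  pull_request:
  push:
    branches: [main]

# Least privilege for the job token: read the code, post PR review
# comments, upload SARIF to code scanning. Nothing else is granted.
permissions:
  contents: read
  pull-requests: write
  security-events: write

jobs:
  scan:
    # Use `ubuntu-latest` on GitHub-hosted runners. A self-hosted label
    # (Pro/Enterprise) lets the scan reach VPN-only or internal targets.
    runs-on: [self-hosted, linux]
    steps:
      # Pin third-party actions to a commit SHA in production, not a tag.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # keep the token out of .git/config
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # Hypothetical invocation: command, flag and secret name are assumed.
      - run: npx sekura scan --sarif results.sarif
        env:
          SEKURA_API_KEY: ${{ secrets.SEKURA_API_KEY }}
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Two checks worth keeping when you edit the generated file: if you tighten `permissions`, PR comments need `pull-requests: write` and the SARIF upload needs `security-events: write`, so removing either silently drops that output; and on a self-hosted runner, restrict outbound network access to the LLM proxy and the targets you intend to scan so the "code never leaves GitHub" property holds on your infrastructure as well.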