Trojan

Agentic security testing for vibe-coded apps — before you ship.

Comment

About Trojan

What Inspired Us

The reality of modern development: vibe-coding → ship fast → security skipped. We've all been there: pushing code to production without a second thought about vulnerabilities. The statistics are sobering:

  • 84% of survey respondents are using or planning to use AI tools in their development process, an increase over last year (76%) (Stack Overflow).
  • 24-31% annual growth for vibe coding market through 2028.
  • 60% of hackathon projects deploy without security review.
  • 80% of small teams lack dedicated security resources.
  • $4.45M average cost of a data breach (IBM, 2023).

We built Trojan to catch critical vulnerabilities before they reach production—without slowing down your development velocity.

The Problem

Traditional security tools are:

  • Too noisy: Hundreds of false positives bury real issues.
  • Too slow: Hours or days for results.
  • Too complex: Require security expertise to configure.
  • Not actionable: Tell you what's wrong, not how to fix it.

Developers need something that:

  • Works in minutes, not hours.
  • Focuses on actionable findings.
  • Integrates into their existing workflow.
  • Provides fixes, not just warnings.

Our Solution

Trojan is a multi-agent security scanner that combines the power of AI agents with deterministic testing to find and fix vulnerabilities in real-time.

How It Works:

  1. AI Agent Triage — Analyzes repository structure and identifies security-sensitive files
  2. Specialist Agents — Four parallel AI agents analyze code:
    • 🔐 Authentication Specialist (weak passwords, session management)
    • 💉 Injection Specialist (SQL, Command, Code injection)
    • 👁️ Sensitive Data Specialist (hardcoded secrets, PII exposure)
    • 🔒 Cryptographic Specialist (weak algorithms, improper encryption)
  3. Fix Workflow — Automatically generates fixes and creates GitHub pull requests

How We Built It

Tech Stack:

  • Frontend: Next.js 16, React 19, TypeScript, Tailwind CSS
  • Backend: Next.js API Routes with Server-Sent Events (SSE) for real-time streaming
  • Orchestrating AI Agents: LangGraph (Python) with OpenAI GPT-4o-mini
  • Database: Supabase for Github OAuth

Architecture Highlights:

  1. Streaming Architecture: Server-Sent Events stream vulnerabilities as they're found, giving users immediate feedback
  2. Parallel Processing: Multiple specialist agents analyze files simultaneously using Python threading
  3. Batch Processing: Files processed in configurable batches (default: 30) to optimize LLM token usage
  4. Modular Agent System: Each specialist is a separate module, making it easy to add new vulnerability types

Key Features:

  • ⚡ Real-time vulnerability detection with live code visualization
  • 🎯 Industry-standard checks (OWASP Top 10, CWE mappings)
  • 🔧 Automatic fix generation with GitHub PR creation
  • 🎨 Beautiful, minimalistic, intuitive UI with smooth animations

Challenges We Faced

  1. Frontend-Backend Synchronization

    • Challenge: Keeping visualization in sync with backend analysis
    • Solution: Implemented SSE streaming with event queuing to ensure animations complete before switching files

  2. LLM Token Limits & Costs

    • Challenge: Processing large repositories without exceed

Accomplishments that we're proud of

  • Having a fully functioning MVP
  • Getting more than 5 hours of sleep

What we learned

  • Agentic orchestration with LangGraph
  • Better cybersecurity practices
  • MCP

What's next for Trojan

  • Black box testing
  • Further refine the agentic scanning process (limited to one agent builder at the moment)
  • Project history saved
  • Fix more than 1 vulnerability in 1 PR
  • Deploy

Built With

Share this project:

Updates