How Securie works

Frontier-LLM finder + your test suite + signed provenance.

Keep business-critical code safe to ship: security, dependencies, tests, reliability, maintenance debt, release gates, and signed evidence.

01

Static-rules pre-filter

We start with deterministic checks — regex + SQL AST + OSV.dev CVE matches against your manifest. Cheap, zero inference cost, ~80% coverage on the high-signal classes. Findings here surface immediately; nothing downstream looks at them.

02

Frontier-LLM finder reads source + diff

Claude Opus 4.7 reads your PR — diff plus the full source of the files it touches — and emits per-finding rationale + proposed fix across all 8 maintenance axes. Bench-validated at 1.00 recall on OWASP Juice Shop (20 documented vulns) and 0.93-0.987 precision at 15-100 file scale on safe-presumed source trees. Nine retained per-class specialists emit supplementary cues consumed as context.

03

Fix-verification runs your existing test suite

For every proposed fix, we apply the patch to a checked-out sandbox copy, detect your test runner (cargo / npm / pytest / go / mvn / dotnet / etc.) via the project manifest, and run your own tests. PASS = fix verified; FAIL = fix rejected; NO_TESTS = the surface honestly renders 'verification unavailable — accept at your discretion'. We never invent a synthetic oracle.

04

Slimmed DSSE provenance attestation

Every Suggested Change ships under a slimmed DSSE envelope: { finder_run_id, model_id, prompt_hash, source_sha, finding_sha, fix_sha, fix_verification_result }. Signed by Securie's attestation key, optionally published to Sigstore Rekor. You can re-verify offline with standard cosign tooling without calling Securie.
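What "re-verify offline" means in practice, as an added example that is not Securie's code: build the envelope above, sign it, and check it against a trusted public key using only the DSSE Pre-Authentication Encoding. The payload media type, the key id and the local ed25519 key pair are assumptions; the seven payload fields are the ones listed above.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"strconv"
)

// Provenance is the envelope payload; its keys are the seven fields the page lists.
type Provenance map[string]string
// PayloadType is an assumed media type; Securie's real value is not on the page.
const PayloadType = "application/vnd.example.securie-provenance+json"
// Signature and Envelope follow the standard DSSE envelope shape cosign reads.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the JSON payload
	Signatures  []Signature `json:"signatures"`
}
// pae is the DSSE Pre-Authentication Encoding (the bytes actually signed); it
// binds payloadType to payload so neither can be swapped after signing.
func pae(typ string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(typ)) + " " + typ +
		" " + strconv.Itoa(len(payload)) + " " + string(payload))
}
// Sign wraps p in an envelope signed with priv (a local test key, not Securie's).
func Sign(p Provenance, keyID string, priv ed25519.PrivateKey) Envelope {
	body, _ := json.Marshal(p) // map[string]string marshals with sorted keys
	sig := ed25519.Sign(priv, pae(PayloadType, body))
	return Envelope{PayloadType, base64.StdEncoding.EncodeToString(body),
		[]Signature{{keyID, base64.StdEncoding.EncodeToString(sig)}}}
}
// Verify checks env offline against a trusted public key (no call to Securie)
// and returns the decoded payload, or false if no signature verifies.
func Verify(env Envelope, pub ed25519.PublicKey) (Provenance, bool) {
	var p Provenance
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || json.Unmarshal(body, &p) != nil {
		return nil, false
	}
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, pae(env.PayloadType, body), sig) {
			return p, true
		}
	}
	return nil, false
}
```

Because the PAE covers both the type and the payload, flipping fix_verification_result from FAIL to PASS, or relabelling the payload type, invalidates the signature even though the envelope still parses.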

05

Business+ on-demand replay (only when you ask)

Disputed finding? Business+ unlocks a PR-comment 'Run replay' button. We spin up a Firecracker microVM, reproduce the bug deterministically, attach a signed recording. Throttled per tenant; not the default proof gate — most fixes ship under stage 04 without ever needing this.

Honest about what this is and isn't

When the finder is wrong

Opus precision is 0.93-0.987 at scale — not 100%. The four false positives in our 0.98-precision sweep were qualitatively reviewable as real findings, not hallucinations, but the gate is set conservatively: a precision floor of 0.90 over a rolling 30-day window inverts the decision and restores the closed-world envelope.

When your test suite is the bottleneck

If your project has no test runner, fix-verification surfaces 'verification unavailable' honestly. The fix still ships if you choose to accept it — but Securie won't claim it's verified when it isn't.

What we don't ship

Not an Opus-wrapper (the customer's test suite is the trusted oracle). Not an autonomous pentest / red-team-as-a-service. Not a GRC / compliance-automation tool. Not a SIEM + LLM chat replacement.
