
AI Assistant

The HZSec AI assistant is pre-loaded with your scan findings and a library of real-world breach intelligence. Ask it anything about your results — without your source code ever leaving your machine.

How it works

When you send a message, HZSec builds a context payload from your scan findings and sends it to the Anthropic API. The context contains structured metadata about each finding — severity, type, CWE reference, compliance framework tags, and a line-number hint. It does not contain source code, file paths, variable names, or any content from your files.

This means the assistant can answer what is wrong, why, and how to fix it, but it cannot quote your code back to you, which is intentional.

What the assistant can see
  • Finding type (e.g., SECRET_EXPOSED, VULN_SQLI)
  • Severity level and CVSS score (for CVEs)
  • Detector category and CWE/CVE reference
  • Compliance framework tags (OWASP, CIS, SOC 2)
  • File type hint (e.g., "Python file") and approximate line number
  • Breach intelligence context (matched breaches from the library)
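
One way to build a metadata-only payload like the one described above, using a field allowlist plus a check that no path, snippet or variable name survives. This is an added example, not HZSec's own code; the field names, the raw finding layout and the line bucketing are assumptions.

```python
# Added illustration. Field names, the raw finding layout and the line
# bucketing are assumptions, not HZSec's actual schema.
import os

# Allowlist: only metadata the page lists as visible to the assistant.
ALLOWED_FIELDS = ("type", "severity", "cvss", "category", "reference",
                  "frameworks", "file_type", "approx_line")
FILE_TYPES = {".py": "Python file", ".js": "JavaScript file"}

# Constructed raw finding, as a local scanner might hold it before redaction.
SAMPLE_FINDING = {
    "type": "SECRET_EXPOSED", "severity": "CRITICAL", "cvss": None,
    "category": "secrets", "reference": "CWE-798",
    "frameworks": ["OWASP", "SOC 2"],
    "path": "/home/dev/app/billing/settings.py", "line": 47,
    "snippet": 'AWS_SECRET = "constructed-example-value"',
    "variable": "AWS_SECRET",
}

def to_context(finding, line_bucket=10):
    """Reduce a raw finding to metadata only; unknown keys are dropped."""
    derived = dict(finding)
    ext = os.path.splitext(finding.get("path", ""))[1].lower()
    derived["file_type"] = FILE_TYPES.get(ext, "unknown file type")
    # Coarsen the exact line into a hint (47 -> 40 with the default bucket).
    derived["approx_line"] = finding["line"] // line_bucket * line_bucket
    return {k: derived[k] for k in ALLOWED_FIELDS if derived.get(k) is not None}

def leaked_values(payload, finding):
    """Return sensitive strings from the raw finding found in the payload."""
    blob = " ".join(str(v) for v in payload.values())
    path = finding.get("path", "")
    sensitive = [path, os.path.basename(path),
                 finding.get("snippet"), finding.get("variable")]
    return [s for s in sensitive if s and s in blob]

if __name__ == "__main__":
    ctx = to_context(SAMPLE_FINDING)
    print(ctx)
    print("leaks:", leaked_values(ctx, SAMPLE_FINDING))
```

Because the function copies only allowlisted keys, a field added to the scanner's findings later stays out of the payload until someone adds it to the list deliberately.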

Breach intelligence

10 documented real-world breaches are embedded as permanent assistant context. When a finding pattern matches a breach — for example, a hardcoded credential matches the Uber 2022 pattern — the assistant references the specific incident and the timeline from exposure to exploit.

| Incident | Root cause | Impact |
|---|---|---|
| Uber (2022) | Hardcoded credentials in source code | Full internal system access |
| Equifax (2017) | Unpatched Apache Struts CVE-2017-5638 | 147M records exfiltrated |
| Verkada (2021) | Exposed admin credentials in public JS | 150000 cameras compromised |
| Log4Shell (2021) | JNDI injection in log4j (CVE-2021-44228) | RCE on millions of servers |
| Capital One (2019) | Misconfigured WAF + SSRF | 106M records exposed |
| Toyota (2023) | GitHub repo with hardcoded API key | 2M customer records exposed |
| CircleCI (2022) | Secrets in memory scraped from CI runner | Customer tokens compromised |
| Twitch (2021) | Misconfigured server + .git exposed | 125GB source code leaked |
| Okta (2022) | Session token from third-party contractor | 366 customers affected |
| Codecov (2021) | Supply chain: bash uploader modified | CI secrets harvested en masse |

When your scan matches a breach pattern, the assistant surfaces it automatically. You don't need to prompt for it.

API key setup

Free tier — bring your own key

The free tier requires an Anthropic API key. Get one from console.anthropic.com. In HZSec, go to Settings → AI Assistant → API Key, paste your key, and click Save.

The key is encrypted with AES-256-GCM before being written to disk and is never sent to HZSec. See Architecture for the full encryption details.

Pro tier — managed key

Pro subscribers get 1,000 assistant messages per month included — no API key setup required. The managed key is provisioned server-side and never stored on your device. If you exceed 1,000 messages, you can add your own key to continue without limits.

# Free tier — use your own key
hzsec config set anthropic-key sk-ant-...

# Check remaining managed messages (Pro)
hzsec config get assistant-quota
# Remaining: 847 / 1000 this month

What to ask

The assistant is not limited to your current findings. You can ask general security questions, review a code snippet you paste in, or explore a CVE in depth.

  • "Walk me through every CRITICAL finding and tell me which one to fix first." (Prioritization across findings)
  • "The exposed AWS key — how quickly could it be exploited if it was committed to a public repo?" (Breach timeline context)
  • "What's the difference between the SQL injection in finding #3 and a parameterized query?" (Remediation explanation)
  • "Which of my open findings map to OWASP A01?" (Compliance-aware triage)
  • "Show me what this app looks like from an attacker's perspective given these findings." (Threat modeling)
  • "I patched the lodash CVE — is there anything else in the dependency chain I should check?" (Dependency chain analysis)

Offline behavior

Scanning and Live Monitor work fully offline — they never need a network connection. The AI assistant requires a live connection to the Anthropic API. If you're offline, the assistant shows a “No connection” state but all findings, scores, and audit log entries remain accessible locally.