Everything you need to know about HZSec — how it works, what it stores, and what each plan includes.
HZSec is a local-first desktop security platform for developers. It scans your code for vulnerabilities, monitors files in real time, and gives you an AI assistant pre-loaded with your findings — without uploading a single line of code to the cloud.
HZSec is available for macOS (Apple Silicon, signed and notarized) and Windows 10/11 (standard installer, code-signed). A Linux build is on the roadmap.
Not currently open source. HZSec is a proprietary product with a free tier that requires no credit card. The local-first architecture means your code never leaves your machine regardless of license tier.
Download the desktop app, install it, sign in with your HZSec account to pull your license, then point it at any local folder. Your first scan takes under 30 seconds.
Email hello@hzsec.io for support. For early access users, response time is typically within one business day.
Never. HZSec scans run entirely on your machine. No source files, no file paths, and no code snippets are transmitted anywhere during a scan. You can verify this with any network monitor while a scan runs.
HZSec stores scan results, your security score history, the audit log of findings and fixes, and your settings — all on your local machine. None of this is synced to HZSec servers.
Scanning and Live Monitor work fully offline. The AI assistant requires a network connection to call the Anthropic API, but your source code is never included in those calls — only finding metadata is used as context.
If you bring your own key (free tier), it is stored locally using AES-256-GCM encryption with PBKDF2-SHA512 key derivation. On Pro, HZSec manages the key for you and it is never stored on your device.
Yes. Run a scan while monitoring outbound network traffic in Charles, Proxyman, or macOS's built-in network monitor. You will see no outbound calls carrying source content during a scan.
Most projects under 50,000 lines complete in under 30 seconds. Large monorepos may take a couple of minutes depending on how many modes are active. You can run a targeted quick scan on just the changed files for faster feedback.
Six detection categories: exposed secrets and credentials, insecure configuration settings, known-vulnerable code patterns, dependency CVEs via CISA and NVD, web exposure risks, and system-level hardening gaps.
Yes. You can point the scanner at any local path — a single file, a module directory, or your entire repo. The scanner respects .gitignore by default so build artifacts and dependencies are excluded.
For common, deterministic findings — exposed API key format, debug flag set to true, insecure HTTP config — HZSec can apply the fix directly. You always see a diff before anything changes, and you can reject or modify it.
Each scan produces a 0–100 score based on the severity and count of open findings relative to your codebase size. HZSec tracks this over time so you can see whether security is improving or slipping between scans.
Yes. You can scan the entire monorepo at once or target individual packages within it. The score and audit log work at whatever path level you choose.
No. The assistant uses your scan results and finding metadata as context — not raw source files. It knows what issues exist and where, but your code stays on your machine and is never sent to Anthropic.
On the free tier, yes — you bring your own key. On Pro, HZSec provides a managed key with 1,000 messages per month included. You can also supply your own key at any tier for unlimited messages.
10+ documented real-world breaches — Uber (2022), Equifax (2017), Verkada (2021), Log4Shell (2021), and others — are embedded as assistant context. When your scan matches a breach pattern, the assistant references the exact incident and how fast it was exploited.
Live Monitor watches any folder you specify. When a file change introduces a new security finding, HZSec surfaces it immediately — no manual rescan required. It's useful for watching your source directory while you code.
Yes. The assistant isn't limited to your current scan findings. You can ask about secure coding patterns, review a code snippet, explore a CVE in depth, or get a second opinion on a remediation approach.
Scanning and Live Monitor run fully offline. The AI assistant requires a network connection to reach the Anthropic API. Your source code is never transmitted — only structured finding context is used.
The free tier includes all six scan modes, Live Monitor, the breach intelligence library, and the full audit log. You bring your own Anthropic key for the AI assistant. Free is free forever — no trial expiry.
Pro adds a managed Anthropic key (no setup), 1,000 AI assistant messages per month, security playbooks, and email support. It's $19/month or $190/year.
No. The free tier requires no credit card. You only need payment details when upgrading to Pro or Team.
Pro and Team both include a 7-day free trial. You can cancel at any time from your billing portal — access continues until the end of the paid period.
Team is custom-priced for squads of 3 or more. It includes 5,000 assistant messages per seat, multi-seat billing, shared notes, and priority support. Email hello@hzsec.io to discuss.
Currently OWASP Top 10, CIS benchmarks for common environments, and SOC 2 trust service criteria. Every finding is automatically tagged — no manual mapping required. Coverage expands as new scan rules are added.
No. HZSec is a developer security tool — it helps you find issues, track fixes, and prepare evidence. It doesn't replace a professional penetration test or issue compliance certifications.
For each framework, HZSec calculates a percentage based on which controls have passing findings versus open issues. A 71% OWASP score means 71% of the framework's mapped controls pass based on what's been scanned.
When you fix a finding and the same issue reappears in a later scan, HZSec marks it as recurring. This flags patterns that need a deeper root-cause fix rather than a surface patch, and it's visible in the audit log.
Yes. The audit log can be exported as a structured report with scan timestamps, finding summaries, severities, and applied fixes. It's formatted to be shareable without additional interpretation.
No. Compliance mapping, audit log, gap calculations, and recurrence tracking are available on all plans including Free. Team adds shared notes and multi-seat audit trails for collaborative compliance work.
Email us at hello@hzsec.io or download HZSec and try it yourself — the free tier requires no credit card.