Security research platform
Live operator workflow28+ secret formatsPaygo API + workspace

Built for the part
of security work
that happens
after detection.

SecPulse is for triage, disclosure, binary inspection, operator tooling, and evidence handling. The product is opinionated about the messy middle between “we found something” and “someone fixed it.”

0

Findings already tracked

0

Owner notifications sent

0

Confirmed remediations

Operator board

One queue. Four views.

Active

Detection

Surface

repo scan · binary scan · executable analysis

Text-first secrets, embedded credentials, and higher-interest binaries all feed the same queue.

Intelligence

Surface

reuse graph · scan delta · liveness

Pivot from a single finding into blast radius, comparable scan shifts, and verified-live history.

Disclosure

Surface

evidence workspace · notes · owner contact

Attach artifacts, keep the trail clean, and move straight into a disclosure-ready workflow.

69 live toolspaygo APIevidence workspacerepo-driven disclosure

Active findings

Live

tracked across secrets, exposures, and disclosures

Owner contact loop

Ready

GitHub issue creation and remediation tracking built in

Usage model

Plans + credits

subscription for teams, pay-as-you-go for bursty work

Live interaction

Try one public signal before you ever sign in

The public site should prove there is a real platform underneath it. Start with breach checking, then look at how the current finding mix is distributed across the workspace.

Public breach check

Run a quick check against known breach data without leaving the page.

Current platform distribution

Loading stats…

Product surface

A calmer operating model for messy security work

The point is not to show more widgets. The point is to keep detection, triage, evidence, and disclosure in one system that feels coherent under pressure.

Research queue, intelligence, and disclosure all connect directly
Faster path from scan result to owner-facing action
Better fit for repo-driven and artifact-heavy workflows

Findings + triage

Research queue

Move from raw exposure to validated finding, owner notification, and remediation without leaving the same workspace.

status historyassignment + prioritysource-aware evidence

Continuous coverage

Recon + monitoring

Run GitHub scans, asset discovery, dark web checks, and the live tool catalog from one place instead of juggling separate scripts.

scheduled scansasset inventorytool runtime + paygo API

Built for actual teams

Operator workflow

Credits, plans, notifications, and AI assistance fit into the same command surface so the platform feels operational, not stitched together.

credits + subscriptionsSlack / Discord / webhookssession-aware AI + jailbreak lockout
Platform capabilities

What is actually in the product now

This is the current SecPulse surface area. The goal is less “feature list for investors” and more “here is the operating kit a researcher or team actually gets.”

Capability

Secret detection

Scan GitHub repos for 28+ leaked secret formats — Anthropic, OpenAI, AWS, Stripe, GitHub, Slack, SendGrid, Google, GitLab, Discord, PyPI, npm, Shopify, and more.

Capability

Vulnerability disclosure

Structured reporting for 28 vulnerability types — XSS, SQLi, CORS, IDOR, SSRF, SSTI, race conditions, and more.

Capability

Auto-notify via GitHub

One-click GitHub issue creation on affected repos with remediation steps. Batch-notify hundreds at once.

Capability

Dark web monitor

Watchlist keywords across dark web sources. Search ahmia.fi and leak databases. Get alerts on credential dumps.

Capability

Intelligence

Scan repos, search GitHub, bulk import findings, monitor paste sites, continuous asset monitoring.

Capability

Breach check

Check emails and domains against known data breaches. SHA256-hashed for privacy — we never store plaintext.

Capability

Alert rules

Create rules matching findings by severity, type, and source. Notifications via Slack, Discord, or webhooks.

Capability

Asset inventory

Track repos, orgs, domains, emails, and services. Continuous monitoring with last-checked timestamps.

Capability

AI assistant

Built-in SecPulse AI writes disclosure reports, explains vulnerabilities, streams replies live, and flips into roast mode when someone tries a jailbreak.

Capability

Researcher profiles

Public profiles with stats and 17 badges across 4 tiers. Reputation system for community recognition.

Capability

Team accounts

Create teams, invite members, share findings and assets. Role-based access control up to 50 members.

Capability

API access

Generate API tokens for programmatic access. Full REST API with docs. RSS feed for activity monitoring.

Capability

Scheduled scans

Automated daily cron scans for monitored assets. Continuous coverage with zero manual effort.

Capability

Paste monitoring

Track keywords across paste sites (Pastebin etc) for leaked creds, domain names, and emails.

Capability

Responsible disclosure

Open, ethical disclosure workflow. Track finding status from submission through remediation.

34 SecOps + 35 InfoSec tools

A wider tool bench, not just a scanner page

SecPulse now runs a much broader catalog across SecOps and InfoSec. The platform covers discovery, posture review, config analysis, and offensive security checks from the same tool surface.

proinfosec

CORS Misconfiguration Scanner

test for dangerous CORS configs — origin reflection, null origin, wildcard + credentials

Configuration

live
prosecops

Security Header Analyzer

check for missing or misconfigured headers — CSP, HSTS, X-Frame-Options, and more

Configuration

live
prosecops

Subdomain Enumeration

discover subdomains via certificate transparency logs and surface interesting prefixes

Attack Surface

live
enterpriseinfosec

IDOR Endpoint Tester

test API endpoints for insecure direct object references

Access Control

live
enterpriseinfosec

Open Redirect Checker

test URL parameters for open redirect vulnerabilities

Web App

live
enterpriseinfosec

API Endpoint Fuzzer

fuzz endpoints with SQL injection, XSS, path traversal, and command injection payloads

API Security

live
enterprisesecops

Vulnerability Scanner

comprehensive checks for headers, CORS, TLS, tech fingerprinting, and exposed paths

Exposure

live
prosecops

Attack Surface Monitor

track newly exposed hosts, apps, and services over time

Attack Surface

live
prosecops

Certificate Expiry Watch

watch TLS certificates and alert before they age out

TLS

live
enterprisesecops

Domain Takeover Watch

watch for dangling DNS and subdomain takeover conditions

Attack Surface

live
enterpriseinfosec

SSRF Probe

probe server-side fetch flows for SSRF behavior and metadata access

Web App

live
proinfosec

Rate Limit Auditor

verify rate limiting, burst handling, and account lockout behavior

Abuse

live
enterpriseinfosec

Cache Poisoning Probe

probe shared caches for poisonable keys and host confusion

Infrastructure

live
Try all tools with a free account
Current direction

Recent work that changed how the platform feels

This isn’t just a prettier landing page. The product underneath moved closer to a real operator surface, and the public site should show that more honestly.

01

Full live tool runtime

SecOps and InfoSec tools now run through one shared execution layer instead of a tiny hardcoded subset.

02

Credits that actually top up

Stripe-backed credit purchases and superadmin-issued credits now feed the same paygo balance and transaction history.

03

Disclosure path cleaned up

Policy, owner notification loop, and trust language now point to real platform flows rather than placeholder destinations.

04

AI copilot now bites back

SecPulse AI streams replies, keeps session context, and drops repeat jailbreak attempts straight into roast mode instead of pretending not to notice.

Who it fits

Built for real workloads, not a fictional perfect user

The same product needs to work for solo researchers, product teams, and internal security operators. The shape of the work changes, but the workflow should not fall apart.

Use case

Indie developers

Scan your repos before pushing to production. Check breaches, monitor leaked keys, and get notified when something slips through.

  • Free tier forever
  • 100 findings included
  • Automated daily scans
Use case

Startups

Track security posture across every repo and domain you ship. Integrate with Slack or Discord so the whole team sees new findings in real time.

  • Webhook integrations
  • Asset monitoring
  • Unlimited findings
Use case

Security teams

Run SecPulse as an operator surface for disclosure, monitoring, validation, and on-demand tooling. Built for teams that need both day-to-day coverage and burst capacity.

  • Dark web + breach monitoring
  • 69 live SecOps and InfoSec tools
  • Team accounts and pay-as-you-go usage

Simple pricing

Start free. Upgrade when your scale demands it.

Free

for individual researchers getting started

Free
  • manual finding submission
  • 100 findings
  • basic public profile + badges
  • AI chat (20 messages/day)
  • 2 API tokens
  • 5 monitored assets
  • 2 alert rules
  • breach check
  • community stats
Most popular

Pro

for active researchers and bug hunters

A$12/month
  • everything in Free
  • unlimited findings
  • automated repo scanning
  • GitHub code search
  • paste site monitoring (20 keywords)
  • bulk import/export
  • unlimited AI chat
  • 20 API tokens
  • 50 monitored assets
  • 25 alert rules
  • + 8 more

Enterprise

for security teams and organizations

A$39/month
  • everything in Pro
  • unlimited everything
  • dark web monitoring (unlimited keywords)
  • team accounts (up to 50 members)
  • finding assignment & priority
  • custom secret patterns
  • scheduled cron scans
  • generic webhook + Jira/PagerDuty
  • all security tools (unlimited)
  • IDOR tester
  • + 5 more

All prices in Australian dollars. Cancel any time.

Pay only for what you use

Pay-as-you-go

Credits work alongside any plan for overages, or on their own without a subscription. No hidden fees, and token-authenticated tool runs are available through the paygo API.

API

2
API Requestany API call beyond plan limit
A$0.001/request
Burst API (1000)1000 API requests burst
A$0.50/bundle

Scans

4
Repo Scanscan a repo for all secret patterns
A$0.05/scan
GitHub Code Searchsearch GitHub for a pattern
A$0.03/search
Paste Site Scanscan paste sites for one keyword
A$0.02/keyword
Dark Web Scansearch darkweb for one keyword
A$0.05/keyword

Security tools

7
CORS Scannertest domain for CORS misconfig
A$0.10/domain
Header Analyzercheck security headers
A$0.05/url
Subdomain Enumdiscover subdomains via CT logs
A$0.08/domain
IDOR Testertest endpoint for IDOR
A$0.15/endpoint
Open Redirect Checktest for open redirects
A$0.08/url
API Fuzzerfuzz endpoint with payloads
A$0.20/endpoint
Vulnerability Scancomprehensive analysis
A$0.25/target

AI

1
AI Chat MessageAI message beyond plan limit
A$0.01/message

Notifications

2
GitHub Issuecreate disclosure issue
A$0.03/issue
Bulk ExportCSV or JSON export
A$0.02/export

Supported secret patterns

Auto-detection for these providers — new ones added regularly.

CriticalAnthropic API Key
CriticalOpenAI Project API Key
CriticalAWS Access Key ID
CriticalAWS Temporary Access Key ID
CriticalGitHub Classic Personal Access Token
CriticalGitHub Fine-Grained Personal Access Token
HighGitHub OAuth Token
HighGitHub User-to-Server Token
HighGitHub Server-to-Server Token
CriticalGitHub Refresh Token
CriticalStripe Live Secret Key
HighStripe Restricted Live Key
HighGoogle API Key
HighSlack Bot Token
HighSlack User Token
HighSlack App-Level Token
HighSlack Incoming Webhook
HighSendGrid API Key
HighMailgun API Key
CriticalGitLab Personal Access Token
Highnpm Access Token
HighPyPI API Token
HighDiscord Webhook URL
HighHugging Face Access Token
CriticalShopify Admin API Access Token
HighShopify Shared Secret
HighLinear API Key
HighOpenRouter API Key
Latest from the blog

From the team

View all articles

Security by design

We're a security platform — we hold ourselves to the same bar we ask of others.

Secrets never stored

We hash secret prefixes only. Full keys are never persisted or logged.

Hardened headers

Strict CSP, HSTS, and cross-origin isolation. We scan our own headers daily.

GitHub OAuth only

No passwords on our side. Sign in with GitHub — we only see your public profile.

Full audit log

Every action — finding submission, role change, plan update — is logged and visible to you.

Responsible disclosure

Open disclosure workflow. Contact security@secpulse.tech and we respond within 24h.

Infrastructure

Neon Postgres with TLS at rest. Vercel edge deployment. Daily database backups.

FAQ

Frequently asked

Anything else? Email support@secpulse.tech.

SecPulse

Bring the work into one system.

Sign in with GitHub and start from the dashboard. Use the free workspace, then add credits only when you need more throughput.