Sandyaa: Open-source autonomous security bug hunter
Source code auditing has traditionally relied on static analyzers that flag long lists of potential issues, leaving engineers to sort bugs from noise. A new open-source project from offensive-security firm SecureLayer7 takes a different route, using LLMs to read a codebase, trace how data moves through it, and produce working exploit code for the vulnerabilities it confirms. Their open-source tool, called Sandyaa, was released under an MIT license.

How the auditor operates
Sandyaa accepts either a local directory or a Git URL and runs the audit end to end with no interactive prompts. It builds context across files, splits large codebases into chunks sized to code density and token budget, and runs recursive analysis passes that revisit the same code multiple times to refine findings. Each confirmed bug is written to a findings/ folder containing an analysis write-up, a Python proof-of-concept, a setup guide, and an evidence.json file that links every claim back to specific file paths and line numbers.
Eight recursive phases drive the analysis: call-chain tracing, data-flow expansion, self-verification, vulnerability chaining, proof-of-concept refinement, contradiction detection, assumption validation, and exploitability proof. A separate attacker-control analyzer drops findings that cannot be reached from untrusted input, reducing noise from theoretical issues.
Sandyaa looks for memory-safety bugs including use-after-free, buffer overflow, type confusion, and double-free; logic bugs such as authentication bypass, TOCTOU, and state machine errors; injection vulnerabilities including SQL, command, XSS, SSRF, and path traversal; cryptographic misuse; concurrency races; integer overflow and signedness issues; and unsafe APIs including deserialization, XXE, and prototype pollution.
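A reviewer-side check for the evidence.json property described above, as an added example that is not Sandyaa's own code: before trusting a write-up, confirm that every cited file and line range resolves inside the audited repository. The schema used here (claims, id, file, line_start, line_end, snippet) is an assumption made for illustration, since the page does not give the real format.

```python
import tempfile
from pathlib import Path

def check_evidence(repo_root, evidence):
    """Return a list of (claim_id, problem) for citations that do not resolve."""
    root = Path(repo_root).resolve()
    problems = []
    for claim in evidence["claims"]:  # hypothetical schema, see lead-in
        cid = claim["id"]
        target = (root / claim["file"]).resolve()
        # Reject citations that escape the audited tree (../ or absolute paths).
        if not target.is_relative_to(root):
            problems.append((cid, "path outside repository"))
            continue
        if not target.is_file():
            problems.append((cid, "file not found"))
            continue
        lines = target.read_text(encoding="utf-8", errors="replace").splitlines()
        start, end = claim["line_start"], claim["line_end"]
        if not (1 <= start <= end <= len(lines)):
            problems.append((cid, "line range out of bounds"))
            continue
        # If the claim quotes code, the quote must appear in the cited lines.
        cited = "\n".join(lines[start - 1:end])
        snippet = claim.get("snippet")
        if snippet and snippet.strip() not in cited:
            problems.append((cid, "snippet not found at cited lines"))
    return problems

def demo():
    """Constructed sample: a two-line source file and four claims, three of them bad."""
    with tempfile.TemporaryDirectory() as repo:
        src = Path(repo, "app", "db.py")
        src.parent.mkdir()
        src.write_text('def find(name):\n    return run("SELECT * FROM t WHERE n=\'" + name + "\'")\n')
        evidence = {"claims": [
            {"id": "c1", "file": "app/db.py", "line_start": 2, "line_end": 2, "snippet": 'run("SELECT'},
            {"id": "c2", "file": "app/db.py", "line_start": 2, "line_end": 9},
            {"id": "c3", "file": "../etc/passwd", "line_start": 1, "line_end": 1},
            {"id": "c4", "file": "app/db.py", "line_start": 1, "line_end": 1, "snippet": "execute("},
        ]}
        return check_evidence(repo, evidence)

if __name__ == "__main__":
    for cid, problem in demo():
        print(cid, problem)
```

Claims that fail this check point at a citation the model got wrong, which is a cheap signal to re-review the finding before any proof-of-concept is run.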
Building trust in the output
SecureLayer7 began running Sandyaa against live targets only after tightening the verification stack to the point where reviewing tool output became more productive than reading code from scratch. Sandeep Kamble, CTO at SecureLayer7, told Help Net Security that the team “kept tightening the verification pipeline: self-verification, vulnerability chaining, contradiction detection, and an attacker-control filter that drops findings unreachable from untrusted input.” He added that the threshold for adoption was practical: “At some point the false-positive rate [was] really low enough that reviewing Sandyaa output was a better use of researcher time than reading code cold.”
Two bugs surfaced by the tool have been publicly disclosed so far, both in the Spring AI project: a SQL injection in MariaDBFilterExpressionConverter and a JSONPath injection in PgVectorStore AbstractFilterExpressionConverter.
Safety around exploit execution
Sandyaa can run the proof-of-concept code it generates to confirm exploitability, a behavior that raises obvious questions about side effects on unfamiliar codebases. Kamble said execution is gated by default: “PoC execution is opt-in, off by default. The attacker-control filter runs before PoC generation, so we don’t build PoCs for paths that aren’t reachable anyway.”
No API key, with Gemini as an option
Sandyaa piggybacks on a user’s existing Claude Code session. Once a developer is logged into the Claude Code CLI, Sandyaa reuses that authentication and requires no ANTHROPIC_API_KEY. Some analysis phases can run on Gemini if the gemini CLI is on the user’s PATH, again with no API key required. Setting GEMINI_API_KEY is supported only for resolving model tiers at startup.
The architecture relies on what the project calls Recursive Language Models. The model drives a Python REPL that runs regex filters, chunks files, and spawns sub-LLM queries, with results aggregated in code. This design lets the tool process repositories larger than a single context window would allow.
Platform support and status
The project is actively tested on macOS. Linux should work but has not been validated. Native Windows is not supported because Sandyaa shells out using Unix-only commands and spawns the Claude CLI directly; users on Windows can run it through WSL2. Requirements include Node.js 18 or newer, git, and a logged-in Claude Code installation. Configuration lives in .sandyaa/config.yaml, where users set the target path, chunk size, minimum severity, exploitability threshold, and output options.
Sandyaa is available for free on GitHub.

