Open-source · MIT · v3.1.0

AI code review for application security.

Mythos Agent reasons about your code the way a security-focused reviewer would — generating hypotheses, hunting CVE variants, and ranking findings by confidence.

  • 43 scanner categories
  • 329+ rules
  • 8 languages
  • Claude · GPT-4o · Ollama · offline

One command. No API key required.

A real run of npx mythos-agent quick against a vulnerable fixture. The pattern scan finishes in about 10 ms, offline, with no configuration.

[Terminal recording: npx mythos-agent quick scans 47 files in 10 ms and reports 13 findings; the five critical and high-severity ones are shown with file:line pointers, followed by a suggested auto-fix command.]

Five ideas that set Mythos Agent apart.

Hypothesis-driven scanning

Per-function hypotheses about what could go wrong — "this transaction doesn't lock the row; potential race condition" — instead of fixed pattern rules.

AI reasoning, not regex
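
The hypothesis quoted above, reproduced as an added example (this is not Mythos Agent's code): a withdraw() that reads the balance, checks it in application code and then writes the result, driven with a second request interleaved into the gap, next to a version that makes the check and the debit one atomic statement. The accounts table, the balances and the round-robin scheduler are constructed for the demonstration; the interleaving is forced with generators so that the race reproduces deterministically rather than depending on thread timing.

```python
"""Added example (not Mythos Agent's code): the unlocked-row hypothesis reproduced.

The vulnerable withdraw reads the balance, checks it in Python and then writes
the new value. Nothing holds the row between the read and the write, so two
requests that interleave in that gap both pass the check. Generators stand in
for concurrent requests: each `yield` is a point where the scheduler below hands
control to the other request, which makes the race deterministic.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture: a single account holding 100."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)"
    )
    conn.execute("INSERT INTO accounts (id, balance) VALUES (1, 100)")
    conn.commit()
    return conn


def balance(conn: sqlite3.Connection, account_id: int) -> int:
    row = conn.execute(
        "SELECT balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchone()
    return row[0]


def withdraw_vulnerable(conn, account_id, amount):
    """Check-then-act with no lock: the classic TOCTOU / double-spend shape."""
    current = balance(conn, account_id)
    if current < amount:
        yield                      # keeps the scheduler uniform
        return False
    yield                          # the window: another request can run here
    conn.execute(
        "UPDATE accounts SET balance = ? WHERE id = ?",
        (current - amount, account_id),
    )
    conn.commit()
    return True


def withdraw_hardened(conn, account_id, amount):
    """Check and debit in one statement, so the database enforces the invariant.

    rowcount says whether the conditional UPDATE matched a row; if another
    request got there first, the WHERE clause fails and nothing is written.
    """
    cur = conn.execute(
        "UPDATE accounts SET balance = balance - ? "
        "WHERE id = ? AND balance >= ?",
        (amount, account_id, amount),
    )
    conn.commit()
    yield                          # same scheduling point; the work is already atomic
    return cur.rowcount == 1


def run_interleaved(*requests):
    """Round-robin scheduler: advance each request one step at a time.

    Returns each request's result in the order the requests were passed in.
    """
    results = [None] * len(requests)
    pending = list(range(len(requests)))
    while pending:
        for i in list(pending):
            try:
                next(requests[i])
            except StopIteration as done:
                results[i] = done.value
                pending.remove(i)
    return results


if __name__ == "__main__":
    db = make_db()
    print(run_interleaved(withdraw_vulnerable(db, 1, 70),
                          withdraw_vulnerable(db, 1, 70)), balance(db, 1))
    db = make_db()
    print(run_interleaved(withdraw_hardened(db, 1, 70),
                          withdraw_hardened(db, 1, 70)), balance(db, 1))
```

Two 70-unit withdrawals against a balance of 100 both succeed in the vulnerable version and leave 30 behind: the second write silently overwrites the first, which is what the "doesn't lock the row" hypothesis predicts. The hardened version lets the second request fail because the check and the debit are one statement. On PostgreSQL or MySQL the same fix can also be written as SELECT ... FOR UPDATE inside the transaction; in SQLite, BEGIN IMMEDIATE takes the write lock before the read. Either way the invariant is enforced where the data lives, not in application code after an unlocked read.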

CVE variant analysis

The Big-Sleep technique finds structurally similar bugs across your codebase — same root cause, different syntax, different file.

Catches the siblings of known CVEs

Multi-agent pipeline

Four coordinated stages — Recon · Hypothesize · Analyze · Exploit — each informing the next. Findings ranked by confidence and exploitability.

4-stage orchestration

Autonomous proof generation

AI-guided fuzzing with feedback loops, plus PoC exploit generation, so that a reported finding comes with a reproduction instead of standing as a theoretical false positive.

Reproducible exploits, not guesses

Works offline

Pattern mode runs without an API key. For AI mode, bring your own LLM — Claude, GPT-4o, Ollama, LM Studio.

Pattern scan is free forever

Four-stage pipeline. Each stage feeds the next.

  1. Recon

    Map the codebase: entry points, data flow, framework boundaries, risky surfaces.

  2. Hypothesize

    Generate per-function hypotheses. "This query could be vulnerable if it concatenates user input."

  3. Analyze

    Every scanner runs. The taint engine and variant detector confirm or reject each hypothesis.

  4. Exploit

    Chain findings into real attack paths, rank them by confidence, and generate PoC exploits where possible.

Beyond the pipeline: call-graph + taint engine, DAST smart fuzzer, AI hypothesis agent, variant analysis, and git-history mining all feed into the same confidence score.
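
The four stages above in miniature, as an added example that is not the project's own engine: a small, intra-procedural pass in Python over a constructed Flask fixture. Recon maps the functions and marks those decorated with a *.route call as entry points; Hypothesize raises one hypothesis per cursor.execute() whose SQL is not a string literal; Analyze confirms or rejects it by tracking whether flask.request (or a function parameter, whose caller is unknown) reaches the query text; the ranking half of Exploit orders the result by confidence. The fixture, the source and sink tables and the confidence values are assumptions made for the example; PoC generation and inter-procedural analysis are out of scope here.

```python
"""Added example, not Mythos Agent's engine: the four stages in miniature.
Intra-procedural, Python sources only, SQL-building sinks only. The fixture,
the source/sink tables and the confidence values are assumptions for the demo."""
import ast
from dataclasses import dataclass

# Constructed fixture: it is parsed, never run, so app/connect_db need not exist.
FIXTURE = '''\
from flask import request
conn = connect_db()
@app.route("/user")
def get_user():
    uid = request.args.get("id")
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE id = " + uid)
    return cur.fetchone()
@app.route("/item")
def get_item():
    cur = conn.cursor()
    cur.execute("SELECT * FROM items WHERE id = ?", (request.args.get("id"),))
    return cur.fetchone()
def report(kind):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM reports WHERE kind = '{kind}'")
    return cur.fetchall()
def archive():
    table = "users_archive"
    conn.cursor().execute("SELECT * FROM " + table)
'''
SOURCES = {"request"}               # flask.request is attacker-controlled
SINKS = {"execute", "executemany"}  # DB-API cursor methods that run SQL

@dataclass
class Finding:
    function: str
    line: int
    status: str        # "confirmed" or "rejected"
    confidence: float
    reason: str

def recon(tree):
    """Stage 1: map every function; a decorator call named *.route marks an entry point."""
    funcs = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            funcs[node.name] = (node, any(
                isinstance(d, ast.Call) and isinstance(d.func, ast.Attribute)
                and d.func.attr == "route" for d in node.decorator_list))
    return funcs

def hypothesize(funcs):
    """Stage 2: one hypothesis per sink call whose SQL argument is not a string literal."""
    return [(name, func, is_entry, call)
            for name, (func, is_entry) in funcs.items()
            for call in ast.walk(func)
            if isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
            and call.func.attr in SINKS and call.args
            and not isinstance(call.args[0], ast.Constant)]

def origin_of(expr, tainted):
    """'request' if expr reads flask.request, else the origin of the first tainted name in it, else None."""
    names = [n.id for n in ast.walk(expr) if isinstance(n, ast.Name)]
    if any(n in SOURCES for n in names):
        return "request"
    return next((tainted[n] for n in names if n in tainted), None)

def taint(func):
    """Intra-procedural taint to a fixed point: parameters (callers unknown) plus every
    variable assigned from a source or from an already-tainted name."""
    tainted = {a.arg: "parameter" for a in func.args.args}
    changed = True
    while changed:
        changed = False
        for stmt in (s for s in ast.walk(func) if isinstance(s, ast.Assign)):
            origin = origin_of(stmt.value, tainted)
            for t in stmt.targets:
                if origin and isinstance(t, ast.Name) and t.id not in tainted:
                    tainted[t.id], changed = origin, True
    return tainted

def analyze(hyps):
    """Stage 3: the taint result confirms or rejects each hypothesis."""
    out = []
    for name, func, is_entry, call in hyps:
        origin = origin_of(call.args[0], taint(func))
        if origin == "request":
            verdict = ("confirmed", 0.9 if is_entry else 0.7, "flask.request reaches the query text")
        elif origin == "parameter":
            verdict = ("confirmed", 0.5, "a parameter reaches the query text; callers not analysed")
        else:
            verdict = ("rejected", 0.1, "dynamic query text, but nothing tainted reaches it")
        out.append(Finding(name, call.lineno, *verdict))
    return out

def scan(source):
    """Stage 4, ranking half only: confirmed first, then highest confidence first."""
    findings = analyze(hypothesize(recon(ast.parse(source))))
    return sorted(findings, key=lambda f: (f.status != "confirmed", -f.confidence, f.line))
```

Calling scan(FIXTURE) yields three findings in rank order: get_user (confirmed, 0.9, an entry point concatenating request input into SQL), report (confirmed, 0.5, a parameter reaches the query and the callers are unknown) and archive (rejected, 0.1, dynamic SQL fed only by a local constant). get_item produces no hypothesis at all because its SQL is a literal with bound parameters, which is the cheapest possible rejection: it never reaches the taint stage.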

43 categories. 329+ built-in rules.

15 are wired into the default scan today and 28 are experimental, plus deep integrations with Semgrep, Gitleaks, Trivy, Checkov, and Nuclei.

Each entry gives the category, its rule count, whether it runs in the default scan or is still experimental, and what it covers.

  • Code patterns (25+ rules, default): SQLi, XSS, command injection, eval, SSRF
  • Framework rules (27, default): React, Next.js, Express, Django, Flask, Spring, Go
  • Secrets (22, default): AWS, GitHub, Stripe, API keys, DB URLs, plus entropy analysis
  • Dependencies / SCA (OSV data, default): known CVEs across 10 lockfile formats
  • IaC (13, default): Docker, Terraform, Kubernetes misconfiguration
  • AI / LLM Security (13, default): prompt injection, unsafe AI output, cost attacks
  • API Security (12, default): OWASP API Top 10 (BOLA, mass assignment, broken auth)
  • Cloud Misconfig (14, default): public storage, wildcard IAM, open firewalls
  • Security Headers (8, default): CSP, HSTS, X-Frame-Options, Referrer-Policy
  • JWT (9, default): algorithm, expiry, storage, revocation, audience
  • Session (7, default): fixation, expiry, cookie flags, localStorage tokens
  • Business Logic (6, default): negative amounts, coupon reuse, inventory races
  • Crypto Audit (11, default): weak hashes, ECB, hardcoded keys, deprecated TLS
  • Privacy / GDPR (9, default): PII, consent, retention, with GDPR article mapping
  • Race Conditions (7, default): TOCTOU, non-atomic ops, double-spend
  • ReDoS (regex analysis, default): catastrophic backtracking, nested quantifiers
  • Supply Chain (12, experimental): typosquatting, dependency confusion, install scripts
  • Zero Trust (8, experimental): service trust, mTLS, segmentation
  • GraphQL (8, experimental): introspection, depth limit, field auth
  • WebSocket (7, experimental): origin check, message validation, broadcast XSS
  • CORS (7, experimental): origin reflection, credentials, substring bypass
  • OAuth / OIDC (7, experimental): missing state, no PKCE, implicit flow
  • SSTI (7, experimental): Jinja2, EJS, Handlebars, Pug, Nunjucks

Plus 21 more experimental scanners (deep SQL injection, NoSQL, deserialization, XXE, open redirect, DNS rebinding, memory safety, and more) that ship in the tarball but are not yet wired into the default scan.

Built for security-minded teams.

Mythos Agent complements Semgrep, Snyk, and CodeQL rather than replacing them: it layers AI reasoning on top of traditional SAST and is not a substitute for a mature rules engine.

EU CRA stance published · SOC 2 / HIPAA / PCI mappings in docs · GDPR article mapping on privacy findings · 48-hour vulnerability acknowledgment

Four ways to start. All of them take under a minute.

npx mythos-agent scan