TUE, APRIL 28, 2026

Kalibur Review 2026: AI Pentesting That Thinks Like a Hacker

Kalibur connects to your GitHub repo and audits your codebase the way a penetration tester would — chaining vulnerabilities, tracing attack paths, and reasoning about context. From $25 per audit, pay as you go. 90% of manual pentest depth in 20 minutes.

By pat bob · 6 min read · April 28, 2026

Overall Score: 8.2 ★★★★☆

What Is Kalibur?

Kalibur is an AI-powered whitebox security audit tool built by a pentester with 10+ years in software engineering and cybersecurity. Unlike surface scanners like Snyk or SonarQube that match patterns against known vulnerability databases, Kalibur reads your entire codebase and reasons about it — tracing data flows, chaining vulnerabilities, and identifying attack paths that require context to find.

Connect your GitHub repository, select a branch, and Kalibur returns a full audit report in approximately 20 minutes. No rules to write, no configuration files.

What The Output Looks Like

Each finding includes a CVSS score, CWE classification, affected file and line reference, a detailed impact breakdown, and a one-click fix prompt ready to paste into Cursor, Claude Code, or your editor of choice. A full PDF report — severity rankings, remediation steps, board-ready formatting — downloads in one click.

In a demo audit of a sample API codebase, Kalibur surfaced 9 findings including:

  • SQL injection (CVSS 9.1) on a publicly reachable unauthenticated endpoint — direct string interpolation of a query parameter into raw SQL
  • Hardcoded JWT secret in config
  • CSRF gap on state-changing routes
  • IDOR on the invoice API allowing any authenticated user to access any invoice
  • Directory traversal on the file upload route

These are findings that slip through traditional static analysis because they require reasoning about data flow and chained conditions — not just flagging a known bad function call.
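To make the first, fourth and fifth findings concrete, here is the interpolated-query pattern the review describes next to its hardened form, plus an ownership predicate for the invoice IDOR and a root-confinement check for the upload path. This is an added illustration written for this review, not Kalibur's output or code from the demo codebase; the invoices table, the user names and the upload root are constructed sample data.

```python
import os
import sqlite3

# All data below is constructed for illustration; it is not the demo API codebase.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", 120.0), (2, "bob", 45.5), (3, "alice", 9.99)],
    )
    return conn

# --- Finding 1, vulnerable shape: the query parameter is spliced into SQL text ---
# Whatever the caller sends is parsed by SQLite as SQL, not treated as a value.
def get_invoice_vulnerable(conn: sqlite3.Connection, invoice_id: str) -> list:
    sql = f"SELECT id, owner, total FROM invoices WHERE id = {invoice_id}"
    return conn.execute(sql).fetchall()

# --- Findings 1 and 4, hardened: bound parameter plus an ownership predicate ---
# The id is validated and bound, never concatenated, and the row must belong to
# the authenticated caller, which closes the "any user reads any invoice" IDOR.
def get_invoice_hardened(conn: sqlite3.Connection, invoice_id: str, current_user: str) -> list:
    try:
        id_int = int(invoice_id)
    except ValueError:
        return []  # non-numeric ids never reach the database
    return conn.execute(
        "SELECT id, owner, total FROM invoices WHERE id = ? AND owner = ?",
        (id_int, current_user),
    ).fetchall()

# --- Finding 5, directory traversal on an upload route ---
# Resolve the joined path and require it to remain under the upload root.
def safe_upload_path(upload_root: str, filename: str) -> str:
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"refusing path outside upload root: {filename!r}")
    return candidate

def demo() -> dict:
    """Run both query forms against the same inputs and report what each exposed."""
    conn = make_db()
    # A non-numeric id string that a handler taking a raw query parameter would accept.
    hostile_id = "0 OR 1=1"
    results = {
        # vulnerable: the predicate is always true, so every invoice comes back
        "vuln_rows_for_hostile_id": len(get_invoice_vulnerable(conn, hostile_id)),
        # hardened: int() rejects the string and nothing is queried
        "hardened_rows_for_hostile_id": len(get_invoice_hardened(conn, hostile_id, "bob")),
        # IDOR: bob requests alice's invoice 1
        "vuln_rows_bob_reads_1": len(get_invoice_vulnerable(conn, "1")),
        "hardened_rows_bob_reads_1": len(get_invoice_hardened(conn, "1", "bob")),
        # bob requesting his own invoice 2 still works
        "hardened_rows_bob_reads_2": len(get_invoice_hardened(conn, "2", "bob")),
    }
    try:
        safe_upload_path("/srv/uploads", "../etc/passwd")
        results["traversal_blocked"] = False
    except ValueError:
        results["traversal_blocked"] = True
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point a scanner keyed on function names misses is visible in `get_invoice_vulnerable`: there is no dangerous call, only an f-string flowing into `execute`, and the severity comes from the route being reachable without authentication. The hardened version fixes two findings with one predicate, which is the kind of chained reasoning the review credits Kalibur with.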

The Fix Prompt Feature

Every finding ships with a ready-to-paste prompt for Cursor or Claude Code. This is the feature that closes the gap between finding a vulnerability and actually fixing it. Instead of a dev ticket that sits in a backlog for three weeks, the remediation path is immediate. For teams already using AI-assisted coding, this fits directly into existing workflow.

Pricing

Option            Cost
Pay as you go     From $25 / audit
Manual pentest    $5,000 – $50,000 / engagement

No retainer, no quote process, no 2–6 week wait. Pay per audit. For teams that need to ship with security evidence attached, the cost comparison is straightforward.

Who It Is For

Development teams that need audit-grade security coverage without hiring a pentesting firm. Pentesters who want to compress the static analysis phase so they can focus on what requires human judgment. CTOs and engineering leads who need a board-ready report without a six-week engagement timeline.

Limitations

Beta stage: Currently in public beta — expect rough edges and evolving feature coverage.

GitHub only: Repository connection currently requires GitHub. Other VCS providers not yet supported.

AI reasoning caveat: Whitebox AI analysis can produce false positives. Every finding should be reviewed before remediation — the tool is an accelerator, not a replacement for security judgment.

Verdict

Kalibur is solving a real problem with a sharp angle — whitebox AI audit at pentester depth, delivered in 20 minutes for $25. The fix prompt integration is the sleeper feature that makes this genuinely useful for engineering teams, not just security specialists. Early beta, but the output quality and positioning are strong. One to watch in the AI security tooling space.
