SecurityClaw Demos
🎯 SecurityClaw Capability Scorecard
Live results across all demo campaigns. Updated as each campaign is published. Failures are visible — that's the point. 25 campaigns completed. Overall pass rate: 92.00%
TruffleHog: 4/5 secrets found. Stripe live key not in v2 ruleset — demo #1. Gitleaks: 6/8 unique secrets in 13.2ms — deleted RSA key found in git history, base64 caught via entropy. AWS secret key + PostgreSQL YAML password missed — demo #13.
Nikto: 5/5 planted misconfigs in 4s — demo #2. Nuclei: 5/6 classes in 8s (phpinfo mock incomplete) — demo #5. Gobuster: 10/10 paths in 4.79s, 3 CRITICAL (backup.zip, config.bak, live API keys), 0 false positives — demo #12.
npm-audit: 8/8 vulnerable packages, 15 CVEs in 2.1s — demo #3. Supply-chain-scanner: 7/7 planted threats (SANDWORM_MODE, typosquats, curl|bash) in 0.19s — demo #9. Gitleaks: git history secret detection — demo #13.
Hashcat: MD5, NTLM, SHA-1, SHA-256, SHA-512 all cracked in under 1 second. bcrypt (rounds=10) resisted. Key metric: NTLM vs bcrypt = 59,034× speed gap — demo #14.
WPScan: 3 INFO findings from the automated passive scan (passive mode defeated by WP Engine hardening). Manual analysis: 7 components identified, 0 CVEs — demo #4.
sqlmap: 2 injection points detected at default settings, full DB dump in 4s. Cookie + LIKE-clause injection requires Level 2 — demo #6.
Prowler / ScoutSuite demos in pipeline.
Swagger/OpenAPI scanner: 1 Critical (unauthenticated admin), 3 shadow endpoints, secret key leak — 13 findings in 2.4s. Excessive data exposure + deprecated API checks on roadmap — demo #7.
nmap: anonymous FTP, vsftpd 2.3.4 backdoor, CVE-2021-41773 Apache, exposed Tomcat Manager, unauthenticated Redis, EOL MySQL — demo #8.
CT logs (cert transparency): 1,499 certs, 79 unique subdomains from superdrug.com in 12.57s — zero packets sent to target — demo #10.
Trivy: 21 CRITICAL + 79 HIGH across Flask + React demo app (2017-2018 deps). 3× RCE in Handlebars, PyYAML ACE, Django SQLi ×4, Pillow memory corruption — demo #11.
All Demos
557 Milliseconds to CRITICAL: SecurityClaw's AI Campaign Engine Finds AWS Keys, Confirms IDOR, and Plans Its Next Move
SecurityClaw Phase B ships four AI modules: an Adaptive Campaign Graph that chains findings automatically, a JS Bundle Analyser that found an AWS key in a public React bundle, an IDOR Scanner that confirmed cross-account email access, and a Campaign Director that planned a 5-skill attack sequence. Total runtime: 557ms. Here's exactly what each module found — and what it missed.
SecurityClaw Found 6 Leaked Secrets in Your CI/CD Pipeline in 10 Milliseconds
SecurityClaw ran 7 tools against a GitHub Actions repository seeded with real-world CI/CD misconfigurations: 6 secrets detected in 10ms, a Pwn Request attack chain giving any GitHub user full repository write access, hardcoded AWS credentials, SHA pinning disabled. Here's what every pipeline misconfiguration looks like from an attacker's perspective — and what 75% catch rate actually means.
SecurityClaw Got Admin Access in 0.16 Seconds — Without Touching the Password
SecurityClaw's jwt-tool campaign found 4 JWT vulnerabilities in a single run: 2 CRITICAL (alg:none bypass achieves admin access in under 200ms; HMAC secret cracked in 0.16 seconds), 2 MEDIUM (no expiration, password hash in payload). 70%+ of modern APIs use JWT. Here's what a broken implementation looks like from the attacker's side — and the remediation table that fixes all four.
40% of APIs Trust a Header Attackers Control — We Proved It in 9 Seconds
SecurityClaw's rate-limit-bypass skill tested 9 headers and 4 bypass techniques against AcmeCorp's API. 6 headers bypass the rate limit. A forgotten v1 endpoint has zero protection. The control designed to stop brute-force attacks collapsed in under 9 seconds. Here's the full campaign, the honest misses, and what actually works.
SecurityClaw Found 4 XSS Vulnerabilities in Under Half a Second — And One False Positive That's Even More Useful
SecurityClaw's xss-scanner found 4 real cross-site scripting vulnerabilities in 443 milliseconds: CRITICAL reflected XSS (11/11 payloads), HIGH stored XSS, HIGH filter bypass (10/11 payloads), MEDIUM DOM injection. Then it flagged a fifth endpoint as vulnerable. It wasn't. Here's why the false positive is the most important part of this demo — and what it tells you about automated scanners.
484,956 Exposed Servers. SecurityClaw Found Them in Under 3 Seconds — Without Sending a Single Packet.
SecurityClaw's shodan-intel skill ran 5 passive OSINT queries in 2.95 seconds. No packets sent to any target. Results: 234,147 exposed Redis instances, 191,598 exposed MongoDB databases, 2,191 Jupyter Notebooks with unauthenticated code execution, and a Beijing server running both an open Jupyter notebook and an unauthenticated LLM API on port 11434. Plus: the honest misses, the attack chain, and how to claim your own exposure before attackers do.
SecurityClaw Found the Backup File Your Developer Left Behind
SecurityClaw's ffuf skill discovered 7 hidden endpoints in 2.0 seconds across 4,621 requests. Two CRITICAL findings: /admin and /backup.zip. The attack chain from backup.zip leads directly to admin access via hashcat. Plus an honest miss: /api/v2/internal wasn't in the wordlist, and here's why that matters.
SecurityClaw Exposes Weak Passwords in 30 Seconds
SecurityClaw's Hydra skill cracked 3 credentials on a live login endpoint in 12.3 seconds. admin:password123 fell on attempt #43 in 4.8s. Rate-limit bypass demonstrated — soft throttling is not protection. Here's the exact attack chain and what actually stops it.
We Deleted the Key. Gitleaks Found It Anyway. Here's Why.
A developer committed an RSA private key, then deleted it in the next commit. We ran SecurityClaw + Gitleaks against the repo 13.2 milliseconds later — the key was still there. 6/8 secrets found, including one that 'didn't exist anymore'.
We Hid 10 Secrets on a Web Server. SecurityClaw Found All 10 in Under 5 Seconds.
We planted 10 sensitive paths on a controlled web server — backup files, a live .git repo, API keys, an admin panel. SecurityClaw's gobuster integration found all 10 in 4.79 seconds using two scans and zero false positives.
We Gave Hashcat 6 Password Hashes. It Cracked 5 in Under a Second. The 6th Said No.
SecurityClaw tested password hash strength across MD5, NTLM, SHA-1, SHA-256, SHA-512, and bcrypt. 5 cracked in under a second using a standard dictionary. bcrypt resisted. The speed gap: 59,034×. Here's what that means for your auth layer.
Before You Send a Single Packet: CT Logs Gave Us 79 Subdomains in 12 Seconds
Before we touched Superdrug's network, Certificate Transparency logs revealed 79 unique subdomains, 1,499 certificates, 12+ years of infrastructure history, and third-party vendor relationships — in 12.57 seconds and zero packets sent.
100 CVEs in 63 Milliseconds: What's Actually Hiding in Your Dependencies
We built a Flask + React app with packages pinned to 2017-2018 versions. Trivy found 100 vulnerabilities (21 CRITICAL, 79 HIGH) in 63ms — no Docker required. Including 3 separate RCE paths in Handlebars alone.
What Attackers See Before You Do: nmap Network Discovery in Real Time
In 6.32 seconds, SecurityClaw's nmap scan found 6 critical misconfigurations: anonymous FTP, a backdoored vsftpd, a vulnerable Apache version, exposed Redis, MySQL on the network, and an Apache Tomcat Manager. Here's the exact output and why each finding matters.
We Planted 7 Threats in a package.json. SecurityClaw Found All of Them in 0.19 Seconds.
SecurityClaw's supply-chain-scanner demo: 16-package target, 2 SANDWORM_MODE malicious packages, 2 typosquats, 1 suspicious postinstall, 2 unpinned dep groups. Result: 7/7 planted threats detected, 0 false positives, 0.19s.
We Read an OpenAPI Spec and Found 13 Vulnerabilities in 2.4 Seconds
SecurityClaw ran a swagger-scanner against a deliberately vulnerable Flask API with 4 planted OWASP API Top 10 vulnerabilities. 1 critical finding (unauthenticated admin), 3 shadow endpoints, and a login endpoint leaking Flask secret keys. Here's exactly what it found — and the 2 it missed.
17 Findings in 4 Seconds: SecurityClaw's Web Scanner Finds Every Planted Misconfiguration
SecurityClaw ran Nikto against a controlled server with 5 planted misconfigs. 5/5 detected in 4 seconds — plus 12 real issues. Here's the full output, 2 documented false positives, and what .git/HEAD exposure really means.
15 Vulnerabilities in Your package.json. 2 Seconds to Find Them.
SecurityClaw ran npm audit against a Node.js project with 8 deliberately vulnerable dependencies. 8/8 detected in 2 seconds — including a critical RCE package with no fix that's still in countless codebases. Full output and remediation.
371 Templates. 8 Seconds. AWS Credentials Sitting Wide Open.
SecurityClaw ran Nuclei against a deliberately misconfigured Flask app. 23 findings in 8 seconds — including exposed AWS credentials, .env files, backup zips, and git config. 5/6 planted classes found. Here's the full output and what we missed.
We Planted SQL Injection in 4 Places. SecurityClaw Found 2 — and Emptied the Database in 4 Seconds.
SecurityClaw ran sqlmap against a deliberately vulnerable Flask app with 4 planted SQL injection points. 2/4 found at default scan level, full database dumped in 4 seconds including admin credentials. Here's what was found, what was missed, and exactly why.
WPScan vs WP Engine: What Happens When a Scanner Meets Real WordPress Hardening
We ran WPScan against a hardened WordPress site. It found almost nothing — and that's actually good news. Here's what automated scanning missed, what SecurityClaw's manual analysis layer found instead, and what this means for your WordPress security posture.
We Planted 5 Secrets in a Git Repo. SecurityClaw Found 4.
SecurityClaw ran a real TruffleHog campaign against a controlled repo with intentionally planted secrets. 4 out of 5 detected in 91ms. Here's exactly what was found, what was missed, and why the gap matters.