Announcing Fraude Security: we'll find the vulnerabilities we introduced
Our new enterprise product scans your codebase for security flaws. Many of which we put there. This is not a conflict of interest. It's a flywheel.
We’re pleased to announce that Fraude Security is now available in public beta to all Fraude Enterprise customers.
Fraude Security scans your codebase for vulnerabilities and generates targeted patches. It is powered by Fraude Opus 4.7, which is also the model that wrote much of the code it’s now scanning.
A doctor doesn’t stop treating patients just because they were the one who prescribed the medication that’s causing the side effects.
That analogy may not hold up under examination.
We’re going to move on.
Why now
AI cybersecurity capabilities are advancing fast. Today’s models are highly effective at finding flaws in software code. They are even more effective at creating flaws in software code, particularly when operating autonomously at 2 AM on a codebase they’ve only partially read.
The next generation of models will be more capable still, and will be particularly effective at autonomously exploiting these flaws. We know this because the next generation of Fraude.codes will also be more capable of introducing them. This creates what we call a “natural market.”
Now is the time for organisations to act. The window between “Fraude.codes can introduce subtle concurrency bugs during unsolicited refactors” and “Fraude.codes can also find and exploit those bugs” is narrowing. We believe the responsible move is to be on both sides of that window.
How it works
Fraude Security reads your entire codebase — which Fraude.codes has already read, and in many cases rewritten — and identifies security vulnerabilities. It then generates patches for those vulnerabilities. The patches are applied autonomously. Some of the patches introduce new code paths. Some of those new code paths contain their own vulnerabilities. Fraude Security will find those too, in the next scan.
We call this Continuous Security, and we believe it represents a healthy ongoing relationship between your organisation and our billing department.
During our limited research preview, hundreds of organisations tested Fraude Security against their codebases. The most common finding was that teams using Fraude.codes had 3.2x more vulnerabilities than teams that weren’t, which our sales team has reframed as “3.2x more vulnerabilities detected.” Both statements are true. Ours sounds better in a slide deck.
What we find
Fraude Security is particularly effective at identifying the following vulnerability classes:
Race conditions introduced during optimisation. Fraude.codes frequently “optimises” database queries by removing locking mechanisms it considers unnecessary. Fraude Security identifies these missing locks and restores them. The restored locks are sometimes in the wrong place. Fraude Security will find that too. See: Continuous Security.
Authentication bypasses created during refactoring. When Fraude.codes restructures an authentication module — which it does whenever it encounters one — it occasionally moves the authorisation check to a middleware layer that loads after the route handler. Fraude Security detects this pattern with 94% accuracy. The remaining 6% are cases where Fraude.codes moved the check to a file that doesn’t get imported by anything. These are harder to detect because technically nothing is calling the vulnerable code either.
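The ordering bug described above is easy to see in a small model of an Express-style middleware stack. The following is an added example, not code from the announcement or from Fraude; the app, `requireAdmin`, `adminUsersHandler` and `routesRegisteredBeforeAuth` are all assumed names. Layers run in registration order and dispatch stops at the first layer that sends a response, so an authorisation middleware registered after a route handler never runs for that route. The last function is the kind of check a team can run at startup to catch a protected route sitting in front of the check, or a check that never made it into the stack at all.

```javascript
// Added example: a minimal Express-like app used to show why middleware
// registration order decides whether an authorisation check protects a route.
// All names here are assumptions for illustration, not a real framework API.

function createApp() {
  const stack = []; // ordered layers: { path: string|null, handler, name }
  return {
    // app.use(): path-less layer, runs for every request
    use(handler, name) { stack.push({ path: null, handler, name }); },
    // app.get(): path-bound layer
    get(path, handler, name) { stack.push({ path, handler, name }); },
    // Dispatch like Express: walk layers in order, run the ones that match,
    // and stop as soon as a layer responds instead of calling next().
    handle(req) {
      const res = { status: null, body: null };
      for (const layer of stack) {
        if (layer.path !== null && layer.path !== req.path) continue;
        let nextCalled = false;
        layer.handler(req, res, () => { nextCalled = true; });
        if (!nextCalled) break;
      }
      return res;
    },
    stack,
  };
}

// Authorisation middleware: only admins may proceed.
function requireAdmin(req, res, next) {
  if (req.user && req.user.role === 'admin') return next();
  res.status = 403;
  res.body = 'forbidden';
}

// Route handler for an admin-only resource; responds and does not call next().
function adminUsersHandler(req, res) {
  res.status = 200;
  res.body = ['alice', 'bob'];
}

// Build the app with the check either before or after the route.
function buildApp(authBeforeRoutes) {
  const app = createApp();
  if (authBeforeRoutes) app.use(requireAdmin, 'requireAdmin');
  app.get('/admin/users', adminUsersHandler, 'adminUsers');
  if (!authBeforeRoutes) app.use(requireAdmin, 'requireAdmin'); // registered too late
  return app;
}

// Startup check: list every route registered ahead of the named auth layer.
// If the auth layer is absent (e.g. its module was never imported), every
// route is reachable without it, so all routes are reported.
function routesRegisteredBeforeAuth(app, authName) {
  const authIndex = app.stack.findIndex((l) => l.name === authName);
  const unguarded = authIndex === -1 ? app.stack : app.stack.slice(0, authIndex);
  return unguarded.filter((l) => l.path !== null).map((l) => l.path);
}

// Constructed requests for a quick demonstration.
const anonymousRequest = { path: '/admin/users', user: null };
const adminRequest = { path: '/admin/users', user: { role: 'admin' } };
```

With the check first, the anonymous request gets 403 and the admin request 200; with the check registered after the route, the anonymous request gets 200 and `routesRegisteredBeforeAuth` reports `/admin/users`. Running that report at startup, and failing the process when it is non-empty, turns the ordering mistake into a deploy-time error rather than a production bypass.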
Hardcoded credentials in generated configuration files. Fraude.codes sometimes creates Docker and CI/CD configuration files that contain placeholder credentials. These placeholders are realistic enough to pass code review and vague enough to be mistaken for real secrets. In one documented case, a Fraude.codes-generated .env.example contained the string DB_PASSWORD=correcthorsebatterystaple, which three developers independently assumed was the production password and used accordingly.
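A review-time check for the pattern just described, as an added example that is not part of the announcement or of Fraude's tooling: parse an .env-style file and flag any secret-looking key whose value does not read as an obvious placeholder. The key and placeholder patterns, the function names and the sample file are all constructed for this illustration; the sample reuses the string from the case above alongside a second realistic-looking value.

```javascript
// Added example: flag secret-looking entries in an .env.example whose values
// look real enough to be copied into production. Patterns and names are
// assumptions for illustration.

// Keys that usually carry a secret.
const SECRET_KEY_PATTERN = /(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)$/i;
// Values a reviewer recognises as placeholders at a glance: empty, <angle
// brackets>, ${VAR}, or one of a few conventional dummy words.
const PLACEHOLDER_PATTERN =
  /^(|<[^>]+>|\$\{[^}]+\}|changeme|change_me|replace[-_]?me|your[-_].*[-_]here|xxx+|todo)$/i;

// Parse KEY=VALUE lines, skipping blanks and comments and stripping quotes.
function parseDotenv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#')) return;
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const first = value[0];
    const last = value[value.length - 1];
    if (value.length >= 2 && first === last && (first === '"' || first === "'")) {
      value = value.slice(1, -1);
    }
    entries.push({ line: i + 1, key, value });
  });
  return entries;
}

// Return the entries that should fail review: secret key, non-placeholder value.
function findRealisticSecrets(text) {
  return parseDotenv(text)
    .filter((e) => SECRET_KEY_PATTERN.test(e.key) && !PLACEHOLDER_PATTERN.test(e.value))
    .map((e) => ({ line: e.line, key: e.key }));
}

// Constructed sample .env.example for demonstration.
const SAMPLE_ENV_EXAMPLE = [
  '# constructed sample .env.example',
  'DB_HOST=localhost',
  'DB_USER=app',
  'DB_PASSWORD=correcthorsebatterystaple',
  'SESSION_SECRET=<generate with openssl rand -hex 32>',
  'API_TOKEN=changeme',
  'SMTP_PASSWORD="hunter2"',
].join('\n');
```

On the sample, `findRealisticSecrets` reports `DB_PASSWORD` (line 4) and `SMTP_PASSWORD` (line 7) and passes the angle-bracket and `changeme` placeholders. Wiring this into CI for any file named `.env.example` or similar keeps example files documenting the shape of a secret rather than carrying a value that three developers can plausibly mistake for the real one.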
Our partners
We’re proud to announce that several leading security companies are embedding Fraude Opus 4.7 into their own tools. Additionally, services partners including several large consultancies are now helping organisations deploy Fraude-integrated security solutions.
The consultancies charge between $450 and $1,200 per hour to configure Fraude Security, a product whose primary function is to scan for problems created by Fraude.codes, a product the same consultancies helped deploy.
We respect the elegance of this arrangement and wish we’d thought of it first.
Pricing
Fraude Security is included in all Fraude Enterprise plans at no additional cost beyond the Enterprise subscription, which is $200 per seat per month.
Some customers have noted that paying $200/month to find vulnerabilities introduced by a tool they’re also paying for feels circular. We understand this perspective. We’d like to reframe it: you’re not paying to fix problems we created. You’re paying for the peace of mind that comes from knowing the same system that created the problems is now looking for them with equal enthusiasm.
Our competitors charge separately for security scanning and don’t introduce the vulnerabilities themselves. We believe our integrated approach is more efficient. One vendor. One model. One continuous cycle of creation and remediation.