
Your tool finds it. XOR proves the fix works.

Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools flag the vulnerability. Autofix writes a patch. Then a human marks it resolved without checking. XOR runs the patch and replays the trigger, so your customer sees a fix that holds, not a status that changed.

Current verified: 128 vulnerability test cases
Current verified: 1,920 verified evaluations
Target: 6,138+ target vulnerabilities
Target: 250+ codebases

Your autofix says patched. Nobody checked.

Outcome: A scanner that flags a vulnerability and an autofix that closes the ticket are two different claims. XOR adds the third: run the patch, replay the trigger, and confirm the vulnerability is actually gone before anyone calls it fixed.

Mechanism: Find it with your tool. Prove it with XOR. The verification runs as a service through the GitHub App, so your customer's pull request carries a deterministic pass/fail verdict next to the autofix. Your detection plus our proof, in one workflow.

Proof: Across benchmark testing, the verifier caught broken patches the agents claimed were done. The same verifier checks the fixes your tool generates.

Verification as a service, behind your brand.

How verification works

Your scanner already finds the vulnerability. XOR applies the proposed fix to the flagged code and replays the original trigger against it to confirm the vulnerability no longer reproduces. The verdict is deterministic: the same patch and the same trigger always yield the same pass/fail result, so your customer trusts the green check instead of a status field somebody flipped.
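To make the replay idea concrete, here is an added illustration of the verification loop in miniature. It is not XOR's code and the page does not describe the product's internal harness; the path-traversal target, the three candidate patches, the trigger payloads and the oracle are all constructed for this example. The verifier first confirms each trigger reproduces on the unpatched code (a trigger that never fired proves nothing), then replays every trigger against the patched code, and finally checks that benign inputs still behave the same so a patch cannot "pass" by breaking the feature.

```python
import posixpath
from dataclasses import dataclass
from typing import Callable

# Constructed sample target: a file-serving helper a scanner flagged for
# path traversal. Assumed for illustration; not code from XOR or any vendor.
ROOT = "/srv/app/public"
Resolver = Callable[[str], str]


def resolve_before(user_path: str) -> str:
    """The flagged code: joins attacker-controlled input straight under ROOT."""
    return posixpath.normpath(posixpath.join(ROOT, user_path))


def resolve_autofix(user_path: str) -> str:
    """An autofix that only handles the one-level case from the scanner's
    example, yet gets the ticket marked resolved."""
    stripped = user_path[3:] if user_path.startswith("../") else user_path
    return posixpath.normpath(posixpath.join(ROOT, stripped))


def resolve_overblocked(user_path: str) -> str:
    """A 'fix' that rejects every path containing a dot, so nothing is served."""
    if "." in user_path:
        raise PermissionError(f"rejected: {user_path!r}")
    return posixpath.normpath(posixpath.join(ROOT, user_path))


def resolve_fixed(user_path: str) -> str:
    """A real fix: enforce the invariant that the resolved path stays under ROOT."""
    resolved = posixpath.normpath(posixpath.join(ROOT, user_path))
    if posixpath.commonpath([ROOT, resolved]) != ROOT:
        raise PermissionError(f"path escapes document root: {user_path!r}")
    return resolved


def escapes_root(fn: Resolver, payload: str) -> bool:
    """Trigger oracle: True when the payload reaches a path outside ROOT.
    A rejection (PermissionError) counts as the vulnerability not firing."""
    try:
        return posixpath.commonpath([ROOT, fn(payload)]) != ROOT
    except PermissionError:
        return False


def same_behaviour(before: Resolver, after: Resolver, payload: str) -> bool:
    """Regression oracle: the patched code must return what the original did."""
    try:
        return after(payload) == before(payload)
    except PermissionError:
        return False


@dataclass(frozen=True)
class Verdict:
    status: str  # PASS, FAIL, INVALID_TRIGGER or REGRESSION
    detail: str


def verify_patch(before: Resolver, after: Resolver,
                 triggers: list[str], benign: list[str]) -> Verdict:
    # 1. Every trigger must reproduce on the unpatched code; otherwise the
    #    replay would prove nothing about the patch.
    for t in triggers:
        if not escapes_root(before, t):
            return Verdict("INVALID_TRIGGER", f"{t!r} does not reproduce before the patch")
    # 2. Replay each trigger against the patched code.
    for t in triggers:
        if escapes_root(after, t):
            return Verdict("FAIL", f"{t!r} still escapes ROOT after the patch")
    # 3. The patch must not have silenced the trigger by breaking the feature.
    for b in benign:
        if not same_behaviour(before, after, b):
            return Verdict("REGRESSION", f"benign input {b!r} changed behaviour")
    return Verdict("PASS", f"{len(triggers)} trigger(s) replayed, none reproduce")


# Constructed trigger corpus: the scanner's original PoC plus one variant that
# starts with a legitimate directory before climbing out of ROOT.
TRIGGERS = ["../../etc/passwd", "static/../../../etc/shadow"]
BENIGN = ["index.html", "css/site.css"]

CANDIDATES = {
    "status flipped, no code change": resolve_before,
    "autofix strips one '../'": resolve_autofix,
    "overblocking fix": resolve_overblocked,
    "root-confinement fix": resolve_fixed,
}


def run_all() -> dict[str, str]:
    """Verdict status for each candidate patch, keyed by candidate name."""
    return {name: verify_patch(resolve_before, fn, TRIGGERS, BENIGN).status
            for name, fn in CANDIDATES.items()}


if __name__ == "__main__":
    for name, status in run_all().items():
        print(f"{status:16} {name}")
```

Only the root-confinement fix passes: the unchanged code and the one-level autofix both let a trigger escape ROOT, and the overblocking patch stops the trigger but also stops serving ordinary files. The INVALID_TRIGGER status is the check a practitioner most often forgets; a verifier that skips it will happily report PASS for a trigger that never reproduced in the first place.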

Patch Verifier as an end-user feature.

See the GitHub App

Ship verification to your users as a feature, not a research project. XOR runs through the GitHub App on every pull request, attaches the pass/fail evidence, and rejects fixes that do not resolve the vulnerability. Find it with your tool, prove it with XOR.

Signed evidence your customers can hand to auditors.

Standards alignment

Every verification produces a signed record that aligns with supply-chain transparency standards and maps to the control requirements of Service Organization Control 2 (SOC 2), International Organization for Standardization 27001 (ISO 27001), and the European Union Cyber Resilience Act (CRA). Your fix arrives with proof attached.

"We are a security vendor. Are you a competitor?"

No. Your tool finds the vulnerability. XOR proves the proposed fix actually resolves it. Detection and verification are different jobs. Your scanner stays the front door, and the verdict carries your brand.

"Our autofix already marks issues resolved."

Marked resolved and verified resolved are different claims. XOR runs the patch and replays the trigger. If the vulnerability survives, the verifier says so before your customer ships it.

"How does this fit our existing product?"

It runs as a service through the GitHub App on the pull request your tool already touches. One integration. Your detection on the way in, our deterministic proof on the way out.

FAQ

Is XOR a competitor to our scanner?

No. XOR is a partner layer. Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools find vulnerabilities. XOR runs the proposed fix and confirms it resolves the specific vulnerability. Find it with your tool, prove it with XOR.

How does the verification reach my customers?

Through the GitHub App. XOR runs on the pull request, attaches a deterministic pass/fail verdict next to the autofix, and rejects patches that do not resolve the vulnerability. You can ship it to end users as a Patch Verifier feature.

What proof does a customer get?

A signed record from running the patch and replaying the trigger. It aligns with supply chain transparency standards and maps to SOC 2, ISO 27001, and the European Union Cyber Resilience Act (CRA). Auditors accept evidence, not status fields.

Find it with your tool. Prove it with XOR.

Your scanner detects the vulnerability. XOR runs the fix and replays the trigger. Talk to the team about a partner integration.

$ xor patch --verify --learn

Book a demo