Security for Every Stage of AI Development

AI coding tools ship vulnerabilities as fast as they ship features. VettIQ finds them before production — in under 2 minutes, across 6 security stages, with verified fixes.

VettIQ is an AI code security platform that scans AI-generated code for vulnerabilities and vets MCP servers before they run inside AI agent sandboxes.

Secure Your CodeFree BlueprintsBrowse MCP Directory

Works with Cursor, Claude Code, Windsurf, Manus, Bolt, and Lovable.

2,328+ MCP Servers. Risk-Scored. Updated Every 6 Hours.

Every public MCP server on GitHub — scanned by Snyk, Cisco Kenna, Semgrep, and VirusTotal. Search before you connect anything to your agent.

Search the Directory
FREE

Blueprints

Security Rules for AI Coding Tools

Drop a rules file into your project and your AI coding tool enforces security patterns automatically. Prevent the 9 most common vulnerabilities before they are written.

Blueprints are stack-specific security rules files that plug directly into AI coding assistants like Cursor, Claude Code, and Windsurf. Each blueprint encodes the OWASP Top 10 mitigations for a given stack — Next.js + Supabase, Python + FastAPI, and more — so your AI assistant writes secure code by default instead of generating vulnerabilities you have to find later. They are open source, require no account, and install with a single copy-paste command.

Works with Cursor, Claude Code, Windsurf
One-command install
Open source, free forever
Get a Blueprint

Code Security

Multi-LLM Vulnerability Scanner

Catch vulnerabilities that Cursor, Copilot, and AI-generated code introduce — before they ship. A five-stage pipeline scans every file through detection, deep analysis, adversarial checking, fix generation, and verification.

Built for developers and security teams who ship AI-generated code to production. Unlike traditional SAST tools that pattern-match against known CVEs, VettIQ uses multiple LLMs in sequence — each model independently analyzes your code, and only findings that reach 60% consensus across models get reported. This eliminates the false-positive noise that makes most security scanners unusable. The pipeline also generates verified fix suggestions so you can remediate in seconds, not hours.

Code Pipeline
99.7% OWASP Top 10 detection
Multi-LLM consensus pipeline
<2s per file
Explore Code Security

AI Agent Security

Vet Every Skill Before It Runs

NemoClaw secures the runtime. VettIQ secures the supply chain. Vet every MCP server and skill before it runs inside your agent's sandbox.

AI agents like Claude Code, Manus, and custom LangChain builds extend their capabilities by connecting to MCP servers — third-party code that gets full access to your agent's execution environment. Most teams install these servers without any security review. VettIQ's MCP directory scans every public MCP server on GitHub through four independent security scanners (Snyk, Cisco Kenna, Semgrep, VirusTotal) and assigns a weighted risk score from 0 to 100, so you know exactly what you're connecting before it touches your sandbox.

MCP Pipeline
4-scanner vetting pipeline
2,273+ MCP servers scanned & scored
Works with NemoClaw, OpenClaw & custom agents
Browse MCP Directory

How VettIQ Works

Code Security Pipeline

When you submit code for scanning, VettIQ runs it through a five-stage sequential pipeline. Each stage uses a different LLM to analyze your code independently, so no single model's blind spots can cause a missed vulnerability.

  1. 1

    Detection

    The first model scans for OWASP Top 10 vulnerabilities, hardcoded credentials, injection flaws, and insecure dependencies. It produces an initial list of candidate findings with severity ratings.

  2. 2

    Deep Analysis

    A second model examines each candidate finding in context — analyzing data flow, authentication boundaries, and business logic to determine whether the vulnerability is reachable and exploitable.

  3. 3

    Adversarial Review

    A third model actively tries to disprove each finding. It looks for mitigating controls, framework-level protections, and environmental factors that might make a reported vulnerability a false positive.

  4. 4

    Fix Generation

    For every confirmed vulnerability, a fourth model generates a concrete fix — actual code you can apply, not a generic recommendation. Fixes are scoped to the minimum change needed to remediate the issue.

  5. 5

    Verification

    A final model verifies that the proposed fix actually resolves the vulnerability without introducing regressions. Only findings that survive all five stages and reach 60% cross-model consensus are reported.

MCP Directory Pipeline

VettIQ continuously discovers and scans every public MCP server on GitHub. New servers are detected every six hours and immediately queued for analysis through a four-scanner vetting pipeline.

  1. 1

    Discovery

    An automated crawler indexes GitHub for repositories that implement the Model Context Protocol. New servers are added to the queue within six hours of publication.

  2. 2

    Dependency Scanning

    Snyk and Semgrep analyze the server's dependency tree and source code for known CVEs, insecure coding patterns, and supply-chain risks. Cisco Kenna provides exploit-prediction scoring.

  3. 3

    Threat Intelligence

    VirusTotal cross-references the repository against known malware signatures, and results are enriched with data from CISA KEV, GitHub Security Advisories, and the OSV database.

  4. 4

    Risk Scoring

    Scanner results are aggregated into a weighted risk score from 0 to 100. Each server receives a status — approved, guardrails recommended, or rejected — so you can make an informed decision before connecting it to your AI agent.

2,328+
MCP Servers
Scanned
4
Security Scanners
per Server
99.7%
OWASP Top 10
Detection Rate

“VettIQ caught a hardcoded service key in our Supabase integration that Cursor generated and our team missed entirely.”

— Beta tester, AI-first SaaS team

MCP Trust Directory

The MCP Ecosystem Has a Trust Problem

Thousands of MCP servers on GitHub. No security standards. No vetting process. Developers are adding untrusted code directly into their AI coding workflows.

VettIQ scans every public MCP server automatically — Snyk, Cisco Kenna, Semgrep, and VirusTotal — and publishes the results so you can trust what you install.

Browse the MCP Directory

4 Scanners

Snyk, Cisco Kenna, Semgrep, and VirusTotal on every server

Risk Scored

Weighted 0–100 risk score with approved, guardrails, or rejected status

Threat Intel

Cross-referenced against CISA KEV, GitHub Advisories, and OSV

Always Current

Discovery runs every 6 hours — new MCP servers scanned automatically

AI writes vulnerable code

68% of codebases contain vulnerabilities. VettIQ Code Security catches them before they ship.

AI agents run without guardrails

AI agents install third-party MCP servers without vetting. VettIQ scans every one before it enters your sandbox.

One platform, full coverage

Secure your development and your deployments from a single dashboard.

Powered by Snyk, Semgrep, and VirusTotal scanning engines

Multi-LLM consensus pipeline with 6-stage analysis

The Cost of Shipping Unscanned AI Code

$3.31M
Median cost of a small business data breach
(IBM 2024)
6–100x
More expensive to fix in production than pre-deploy
(NIST)
45–90 min
Manual security review per file. VettIQ: under 2 min.

AI coding tools ship features fast. They also skip security fundamentals consistently — missing database access controls, credentials in client code, no rate limiting on auth endpoints. These aren't random mistakes. They're the same nine patterns, every codebase, every tool. VettIQ finds them before they reach production.

Building with AI coding tools?

Catch the vulnerabilities Cursor and Claude Code introduce

Explore Code Security

Deploying AI agents with MCP?

Vet every server before it runs inside your agent sandbox

Browse MCP Directory
Use CasesVettIQ vs Traditional SASTBlog