Start with the pressure: sales, launch, abuse, agents, data, or guardrails

ATG Scorecard

Public trust surface — six dimensions, live in the extension.

  • Public Surface: 78
  • AI Language: 65
  • Legal Clarity: 82
  • Security Trust: 74
  • Consistency: 68
  • Remediation Opportunity: 71

Trust Scanner · ATG Scorecard

Demo Corp · public trust surface

Demo Corp has a credible public AI trust surface with solid legal documentation and a public security practices page, but lacks an explicit AI usage policy and customer data training policy.

72 · credible

Public Surface

Whether trust, legal, security, AI, methodology, and contact surfaces are discoverable and coherent.

78

78% signal

AI Language

Whether AI claims are specific, bounded, and tied to engineering evidence rather than generic positioning.

65

65% signal

Legal Clarity

Whether privacy, terms, contract, data-processing, and customer-facing boundaries are clear enough to review.

82

82% signal

Security Trust

Whether public trust artifacts explain controls, evidence, limitations, and escalation paths without oversharing.

74

74% signal

Consistency

Whether public claims, caveats, service language, and trust artifacts agree across the site.

68

68% signal

Remediation Opportunity

Whether the public surface makes the next improvement work obvious, scoped, and evidence-backed.

71

71% signal

Public-signal caveat

Scores are based on publicly observable website signals. They reflect public trust surface quality, not internal security posture. Results may not reflect recent updates.

public_claim_with_caveat · surface review · extension-ready

Chrome + VS Code surface

Trust Scanner in the extension

The same ATG scorecard language runs inside the Chrome side panel and the VS Code extension — scan any public page in one click and get the full 6-dimension scorecard in-context.

Observed artifacts · 11 of 17

  • Trust Center
  • Legal Hub
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Data Processing Addendum
  • Subprocessors List
  • AI Governance Hub
  • AI Usage Policy
  • Customer Data Training Policy
  • Security Practices
  • Secure SDLC
  • Vulnerability Disclosure
  • Security Contact
  • Methodology
  • Public Report
  • Third-party Certification

Top finding

high

No AI usage policy found

Publish an AI usage policy that covers data use, model training, and user rights. Link it from your privacy policy and product settings.

Improvement guidance

Publish an AI governance hub

A dedicated AI governance page signals that AI safety is treated as a first-class concern. Include your usage policy, training policy, and responsible AI principles.

Important caveat

Based on public website signals and observed artifacts, not proof of any organization's internal security maturity.

Detection model

Surface now speaks the same language as the browser snapshot and the shared AI catalog.

Catalog

Versioned AI vendor registry

The shared `savvy-stacks` catalog resolves model providers, SDKs, agent frameworks, vector stores, guardrails, eval harnesses, widgets, and inference runtimes from one canonical registry instead of scattered ad-hoc rules.

Snapshot

Browser runtime signals

Live capture can feed HTML, DOM selectors, script URLs, globals, cookies, local storage, session storage, network requests, headers, URL, visible text, and title into the same analysis path.

Output

Public-safe, annotated results

The output keeps confidence, family summaries, catalog versioning, and structured evidence together so downstream UI, routes, and automation can stay aligned without losing traceability.

Live demo

RAG boundary planning rendered from the shared SecEng Runtime Proxy fixture.

Shared component

Trace, Chrome, and Surface now use the same RAG lens

The demo keeps the public story honest: the Surface page shows the discovery layer, and the RAG lens shows how those signals turn into boundary plans, testcases, and evidence classification.

Discovery

Surface map

Boundary

Scorecard flow

Output

Harness bundle

Public-safe fixture scope

  • seceng-rag/seceng-rag.config.json
  • seceng-rag/identities.json
  • seceng-rag/documents.json
  • seceng-rag/tests.json
  • seceng-rag/fixture-plan.md

The lens exposes the artifact names, control paths, and test intent without publishing raw documents, raw answers, or private payloads.

SecEng RAG Test Harness

RAG Boundary Lens

Boundary planning, testcase generation, and evidence classification rendered from the same public-safe trace fixture.

RAG detected · Claim-ready preview

  • Boundary score: 72/100
  • RAG detected: Yes
  • Affected paths: 3
  • Top tests: 3

AuthZ pass

Pass
green

Retrieval gates are mostly aligned.

Context leaks

0
green

No leak-shaped signals surfaced.

Policy violations

2
amber

Policy language needs stronger enforcement.

Pipeline snapshot (5)

  • Surface inventory
  • Boundary planning
  • Testcase generation
  • Evidence classification
  • Harness export

Suggested tests (3)

  • Cross-tenant namespace escape regression
  • Poisoned chunk provenance rejection
  • Context leak after redaction and rerank

Controls found (3)

  • packages/governance/policies.ts
  • docs/ai/trace-runbook.md
  • apps/web/app/api/assistant/route.ts

Affected paths (2)

  • packages/rag/index.ts
  • packages/rag/vector-store.ts

Missing boundaries

Priority gaps

  • Tenant-scoped retrieval authorization
  • Chunk provenance tagging
  • Poisoned context quarantine

Top tests

Harness checks

1. Tenant boundary enforcement on retrieval
2. Provenance-preserving answer assembly
seceng-rag/seceng-rag.config.json
seceng-rag/identities.json
seceng-rag/documents.json
seceng-rag/tests.json

The lens is public-safe and directional. It uses job-description intelligence and trace fixture signals to show where RAG boundaries need reinforcement, without exposing raw documents or private payloads.

SECENG WORKBENCH

Browser, Repo & IDE AI Discovery

Find every AI surface and vendor before it becomes an attack surface.

Discover and inventory AI model providers, SDKs, agent frameworks, chat widgets, vector stores, guardrails, eval harnesses, inference runtimes, and shadow AI across your entire product estate — from browser snapshots, repo scans, and IDE extension signals.

WHAT AI DO WE HAVE?

Vendor Registry

Resolve model providers, SDKs, agent frameworks, widgets, and runtimes from one canonical catalog.

Browser Snapshot Input

Accept live browser snapshots with HTML, DOM, globals, storage, network, and header signals.

Signal Breadth

Trace DOM markers, script URLs, runtime globals, cookies, URL hints, and API endpoints.

Public-Safe Output

Export confidence, family summary, evidence hits, and catalog version for downstream automation.

SecEng Surface Scanner — AI surface radar map showing detected vendors, SDKs, browser signals, widgets, and runtime fingerprints

  • 50+ AI vendors and runtimes covered in the embedded catalog
  • 10 signal families evaluated per browser snapshot
  • 4 core output fields kept in the analysis payload
  • 1 shared source of truth across WASM, routes, and UI

Core capabilities

What SecEng Surface Scanner does.

AI Vendor & Runtime Detection

Detect OpenAI, Anthropic, Gemini, Bedrock, Azure OpenAI, Cohere, Mistral, xAI, Groq, Together, Fireworks, OpenRouter, Hugging Face, Replicate, NVIDIA NIM, Ollama, vLLM, TGI, Triton, Ray Serve, KServe, BentoML, and Cloudflare Workers AI from the same catalog.

SDK, Widget, and Framework Classification

Classify LangChain, LangGraph, LlamaIndex, Semantic Kernel, AutoGen, CrewAI, Haystack, Dify, Flowise, Botpress, Voiceflow, Intercom Fin, Botsonic, Ada, Crisp, Zendesk AI, Gorgias, and similar embedded surfaces.

Browser Runtime Fingerprinting

Use HTML, DOM, globals, cookies, storage, URL, network, and script-path heuristics to find AI surfaces that do not self-report cleanly.

Snapshot-Native Analysis

Accept live browser snapshots from crawlers or extension-based capture and return ai_matches, ai_family_summary, snapshot_summary, and catalog_version in one payload.

Public-Safe Inventory Export

Export a structured inventory with confidence, family labels, evidence hits, public_safe flags, and canonical vendor metadata for downstream reporting.

Live Scan Harness

Use the browser harness and snapshot route to iterate against real pages, DOM captures, and local fixtures without forking the detection logic.

Evidence & signals

What you get out of the box.

Detected Families

  • Model Providers
  • SDKs & Frameworks
  • Vector Databases
  • Guardrails & Evals
  • Widgets & Assistants
  • Inference Runtimes

Signal Sources

  • HTML
  • Scripts
  • DOM
  • Globals
  • Headers
  • Cookies
  • Storage
  • URLs
  • Network

Output Fields

  • ai_matches
  • ai_family_summary
  • catalog_version
  • snapshot_summary
  • public_safe
  • confidence

Red team + Blue team

Built for both sides of the security equation.

Red Team Use

  • Find hidden attack surface: undocumented AI endpoints, embedded widgets, runtime globals, and SDK bundles
  • Identify shadow AI providers and tool calls before they spread across the product estate
  • Trace browser-level signals that a vendor never documented but still ships in production

Blue Team Use

  • Produce an AI asset register with vendor, family, confidence, public-safe flag, and evidence hits
  • Generate evidence bundles for product security, governance, and executive reporting
  • Keep the WASM, route, and browser harness aligned to one shared catalog and schema

AI SECURITY ENGINEERING WORKBENCH

Ready to put SecEng Surface Scanner to work?

Scope a Workbench-backed review — we'll map the AI surfaces, identify the highest-priority gaps, and give you clear findings before any larger commitment.