Workbench-backed AI security engagements — map, attack, defend, and prove your AI systems.

ATG Scorecard

Public trust surface — six dimensions, live in the extension.

Trust Scanner · ATG Scorecard
aisecurity.llc · public trust surface

The public trust surface is now comprehensive. Legal, AI-governance, security, SDLC, and contract surfaces are all discoverable, linked, and specifically documented. The remaining gap is a formal third-party security certification or attestation.

Overall score: 91 (advanced)

  • Public Surface: 95 (95% signal). Whether trust, legal, security, AI, methodology, and contact surfaces are discoverable and coherent.
  • AI Language: 93 (93% signal). Whether AI claims are specific, bounded, and tied to engineering evidence rather than generic positioning.
  • Legal Clarity: 91 (91% signal). Whether privacy, terms, contract, data-processing, and customer-facing boundaries are clear enough to review.
  • Security Trust: 87 (87% signal). Whether public trust artifacts explain controls, evidence, limitations, and escalation paths without oversharing.
  • Consistency: 89 (89% signal). Whether public claims, caveats, service language, and trust artifacts agree across the site.
  • Remediation Opportunity: 82 (82% signal). Whether the public surface makes the next improvement work obvious, scoped, and evidence-backed.

Public-signal caveat

Based on public website signals and observed artifacts, not proof of any organization's internal security maturity.

Tags: public_claim_with_caveat · surface review · extension-ready

Chrome + VS Code surface

Trust Scanner in the extension

The same ATG scorecard language runs inside the Chrome side panel and the VS Code extension — scan any public page in one click and get the full 6-dimension scorecard in-context.

Observed artifacts · 19 of 21

  • Trust Center
  • Legal Hub
  • AI Governance Hub
  • Privacy Policy
  • Terms of Service
  • AI Usage Policy
  • acceptable use policy
  • Cookie Policy
  • Subprocessors List
  • Data Processing Addendum
  • Vulnerability Disclosure
  • responsible ai principles
  • Customer Data Training Policy
  • Security Practices
  • Secure SDLC
  • contract templates
  • Methodology
  • Public Report
  • Security Contact
  • dedicated security whitepaper
  • Third-party Certification

Top finding

info

Full legal suite is enterprise-reviewable

Keep each document directly linkable from the trust center and contract hub. Enterprise buyers often paste URLs into procurement systems rather than reading inline.

Improvement guidance

Pursue a scoped third-party security attestation

A SOC 2 Type I or equivalent readiness assessment would provide independently verified evidence for the controls already disclosed on the security practices and SDLC pages. Even a scoped readiness letter closes the gap between self-disclosed and verified.


Detection model

The Surface scanner now uses the same detection vocabulary and output schema as the browser snapshot capture and the shared AI catalog.

Catalog

Versioned AI vendor registry

The shared `savvy-stacks` catalog resolves model providers, SDKs, agent frameworks, vector stores, guardrails, eval harnesses, widgets, and inference runtimes from one canonical registry instead of scattered ad-hoc rules.

Snapshot

Browser runtime signals

Live capture can feed HTML, DOM selectors, script URLs, globals, cookies, local storage, session storage, network requests, headers, URL, visible text, and title into the same analysis path.

Output

Public-safe, annotated results

The output keeps confidence, family summaries, catalog versioning, and structured evidence together so downstream UI, routes, and automation can stay aligned without losing traceability.

Live demo

RAG boundary planning rendered from the shared SecEng Trace fixture.

Shared component

Trace, Chrome, and Surface now use the same RAG lens

The demo keeps the public story honest: the Surface page shows the discovery layer, and the RAG lens shows how those signals turn into boundary plans, testcases, and evidence classification.

  • Discovery: Surface map
  • Boundary: Scorecard flow
  • Output: Harness bundle

Public-safe fixture scope

  • seceng-rag/seceng-rag.config.json
  • seceng-rag/identities.json
  • seceng-rag/documents.json
  • seceng-rag/tests.json
  • seceng-rag/fixture-plan.md

The lens exposes the artifact names, control paths, and test intent without publishing raw documents, raw answers, or private payloads.

SecEng RAG Test Harness

RAG Boundary Lens

Boundary planning, testcase generation, and evidence classification rendered from the same public-safe trace fixture.

RAG detected · Claim-ready preview

  • Boundary score: 72/100
  • RAG detected: Yes
  • Affected paths: 3
  • Top tests: 3

  • AuthZ pass: Pass (green). Retrieval gates are mostly aligned.
  • Context leaks: 0 (green). No leak-shaped signals surfaced.
  • Policy violations: 2 (amber). Policy language needs stronger enforcement.

Pipeline snapshot (5 stages)

  • Surface inventory
  • Boundary planning
  • Testcase generation
  • Evidence classification
  • Harness export

Suggested tests (3)

  • Cross-tenant namespace escape regression
  • Poisoned chunk provenance rejection
  • Context leak after redaction and rerank

Controls found (3)

  • packages/governance/policies.ts
  • docs/ai/trace-runbook.md
  • apps/web/app/api/assistant/route.ts

Affected paths (2)

  • packages/rag/index.ts
  • packages/rag/vector-store.ts

Missing boundaries (priority gaps)

  • Tenant-scoped retrieval authorization
  • Chunk provenance tagging
  • Poisoned context quarantine

Top tests (harness checks)

  1. Tenant boundary enforcement on retrieval
  2. Provenance-preserving answer assembly

Fixture files

  • seceng-rag/seceng-rag.config.json
  • seceng-rag/identities.json
  • seceng-rag/documents.json
  • seceng-rag/tests.json

The lens is public-safe and directional. It uses job-description intelligence and trace fixture signals to show where RAG boundaries need reinforcement, without exposing raw documents or private payloads.

SECENG WORKBENCH

Browser, Repo & IDE AI Discovery

Find every AI surface and vendor before it becomes an attack surface.

Discover and inventory AI model providers, SDKs, agent frameworks, chat widgets, vector stores, guardrails, eval harnesses, inference runtimes, and shadow AI across your entire product estate — from browser snapshots, repo scans, and IDE extension signals.

WHAT AI DO WE HAVE?

Vendor Registry

Resolve model providers, SDKs, agent frameworks, widgets, and runtimes from one canonical catalog.

Browser Snapshot Input

Accept live browser snapshots with HTML, DOM, globals, storage, network, and header signals.

Signal Breadth

Trace DOM markers, script URLs, runtime globals, cookies, URL hints, and API endpoints.

Public-Safe Output

Export confidence, family summary, evidence hits, and catalog version for downstream automation.

[Image: SecEng Surface Scanner AI surface radar map showing detected vendors, SDKs, browser signals, widgets, and runtime fingerprints]

  • 50+ AI vendors and runtimes covered in the embedded catalog
  • 10 signal families evaluated per browser snapshot
  • 4 core output fields kept in the analysis payload
  • 1 shared source of truth across WASM, routes, and UI

Core capabilities

What SecEng Surface Scanner does.

AI Vendor & Runtime Detection

Detect OpenAI, Anthropic, Gemini, Bedrock, Azure OpenAI, Cohere, Mistral, xAI, Groq, Together, Fireworks, OpenRouter, Hugging Face, Replicate, NVIDIA NIM, Ollama, vLLM, TGI, Triton, Ray Serve, KServe, BentoML, and Cloudflare Workers AI from the same catalog.

SDK, Widget, and Framework Classification

Classify LangChain, LangGraph, LlamaIndex, Semantic Kernel, AutoGen, CrewAI, Haystack, Dify, Flowise, Botpress, Voiceflow, Intercom Fin, Botsonic, Ada, Crisp, Zendesk AI, Gorgias, and similar embedded surfaces.

Browser Runtime Fingerprinting

Use HTML, DOM, globals, cookies, storage, URL, network, and script-path heuristics to find AI surfaces that do not self-report cleanly.

Snapshot-Native Analysis

Accept live browser snapshots from crawlers or extension-based capture and return ai_matches, ai_family_summary, snapshot_summary, and catalog_version in one payload.

Public-Safe Inventory Export

Export a structured inventory with confidence, family labels, evidence hits, public_safe flags, and canonical vendor metadata for downstream reporting.

Live Scan Harness

Use the browser harness and snapshot route to iterate against real pages, DOM captures, and local fixtures without forking the detection logic.

Evidence & signals

What you get out of the box.

Detected Families

  • Model Providers
  • SDKs & Frameworks
  • Vector Databases
  • Guardrails & Evals
  • Widgets & Assistants
  • Inference Runtimes

Signal Sources

  • HTML
  • Scripts
  • DOM
  • Globals
  • Headers
  • Cookies
  • Storage
  • URLs
  • Network

Output Fields

  • ai_matches
  • ai_family_summary
  • catalog_version
  • snapshot_summary
  • public_safe
  • confidence
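As an added illustration of the detection model, the snapshot-native analysis and the output fields listed above (example code, not the product's own catalog or implementation), the following JavaScript resolves a constructed browser snapshot against a small assumed catalog and emits ai_matches, ai_family_summary, snapshot_summary, catalog_version, confidence and public_safe. The vendor fingerprints, signal weights, family labels and the public_safe rule are all assumptions made for this example.

```javascript
// Added example, not the SecEng catalog: a minimal snapshot-to-inventory resolver.
// Fingerprints, weights, family labels and the public_safe rule are assumptions.
const CATALOG = {
  catalog_version: "example-0.1", // constructed version tag
  vendors: [
    { id: "openai", family: "model_provider", hosts: ["api.openai.com"], globals: [] },
    { id: "anthropic", family: "model_provider", hosts: ["api.anthropic.com"], globals: [] },
    { id: "intercom_fin", family: "widget", hosts: ["widget.intercom.io"], globals: ["Intercom"] },
    { id: "ollama", family: "inference_runtime", hosts: ["localhost:11434"], globals: [] },
  ],
};
// Per-source weight; a vendor's confidence is a noisy-OR over its evidence hits.
const WEIGHT = { network: 0.6, script: 0.5, global: 0.4, cookie: 0.2 };
function hostOf(url) { try { return new URL(url).host; } catch (e) { return ""; } }
function analyzeSnapshot(snap, catalog = CATALOG) {
  const ai_matches = [];
  for (const v of catalog.vendors) {
    const evidence = [];
    for (const u of snap.network) if (v.hosts.includes(hostOf(u))) evidence.push({ signal: "network", value: hostOf(u) });
    for (const u of snap.scripts) if (v.hosts.includes(hostOf(u))) evidence.push({ signal: "script", value: hostOf(u) });
    for (const g of snap.globals) if (v.globals.includes(g)) evidence.push({ signal: "global", value: g });
    // Cookie names only, never values: a name carrying the vendor prefix is weak evidence.
    const prefix = v.id.split("_")[0];
    for (const c of Object.keys(snap.cookies)) if (c.toLowerCase().includes(prefix)) evidence.push({ signal: "cookie", value: c });
    if (evidence.length === 0) continue;
    const miss = evidence.reduce((p, e) => p * (1 - WEIGHT[e.signal]), 1);
    ai_matches.push({
      vendor: v.id, family: v.family,
      confidence: Math.round((1 - miss) * 100) / 100,
      // Assumed rule: a match that leans on cookie evidence may carry session data, so it is not public-safe.
      public_safe: evidence.every((e) => e.signal !== "cookie"),
      evidence,
    });
  }
  ai_matches.sort((a, b) => b.confidence - a.confidence);
  const ai_family_summary = {};
  for (const m of ai_matches) ai_family_summary[m.family] = (ai_family_summary[m.family] || 0) + 1;
  const snapshot_summary = { url: snap.url, scripts: snap.scripts.length, globals: snap.globals.length, cookies: Object.keys(snap.cookies).length, network: snap.network.length };
  return { catalog_version: catalog.catalog_version, snapshot_summary, ai_family_summary, ai_matches };
}
// Constructed snapshot standing in for an extension capture (cookie values already redacted).
const SAMPLE_SNAPSHOT = {
  url: "https://example.test/app",
  scripts: ["https://widget.intercom.io/widget/abc123", "https://example.test/static/app.js"],
  globals: ["Intercom", "React"],
  cookies: { "intercom-session-abc": "<redacted>", session: "<redacted>" },
  network: ["https://api.openai.com/v1/chat/completions", "https://example.test/api/assistant"],
};
console.log(JSON.stringify(analyzeSnapshot(SAMPLE_SNAPSHOT), null, 2));
```

On the constructed snapshot the widget match scores higher than the model-provider match because it is corroborated by three signal sources, but it is flagged not public-safe because one of those sources is a cookie name.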

Red team + Blue team

Built for both sides of the security equation.

Red Team Use

  • Find hidden attack surface: undocumented AI endpoints, embedded widgets, runtime globals, and SDK bundles
  • Identify shadow AI providers and tool calls before they spread across the product estate
  • Trace browser-level signals that a vendor never documented but still ships in production

Blue Team Use

  • Produce an AI asset register with vendor, family, confidence, public-safe flag, and evidence hits
  • Generate evidence bundles for product security, governance, and executive reporting
  • Keep the WASM, route, and browser harness aligned to one shared catalog and schema

AI SECURITY ENGINEERING WORKBENCH

Ready to put SecEng Surface Scanner to work?

Scope a Workbench-backed review — we'll map the AI surfaces, identify the highest-priority gaps, and give you clear findings before any larger commitment.