Verified, submission-ready vulnerability reports. Not noise. Not false positives. Real exploits, confirmed in a browser, ready for HackerOne.
Arbiter was used in January 2026 to discover security issues in Vercel's open source projects. All findings were ethically disclosed via responsible disclosure. No fabricated testimonials — just results.
Vulnerability discovered in Vercel's AI SDK, the most widely used library for building AI applications with JavaScript. Responsibly disclosed and awaiting vendor response. [Responsibly Disclosed]
Security issue identified in Turborepo, Vercel's high-performance build system used by thousands of production codebases. Ethically reported and pending review. [Responsibly Disclosed]
100% detection rate across all 85 test endpoints in Google's XSS Firing Range — the industry-standard benchmark for vulnerability detection accuracy. [85/85 Verified]
Traditional fuzzing: enumerate every possible request, test, filter false positives. Arbiter: infer constraints, model valid state, search only for violations, verify in a real browser.
Import traffic from HAR files, Burp XML exports, or Arbiter's built-in proxy. Handles authenticated sessions and TLS.
Build a state graph from observed behaviour. Infer authorization rules, ordering constraints, rate limits, and CSRF flows automatically.
Run 30+ detectors that search for constraint violations — not just pattern matches. Every finding is verified in headless Chrome with screenshot evidence.
Generate submission-ready reports for HackerOne, Bugcrowd, or Intigriti. Includes PoC code, evidence screenshots, and CVSS scoring.
Burp is manual. Nuclei matches signatures. ZAP is noisy. Arbiter infers constraints and reasons about logic.
| Capability | Burp Suite Pro | Nuclei | OWASP ZAP | Arbiter |
|---|---|---|---|---|
| Constraint inference from traffic | ||||
| State graph construction | ||||
| Real browser verification | Headless only | Basic | | Full Chrome + Evidence |
| Race condition exploitation | Manual via Turbo Intruder | | | H/2 single-packet, <100µs |
| AI agent integration (MCP) | | | | 82 MCP tools |
| Bug bounty report generation | Basic markdown | | | HackerOne, Bugcrowd, Intigriti |
| WAF detection & bypass | Extensions | Templates | | Fingerprint + AI mutation |
| Vulnerability detectors | Scanner + extensions | 6,000+ templates | Active + passive | 30+ constraint-aware |
| Performance | JVM-based | Go | JVM-based | Rust, zero-GC |
| Price | $449/yr | Free (OSS) | Free (OSS) | Free tier + Pro |
Nuclei excels at known CVE scanning with its massive template library. Burp's manual testing workflow is mature. Arbiter's advantage is logic-aware discovery and verification — it's complementary, not a wholesale replacement for every use case.
This isn't a wrapper around existing tools. It's 231,000 lines of Rust built from scratch.
Each capability is built to find the vulnerability classes that pay the highest bounties.
Implements James Kettle's "Smashing the State Machine" research from PortSwigger. All HTTP/2 requests are packed into a single TCP segment, achieving sub-100 microsecond timing precision. This eliminates network jitter and exposes race conditions that other tools miss entirely.
Detects double-spend, limit bypass, TOCTOU, and coupon abuse vulnerabilities. Automatic shared-resource analysis identifies race-prone endpoints.
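As an added illustration of the double-spend / coupon-abuse class named above (this is constructed example code, not Arbiter's), the Python below races a single-use coupon handler written check-then-act against one that does the check and the write atomically. A threading.Barrier stands in for the effect of the single-packet technique: every request lands inside the same timing window. The store, the code "SAVE20" and both handlers are assumptions made for the example.

```python
"""Single-use coupon redemption: vulnerable (check-then-act) beside hardened
(atomic check-and-set), raced by synchronized threads. Constructed example."""
import threading

class CouponStore:
    """In-memory stand-in for the coupons table; one row per code."""
    def __init__(self, codes):
        self.used = {code: False for code in codes}
        self.lock = threading.Lock()

def redeem_vulnerable(store, code, barrier=None):
    """TOCTOU: the 'already used?' check and the 'mark used' write are two
    separate steps, so every request that passes the check gets the discount.
    The barrier models all racers landing inside that window."""
    if store.used.get(code) is not False:
        return False                      # unknown code or already used
    if barrier is not None:
        barrier.wait()                    # every racer has passed the check
    store.used[code] = True
    return True

def redeem_hardened(store, code, barrier=None):
    """Check and write happen under one lock, the in-process equivalent of
    UPDATE ... SET used = 1 WHERE code = ? AND used = 0 plus a row-count check."""
    if barrier is not None:
        barrier.wait()
    with store.lock:
        if store.used.get(code) is not False:
            return False
        store.used[code] = True
        return True

def race(redeem, code="SAVE20", racers=8):
    """Fire `racers` concurrent redemptions of one code and return how many
    succeeded. A correct endpoint yields exactly 1."""
    store = CouponStore([code])
    barrier = threading.Barrier(racers)
    results = []                          # list.append is atomic in CPython
    threads = [threading.Thread(target=lambda: results.append(
                   redeem(store, code, barrier))) for _ in range(racers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)

if __name__ == "__main__":
    print("vulnerable:", race(redeem_vulnerable))   # 8
    print("hardened:  ", race(redeem_hardened))     # 1
```

The same shared-resource pattern (balance debits, rate-limit counters, one-time tokens) races the same way; the fix is always to make the check and the state change one atomic operation.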
Arbiter is an MCP server. Connect it to Claude, and the AI can orchestrate full security assessments autonomously — from traffic import to verified report. This isn't a chatbot wrapper. It's 82 tools the AI reasons with.
Every XSS, every injection, every bypass is confirmed in a real headless Chrome instance before it reaches your report. DOM snapshots, console logs, network traces, and screenshots are captured as evidence.
Identifies WAF vendors (Cloudflare, Akamai, AWS WAF, etc.), profiles blocking behaviour, and generates bypass payloads. The Polychrome AI module (coming Q2 2026) will add SLM-powered mutation for novel evasion.
XSS, SQLi, IDOR, SSRF, CSRF, command injection, path traversal, CORS misconfig, JWT flaws, WebSocket hijacking, GraphQL abuse, HTTP smuggling, cache poisoning, XS-Leaks, NoSQL injection, DOM clobbering, DNS rebinding, OAuth/OIDC flaws, and more.
Generates platform-specific reports for HackerOne, Bugcrowd, and Intigriti. Includes reproduction steps, PoC code (curl, Python, JavaScript, raw HTTP), CVSS scoring, and remediation guidance.
Join the waitlist to get early access when we open the beta. No spam. One email when it's ready.
Questions? Interested in collaborating?
arbiter.security.tool@gmail.com