The IDE extension that saw every attack on your app.
Fix pulls Assess findings into VS Code with the full pentest-agent log — hundreds of thousands of attack attempts, payloads, and reasoning traces from your engagement. That context is why its patches are sharper than Copilot, Cursor, or Claude Code on a finding summary.
Why Fix produces sharper patches than Copilot on a finding summary
Every Assess engagement generates a pentest-agent log: the exact requests the AI tried, the responses it got back, the paths it pivoted through, the hypotheses it tested and discarded. Fix loads that log as code-context when it drafts the patch. Nothing else does this.
Finding summary only: "SQL injection on /api/users?id — use parameterized queries." Produces a textbook fix for the class of vulnerability. Doesn't know which other routes share this helper, whether the ORM already has an escape hook, or what the attacker actually did to get here.
With the pentest-agent log: produces a patch that matches your code's actual shape: uses the ORM helper you already import three files over, catches the adjacent routes that share the same query builder, and respects your existing validation layer.
How Fix actually works
Four steps. Then a candidate PR sitting in your review queue.
Install the IDE extension
VS Code live. Visual Studio in beta. Drop-in install — the extension authenticates against your ShieldProbe tenant and pulls your Assess findings into the editor.
Findings materialize at the right file and line
Each finding opens in the IDE with the exact file, line, and payload that proved it. Reproducible evidence sits next to the code, not buried in a PDF in Jira.
In-code research with full agent context
The AI drafts a patch using the pentest-agent log as context. It traces callers and callees, checks your existing imports and helpers, and writes code that fits your style.
One-click candidate PR
The patch opens as a PR in your repo. Your CI runs. Your reviewers review. Your tests gate. Nothing is bypassed, nothing is auto-merged — the PR is just there, ready for humans.
Fix does what Copilot can't: patches a logic flaw from the attack transcript
The banking-app negative-number withdraw (the same finding Defend neutralizes at runtime). Here's the permanent code fix Fix drafts — and why it could only produce it with the pentest-agent log.
- The exact POST the agent sent: { amount: -50000 }
- The server's response: 200 OK, balance increased
- Four adjacent endpoints (/transfer, /refund, /credit, /adjust) that share the same sign-trusting handler
- Your existing validateAmount() helper in lib/validators.ts
// controllers/transactions.ts — candidate patch
// Generated by ShieldProbe Fix · references 4 adjacent routes
import { validateAmount } from '@/lib/validators';
export async function withdraw(req, res) {
const { account, amount } = req.body;
+ const parsed = validateAmount(amount, { min: 0.01, max: LIMITS.withdraw });
+ if (!parsed.ok) return res.status(400).json({ error: parsed.reason });
- if (balance < amount) return res.status(402).send();
+ if (balance < parsed.value) return res.status(402).send();
// ... existing logic, now safe against negative/oversized amounts
}
// Fix also drafts companion patches for:
// controllers/transfer.ts, refund.ts, credit.ts, adjust.ts
Reuses your helper. Catches every sibling route that shares the flaw. Preserves your existing 402 response shape. A generic assistant pointed at a finding summary would only patch the one file — and might even reinvent the validator.
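Review bot: only the balance check switches to `parsed.value`; the raw `amount` destructured from `req.body` stays in scope for the elided `// ... existing logic`, so the debit itself must also use `parsed.value` (or `amount` must be reassigned) or a numeric string that passes validation could still be subtracted as a string. `balance` and `LIMITS` are also used without being declared or imported in the shown context; the full patch should show where they come from so reviewers can confirm the validation runs before any balance lookup it is meant to guard.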
What Fix will not do
Trust-by-design. Here's what we refuse, on purpose.
Never auto-merges
Every patch is a candidate PR. Your reviewers, your CI, your test suite, your merge rules — untouched.
Doesn't bypass your review process
Fix opens PRs the same way a human engineer does. Required approvers, branch protection, signed commits — all respected.
Doesn't touch secrets or infra
No credential generation, no infrastructure-as-code rewrites, no cloud API calls. Application code only.
Doesn't ship client data to third parties
The reasoning engine runs on ManticoreAI infrastructure. We don't send your code to OpenAI or Anthropic to draft patches.
IDE and language coverage
Honest today vs. roadmap. No surprises.
IDE support
Language coverage
Source-control hooks
The remediation workflow, before and after
The cost of finding a vulnerability is only the first cost. Remediation is where timelines actually break.
Without Fix
Security receives the pentest report (PDF)
Security triages, writes Jira tickets
Developer reads ticket; searches for the file, the call path, the context
Developer interprets the vulnerability from prose
Developer writes fix from scratch; misses adjacent routes
Requests retest; waits for schedule
With Fix
Developer opens VS Code; findings are at the line with full attack transcript
Reviews the candidate patch — informed by every request the agent ran
One-click PR; adjacent-route patches included by default
CI runs; reviewers approve; merge; Assess deterministic replay auto-verifies