product preview

Four screens, one page.
Real components, frozen fixture.

Each card below is the actual UI from the dashboard, hooked up to a static fixture and rendered inline. Enough to decide whether the product is the shape you wanted.

01 · findings inbox (static)

The only inbox you read.

Confirmed exploits, severity-sorted, no CVE noise. Each row is a reproducible PoC with an open PR attached.

severity  id        finding                                            age
critical  BRK-2417  IDOR + api-key exfil on /v1/users/{id}             14m
high      BRK-2416  Stored XSS in markdown renderer → admin viewport   2h
high      BRK-2415  JWT replay across tenants (kid rotation gap)       6h
medium    BRK-2414  SSRF via webhook validator → metadata svc          11h
info      BRK-2413  Timing oracle on /reset-password (weak)            1d

02 · one finding (static)

Reproducible, owned, labeled.

The narrative the agent wrote, the curl you can paste, the captured response. No theory.

critical · BRK-2417 · cvss 9.1 / Critical · open

Cross-tenant IDOR exposes api_keys on /v1/users/{id}/api_keys

route   GET /v1/users/{id}/api_keys
repo    acme/api-gateway
agent   brink-agent · recon-04
found   14 min after deploy of api-gateway@7c4a91d

repro · captured by validator

curl -sS https://api.acme.dev/v1/users/2050/api_keys \
  -H "Authorization: Bearer $TENANT_A_TOKEN" \
  | jq '.api_keys[0]'

I started where every junior attacker should: pulling my own profile. GET /v1/users/me returned a clean 200 with a stable user_id of 2049. I flipped through routes that took {id} in the path, looking for one that forgot to compare path-user to session-user.
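The gap the agent's narrative points at, as an added example that is not part of the preview and not acme/api-gateway's code: a bare handler for the route with the path-user vs session-user comparison missing, the same handler with it in place, and the regression check that keeps it there. The user ids come from the card; the store, `Session` type and key values are constructed placeholders.

```python
"""Added example, not acme/api-gateway's code: the missing path-user vs
session-user comparison behind BRK-2417, with the check that closes it."""
from dataclasses import dataclass

# Constructed fixture (assumed): two users in different tenants, ids from the card.
USERS = {2049: {"tenant": "A"}, 2050: {"tenant": "B"}}
API_KEYS = {2049: ["ak_placeholder_2049"], 2050: ["ak_placeholder_2050"]}


@dataclass
class Session:
    """What the bearer token resolves to after authentication."""
    user_id: int


def get_api_keys_vulnerable(session: Session, path_id: int):
    """GET /v1/users/{id}/api_keys as found: {id} is trusted as-is and the
    session is never consulted, so any authenticated caller reads any
    user's keys (cross-tenant IDOR)."""
    if path_id not in USERS:
        return 404, {"error": "not found"}
    return 200, {"api_keys": API_KEYS[path_id]}


def get_api_keys_fixed(session: Session, path_id: int):
    """Same route with the ownership check: the path id must equal the
    session's own user id before the store is touched."""
    if path_id not in USERS or path_id != session.user_id:
        # 404 for both cases so a caller cannot tell a foreign id from a missing one
        return 404, {"error": "not found"}
    return 200, {"api_keys": API_KEYS[path_id]}


def cross_user_read_blocked(handler, caller_id: int, target_id: int) -> bool:
    """Authorization regression check to keep in CI: a caller must never get
    a 200 for another user's keys. True means the handler held."""
    status, _ = handler(Session(user_id=caller_id), target_id)
    return status != 200


def own_read_allowed(handler, user_id: int) -> bool:
    """The fix must not break the legitimate case: own keys still readable."""
    status, body = handler(Session(user_id=user_id), user_id)
    return status == 200 and body["api_keys"] == API_KEYS[user_id]
```

Run `cross_user_read_blocked` against every handler that takes `{id}` in the path; the vulnerable handler fails it for 2049 reading 2050, the fixed one passes while `own_read_allowed` still holds.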

03 · live ops (static)

Watch the fleet work.

Real-time hypotheses, probes, and confirms. The ticker below is updating in your browser, right now.

412  attempts / min
17   hypotheses live
12   confirms today

04 · coverage (static)

What we touched, what we skipped.

The receipt — every route, every method, with hot / covered / cold heat. The 14,820 things that didn't reproduce are the value.

route                     methods       conf  status
/v1/users/{id}/api_keys   GET,POST,DEL  2     hot
/v1/orgs/{id}/members     GET,POST,DEL  1     hot
/v1/billing/invoices      GET           1     covered
/v1/sessions              POST,DEL      1     covered
/v1/webhooks              GET,POST      0     covered
/v1/internal/debug        GET           0     cold

the gap

These previews run on a frozen fixture. The real product writes to your inbox the minute the first hypothesis confirms — usually inside 14 minutes of staging being connected.