Surfbot
Live · CVE-2026-4181 · Apache Struts RCE

The AI blue team agent for defenders facing automated AI attacks.

Surfbot is an autonomous cloud platform — with lightweight agents inside your perimeter — that detects, triages, and contains zero-day exposure across your external attack surface before the next pager goes off.

Cloud + local agents · SOC 2 · ISO 27001 · Open-source core · EU-hosted · GDPR
Works with the tools you already run
The problem

Attackers automated. Defenders didn't.

Adversaries weaponize a CVE within hours of disclosure. Your SOC reads alerts in a queue, opens tickets, schedules patches — while exploit chains run on autopilot.

Mean time to exploit
From CVE disclosure to active exploitation in the wild
source · Mandiant M-Trends 2025
Mean time to patch
Median time mid-market security teams take to remediate critical CVEs
source · Verizon DBIR 2025
Alert fatigue
Daily security alerts a 200-person SOC drops on the floor every week
source · IDC Security Operations Survey
“The last 0-day cost us a full weekend. By the time we knew if we were affected, the exploit was already in three customer reports.”
— CISO · Series-D fintech · 2,400 hosts
What is Surfbot

An agent, not a scanner.

Discovery, triage, response, audit — one cloud platform, one brain. Lightweight agents live where your assets live, the cloud reasons about what matters, and the loop closes without waiting for a human to read the email.

Cloud platform, agents inside your perimeter.

SaaS control plane in the EU. Lightweight agents on the assets that need them — internal hosts, K8s clusters, CI runners. Sensitive telemetry stays where it should.

Assets correlated in 14 seconds

across every scanner you already run

Autonomy you control.

Three tiers: observe · approve · execute. The agent reasons. You decide how much rope it gets.

Open-source core.

Read the code. Run it offline. Build on top. The cloud platform sits on top, never under.

How it works

Four phases. One agent. Zero handoffs.

Surfbot collapses the SOAR-and-six-other-tools loop into a single autonomous run. Detection without execution is a backlog. Surfbot ships both.

01

Detect

Bring your scanners — Acunetix, Nessus, Tenable, Qualys, Burp — or use the open-source core. Surfbot ingests, dedups, normalizes. New asset appears, scan triggers itself.

surfbot connect acunetix
02

Reason

AI core scores each finding by exposure, exploitability, blast radius. Dedup across scans.

phase: triage
03

Respond

Generates remediation: Ansible, Cloudflare WAF, GitHub PR, Slack war room. Approval-gated.

phase: respond
04

Verify

Re-scans the affected hosts. Confirms the fix held. Audit log → compliance evidence.

phase: verify
Live preview

A console your CISO will actually open.

No 11,000-row alert backlog. Surfbot's console is what's exposed, what's exploitable, what's been contained — in that order.

streaming · acme-prod tenant
last sync · 2s ago
surfbot.acme.io / dashboard

acme-prod · external attack surface

tenant · t_a1b3c5 · agent v0.6.2
Assets: 1,271 (+12 / 24h)
Critical · open: 2 (-3 / 24h)
Fixed · 7d: 84 (+7 / 24h)
MTTR: 4.2m (-99% YoY)
| Severity | Finding | Target | Status | Age |
|---|---|---|---|---|
| CRITICAL | Apache Struts RCE · CVE-2026-4181 | billing-prod.acme.io | fixed | 4m |
| CRITICAL | Exposed Redis · no auth | cache-eu-1.acme.io | triage | 22m |
| HIGH | Outdated nginx · CVE-2024-7347 | www.acme.io | open | 1h |
| HIGH | Public S3 bucket · sensitive data | uploads-acme.s3 | fixed | 3h |
| MEDIUM | Missing HSTS header | api.acme.io | open | 5h |
| LOW | TLS 1.0 supported | legacy.acme.io | open | 6h |
Differentiators

Surfbot vs. the toolchain you already pay for.

Vulnerability scanners detect. SOAR platforms script. ASM tools alert. Surfbot is the agent in between — the one that actually closes the loop.

Capability
Surfbot
Legacy ASM
SOAR
Continuous external discovery
AI triage with exploit chain reasoning
Autonomous remediation (approval-gated)
Cloud platform + agents inside your perimeter
Open-source core
Zero-day response in minutes, not days
For who

Built for the two people who carry the pager.

CISO · Security leadership

Stop apologizing in board meetings.

Quantified exposure, MTTR you can put on a slide, audit trail your auditor signs off. SOC 2 / ISO 27001 evidence is a button.

  • EU-hosted cloud · GDPR · SOC 2 Type II
  • Defensible MTTR — minutes, not weeks
  • Auto-generated audit log per scan, finding, fix
  • Maps controls to SOC 2, ISO 27001, NIS2, PCI DSS
SecOps · Red & blue teams

The same shell you already live in.

CLI-first. Reusable scan profiles. Yamlable autonomy. Hooks into the Ansible, Cloudflare and GitHub you already run. Nothing to babysit.

  • Lightweight agents — Docker, systemd, K8s, CI runners
  • Connectors for Acunetix, Nessus, Tenable, Qualys, Burp · plus open-source core
  • Cloud control plane handles correlation, scoring, history
  • Webhooks to Slack, Jira, GitHub, Cloudflare, Ansible
For security leaders

Start your free trial.

Spin up a Surfbot tenant in minutes. Connect your scanners, drop an agent on one asset, see real findings before the call ends.

14 days free · No credit card · SOC 2 · ISO 27001
For practitioners

See the engine behind the agent.

Open-source core. Reusable scan profiles. Honest output — don't trust marketing, trust the audit log.

$ curl -fsSL surfbot.io/scan | sh
# quick exposure check on your domain
v0.6.2 · MIT-core · 4.2k ★