A virtual AppSec engineer for every dev team.
Plenty of engineering teams ship without a dedicated AppSec hire, and a 100-page annual pentest isn't the answer. Barrion gives engineering teams continuous, production-safe coverage and clear fixes, the same way they already build software.

The gap nobody else was filling.
Most security platforms assume a dedicated AppSec team to operate them. Annual pentest reports go stale in months. Findings are delivered without context or remediation instructions. Barrion fixes all three: continuous coverage, prioritized signal, and remediations engineers can ship today.
Built by developers, for developers
Production-safe and transparent
Catch drift, not just point-in-time issues
Reports your auditor will accept
No noisy dashboards, no enterprise sales calls
Fixes engineers can ship today
Engineers who live in the same problem you do.

Barrion started as the tool we looked for in our previous roles: automated, time-efficient, and easy enough to operate without a security team. Security was the thing we knew we should prioritize, but it always lost to whatever was on fire that week. Our goal with Barrion is to help engineering teams ship secure software, with or without a dedicated AppSec hire.
Built for engineering teams without an AppSec team.
- ✓ Engineering teams shipping fast without dedicated AppSec coverage
- ✓ Agencies shipping client work who need an audit-ready report
- ✓ Teams preparing for SOC 2, ISO 27001, or an enterprise security review
- ✓ Engineering leads who want continuous drift coverage between annual pentests
Continuous. Production-safe. Honest.
60-second first report
Continuous coverage
Audit-ready evidence
Why we started Barrion.
Across our previous roles, the same pattern kept showing up. Security would land at the worst possible moments: a customer security review the week before a deal closed, an audit that surfaced misconfigurations dating back months, a prospect who wanted a recent pentest report nobody had to show them. We ordered a pentest once a year. Spending headcount on a full-time security engineer to interpret a dashboard of CVEs every morning wasn't the right trade-off, when the same time could go into shipping. We sat in the gap between the once-a-year pentest and the full-time security team, and nothing in the market was built for it.
The existing tools were either built for large enterprise security organisations we didn't have, or so noisy that triaging output became a part-time job. We wanted something that ran continuously against our live applications, produced findings ranked by actual impact rather than raw CVSS score, recommended remediation steps specific to our stack, and exported as an audit-ready PDF we could hand a customer without re-formatting it. Barrion is what came out of that brief.
What we test, and how we test it.
The product has three surfaces: passive external continuous monitoring, GitHub codebase scanning, and AI penetration testing. They're intentionally separate because they answer different questions. Barrion's external continuous monitoring runs production-safe, read-only scans on a schedule you pick. It observes what your application already exposes: TLS handshake details, HTTP security headers, cookie attributes, CORS policy, DNS records, email authentication (SPF, DKIM, DMARC, DNSSEC, CAA), network surface (open ports, subdomain takeover candidates, server information disclosure), and JavaScript dependencies for known CVEs in shipped libraries. It never submits forms, never brute-forces endpoints, never touches state-changing routes. The entire monitoring product is safe to run against live production without coordination.
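As an added illustration of the read-only checks described above (example code, not Barrion's own): a small Python function that inspects the headers and Set-Cookie values of a response the server already returned and reports what they expose, sending nothing and changing no state. The sample response, the finding wording and the one-year HSTS threshold are constructed assumptions.

```python
import re

# Added example, not Barrion's code: passive inspection of an HTTP response.
# It only reads headers already sent by the server; it never sends requests.

def parse_cookie_attrs(set_cookie: str) -> tuple[str, set[str]]:
    """Split a Set-Cookie value into the cookie name and its lower-cased attribute names."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs

def audit_response(headers: dict[str, str], set_cookies: list[str]) -> list[str]:
    """Return findings about what the response exposes (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("HSTS missing")
    elif int(m.group(1)) < 31536000:  # assumed minimum: one year
        findings.append("HSTS max-age below one year")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection")
    if re.search(r"\d", h.get("server", "")):  # a digit usually means a version string
        findings.append("Server header discloses version")
    if h.get("access-control-allow-origin") == "*" and \
            h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("CORS wildcard origin with credentials")
    for sc in set_cookies:
        name, attrs = parse_cookie_attrs(sc)
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return findings

# Constructed sample response for a stand-alone run.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly",
                  "theme=dark; Path=/; Secure; SameSite=Lax; HttpOnly"]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, SAMPLE_COOKIES):
        print("-", finding)
```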
Codebase scanning connects to your GitHub repositories and runs static analysis on each push. It flags hard-coded secrets, insecure crypto, SQL string concatenation, XSS sinks without escaping, and other code-level patterns that ship straight to production if nobody catches them in review. Each finding includes the exact file, line, and a suggested fix; Business accounts also get AI-enhanced triage and automated remediation PRs you can review and merge.
AI pentesting is the active engagement. When you scope a pentest with us, the AI sends crafted requests against your application and APIs, chains them across multiple steps, and confirms genuine exploitability with reproducible proof. It probes for SQL injection, cross-site scripting, broken access control, insecure direct object references, server-side request forgery, broken authentication, and business-logic abuse patterns. Pentests are rate-limited and non-destructive: confirmation comes from the response signature, not from writing data or affecting availability. Every finding ships with the exact request, response, and exploit chain so your engineering team can verify and remediate without re-running the test.
How often it actually needs to run.
Most security tools default to one of two schedules: never (a human-triggered pentest once a year) or constant (a stream of CVE alerts that becomes background noise within a week). Neither is useful. The schedule that works is the one that maps to your release rhythm: if you ship daily, you want scans daily so a regression introduced today is caught today. New vulnerabilities also surface in third-party libraries continuously, so even slower-shipping teams benefit from a weekly-or-better schedule. The Essential plan supports weekly or slower schedules. The Business plan adds daily scans and multi-domain coverage. Both options are well-aligned with SOC 2, ISO 27001, PCI DSS, and NIS2 ongoing-monitoring expectations.
Codebase scanning works differently: it can trigger on every push or PR to a connected GitHub repository, so findings show up before the change ships rather than after. Business accounts can wire scans into CI/CD as a status check on the PR, gating merges on new critical findings so risky code never lands in main.
Between scheduled scans, manual scans are also available on demand.
Common questions about Barrion.
Who is Barrion for?
How is Barrion different from a traditional pentest?
Is Barrion safe to run against my production app?
What compliance frameworks does Barrion cover?
Do I need to install anything?
Talk to a real human.
Questions about scoping, compliance evidence, or pricing? Email contact@barrion.io and we'll get back to you.