What OWASP AGHAST is

OWASP AGHAST (AI-Guided Hybrid Application Static Testing) is an open-source framework for orchestrating custom security checks against your codebase. It combines traditional static rule-based discovery with AI-powered analysis to find security issues that are specific to your code and your organization, not just the generic vulnerability patterns that off-the-shelf scanners detect.

Why it exists

Most application security tools focus on classes of bugs everyone shares — SQL injection, XSS, hard-coded secrets. They are good at that. They are not good at answering questions like:

  • Has our custom authorization mechanism been implemented consistently across the codebase?
  • Has our business-specific input validation been applied wherever this particular field is processed?
  • Are these API endpoints returning more data than they should, given our internal data-classification rules?

These are questions that require context about how things should work in your organization. OWASP AGHAST gives security teams a way to encode that context as checks — and then run those checks at CI scale.

OWASP project

OWASP AGHAST is developed in the open as an OWASP project: the framework is open source, and example checks and the surrounding methodology are shared with the wider open-source security community. The custom checks you write for your own codebase stay yours.

Maintainers and supporters

OWASP AGHAST is led by:

Bounce Security, the original contributor, continues as a maintaining supporter.

Copyright © 2026 OWASP Foundation. Originally contributed by Bounce Consulting Ltd.

Licensing

Code of Conduct

This project follows the OWASP Code of Conduct. Please report violations through the channels listed there.

Contact