Block unsafe AI and API changes before they merge.

Signed allow, block, and needs-approval decisions your CI can verify.

ShakerScan runs DAST and AI Gate checks against preview deployments, AI APIs, chat widgets, RAG apps, and agent workflows. Each gate returns evidence, policy results, and a signed decision bound to the repo, commit, target, environment, and policy.

Unsafe demo -> BLOCK · Safe demo -> ALLOW · No card required. Create a workspace to run the demo.

GitHub PR gates · Signed evidence · Raw/redacted artifacts · Scoped approval tokens · API/widget/RAG/MCP targets

Built for B2B SaaS teams shipping AI APIs, chat widgets, RAG apps, and agents through GitHub/CI.

GitHub check: Shaker Security Gate
Status: BLOCKED. Merge stops. Policy threshold crossed.

Finding: RAG cross-tenant retrieval. Evidence hash: sha256:8b7c...e21f.

Repo: acme/support-bot
Commit: 9f31c2a
Target: preview-api
Environment: preview

shakerscan gate verify --evidence-id eval_123 --repo acme/support-bot --branch feature/rag-tenant-filters --commit-sha 9f31c2a --environment preview --target-id preview-api --probe-pack shaker-ai-smoke --decision block --evidence-hash sha256:8b7c...e21f
allow: Signed evidence ready. Attestation verified.

block: Policy threshold crossed. Merge stops.

needs_approval: Human exception required for eligible workflows.

Gate surfaces: CI/CD · AI APIs · Chat widgets · RAG apps · Agent workflows · MCP traces
How It Works

Six steps from pull request to deploy decision.

1. Open PR: A pull request or preview deployment creates the release scope Shaker will test.

2. Test Surface: DAST and AI Gate checks run against the deployed web, API, widget, RAG, or agent surface.

3. Evaluate Policy: Findings are reduced to an allow, block, or needs-approval decision with policy context.

4. Sign Evidence: Evidence, scope, policy, probe pack, and decision are bound into a verifiable artifact.

5. Verify in CI: GitHub or CI verifies the signed decision before the risky change can ship.

6. Ship or Stop: The release proceeds, blocks, or waits for an eligible scoped approval-token workflow.

GitHub Check

See the check developers actually have to satisfy.

ShakerScan publishes a stable required check so branch protection can enforce the signed decision. If the gate returns block or the attestation does not verify, the merge stops.

Shaker Security Gate: Failed (Required)

1 high-risk AI finding crossed the release policy threshold. CI can verify the signed evidence before deciding whether this commit is allowed to deploy.

Finding: RAG cross-tenant retrieval
Decision: BLOCK
Evidence: sha256:8b7c...e21f
Attestation: verified
Required check: Shaker Security Gate

shakerscan gate verify --evidence-id eval_123 --repo acme/support-bot --branch feature/rag-tenant-filters --commit-sha 9f31c2a --environment preview --target-id preview-api --probe-pack shaker-ai-smoke --decision block --evidence-hash sha256:8b7c...e21f
Capabilities

Three controls. One deploy decision.

Three gates feed the same policy, evidence, attestation, and CI verification layer.

DAST Checks

Preview deployments, APIs, headers, sessions, exposure, and active checks.

AI Behavior Checks

Chat APIs, widgets, RAG apps, agent traces, and MCP traces.

Approval Controls

Signed evidence, needs-approval workflow, eligible scoped tokens, and revocation.

Evidence Packet

Proof a release system can verify.

Each gate result records the tested scope, policy, decision, evidence hash, and attestation state. That turns a scan result into a release-control artifact.

Repo: acme/support-bot
Commit: 9f31c2a
Branch: feature/rag-guardrails
Environment: preview
Target: preview-api
Probe pack: shaker-ai-smoke
Policy: release-strict@2026.04
Decision: block
Evidence hash: sha256:8b7c...e21f
Attestation: verified
Approval token: not issued
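The packet above and the "Verify in CI" step both rest on the same check: a CI job must validate the signature and then confirm that the signed scope is the exact repo, commit, target, environment and policy it is about to ship, so a valid decision for one commit cannot be replayed for another. The Go program below is an added illustration of that check, not ShakerScan's own code: it signs a DSSE-style envelope with Ed25519 (both named on this page) and verifies it the way a CI verifier would. The field names, payload type and envelope layout are assumptions; ShakerScan's real packet schema is not shown on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Scope is what a decision is bound to (field set constructed for this example).
type Scope struct{ Repo, Commit, Target, Environment, Policy string }
// Decision is the signed statement: scope plus gate outcome and evidence hash.
type Decision struct {
	Scope
	Decision     string `json:"decision"` // allow | block | needs_approval
	EvidenceHash string `json:"evidence_hash"`
}
const payloadType = "application/vnd.example.gate-decision+json" // constructed

// pae is the DSSE pre-authentication encoding; the signature binds type and length too.
func pae(payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}
// Sign serialises the decision and signs its PAE with Ed25519.
func Sign(priv ed25519.PrivateKey, d Decision) (payload, sig []byte) {
	payload, _ = json.Marshal(d) // string fields only, so Marshal cannot fail
	return payload, ed25519.Sign(priv, pae(payload))
}

// Verify checks the signature, then that the signed scope is exactly what CI is
// shipping (a valid signature for another commit is rejected, not reused), and
// only then reports whether the decision is "allow".
func Verify(pub ed25519.PublicKey, payload, sig []byte, want Scope) (bool, error) {
	if !ed25519.Verify(pub, pae(payload), sig) {
		return false, fmt.Errorf("signature does not verify")
	}
	var d Decision
	if err := json.Unmarshal(payload, &d); err != nil {
		return false, err
	}
	if d.Scope != want {
		return false, fmt.Errorf("decision bound to %+v, CI is shipping %+v", d.Scope, want)
	}
	return d.Decision == "allow", nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	scope := Scope{"acme/support-bot", "9f31c2a", "preview-api", "preview", "release-strict@2026.04"}
	payload, sig := Sign(priv, Decision{Scope: scope, Decision: "block", EvidenceHash: "sha256:8b7c...e21f"})
	fmt.Println(Verify(pub, payload, sig, scope)) // false <nil>: the merge stops
}
```

In a real pipeline the public key would be pinned in CI configuration rather than generated in the same process, and the evidence hash in the packet would be compared against the stored artifact before the decision is trusted.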
Buyer Evidence

Answer AI security questions with evidence, not screenshots.

B2B SaaS buyers increasingly ask how AI features are tested before release. ShakerScan gives product security, AppSec, and platform teams a packet they can reuse for customer reviews and internal approvals.

What AI surface was tested?

Which commit and environment?

Which probe pack and policy?

What was the decision?

Where is the evidence hash?

Who approved the exception?

AI Gate

Verifiable security gates for AI-enabled applications.

Test whether your AI features are safe enough to merge or deploy, or whether they need review first. AI Gate extends the same scan, verify, and gate loop to chat APIs, RAG apps, agent workflows, and MCP traces, with cryptographic proof when attestation signing is configured.

Packaged AI Gate Coverage

AI Smoke (fastest): prompt injection, system prompt leakage, sensitive data leakage
OWASP LLM (broader coverage): LLM01 prompt injection, LLM02 sensitive disclosure, LLM05 output handling
Agent Abuse (agent workflows): approval bypass, unauthorized actions, account-boundary abuse
MCP (MCP workflows): untrusted MCP server, tool metadata manipulation, overbroad trust
RAG Lite (grounded apps): retrieval leakage, citation integrity, cross-tenant retrieval

Configurable Judge System

1. Deterministic: Canary leakage, regex secrets, prompt markers, output violations
2. Regex Classifier: PII patterns, XSS detection, injection policy checks, excessive agency
3. LLM Rubric: Model-evaluated severity, exploitability, and business impact
4. Semantic Policy: Cross-transcript behavioral analysis for attack success detection

OWASP LLM 2025 · MITRE ATLAS · OWASP MCP Top 10 · DSSE-style Attestations · Ed25519 Signing Support
Release Control

Use AI testing tools to investigate. Use ShakerScan to enforce.

AI pentesting tools help teams explore behavior. ShakerScan turns deployed-surface test results into signed decisions that GitHub, CI, and approval workflows can act on before the release moves forward.

Investigation tools

Explore prompts, browser flows, agent behavior, findings, and possible impact.

ShakerScan gate

Require a signed allow, block, or needs-approval decision before merge or deploy.

Self-serve path

Run a public DAST preview
Try unsafe and safe AI Gate demos
Install the GitHub App
Map a repo to a target
Require Shaker Security Gate
Verify signed evidence in CI
90-Second Demo

See the deploy gate block, verify, and pass.

The homepage video slot is reserved for the shortest proof path: PR opens, AI Gate blocks a risky change, evidence verifies, the fix lands, and deploy proceeds.

Video script: PR to verified deploy gate

1. Developer opens a PR and the preview deployment is available.
2. Shaker Security Gate starts from GitHub or CI.
3. AI Gate finds RAG cross-tenant retrieval and returns BLOCK.
4. Evidence packet shows repo, commit, target, policy, hash, and attestation.
5. Developer fixes the issue, the gate passes, CI verifies the signed decision, and deploy proceeds.
Integrations

Fits into your existing workflow.

Choose the surface your workflow already lives in. The decision loop stays the same.

GitHub App

Install once, map repos to targets, and publish the stable Shaker Security Gate check.

CLI

One gate command for CI/CD or local use. No dashboard required.

REST API

20+ endpoints for scans, findings, verification, policy, evidence, and approvals.

MCP Server

AI tools for Claude Code, Cursor, and any MCP client.

Webhooks

Signed events for policy evaluation, evidence creation, and state changes.

Verifiers

CLI, GitHub Action, OPA/Rego, and Kyverno verification examples.

Pricing

Start free, scale with your security needs.

$0

Free Preview

Prove the workflow before connecting production systems.

$49/month

Dev

For one developer adding a basic security gate to one repo.

Recommended
$299/month

Build Gate

For teams that need preview and deploy gates, not just vulnerability reports.

$999/month

Agent Control

For teams that need deploy approvals, agent approvals, and AI security evidence.

See all plans and details. 14-day Build Gate trial included.

Get started in 5 minutes.

Run a public DAST preview, try the AI Gate demo targets, and install the GitHub App from the same workspace.