Features

Four pillars. One loop.

Everything Keelr does rolls up into one of four pillars. Pillars 1-3 run standalone; pillar 4 activates when Keelr runs alongside Panthero as the Loop bundle.

Pillar 1

Adversarial simulation.

Continuous, authorised attack simulation across your attack surface. The Offensive Agent picks the engagement, the technique, the timing.

External surface discovery

Subdomain enumeration, port and service fingerprinting, certificate inventory, DNS hygiene checks. The attacker's view of your perimeter, refreshed on the Mission's cadence.

Misconfiguration detection

TLS configuration, security headers, cookie flags, CORS, open admin surfaces, default credentials. Read-only checks that prove how an attacker would enumerate the easy wins.

Secrets exposure (narrow)

Public sources only: exposed .git/, .env, JS bundle secrets, robots.txt leaks. Broader paste-site and public-repo crawling is an Enterprise-tier add-on, scoped per contract.

Manual-trigger first, continuous later

Today: you launch engagements from the portal, we run them. Continuous propensity-driven cadence activates when the Agent layer ships in a later release on top of the same scope-consent layer you are using now.

Pillar 2

Authorisation posture.

The non-negotiable. Pillar 1 cannot run without pillar 2 - ever.

Scope-bound consent

You declare the scope: named domains, IP ranges, asset groups. Nothing outside that declaration is touchable.

Time-boxed + signed

Every authorisation is valid for a declared window, renewable, never indefinite. Cryptographically signed with your credentials, tied to your account.

Instant revocation

Revoke from the portal with one click. Every in-flight engagement stops. No grace window, no partial drain.

Append-only audit log

Every authorisation event, every engagement attempt, every revocation is recorded immutably. Exportable on demand for your forensic or regulatory review.

Attempted-outside-scope fails closed

If an engagement tries to touch anything outside the active scope (bug, misconfiguration, anything), it is rejected before a packet leaves our infrastructure, and the attempt is recorded. This is the architectural line between Keelr and an attacker tool.
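The authorisation checks this pillar describes (declared scope, validity window, signed record, instant revocation, fail closed, every attempt logged) as an added Python example; this is not Keelr's code, and the record layout, the HMAC-SHA256 signing and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass
# Constructed model of a scope-bound, time-boxed, signed authorisation. Field names and
# the HMAC-SHA256 construction are assumptions for this example, not Keelr's actual format.
@dataclass
class Authorisation:
    account: str
    domains: tuple           # declared hostnames; subdomains of each are in scope
    networks: tuple          # declared CIDR ranges as strings, e.g. "203.0.113.0/24"
    not_before: int          # validity window, Unix seconds
    not_after: int
    signature: bytes = b""
    revoked: bool = False    # set by the one-click revoke; checked on every attempt

def _payload(auth: Authorisation) -> bytes:
    fields = {"account": auth.account, "domains": sorted(auth.domains),
              "networks": sorted(auth.networks),
              "not_before": auth.not_before, "not_after": auth.not_after}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign(auth: Authorisation, key: bytes) -> Authorisation:
    auth.signature = hmac.new(key, _payload(auth), hashlib.sha256).digest()
    return auth

def in_scope(auth: Authorisation, target: str) -> bool:
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:  # not an IP literal: treat as a hostname
        t = target.lower().rstrip(".")
        return any(t == d or t.endswith("." + d) for d in auth.domains)
    return any(addr in ipaddress.ip_network(n) for n in auth.networks)

def authorise(auth: Authorisation, key: bytes, target: str, now: int, audit: list) -> bool:
    """Fail closed: first failing check rejects; every attempt is appended to the audit log."""
    expected = hmac.new(key, _payload(auth), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, auth.signature):
        reason = "bad-signature"      # scope or window was altered after signing
    elif auth.revoked:
        reason = "revoked"
    elif not auth.not_before <= now <= auth.not_after:
        reason = "outside-window"
    elif not in_scope(auth, target):
        reason = "outside-scope"
    else:
        reason = "ok"
    audit.append({"ts": now, "account": auth.account, "target": target, "result": reason})
    return reason == "ok"
```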

Pillar 3

Finding intelligence.

What Keelr discovers, stored and organised for the life of the Mission and beyond.

Shared 0-100 severity scale

Low Risk / Suspicious / Highly Suspicious / Risk / High Risk. Same five-bucket scale Panthero uses on the defensive side - so a finding and its fix speak the same language.

Exploitability, not just static match

Every finding is labelled validated (we proved it is exploitable, non-destructively) or theoretical (pattern match only). You know which findings deserve priority.

Deduplication across scans

The same finding across multiple engagements is a single record with a full history. Your findings list stays the size of the actual problem, not the count of scans.

Code Artifact per finding

Every validated finding ships with the Code Artifact that proved it - inspectable, auditable, re-runnable. The same artifact becomes the regression test after the fix is confirmed.

Pillar 4

Proves Panthero.

The loop wiring. Activates when you buy the Loop bundle (Keelr + Panthero together).

Finding export to the spine

Every Keelr finding flows to the Loop orchestration spine over HMAC-authenticated API. Panthero's Defensive Agent picks it up, stages compensating defence, drafts the remediation.

Re-attack on demand

When Panthero deploys a fix, the spine issues a re-attack request. Keelr reruns the exact exploit path from the originating artifact. The fix is either confirmed or rejected - on evidence, not claim.

Artifacts become regression tests

Confirmed fixes retire the artifact from live probe to regression test. It keeps checking the same asset quietly. A regression is caught the moment it ships - not the moment a breach is discovered.

Unified Loop portal view

Loop customers see Missions, findings, remediations, compensating controls, and re-attack outcomes in one end-to-end view across both platforms.

Technical posture

The things we will never negotiate on.

Non-destructive by default

The engagement envelope is designed to avoid availability impact. No denial-of-service, no persistence, no cross-scope chaining. Destructive classes exist only under separate written agreement.

EU-sovereign reasoning

Every component - Agent reasoning, sandbox execution, data storage - runs on EU-hosted infrastructure. Post-Schrems II posture that stays EU-sovereign no matter how large we grow.

Scope is the only answer

"Public-facing" does not imply consent. "Appears open" does not imply consent. The only test that matters is whether you authorised the target - and the authorisation layer refuses to let us forget.

Run the pillars on your scope.