The Odin Platform

Stop managing security. Start automating it.

Odin gives your team a unified view of every threat, but the real magic is Mjolnir. Our autonomous pentest engine that reads your source code, maps your attack surface, generates test cases, and executes them autonomously.

Mjolnir: Autonomous Pentesting

Autonomous pentesting that lands real exploits

Mjolnir reads your source code to understand routes, auth flows, and business logic, then runs targeted exploits against your live app to prove what's actually exploitable.

How Mjolnir Works

From code to confirmed findings in five steps

Mjolnir handles the entire pentest lifecycle autonomously. You set up the run; it does the rest.

$ mjolnir analyse --repo borghq/app
Parsing source tree...
 
Routes: 214 · Auth flows: 8 · Middleware: 41
Dependencies scanned: 128 · 1 CVE found
Code analysis complete

Code Analysis

Mjolnir reads your source code using agents to understand routes, authentication flows, middleware, and business logic. It also scans dependencies for known vulnerabilities.

Huginn: Continuous Asset Discovery

Know your attack surface before attackers do

Huginn automatically finds and monitors your external attack surface around the clock. Nothing slips through unnoticed.

ALB: api-lb-prod

ec2-52.14.90.7

odin.borghq.io

api.borgmail...

staging.borg...

104.21.55.3

s3://borg-backups

internal-admin.borg...

10.0.1.14

docs.borghq.io

Cloudflare

Cloudflare

52.14.82.1

RDP :3389

SSH :22

borghq.io

Legend
Huginn
Search assets...
FILTER:AllHas findingsReportedMitigatingFixed

Integrated Discovery

We connect to your cloud environments to gain visibility into assets which are not directly exposed to the internet.

This allows us in real time to discover internal assets which suddenly become external or which have been ClickOps'ed into production with security misconfigurations.

Integrated discovery works with all major cloud providers.

Passive Discovery

We discover your internet exposed assets such as subdomains, domains and IP addresses.

Using your assets as entry points we're able to discover vulnerabilities in your existing infrastructure on assets you weren't aware of.

We know what you have exposed to the internet, do you?

Gungnir: Continuous Code Security

Ship faster without shipping vulnerabilities

Mjolnir runs deep autonomous pentests across your full application. Gungnir brings the same security intelligence into every pull request, catching vulnerabilities before they merge.

Pull Request

9ef9a07ce0ee....

#291

OPEN

Add /v1/exports endpoint

hans-dev

25.05.2026

Gungnir Review

ANALYSING DIFF IN CONTEXT

Auth flow
Data handling
Authorisation
warning
Config

0 seconds · 0 files

PR feedback

Gungnir

Priority:

Critical
build · test · lint
gungnir · failing
warning
Merge blocked
  • Code-aware micropentest

    Not a SAST scanner. Gungnir understands auth flows, API routes, data handling, and how the diff interacts with the rest of the repo.

  • Where developers already work

    Inline PR comments with severity, confidence and a suggested fix. A GitHub check teams can set to block merges or stay informational.

  • Visible across the organisation

    Every review also lands in Odin, for you to analyze findings even deeper, and see Gungnir's reasoning for his suggestions.

Micropentests for every pull request

Gungnir runs automatically when a PR is opened or updated.

It checks whether the change introduces vulnerabilities, weakens existing security controls, exposes sensitive data, or modifies security-critical configuration. Findings are posted as inline PR comments:

  • Severity
  • Confidence
  • Explanation
  • Suggested remediation

Gungnir also creates a GitHub check, so teams can choose whether issues should block merges or remain informational.

Built for modern engineering teams

Security should happen where developers already work.

Gungnir gives engineers actionable feedback during code review, while giving security teams visibility inside Odin.

gungnir - pull request#291
// src/api/exports.ts
 
import { requireAuth } from ./middleware/auth”;
 
router.get(“/v1/exports/findings”, requireAuth, async (req, res) => {
 
const orgId = req.query.orgId;
const rows = await db.findings.findMany({ where: { orgId } });
res.json(rows);
 
});
Gungnir Review
Confidence:HighFindings:1 Critical1 Medium
Missing authorisation check on findings export

requireAuth protects the route, but requireOrgScope is missing: any authenticated user could read findings from any org.

- router.get(“_”, requireAuth, ...)+ router.get(“_”, requireAuth, requireOrgScope ...)
Review CompleteMerge blockedreviewed in 47s
InGitHub
  • Inline security comments on affected lines
  • PR-level security summary
  • GitHub check status
  • Optional merge blocking based on severity
InOdin
  • Central PR review history
  • Findings grouped by severity & confidence
  • Repository, author, and PR tracking
  • Visibility across engineering teams
Fullstack Security Coverage

Mjolnir vs Gungnir

Catch vulnerabilities in real-time before they reach production.

Mjolnir
Gungnir
Use case
Full autonomous pentest
Pull request security review
Trigger
Manual or scheduled
Every PR
Scope
Full application
PR diff + repository context
Testing style
Autonomous whitebox pentesting
Code-aware micropentest
Output
Verified findings in Odin
Inline PR comments, GitHub checks, Odin results
Best for
Deep continuous coverage
Catching issues before merge
Vulnerability Coverage

Deep coverage across every vulnerability class

Mjolnir builds targeted exploits across a broad range of vulnerability categories, targeting the flaws that matter most.

  • Authentication

    Login bypasses, weak credential policies, session fixation, token leakage, and insecure password reset flows.

    • [Session fixation]
    • [Token leakage]
    • [Password reset]
  • Authorization

    Privilege escalation (vertical and horizontal), broken access controls, IDOR, and missing function-level checks.

    • [IDOR]
    • [Priv escalation]
    • [BAC]
  • Injection

    SQL injection, NoSQL injection, command injection, SSTI, and other server-side injection vectors.

    • [SQLi]
    • [Cmd injection]
    • [SSTI]
  • Data Exposure

    Sensitive data in responses, overly permissive API fields, PII leaks, and missing data redaction.

    • [PII leaks]
    • [Redaction]
    • [API over-fetch]
  • SSRF

    Server-side request forgery targeting internal services, cloud metadata endpoints, and backend infrastructure

    • [SSRF]
    • [Cloud metadata]
    • [API over-fetch]
  • Cross-Site-Scripting

    Reflected, stored, and DOM-based XSS across all input vectors, including those gated behind authentication.

    • [Reflected XSS]
    • [Stored XSS]
    • [DOM XSS]
  • Business Logic

    Race conditions, workflow bypasses, and abuse of application-specific rules that static scanners cannot detect.

    • [Race conditions]
    • [Workflow bypass]
    • [Logic flaws]
  • Configuration

    Exposed secrets, misconfigured security headers, debug endpoints, and missing access controls on administrative functionality.

    • [Exposed secrets]
    • [Misconfig headers]
    • [Debug endpoints]
Findings Management

Track, triage, and remediate in one place

Every vulnerability lands in a single dashboard, severity-ranked with everything your engineering team needs to take action.

  • Complete Context

    1/4

    Every finding includes severity rating, affected asset, reproduction steps, suggested fix, and source, whether from Mjolnir or black-box testing.

  • Status Lifecycle

    2/4

    Reported → Mitigating → Ready for Retest → Fixed and Retested

  • Bulk Operations

    3/4

    Select multiple findings to update status or export as CSV in one action. Keyboard shortcuts for fast triage.

  • Flexible Export

    4/4

    Export to CSV, JSON, or Markdown, filtered by severity, status, or source. Share with stakeholders who don't have Odin access.

Integrations & Workflows

Built into the tools your team already uses

Push findings to your issue tracker, get alerts in Slack, and automate your security response, all without leaving Odin.

  • Linear

    Push findings with one click. Enable auto-ticketing so new vulnerabilities create issues automatically with full context attached.

  • Jira

    Findings sync with full context, title, severity, description, and suggested fix. Status updates flow both ways between Odin and Jira.

  • GitHub

    Create issues directly from findings and link them to the repositories where the fix needs to happen. Close the loop from finding to fix.

Want to see what Borg would find in your product?

If you have a web app, API, customer portal, auth system, billing flow, or fast-moving engineering team, Borg can help you find the bugs that normal scanners miss.