V1 Live Now

Security intelligence for autonomous code.

Smart contracts, agentic AI, and web backends introduce risk that traditional scanners were not built to measure. VORO scores findings across six threat dimensions using Bayesian probabilistic analysis and produces integrity-verified ThreatReports structured for auditor handoff, developer triage, and operator review.

Engine status

Evidence engine online and ready for review.

Artifact: VORO·SCAN v1
Evidence-first threat reporting organized into one integrity-verified ThreatReport.

Status: Operational
Bayesian scoring across six dimensions with structured review output for developers, auditors, and operators.

Capabilities
Evidence-first threat reporting
Bayesian probabilistic scoring
Air-gapped · offline-capable
ThreatReport · JSON · HTML · SARIF

Engine: V1 · Status: Operational

Six risk surfaces. One structured review.

Every finding maps to a threat dimension before it reaches your team. Triage starts with context, not a flat list of alerts ranked by severity alone.

Fund Safety
Treasury exposure, reentrancy paths, and liquidity risk across protocol logic.
Access Control
Permission boundaries, privilege escalation, and authorization logic gaps.
External Risk
Oracle manipulation, flash-loan vectors, and risky external dependencies.
Code Integrity
Logic errors, unchecked returns, and unsafe assumptions in implementation paths.
Dependency Health
Supply-chain risk, outdated packages, and known dependency advisories.
Agent Autonomy
Tool permissions, execution boundaries, and other agent-specific risk surfaces.

This is what your team receives.

One integrity-verified ThreatReport. Two review modes. The same structured artifact moves between developer triage, audit prep, and operator review without rewriting the packet for every audience.

VORO Dashboard · PRO
SCAN ENGINE LIVE
github.com/protocol/vault-contracts

Critical · Reentrancy — cross-function · Vault.sol:142 · CWE-841 · Confidence 92%
High · Unchecked external return · Router.sol:88 · SWC-104 · Confidence 78%
Medium · Access control gap — admin fn · Token.sol:201 · OWASP SC-01 · Confidence 64%

7 findings · 1 crit · 2 high · 4 medium

ThreatReport · VERIFIED
Mapped to CWE · OWASP · CVSS

Verdict

No significant vulnerabilities detected. OpenZeppelin Contracts is a well-audited, industry-standard library. Minor informational findings only.

Six Dimensions (score / 100)
Fund Safety 18
Access Control 12
Code Integrity 45
Dependency Health 8
External Risk 22
Agent Autonomy 5

LOW · Code Integrity · Gas Optimization Opportunity in ERC20 approve (mapped in final report export)
LOW · Code Integrity · Consider Using Custom Errors Over require Strings (mapped in final report export)

Report integrity verified

Mapped to recognized security frameworks.

Findings cross-reference established taxonomies so your ThreatReport speaks the same language as your auditor, your compliance team, and the standards your customers already expect.

One artifact. Four workflows.

The same surface can support protocol teams, security engineers, agent builders, and auditors without pretending those users need identical workflows.

Protocol audits start from scratch every time.

VORO produces the evidence artifact before the auditor even starts.

Clients hand you a codebase, not a finding structure.

Start every engagement with a structured ThreatReport as your baseline evidence layer.

Standard security tools don't understand what autonomous agents can do.

The agent_autonomy dimension scores unscoped permissions and execution boundaries specifically for agentic code.

Cloud scanners mean uploading sensitive code to someone else's infrastructure.

Air-gapped. Offline-capable. Nothing leaves your environment.

Measured coverage. Honest boundaries.

VORO loads patterns for multiple languages. The landing page only claims coverage where benchmark-validated evidence exists.

Measured

Benchmark-validated now

Solidity, Python, and Go are the measured coverage set currently safe to present at the front door.

Tier 2

In bounded validation

Java, PHP, and C# remain in bounded validation rather than being flattened into the measured set early.

Additional

Pattern coverage beyond the measured set

JavaScript, TypeScript, Rust, Ruby, Motoko, C, C++, Kotlin, Swift, and Scala remain visible as broader pattern coverage, not equal benchmark maturity.

The scanner is the starting line.

VORO V1 ships the evidence engine: structured threat reporting with Bayesian scoring across six dimensions. The architecture behind it is designed for something larger.

Roadmap direction

Continuous posture scoring

Expand from one report into a broader risk surface that tracks how security posture changes across repositories over time.

Roadmap direction

Trust verification pipelines

Carry the evidence engine forward into stronger scan provenance and trust verification workflows as the current V1 controls widen.

Roadmap direction

Deeper agentic risk modeling

Push the agent_autonomy wedge further as OWASP Agentic AI taxonomy and customer workflows mature.

Two paths in. Same evidence engine.

Run the evidence engine locally or deploy the self-hosted Pro stack when your team needs browser and API review surfaces.

Run the evidence engine locally.

Air-gapped scanning from your terminal. Offline-capable, evidence-first output, ready to plug into your existing review workflow.

$ pip install voro-scan

Deploy the full stack. Own the data.

Docker Compose deployment with browser and API scan submission, ThreatReport review, and export paths for auditor and developer handoff.

$ docker compose up

Submit code. Get your ThreatReport.

Three ways in: GitHub URL, contract address, or file upload.

Live scan

Self-hosted workflow with GitHub URL, contract, and upload entry paths.

Report integrity check runs before save and the browser flow stays focused on six-dimension review output.

Use the CLI for the fastest cold-start path or the browser flow when the team needs a shared review surface.

ThreatReport · LIVE V1
GitHub URL / contract / upload
Start a review

Submit a repository, deployed contract, or file package for review in the self-hosted web path.

Paste a public GitHub repository URL to analyze its smart contracts.

Self-hosted

Docker Compose on your infrastructure.

Lock-verified

Report lock check runs before save.

Pro workflow

Browser review with six-dimension reports.