CyberMoose — OWASP Security Scanner

Publisher: CyberMoose · 21 installs · Free
Automated OWASP security scanning for VS Code. Covers OWASP Top 10 2025, LLM Top 10 2025, and API Security Top 10 2023 using Semgrep, Trivy, Checkov, Bandit, and Nuclei DAST. Generates a consultant-quality AI security report.

AI-powered OWASP security scanning for VS Code. Run a single scan and get a consultant-quality security report covering OWASP Top 10 2025, LLM Top 10 2025, and API Security Top 10 2023 — without leaving your editor.


What it does

CyberMoose orchestrates industry-standard security tools against your workspace in the cloud, maps every finding to the correct OWASP category, then uses Claude AI to generate a structured security report with remediation guidance, attack-chain analysis, and a retest workflow.

| Scanner | What it covers |
|---|---|
| Semgrep | Static analysis — injection, secrets, auth flaws, XSS, custom rules |
| Trivy | Dependency CVEs, IaC misconfigurations, container image vulnerabilities |
| Checkov | Terraform, CloudFormation, Kubernetes, Dockerfile security checks |
| Bandit | Python-specific security issues |
| npm audit | Node.js dependency advisories |
| Nuclei | Live DAST scanning against a target URL (optional) |
| OpenAPI / Route scanners | Auth gaps and misconfigurations in API specs and route handlers |

Getting started

  1. Install the extension from the VS Code Marketplace
  2. Click Get Started — Sign In in the CyberMoose sidebar panel
  3. Sign in at cybermoose.io/get-started — free tier available, no credit card required
  4. VS Code opens automatically after sign-in
  5. Click ▶ Run Security Scan in the sidebar

No local tools are required: static scanning and DAST against a publicly reachable URL both run in the CyberMoose cloud. The one exception is DAST against a localhost target, which needs a local Nuclei install (see DAST scanning below).


Features

Core (all tiers)

  • OWASP Top 10 2025 — full coverage across all 10 categories
  • OWASP LLM Top 10 2025 — auto-activated when LLM framework code is detected (OpenAI, Anthropic, LangChain, etc.)
  • OWASP API Security Top 10 2023 — auto-activated when API framework code is detected (Express, FastAPI, NestJS, etc.)
  • AI-generated report — streamed in real time using Claude, with remediation guidance and code examples
  • HTML export — one-click export to a shareable HTML report
  • DAST scanning — optional live scanning against a staging URL using Nuclei
  • Stop scan — cancel any in-progress scan instantly from the sidebar
  • Subscription management — upgrade or manage your plan directly from the sidebar

Pro and above

  • Attack chain analysis — Claude Sonnet identifies multi-step attack paths between findings, ranks the single fix that breaks the most chains, and produces an executive summary

Consultant and Enterprise

  • Multi-role authenticated DAST — configure multiple roles with auth headers and privilege levels; the scanner runs once per role plus an unauthenticated baseline, tags findings with discoveredAsRole / accessibleByRoles, and flags privilege escalation when a low-privilege role can reach an admin-pattern path
  • Retest fixed findings — after remediating, click Retest Fixed Findings, pick the findings you fixed, and the cloud re-runs only the relevant scanners against the persisted workspace and target. Each finding gets a Resolved / Still-present pill and an AI-generated remediation summary
  • Persistent scan history — scans (and the workspace zip) are stored for 30 days so retests can reuse them

Enterprise

  • SOC 2 evidence bundle export (roadmap) — date-stamped reports, retest history, and control mappings packaged for auditor handoff

Pricing

| Plan | Price | Tokens |
|---|---|---|
| Free | £0 | 90,000 lifetime |
| Pro | £19/mo | 400,000 per month (rolls over, 800k cap) |
| Consultant | £49/mo | 1,000,000 per month (rolls over, 2M cap) |
| Enterprise | £199/mo | Unlimited |

Token usage reflects actual AI report generation cost — small projects use fewer tokens, large ones more. Unused tokens roll over month to month up to the bank cap.

Visit cybermoose.io/scanner for full plan details.


DAST scanning

Enter a live target URL (e.g. https://staging.myapp.com) in the DAST config panel to enable Nuclei scanning alongside static analysis.

Important: Only scan systems you own or have explicit written permission to test.

For localhost targets, which the cloud scanner cannot reach, install Nuclei locally; the extension detects the local binary and uses it automatically.

Multi-role authenticated DAST (Consultant / Enterprise)

Add multiple roles in the DAST config — each with its own auth header and privilege level — and the scanner runs once per role plus an unauthenticated baseline. Findings are tagged with the roles that can reach them, and a [PRIVILEGE ESCALATION] badge appears whenever a low-privilege role hits an admin-pattern path.
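The role tagging described here and under the Consultant and Enterprise features (one scan per role plus an unauthenticated baseline, discoveredAsRole / accessibleByRoles tags, and a privilege-escalation flag when a low-privilege role reaches an admin-pattern path) is easiest to reason about as a small reference implementation. The following is an added illustration, not CyberMoose's code: the numeric privilege levels, the admin-path regexes, the rule that any role below the top privilege level counts as "low-privilege", and the per-role crawl results are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable


# Roles are scanned from least to most privileged; privilege 0 is the
# unauthenticated baseline. The numeric levels are an assumption for this example.
@dataclass(frozen=True, order=True)
class Role:
    privilege: int
    name: str
    auth_header: str = ""  # e.g. "Authorization: Bearer ..." (never sent anywhere here)


@dataclass
class Finding:
    path: str
    discovered_as_role: str                       # first role (in scan order) to reach the path
    accessible_by_roles: set[str] = field(default_factory=set)
    privilege_escalation: bool = False


# Assumed "admin-pattern" paths; the scanner's real patterns are not published on this page.
ADMIN_PATTERNS = [
    re.compile(r"^/admin(?:/|$)"),
    re.compile(r"^/api/v\d+/users/\d+/role$"),
]


def is_admin_path(path: str) -> bool:
    return any(p.search(path) for p in ADMIN_PATTERNS)


def run_multi_role(roles: Iterable[Role], scan: Callable[[Role], set[str]]) -> list[Finding]:
    """Run `scan` once per role, baseline first, then tag every reachable path.

    `scan(role)` stands in for one authenticated Nuclei run and returns the paths
    that role could reach. Escalation is flagged when a role below the highest
    privilege level configured reaches an admin-pattern path.
    """
    ordered = sorted(roles)               # ascending privilege => baseline (0) first
    admin_level = ordered[-1].privilege   # assumption: the top configured level is "admin"
    findings: dict[str, Finding] = {}
    for role in ordered:
        for path in scan(role):
            f = findings.setdefault(path, Finding(path, discovered_as_role=role.name))
            f.accessible_by_roles.add(role.name)
            if role.privilege < admin_level and is_admin_path(path):
                f.privilege_escalation = True
    return list(findings.values())


def escalations(findings: Iterable[Finding]) -> list[str]:
    """Paths that earn the [PRIVILEGE ESCALATION] badge, sorted for stable output."""
    return sorted(f.path for f in findings if f.privilege_escalation)


# Constructed sample crawl results standing in for the per-role DAST runs.
ROLES = [
    Role(0, "anonymous"),
    Role(1, "user", "Authorization: Bearer user-token"),
    Role(2, "admin", "Authorization: Bearer admin-token"),
]
SAMPLE_REACHABLE = {
    "anonymous": {"/", "/login", "/api/v1/health"},
    "user": {"/", "/api/v1/me", "/api/v1/orders", "/admin/export"},   # user reaches an admin path
    "admin": {"/", "/api/v1/me", "/admin", "/admin/export", "/admin/users"},
}


def sample_scan(role: Role) -> set[str]:
    return SAMPLE_REACHABLE[role.name]


if __name__ == "__main__":
    for f in sorted(run_multi_role(ROLES, sample_scan), key=lambda x: x.path):
        badge = " [PRIVILEGE ESCALATION]" if f.privilege_escalation else ""
        print(f"{f.path:18} discoveredAsRole={f.discovered_as_role:10} "
              f"accessibleByRoles={sorted(f.accessible_by_roles)}{badge}")
```

In the sample data `/admin/export` is reachable with the `user` token as well as the `admin` one, so it is tagged accessibleByRoles = {user, admin} and flagged, while `/admin/users`, reached only by `admin`, is not. A path the unauthenticated baseline can reach under `/admin` would be flagged the same way, since privilege 0 is below the top level.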


Extension settings

| Setting | Description |
|---|---|
| owaspScanner.appName | Application name shown in the report |
| owaspScanner.outputDirectory | Directory to save exported HTML reports |
| owaspScanner.targetUrl | Default DAST target URL |
| owaspScanner.authHeader | HTTP auth header for authenticated DAST scans |
| owaspScanner.roleConfigs | JSON array of role configs for multi-role DAST (Consultant / Enterprise) |

owaspScanner.authHeader and owaspScanner.roleConfigs hold live credentials. Keep them in user settings rather than workspace settings, since a workspace .vscode/settings.json is easily committed to the repository, and use short-lived test tokens that you rotate after the scan.

Privacy

Your source code is zipped and sent to the CyberMoose cloud API for scanning. For Free and Pro tiers it is not stored after the scan completes. For Consultant and Enterprise tiers the workspace zip is retained in private storage for 30 days so the retest agent can re-run the original scanners against it; it is automatically deleted after that window. Only scan findings (not source code) are used to generate the AI report.


Support

  • Issues: github.com/Cyb3rMoose/ide-scanner/issues
  • Website: cybermoose.io
  • Email: support@cybermoose.io