What Vines does out-of-the-box — fast, accurate, and credible.
Vines takes raw OWASP ZAP findings and transforms them into clear, prioritized intelligence.
✨ Impact Summaries: Plain-language explanations highlight business risk, compliance exposure, and user trust implications.
🧭 Risk Ranking: AI blends CVSS, EPSS, and context signals into a defensible priority order so teams focus where it matters most.
Built on the industry-trusted OWASP ZAP engine. Combines Spider, AJAX Spider, and Active Scan with tuned rule caps, time budgets, and curated exclusions to deliver thorough coverage without runaway noise.
Logs in before scanning using your form POST, username/password fields, optional CSRF prefetch, and logged-in/out indicators. Excludes logout endpoints by URL or regex to maintain session and reach real, behind-auth surfaces.
Discovers hosts, open ports, and services to complement web scanning. Presents open-port summaries and risk context alongside application findings for an end-to-end view.
Practical defaults keep scans predictable: per-rule and total scan time limits, thread caps, connection timeouts, modern user-agent, and exclude patterns for WordPress/pagination sprawl.
Clarity for engineers, signal for leaders, and data for dashboards.
Gruvbox-themed, high-contrast reports with big, readable typography. Export polished PDFs for stakeholders, interactive HTML for teams, and JSON for BI/CI dashboards.
Smart grouping collapses duplicates and highlights the proof-of-finding (request/response snippets, parameters, and sample payloads) so reviewers see exactly why a finding is real.
Severity mix, top rules by instances, open-port summaries, trend/bubble charts, and max-risk callouts — all tuned for rapid prioritization and leadership visibility.
Make security a habit — not a heroic event.
Daily, weekly, monthly, yearly, or one-time. UTC hour picker, “future-only” validation, enable/disable toggles, and run-now actions to verify changes on demand.
Clean REST endpoints to start scans, check status, fetch reports, and manage schedules. Ideal for pipelines, nightly jobs, or gated releases.
Plan-based concurrent scan limits with friendly prompts when capacity is full. Abort, retry, and resume flows are hardened for reliable operation in small teams.
Designed for focus, built for credibility.
Aesthetic, high-contrast dark theme with bold Fira Sans typography. Clear hierarchy, large touch targets, accessible colors, and a streamlined single-page workflow.
Findings originate from OWASP ZAP — a widely trusted open-source DAST engine. Vines enhances the signal with AI and curation without obscuring the underlying evidence.
Each run stores artifacts in a dedicated folder: logs, XML/HTML outputs, and a debug snapshot of command, environment, and log tails — full traceability when you need it.
Fast setup, sensible defaults, and guardrails reduce tuning overhead. You get accurate detection, readable outputs, and an AI layer that translates findings into action.
Ready for what’s next.
Support for ZAP add-ons (GraphQL, reports, Selenium, scripts) and custom scripting to extend crawling, auth flows, or header injection for advanced targets.
Adjust scan policy thresholds, time budgets, and concurrency based on risk appetite and environment to balance depth with runtime.
| Feature | Vulnerability Vines AI | Typical Commercial Scanner |
|---|---|---|
| Core Engine | ✔ OWASP ZAP at the core with AI enhancements for clarity | ✖ Proprietary, closed-box engine |
| AI Fix & Guidance | ✔ Detailed remediation, impact summaries, and verification steps | ✖ Generic text, little or no actionable code |
| Authenticated Scans | ✔ Full form-login support, CSRF, logout handling | ✔ Limited support; often complex setup |
| Developer Outputs | ✔ Code snippets, configs, security headers | ✖ Mostly PDF exports or dashboards only |
| Scheduling & Automation | ✔ Built-in daily/weekly/monthly/yearly with run-now | ✔ Available, but often premium-tier only |
| Report Formats | ✔ PDF, HTML, JSON for dashboards | ✔ PDF and HTML; JSON rarely exposed |
| User Interface | ✔ Modern SPA, Gruvbox dark theme, large fonts | ✖ Traditional enterprise dashboards |
| Scan Guardrails | ✔ Rule-level caps, global exclusions, predictable runtime | ✖ Often black-box, scans run long or noisy |
| Debug & Transparency | ✔ Full logs, artifacts, XML/HTML, debug.json | ✖ Logs hidden or not accessible |
| Licensing | ✔ Open-source core, transparent, SME-friendly | ✖ Expensive per-seat or per-scan licensing |
The pillars that give Vines AI its edge in accuracy, usability, and developer trust.
Vines enriches every finding with AI-driven context, risk reasoning, and guided remediation. Raw scanner output becomes clear, prioritized intelligence the whole team can act on.
Built on OWASP ZAP with tuned rule caps, connection timeouts, smart exclude patterns, and balanced concurrency — delivering thorough coverage with low noise.
Form login, CSRF prefetch, logout URL/regex, and logged-in/out indicators let Vines map and test the true behind-login attack surface.
Gruvbox-styled PDF, HTML, and JSON with KPIs, charts, and grouped evidence. Executives get clarity; developers get actionable details immediately.
Copy-ready headers, configs, and patterns tailored to common stacks, plus verification steps to prove closure — bridging detection and implementation.
Built-in scheduling, REST APIs, and pipeline hooks enable gated releases, nightly scans, and “run-now” checks — frictionless in DevSecOps workflows.
Every run stores logs, XML/HTML outputs, and a debug snapshot (command, env, tails). Full traceability builds trust in every result.
Aina sits inside Vines to explain findings, prioritize risk, and guide real fixes — in plain language. Ask questions, drill into evidence, and leave with validated, repeatable steps.
Aina reads the current scan context — targets, KPIs, evidence, instances — then translates raw findings into plain-language explanations that anyone on the team can trust.
Blends CVSS/EPSS with exploitability hints to rank what to fix first, surfacing quick wins and high-impact items so you spend effort where it counts.
Generates step-by-step remediation tailored to common stacks: header sets, config changes, safer patterns, and guardrails — all grounded in the evidence Aina is looking at.
Supplies post-fix validation steps and quick checks to prove closure, prevent regressions, and prepare for audits or gated releases.
Unsure why a finding is real? Ask Aina to walk you through the request, response, parameter, and proof — linking directly to the instance that triggered the alert.
From executive briefs to developer to-dos, Aina drafts the right message for the right audience — fast, accurate, and grounded in your latest scan.
Drop Vines AI into your pipelines and platforms — scans run where your code lives, results land where your team works, and releases stay gated by risk.
Trigger scans on Jenkins, GitHub Actions, GitLab, Azure DevOps, Bitbucket, or CircleCI. Run on PRs, nightlies, or release tags; fetch status via REST; fail builds when thresholds are exceeded.
Works cleanly across Azure, AWS, and GCP runners. Store artifacts in blob/S3/GCS; integrate with registries (ACR/ECR/GCR) to scan app endpoints post-deploy.
Lightweight runners in Docker; orchestrate with Kubernetes and Helm. Parallelize scans, isolate environments, and surface JSON KPIs to cluster dashboards.
Enforce guardrails: block release if High/Critical issues exist, or if max risk exceeds a set score. Ship with confidence when Vines says you’re green.
Pipe summaries to Slack / Teams; open issues in Jira, Azure Boards, or GitHub Issues with links to evidence and AI remediation notes.
Use pipeline secrets and vaults: Azure Key Vault, AWS Secrets Manager, HashiCorp Vault. Rotate credentials safely; no hardcoding in jobs.
Query /api/scans & /api/scan/:id/status, fetch PDF/HTML/JSON outputs, and feed Grafana or custom BI with risk trends, fix velocity, and coverage.
Continuous coverage, credible detection, and AI guidance that closes the loop — so risk goes down release after release.
Schedule daily/weekly/monthly scans, add quality gates in CI/CD, and run “scan-now” before go-live. No blind spots between releases.
Vines blends CVSS/EPSS with exploitability hints to surface the highest-impact, easiest-to-exploit issues first — less noise, faster focus.
Clear, step-by-step guidance for headers, config, and code patterns — tailored to common frameworks — so teams fix correctly the first time.
Post-remediation checks and quick retests verify closure, prevent regressions, and give change reviewers evidence, not guesswork.
Authenticated deep scans (form login, CSRF prefetch, logout exclusions) test the real attack surface customers use.
Each run stores logs, XML/HTML reports, and a debug snapshot (command, env, tails) — building a defensible audit trail.
Reduced mean-time-to-remediate (MTTR) across sprints
Release gates that prevent critical risk from shipping
Consistent security posture across apps, teams, and clouds
Clear executive visibility with decision-ready reports
A broad, modern catalog — accurate detection powered by OWASP ZAP + Vines AI analysis.
HttpOnlySecureSameSitekid Header Injection / JWK Abuseunsafe-inline)../ traversal).git / .env / backups.zip, .bak, ~)%2f tricks)postMessage Misuse (SOP bypass patterns)state Parameter (CSRF in OAuth flows)localStorage exposure)*.example.com)frame-ancestors Missing (clickjacking via CSP bypass)Content-Disposition)dangerouslySetInnerHTML injection misusev-html template injectiontrusted-types)callback=)__Host- / __Secure- cookie prefixes missingwindow.name / history lengthjti replay (no blacklist/rotation)location.hashobject-src overly open (plugin content allowed)postMessage with origin="*"Access-Control-Allow-Headers: * risksjavascript: / mixed encodings)allow-scripts + allow-same-origin combo)Origin)crit misuseAt-a-glance mapping of Vines AI detection coverage across OWASP Top 10 (Web), OWASP API Top 10, and WSTG domains. (Title 32px, items 24px as specified.)
Key categories and representative findings covered by Vines AI.
Modern API risks in REST/GraphQL/gRPC covered by Vines.
Representative WSTG areas Vines exercises during scans.
RCCE students train with Vines AI from day one — learning to identify real vulnerabilities, triage risk, and ship verified fixes with confidence. RCCE Cybersecurity is the most advanced, cutting-edge cybersecurity training in the world, and Vines AI turns that expertise into hands-on results.
Scan. Interpret. Remediate. Verify. Students graduate with practical DAST, DevSecOps, and reporting skills that transfer instantly to production environments.
Students run deep and authenticated web scans with OWASP ZAP (via Vines), exploring XSS, injection, access control, misconfigurations, GraphQL/API issues, and more — exactly what they’ll face in the real world.
Vines AI converts raw findings into clear explanations, prioritized risk, and step-by-step remediation. Students learn how to move from detection to validated fixes — fast.
Practice scans in CI/CD (Jenkins, GitHub Actions, Azure DevOps, GitLab): set quality gates, enforce thresholds, and ship only when risk is green. Real pipeline muscle memory.
Produce Gruvbox-styled PDF/HTML/JSON reports with KPIs, charts, and grouped evidence. Students learn to brief executives and guide engineers — a critical, career-ready skill.
End-to-end exercises: identify issues, propose remediations, apply changes, and prove closure with verification steps and re-scans. Exactly how modern teams operate.
Graduates leave with a portfolio of real scans, findings, and reports — demonstrating practical ability, not just theory. That’s why RCCE stands apart.
Job-ready DAST, triage, and remediation skills
Fluent with OWASP ZAP + AI analysis (Vines)
Real DevSecOps practice: CI/CD, quality gates, thresholds
Executive-grade reporting and stakeholder communication
Confidence to detect, fix, and verify before release
RCCE is the most advanced, modern, cutting-edge, AI-focused, practical cybersecurity training in the world. It’s not just a syllabus — it’s a launchpad. RCCE blends deep technical mastery with real-world execution, preparing you to defend, break, automate, and lead with confidence.
RCCE’s philosophy is simple: learn by doing — in production-style labs powered by Vines AI, OWASP ZAP, and modern DevSecOps tooling. The result? Practitioners who can find vulnerabilities, fix them, and prove they’re closed.
Students use Vines AI to interpret findings, prioritize risk, and generate guided remediations. This AI-first approach transforms scanner output into clear action — the same workflow elite teams use.
Authenticated deep scans, API/GraphQL coverage, traffic captures, and executive-grade PDF/HTML/JSON reports — every exercise leaves a trail of proof you can show to employers.
Jenkins, GitHub Actions, Azure DevOps — quality gates, thresholds, and release policies embed security into delivery. RCCE grads know how to automate scans, block risky builds, and ship safely.
Web, APIs, cloud edges, identity flows (OAuth/OIDC/SAML) — RCCE drills the attack surface that businesses actually run, mapping risks that matter: authZ gaps, SSRF, misconfig, logic abuse, and more.
You won’t just “know” security; you’ll do it — triage alerts, fix issues, re-test, and brief stakeholders. RCCE measures impact with KPIs that employers understand.
The RCCE badge signals hands-on capability and AI-driven security fluency. It’s a hallmark of modern defenders and builders — the gold standard for practical cybersecurity education.
Graduates who can find, fix, and verify vulnerabilities — end-to-end
Portfolio of reports & artifacts demonstrating real expertise
DevSecOps muscle memory: pipelines, gates, and safe releases
AI fluency with Vines AI — the new baseline for modern teams
Predictable runtime with tuned budgets — built to scale across projects, pipelines, and teams.
Active-scan total cap (deep)
Per-rule cap for stability
Spider + AJAX budgets
Threading per host (tuned)
Guardrails: concurrency caps, time budgets, and exclude patterns keep scans fast and focused.
Reliable outputs: per-run artifacts (XML/HTML/logs) + debug snapshots for easy triage and proof.
Horizontal scale: run multiple isolated workers in Docker/Kubernetes with shared storage.
Scheduling: daily/weekly/monthly/yearly or one-time; “run now” for release candidates.
Quality gates: block builds on High/Critical or risk≥threshold via simple API checks.
KPIs: JSON endpoints for Grafana/BI — risk trends, fix velocity, coverage.
Show stakeholders how Vines AI supports your controls and audits — with evidence, traceability, and policy-friendly outputs.
Control coverage for vulnerability management, change management, and logging via scheduled scans, quality gates, artifacts, and audit-ready debug snapshots.
Support for regular application testing, evidence capture, and remediation tracking; export PDF/HTML/JSON for ROC documentation.
Data-minimal operation, on-prem/VPC deployment, retention controls, and proof-of-fix workflows reduce exposure during testing.
Google/OIDC/SAML guard for access to scans and reports; role-based permissions; artifact segregation per team/project.
Map findings to OWASP/WSTG categories, export JSON KPIs, and attach evidence to Jira/Boards for verifiable remediation trails.
Per-run debug.json, logs, and reports provide defensible proof of scanning scope, parameters, and outcomes.
Built by Rocheston — the team behind RCCE, the most advanced, AI-focused practical cybersecurity training — and powered by the OWASP ZAP engine trusted worldwide. Transparent, auditable, and proven in real environments.
Vines AI is developed by Rocheston, creators of RCCE — widely recognized as the most advanced, modern, AI-driven practical cybersecurity training. The same philosophy powers Vines: real targets, real evidence, real results.
Findings originate from the OWASP ZAP DAST engine — open, peer-reviewed, and widely trusted. Vines enhances ZAP with tuned budgets, guardrails, authenticated flows, and AI analysis for clarity and action.
Every run stores artifacts (logs, XML/HTML, debug snapshot) so security teams and auditors can trace scope, parameters, decisions, and outcomes. No black boxes — full visibility.
Used daily in RCCE labs and by SMEs in real pipelines. Vines demonstrates consistent, predictable scans with guardrails (rule caps, time budgets, excludes) and actionable outputs engineers trust.
PDF/HTML/JSON reports, KPI feeds, and per-run debug make it straightforward to support SOC 2, ISO 27001, PCI DSS, HIPAA/GDPR reviews with defensible proof.
Vines advances security education: AI explanations, verification steps, and developer-friendly guidance bridge scanning to fixing — the reason RCCE graduates become job-ready, credible practitioners.
Simple, SME-friendly licensing. Keep your data local. Scale at your pace.
Deep web scans + Nmap, PDF/HTML/JSON reports, schedules, and CI hooks. Everything you need to begin.
Multi-user, role-based access, Slack/Jira integrations, JSON KPIs for dashboards, larger concurrency.
On-prem/VPC deployment, SSO (OIDC/SAML), artifact retention controls, audit evidence, custom support SLAs.
Included with RCCE. Vines AI is free for RCCE students — train with the same tool you’ll use on the job.
Quick answers for teams evaluating Vines AI.
It’s built by Rocheston (RCCE) and powered by the OWASP ZAP engine. Every run stores artifacts (logs, XML/HTML, debug snapshot) for full transparency.
Yes — form login, CSRF prefetch, logout URL/regex, and logged-in/out indicators so you can test real behind-login surfaces.
Native CI/CD hooks (Jenkins, GitHub, GitLab, Azure) with risk thresholds to gate releases; JSON KPIs for dashboards.
Yes — deploy on-prem or VPC, keep artifacts local, integrate with your secrets manager, and set retention policies.
Vulnerability Vines AI is a modern, AI-powered web application security scanner built on the trusted OWASP ZAP engine. It discovers vulnerabilities, explains impact in plain language, provides step-by-step remediation, and outputs PDF/HTML/JSON reports for engineers and executives.
A precise security pipeline that goes from discovery to proof of fix.
Spider + AJAX Spider to map routes, APIs, and dynamic content. Optional directory discovery for hidden paths.
Form login, CSRF prefetch, logout exclusions, and logged-in/out indicators to test behind-login surfaces.
OWASP ZAP rules with tuned budgets (per-rule caps, total caps, concurrency) for accurate, low-noise results.
Plain-language impact, risk ranking, fix instructions, and verification steps — ready for developers.
Export PDF/HTML/JSON, store artifacts (logs, XML/HTML, debug.json) for audits and dashboards.
Where Vines AI delivers fast security wins.
Shift-left app security, PR-gated scans, board-ready PDFs.
Authenticated flows, session/cookie hardening, PCI DSS evidence.
Business logic abuse, coupon replay, API rate-limit checks.
Data protection headers, artifact retention for HIPAA audits.
On-prem/VPC, audit trails, role-based access & SSO.
Hands-on labs, AI remediation coaching, job-ready skills.
Broad coverage for real-world stacks and environments.
Transparent techniques that balance depth and predictability.
Launch your first scan in minutes.
Highlights of recent improvements. (Use this structure and keep shipping notes fresh for SEO.)
Plain-language definitions of the terms that appear in Vines AI reports, dashboards, and DevSecOps workflows.
Vines’ built-in AI chatbot that explains findings, prioritizes risk, proposes fixes, and provides verification steps in plain language.
Rules that determine who can access which resources or actions. Broken access control leads to IDOR/BOLA-class issues.
ZAP’s active attack phase that safely probes endpoints for vulnerabilities using payloads and rules with time/scan budgets.
A dynamic crawler that executes client-side code to discover routes traditional spiders miss.
Per-scan evidence files (logs, XML/HTML report, debug snapshot) saved for triage and audits.
Broken Object Level Authorization: object access without proper permission checks.
Broken Object Property Level Authorization: updating fields you shouldn’t be able to change.
Broken Function Level Authorization: invoking privileged functions without the right role.
Exploiting intended flows (e.g., discounts, refunds) for unintended gain.
Continuous Integration/Delivery pipelines. Vines hooks into Jenkins, GitHub Actions, GitLab, Azure DevOps to gate releases.
Content-Security-Policy header that reduces XSS by controlling what resources can load or execute.
Cross-Site Request Forgery: tricking a user’s browser to perform unwanted authorized actions.
Cross-Origin Resource Sharing: controls whether browsers allow cross-site requests.
Scoring frameworks: CVSS (severity) and EPSS (exploit probability) inform prioritization.
CWE: weakness classification. CVE: public vulnerability identifier for specific products.
Dynamic Application Security Testing: black-box testing of running apps. Vines is DAST with AI guidance.
Per-run JSON capturing command, environment, and log tails to make scans reproducible.
Baking security into development & delivery. Vines supports quality gates and KPIs.
Directory/content discovery to find hidden routes and files.
Exploit Prediction Scoring System — probability a CVE will be exploited in the wild.
Proof attached to a finding (request/response, parameter, payload, screenshot, trace).
Concise, non-technical brief of risk posture for leadership.
API query language. Vines covers introspection exposure, depth/complexity abuse, and auth gaps.
Binary RPC framework over HTTP/2; watch for reflection exposure and size/rate limits.
Time/thread caps and excludes that make scans predictable and low-noise.
Strict-Transport-Security header that enforces HTTPS.
Desync attacks across proxies using HTTP/2 quirks.
HTTP Parameter Pollution — duplicate keys change server behavior.
Insecure Direct Object Reference — reading/modifying objects by guessing identifiers.
GraphQL schema disclosure; disable in production or secure tightly.
JSON Web Token (bearer token). Watch for alg confusion, weak secrets, long TTLs, insecure storage.
JSON Web Key — public keys for token verification; misconfig can enable key confusion.
Key Performance Indicator — risk trend, fix velocity, coverage; Vines exposes JSON KPIs.
Multi-Factor Authentication; check coverage and enforcement.
Mean Time To Remediate — how quickly teams fix findings.
Network mapper for ports/services; Vines pairs it with web scans for full surface context.
Case/Unicode/path handling differences that cause bypasses.
Delegated auth; watch for redirect URIs, state/PKCE, scope creep.
OpenID Connect — identity layer on OAuth 2.0.
Out-of-Band AppSec Testing for blind SSRF/XXE via callback servers.
OAuth extension to protect code flow on public clients.
Enforcing security gates via config in pipelines.
Automated rule (e.g., “no Criticals”) that blocks a release when risk is high.
Regular-Expression DoS by catastrophic backtracking.
Representational APIs; validate auth, inputs, rates, error handling.
Numerical limit (e.g., CVSS ≥ 7) used to gate builds.
Static code scanning vs dynamic runtime testing; Vines is DAST.
Recurring scans (daily/weekly/monthly/yearly) plus “run now”.
PWA caching agent; scope and cache rules must be secured.
Subresource Integrity for third-party scripts.
Server-Side Request Forgery — server makes attacker-chosen network calls.
SSTI/CSTI — server/client template engines executing attacker input.
Protocol/cipher selection and certificate handling.
Consistent handling of encodings/case to avoid bypasses.
Rocheston’s AI-enhanced DAST platform with authenticated scans, DevSecOps hooks, and beautiful reports.
Structured list of issues the scanner detects, mapped to OWASP/WSTG and enriched by AI.
Web Application Firewall — may mask issues; coordinate testing allowances.
Origin checks, auth, and message validation for WS channels.
OWASP Web Security Testing Guide — comprehensive test taxonomy.
Cross-Site Scripting — injecting script into pages (reflected/stored/DOM).
XML External Entity injection — reading files or SSRF via XML parsers.
OWASP Zed Attack Proxy — open-source DAST engine at Vines’ core.
Assume breach; verify explicitly; least privilege everywhere.
Cybersecurity has a pricing problem. The largest commercial vulnerability scanners cost thousands of dollars a year, wrapped in seat licenses, scan quotas, and “enterprise” add-ons. Fortune-scale companies can absorb that. Small organizations — clinics, schools, startups, non-profits, regional firms — often cannot. The result is predictable: systems go unscanned, defects linger, and avoidable breaches happen.
Per-seat and per-scan models punish the very people who should see and fix issues: developers. Features that should be table stakes — authenticated scanning, API coverage, useful reporting — are gated behind premium tiers. Meanwhile the engines are opaque, run times are unpredictable, and “contact sales” appears where a status code should be. This isn’t security; it’s a toll.
Small organizations keep operating anyway. They serve patients, ship releases, take payments, and host student data. When scanning becomes unaffordable, they don’t buy a cheaper truth; they get no truth at all. Risk doesn’t scale down just because the budget is smaller.
Vines AI is a web application scanner for the rest of us. It uses the industry’s trusted core — the OWASP ZAP DAST engine — and adds an intelligence layer that explains impact, ranks risk, and guides fixes. Authenticated deep scans are first-class, reports export to PDF/HTML/JSON, and CI/CD quality gates are straightforward to wire. The price is what small teams can actually pay: $10–$40 per month. Not thousands.
debug.json snapshot (command, env, log tails) so you can verify every claim.For RCCE students, learning comes first. Rocheston makes Vines AI free of charge to RCCE learners. This is not a crippled “community” edition; it is the full product. Anything less would teach the wrong habits. RCCE is the most advanced, modern, cutting-edge, AI-focused, practical cybersecurity training in the world — and students should practice with the real tool they’ll use on the job.
We cannot eliminate the cost of security, but we can make it sane, transparent, and effective. That is the standard Vines AI holds itself to — and the bar we believe the industry should meet.
A practical, single-column checklist to get accurate, low-noise results — and to move from findings to verified fixes with confidence.
List in-scope domains, paths, and APIs. Note out-of-scope areas (e.g., billing provider, third-party widgets). A clear scope reduces noise and legal risk.
Create test accounts per role (user, admin, support). Provide login URL, username/password fields, CSRF/extra form data, and a logout URL/regex to exclude. Most real risk hides behind login.
Seed non-production with realistic accounts, orders, and files. Scans that can click “buy” or delete should run in staging. If you must scan prod, exclude destructive routes.
Expose /sitemap.xml and keep navigation crawlable. Add key URLs (dashboards, settings, API playgrounds) to the seed list to ensure coverage.
Block routes that change state irreversibly (e.g., /delete, payments), huge exports, and endless pagination. You’ll protect data and keep scans predictable.
Use a callback server for blind SSRF/XXE detection. Ensure outbound egress is allowed from the scanner to the OAST endpoint during tests.
Keep credentials in a vault or CI secret store. Never hard-code tokens in scripts. Rotate test creds on a schedule and limit their permissions to least privilege.
Use per-rule and total scan time budgets, thread limits, and curated exclude regexes (e.g., WordPress pagination). Guardrails cut noise and reduce false positives.
Provide OpenAPI/Swagger files and enable GraphQL checks. Add tests for auth on read/write, pagination limits, mass assignment, and IDOR across tenants.
Whitelist scanner IPs for the window, disable aggressive bot rules that block the crawl, and note any header injections or origin rewrites that may affect auth.
Save logs, XML/HTML reports, and a debug snapshot (command, environment, log tails). Evidence speeds triage and gives auditors a defensible trail.
Blend CVSS with exploit likelihood and business impact. Fix high-impact, high-reach issues first; quick wins next; long tails last.
Apply secure defaults (headers, validation, authz checks) across the app. One policy change can close dozens of findings at once.
Use post-fix checklists or unit tests for the defect class (e.g., XSS encoding tests). Run a targeted re-scan to confirm closure and prevent regressions.
Watch risk trend, fix velocity (MTTR), and coverage. Report executive summaries (PDF/HTML) and feed dashboards with JSON KPIs for daily visibility.
Run daily/weekly scans and set quality gates in CI/CD (e.g., “no Criticals”, “max risk < 7.0”). Ship when green; investigate when red.
Scan with multiple roles and sample tenants. Verify that cross-tenant and cross-role accesses are denied (BOLA/BFLA/BOPLA checks).
Review CSP, HSTS, X-Frame-Options, Referrer-Policy, MIME sniffing, service worker scope, and CORS. Client controls prevent entire classes of issues.
When you waive, record the reason and evidence. If a rule is noisy due to a pattern in your stack, adjust the rule or standardize the fix to prevent repeats.
Get written permission, test only what you own, and avoid real PII in non-prod. For prod scans, announce the window and minimize test payloads.
We welcome good-faith security research. If you believe you’ve found a vulnerability in Vines AI or related Rocheston assets, please report it responsibly so we can fix it quickly.
[email protected] with steps to reproduce, impact, and screenshots/logs.Thank you for helping keep our users and the wider community safe.
Need help, a demo, or an SLA quote? Reach us directly.
[email protected][email protected][email protected]Response targets: next business day for support, same day triage for security reports.
Vines AI is designed to keep your data private and under your control. This summary describes how we handle scan information and artifacts.
debug.json) remain in your environment by default.debug.json snapshot (command, env, log tails) to support compliance reviews (SOC 2/ISO 27001/PCI).For a signed DPA or questionnaires (CAIQ, SIG), contact [email protected].
We are committed to making Vines AI usable by everyone, including people with disabilities.
[email protected] with steps to reproduce.Accessibility is an ongoing effort; fixes ship continuously via our changelog.
Boilerplate (120 words): Vulnerability Vines AI is an AI-powered web application security scanner built on the OWASP ZAP engine. It discovers vulnerabilities, explains impact in plain language, prioritizes risk, and provides step-by-step remediation with verification steps. Vines exports PDF/HTML/JSON reports and plugs into DevSecOps pipelines (Jenkins, GitHub Actions, GitLab, Azure DevOps). Deployed on-prem or in your VPC, artifacts remain under your control with audit-ready evidence. Vines AI is developed by Rocheston, creators of RCCE — the most advanced, AI-focused practical cybersecurity training in the world — and is provided free of charge to RCCE students.
Brand Assets
[email protected]Usage Guidelines
Rocheston partners with educators, non-profits, and solution providers to make vulnerability scanning accessible and effective.
RCCE Academic Access (Free)
Non-Profit & Startup Support
Channel/Integration Partners
To apply, email [email protected] with a brief description of your program and use case.
We ship frequently. Here’s what’s next (subject to change). Last updated: 2025-09-01.
Feature requests welcome at [email protected].
Rocheston builds advanced, practical cybersecurity education and tools. Our flagship certification, RCCE, is the most advanced, modern, AI-focused practical cybersecurity training in the world. We believe students should train on the real thing, not limited “community” editions — which is why RCCE students use Vines AI free of charge.
Vulnerability Vines AI is our AI-enhanced DAST platform. Built on the OWASP ZAP engine, it delivers authenticated deep scans, readable impact analysis, step-by-step fixes, and verification steps. It integrates with DevSecOps pipelines and exports PDF/HTML/JSON with audit-ready artifacts, all at pricing that small teams can actually adopt.
Contact: [email protected] · Security: [email protected]