The WASViking® Platform

Continuous exposure management and DAST for modern web, API, and software supply chains.

See what is exposed. Know what an attacker can chain. Prove what is in your software. Tie adversary traffic at your edge to your own posture. One platform.

REST · OpenAPI · GraphQL · SOAP · WebSocket · JWT
PCI DSS v4.0 · LGPD · GDPR · BACEN · ISO 27001:2022
Three answers, one platform

Buyers do not buy 17 analyzers. They buy three answers.

Every WASViking capability ladders into one of these three answers. That is how the product is built, and how it is sold.

See what you expose

External DAST, modern protocol coverage, authenticated scanning, internal scope via Sentinel, asset inventory with first-seen and reappeared drift.

External DAST · Modern API · Sentinel internal DAST

Know what is in your software

SBOM cloud-side and premise-side, CI/CD SCA gate, signed Evidence Bundle, continuous OSV + CISA KEV watch, secrets with optional live verify.

Supply chain · CI/CD gate

Operate the evidence

Findings workflow with Risk Score 0-100, SLA digest, Exploit Path Graph, Posture Shares, Compliance mapping across five frameworks, AI recommendations.

For CISOs · Compliance
Findings workflow + Risk Score

The dashboard your team works from, not the dashboard you show your boss.

Risk Score 0-100 per Finding combines severity, asset criticality, environment, industry, and SLA window. Status transitions are auditable and emit webhook events. Jira sync with two-way mapping, bulk push, and polling.

  • Stable fingerprint, no duplicate noise across scans
  • SLA breach digest per organization on schedule
  • AI Recommendation per Finding, EN / PT-BR / ES
  • Webhook events on status transitions
  • Jira, Slack, Teams, webhook, email destinations
# Webhook payload on status transition
{
  "event": "finding.escalated",
  "finding_id": "f_8ab2",
  "category": "graphql_bola",
  "cwe": "CWE-639",
  "risk_score": 88,
  "asset_criticality": "high",
  "sla_window_hours": 24,
  "primary_risk_category": "authorization",
  "compliance": ["PCI 6.5.8","LGPD Art.46"]
}
Exploit Path Graph

Compound risk that single findings miss.

Individual findings look medium. Chains of findings are critical. The Exploit Path Graph materializes attack chains as a graph of finding-to-finding dependencies (auth weakness → SSRF → metadata service → IAM token), surfaced as chokepoint analysis. Shipped 2026-05-15.

See the engines feeding it
auth weakness  ────┐
                   ├──▶  internal SSRF  ────▶  metadata svc  ────▶  IAM token
no egress filter ──┘                                                    │
                                                                        ▼
                                                              chokepoint score: 92
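
One way to find the chokepoints in the chain drawn above, as an added example (not WASViking's code, and it does not reproduce the chokepoint score). The edge list is constructed from the diagram and the function names are hypothetical; a finding counts as a chokepoint here when remediating it alone cuts every path from the entry findings to the target.

```python
from collections import defaultdict

# Constructed sample: the chain from the diagram as finding-to-finding edges.
EDGES = [
    ("auth weakness", "internal SSRF"),
    ("no egress filter", "internal SSRF"),
    ("internal SSRF", "metadata svc"),
    ("metadata svc", "IAM token"),
]

def build_graph(edges):
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph

def entry_points(edges):
    """Findings with no incoming edge: where a chain can start."""
    targets = {dst for _, dst in edges}
    return sorted({src for src, _ in edges} - targets)

def reachable(graph, starts, goal, removed=None):
    """True if goal is reachable from any start without passing through `removed`."""
    stack = [s for s in starts if s != removed]
    seen = set(stack)
    while stack:
        node = stack.pop()
        if node == goal:
            return True
        for nxt in graph.get(node, ()):
            if nxt != removed and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False

def chokepoints(edges, goal):
    """Findings whose remediation alone breaks every chain ending at goal."""
    graph = build_graph(edges)
    starts = entry_points(edges)
    if not reachable(graph, starts, goal):
        return []  # no chain reaches the goal, so nothing to cut
    nodes = {n for edge in edges for n in edge} - {goal}
    return sorted(n for n in nodes
                  if not reachable(graph, starts, goal, removed=n))

if __name__ == "__main__":
    print(chokepoints(EDGES, "IAM token"))
```

Neither entry finding is a chokepoint on its own, because the other one still reaches the SSRF; the two findings downstream of the merge are.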
        
Posture Shares

Prove your posture without exposing your portal.

Tokenized, password-protected, time-limited snapshots at posture.<DOMAIN>. Token + password split share model, zero-knowledge. Bilateral audit log on every access. Rebuildable, revocable.

  • Share with a customer, partner, auditor, or investor in one click
  • No portal access, no PDF freshness problem
  • Audit on both sides: who accessed what and when
  • SBOM Evidence Bundle uses the same security model
Sample share link
https://posture.wasviking.com/s/ACME-Q2/8a4f...e21

Password is shared out of band. Token can be revoked or reissued any time. Every access is logged for both the share owner and the viewer.

AI principle

Engines detect. AI explains, prioritizes, and plans.

That principle is enforced in code. The engine's primary_risk_category wins on every disagreement with the LLM. A deterministic fallback means a missing LLM never produces an empty experience. A quota per plan keeps AI cost bounded. JWT claims are not redacted, because enterprise visibility under contract beats blanket redaction.

See WASViking® on your own stack.

Start a 14-day trial or talk to our team about an enterprise evaluation. No credit card required for the trial.