Sandyaa: The Autonomous Code Auditor That Finds and Proves Real Bugs
Security teams have long relied on static analysis tools to flag potential vulnerabilities—but most stop short of proving whether those flaws are actually exploitable. Enter Sandyaa, an open-source autonomous code auditor that doesn’t just detect bugs; it builds context, traces execution paths, and generates exploitable proof-of-concepts for every finding. Powered by Claude’s language models and designed to run on existing Claude Code subscriptions, Sandyaa represents a paradigm shift in how developers and security professionals approach code audits.
How Sandyaa Works: Beyond Static Analysis
Most LLM-based security scanners treat code like a black box—feeding files into a model and hoping for the best. Sandyaa takes a fundamentally different approach:
- Recursive Language Models (RLM): Instead of relying on a single context window, Sandyaa uses a multi-pass pipeline with a Python REPL. It writes custom regex filters, chunks files strategically, and spawns sub-LLM queries to aggregate results programmatically. This method, inspired by research from arXiv’s 2025 paper on recursive reasoning in code analysis, allows it to handle large codebases with precision.
- Eight-Pass Validation: The tool performs eight distinct analysis phases, including call-chain tracing, data-flow expansion, self-verification, and exploitability proof. Each phase refines findings, ensuring only actionable vulnerabilities are reported.
- Attacker-Control Analysis: Sandyaa filters out false positives by determining whether a vulnerability is reachable from untrusted input—a critical step often missed by traditional scanners.
- Zero-Setup Deployment: No API keys required. Sandyaa piggybacks on your existing Claude Code subscription, eliminating billing surprises and setup friction.
Under the Hood: Why This Matters for Security
Traditional static analysis tools often generate thousands of low-severity findings, overwhelming teams with noise. Sandyaa’s approach addresses this in three key ways:
| Traditional Scanners | Sandyaa |
|---|---|
| Flags potential issues without context | Traces execution paths to validate exploitability |
| Relies on static pattern matching | Uses dynamic reasoning with recursive LLM queries |
| Generates reports without proof | Delivers runnable exploit proofs mapped to source lines |
| Requires manual review for validation | Autonomously verifies findings through self-consistency checks |
*”Exploit proofs” are not just theoretical—they’re functional code snippets that demonstrate how an attacker could leverage the vulnerability, complete with evidence chains linking back to the source.
Where and How to Use Sandyaa
Sandyaa is designed for developers and security teams working with:
- macOS: Fully supported and actively tested by the SecureLayer7 team.
- Linux: Expected to work (no known blockers), though not yet actively tested. Community contributions welcome.
- Windows: Native support is not available. The tool relies on Unix commands and the Claude CLI, which fails on Windows natively. However, it can run in WSL2 with the Linux build of Claude Code.
For organizations using Windows environments, the team encourages contributions to add native support via pull requests.
Who Benefits Most from Sandyaa?
Sandyaa is particularly valuable for:
Security Researchers
Automate zero-day hunting with validated findings and exploit proofs, reducing manual effort by up to 70%.
Open-Source Projects
Eliminate false positives in contributions with autonomous validation, accelerating merge reviews.
Enterprise DevSecOps
Integrate into CI/CD pipelines for continuous vulnerability verification without adding API costs.
Frequently Asked Questions
Is Sandyaa free to use?
Yes. Sandyaa is open-source and leverages your existing Claude Code subscription—no additional costs or API keys are required.
How accurate are the findings?
The tool is in alpha, so expect some false positives. However, its recursive validation pipeline significantly reduces noise compared to traditional scanners. The team recommends treating initial runs as a starting point for manual review.
Can Sandyaa replace penetration testers?
No. While Sandyaa automates vulnerability validation and exploit proof generation, it lacks the strategic context and human judgment of a red team. It’s best used as a complement to manual testing.
What languages does it support?
Sandyaa is language-agnostic and can analyze any codebase, though its effectiveness depends on the complexity of the language and the quality of Claude’s training data for that syntax.
The Future of Autonomous Security Tools
Sandyaa represents an early but ambitious step toward fully autonomous security audits. As the tool matures, we can expect:
- Integration with vulnerability databases (e.g., NVD) for automated CVE submissions.
- Expanded support for Windows and other platforms through community contributions.
- Collaboration with other LLM-based tools to create end-to-end security pipelines.
For now, Sandyaa offers a glimpse into a future where security audits are not just faster but smarter—combining the scalability of automation with the rigor of human-like reasoning.