Our Mission

The attacks hiding
in plain sight.

We build the infrastructure that keeps modern software honest — from the pull request to the AI prompt layer.

The Problem

Why we built this

Supply chain attacks changed in 2023. Attackers stopped targeting infrastructure and started targeting source code itself — not the logic, but the characters. A zero-width Unicode override in the right identifier. A Cyrillic 'а' in a package name. A base64-encoded payload in a comment.

None of these are visible in a standard code review. Every major SAST tool misses them. The attacks that took down SolarWinds, XZ Utils, and dozens of npm packages all exploited this gap: the space between what code looks like and what it does.

Then AI platforms added a new surface. Every external data source — calendar events, emails, documents, API responses — became a potential injection vector. A single malicious prompt buried in a meeting invite can hijack an AI assistant and exfiltrate everything it has access to.

PhantomCorgi closes both gaps. Code Corgi for the code layer. API Phantom for the AI layer. Calendar Sentry for the input layer.

The Suite

Three tools. Three attack surfaces.

Modern software is attacked at the code layer and the AI prompt layer. We built a dedicated product for each.

CC

Code Corgi

Supply Chain Code Security

GA

Scans every pull request for invisible Unicode characters, homoglyphs, and semantic malware patterns. Kubernetes-native, air-gappable, SOC2-ready. Catches the attacks that no code reviewer can see.

  • Unicode & homoglyph detection
  • AST-level semantic scanning
  • GitHub, GitLab, Bitbucket, Azure DevOps
  • On-premise / air-gap install
Explore Code Corgi →
AP

API Phantom

AI Platform Security Shield

GA

A security reverse-proxy for AI platforms. Enforces auth, detects SQL injection in JSON payloads, protects system prompts in a versioned vault, and runs autonomous red-team probes 24/7.

  • Auth enforcement & endpoint inventory
  • Prompt integrity vault
  • IDOR & SQL injection detection
  • Autonomous red-team agent
Explore API Phantom →
Principles

How we build

Transparent detection

Every detection rule is documented. You can read exactly what we flag and why — no black-box scoring that blocks PRs with no explanation.

Defense in depth

No single layer catches everything. We run Unicode, homoglyph, and AST analysis in parallel so a failure in one layer doesn't create a silent gap.

Enterprise-first design

Air-gap support, Vault secrets, SOC2 audit logs, and SAML are designed in from the start — not bolted on after enterprise customers ask for them.

Open core

The core detection engine is open source. Security tools that can't be inspected shouldn't be trusted with your codebase.

Which layer do you need to secure?

Both products are free to try. Start with the one that matches your immediate threat surface.

PhantomCorgi → API Phantom →