Product

App Vetting, Scan Coverage Heatmap, Mobile Shielding Scan, Deep Agentic Scan Improvements, Cyber Models & Source Code Scanning

This release introduces App Vetting, Scan Coverage Heatmap, Mobile Shielding Scan, Deep Agentic Scan improvements, Cyber Models, additional model support, and source code scanning.

Tue 07 July 2026

Highlights

  • App Vetting for Android and iOS application risk assessment.
  • Scan Coverage Heatmap for visibility into tested areas, remaining gaps, and incremental coverage.
  • Mobile Shielding Scan for validating mobile app self-defense protections under attack.
  • Faster and deeper Deep Agentic Scan with improved mobile execution, reverse engineering, planning, and vulnerability chaining.
  • Ostorlab-managed Cyber Models with prepaid compute credits, wallet visibility, and controlled scan effort profiles.
  • Additional model support for cost-efficient autonomous scanning, including Kimi K2.7 and GLM 5.2.
  • Source code scanning through GitHub, GitLab, Azure DevOps, Bitbucket, and standard Git repositories.

1. App Vetting

App Vetting is a new capability in Ostorlab designed to help organizations assess Android and iOS applications before approval and throughout the application lifecycle.

Organizations increasingly rely on third-party mobile applications, but evaluating whether an app can be trusted often requires security teams to combine vulnerability reports, privacy signals, malware indicators, and reputation checks from multiple sources. App Vetting brings those signals into a single automated workflow.

App Vetting combines static analysis, dynamic testing, and safe containment sandbox execution to provide a contextualized view of application risk.

App Vetting overview

Key capabilities:

  • Risk-based scoring across Malware, Security, Privacy, Trust, and Maintainability.
  • Static and dynamic analysis to evaluate both application structure and runtime behavior.
  • Safe containment sandbox execution for observing application behavior in a controlled environment.
  • Telemetry assessment to review outbound communications, third-party services, analytics SDKs, tracking frameworks, and potential privacy concerns.
  • Secure token-based sharing so stakeholders can review results through a dedicated web view without requiring platform access.
  • Continuous monitoring to track changes in security, privacy, and trust as applications evolve.
  • Workflow access through the Ostorlab platform, REST and GraphQL APIs, and integrations such as Jira and Slack.

App Vetting helps teams move from isolated findings to a clearer approval decision: should this application be trusted for use?

App Vetting risk score


2. Scan Coverage Heatmap

Scan Coverage Heatmap gives teams a visual view of how much of an application was tested, which components and security categories received deeper coverage, and where gaps still remain.

Instead of looking only at findings, teams can track coverage itself: what was explored, what needs more attention, and how testing evolves across assessments.

Scan Coverage Heatmap

Key capabilities:

  • Component-level visibility into which application areas received deeper investigation.
  • Security-category coverage to understand testing depth across different risk categories.
  • Gap detection to identify areas where coverage was limited or missing.
  • Incremental coverage tracking from one scan to the next.
  • Historical context so future scans can build on previous findings, validated paths, and known behavior instead of starting from zero.

Teams can also use Transparent Attack Validation paths inside scan results to review the decisions, tool outputs, and steps followed during vulnerability validation.


3. Mobile Shielding Scan

Mobile Shielding Scan automatically tests how well a mobile application defends itself against reverse engineering, tampering, cloning, instrumentation, and runtime manipulation.

Many mobile apps ship with built-in self-defense protections, often called shielding. These protections are designed to stop attackers from modifying the app, bypassing controls, inspecting secrets, or manipulating the app while it runs. Mobile Shielding Scan makes those protections testable in a repeatable way.

Mobile Shielding Scan answers two questions for each protection:

  1. Is the protection present?
  2. Does it hold up when attacked?

The scan evaluates common Android and iOS defenses, including:

  • Anti-tampering and integrity checks.
  • Root and jailbreak detection.
  • Anti-instrumentation and anti-debugging protections.
  • Anti-cloning and install-source verification.
  • Code and data obfuscation.
  • Network protection, including SSL and certificate pinning.

The scan uses AI-powered analysis and bypass attempts to go beyond detecting whether a protection exists. It runs the app on real devices, observes how the app reacts, and attempts to defeat protections in a way that mirrors a skilled attacker.

Customers receive:

  • Strength ratings that separate robust protections from weak ones.
  • Proof of bypass when a defense fails.
  • Confirmation when a defense holds.
  • Findings mapped to recognized mobile security standards.

Mobile Shielding Scan replaces assumptions with evidence, helping teams validate commercial shielding investments and find weak links before attackers do.


4. Deep Agentic Scan Improvements

This release brings several major improvements to Deep Agentic Scan, focused on speed, depth, and stronger vulnerability validation.

Deep Agentic Scan now uses stronger execution logic to spend more time investigating suspicious behavior, following meaningful attack paths, and validating risks that matter.

Faster Mobile Scans

Mobile execution is now faster thanks to improvements in scaling and device management infrastructure. This reduces setup overhead, improves device orchestration, and allows deep mobile testing to run more consistently across release cycles.

Deep testing becomes easier to run regularly instead of being reserved for occasional assessments.

Mobile scan duration

Improved Reverse Engineering Capabilities

Deep Agentic Scan now has upgraded reverse engineering capabilities to improve how the agent understands an application before testing begins.

The agent can better explore binaries, identify relevant code paths, investigate application behavior, and decompile selected functions for deeper analysis. This helps it move beyond simple pattern matching and make better testing decisions.

Reverse engineering function discovery

Automated function decompilation

Stronger Planning and Tooling

Vulnerability detection is not just about running more tests. The difficult part is deciding which signals deserve investigation, which tools should be used next, and which attack paths are worth following.

Deep Agentic Scan now has improved planning and tooling capabilities, allowing the agent to spend more time investigating suspicious behavior and follow promising attack paths further before deciding whether a finding is real.

The goal is not more findings. The goal is more findings that matter.

Exploit-driven validation plan

Improved Vulnerability Chaining and Risk Prioritization

Deep Agentic Scan now improves vulnerability chaining and risk prioritization by validating findings, following pivots automatically, and measuring the impact of the resulting attack path.

For example, a hardcoded credential, an exposed API, and an overly permissive token may appear as separate findings in a traditional report. Deep Agentic Scan can connect these signals into a validated attack path and prioritize the real business impact.

In one validation flow, the scan started with hardcoded Auth0 M2M credentials embedded in an iOS application. It validated that the credentials were active, confirmed that they could issue production JWTs, analyzed the token scopes and audience, and then validated access to identity infrastructure and tenant-wide user data.

What started as a high-severity hardcoded credential issue became a critical finding with demonstrated impact.

Hardcoded service credentials

Token analysis attack paths

Management API access

Tenant-wide user data exposure

Transparent Attack Validation

Security teams should not have to trust a black box. Deep Agentic Scan provides visibility into the attack paths, decisions, tools, and validation steps used during testing.

Teams can see what was tested, what was validated, and how a finding was reached.

Transparent Attack Validation

Flexible Testing Depth

Teams can now choose testing durations and scan effort levels depending on their objectives and timelines, from focused assessments to deeper engagements comparable to longer penetration tests.

Scan effort configuration


5. Cyber Models and New Model Support

Ostorlab now supports managed Cyber Models for Deep Agentic Scans.

Cyber Models provide managed AI compute for teams that want advanced AI-assisted security testing without managing external provider accounts, API keys, rate limits, or fragmented billing dashboards.

Cyber Models are designed for governed depth: deeper reasoning, bounded execution, visible usage, and clear accounting.

Cyber Models vs BYOK

Key benefits:

  • No external API key management.
  • Prepaid compute credits through an Ostorlab workspace wallet.
  • Managed model orchestration through Ostorlab infrastructure.
  • Predictable spend controls with credit reservation and settlement.
  • Centralized wallet auditing with balance, ledger, and transaction visibility.
  • Scan effort profiles for controlled execution depth.

Teams can choose Cyber Models when configuring a Deep Agentic Scan, or continue using BYOK when they prefer to route execution through their own provider accounts.

Cyber Models wallet

Compute Credits

Cyber Models use prepaid compute credits for AI-assisted scan execution. Credits represent Ostorlab-managed scan execution capacity, not raw language model input or output tokens.

The lifecycle includes:

  1. Reservation: The maximum credit ceiling for the selected effort profile is reserved before execution.
  2. Scoped execution: The scan runs within the selected target boundaries, configuration, and credit ceiling.
  3. Settlement: Only consumed credits are deducted, and unused reserved credits are returned.

Scan Effort Profiles

  • Core: 200 credits, best for focused testing of priority assets.
  • Advanced: 500 credits, best for broader application and API coverage.
  • Elite: 1,000 credits, best for complex environments and high-value targets.

Cyber Models effort profiles

Additional Model Support

Deep Agentic Scan now also supports Kimi K2.7 and GLM 5.2 for wide-scale autonomous scanning. These models provide advanced reasoning and large context windows for complex pentesting loops while supporting more cost-efficient scan execution.


6. Source Code Scanning

Ostorlab now supports source code scanning directly from connected repositories.

Clients can connect GitHub, GitLab, Azure DevOps, Bitbucket, or any standard Git server from the Integrations page. During scan creation, users can select Source Code as the asset type, choose the connected repository, then select the branch, commit, or tag they want to scan.

Source code asset selection

Ostorlab securely clones the repository, analyzes the code, and surfaces vulnerabilities with clear, actionable details inside the platform alongside the rest of the organization's security findings.

This helps teams detect vulnerabilities earlier, before they reach production.