Scan. Fix.Improve. Govern.
Scan every file, fix what is broken, surface what to improve, and govern every merge. You review and approve. Hyrax handles the rest.
No credit card required.
Four pillars.
Zero drift.
Profile once.
Audit continuously.
Discovery runs once, reads every file, maps your architecture, commits context to your repo. Audit scans continuously against that profile: six parallel domain agent groups plus a deterministic scanner.
Discovery
runs once per repo- -Reads every file, maps architecture and conventions
- -Commits a .hyrax/ context bundle to your repo - architecture, conventions, and how-to guides for every agent
- -Writes HYRAX.md - every IDE AI (Cursor, Copilot, Claude Code) loads codebase context automatically
Audit
runs continuously- -Pre-flight generates repo-specific analysis protocol
- -Six parallel agent groups plus a deterministic scanner
- -Findings categorized: critical / high / medium / low
Auth, hardening, privacy
Logic errors, edge cases
Dead code, naming, tests
Bottlenecks, memory, queries
Patterns, contracts, coupling
Deps, config, logging
13 steps.
All must pass.
Fix resolves a detected finding. Task resolves a directive you write. Either way: isolated worktree, 13 verification steps, PR opened, ticket closed.
Fix
per issue- -Targets bugs and security issues from Audit
- -Isolated Git worktree - failure leaves main untouched
- -Independent reviewer step must approve
Task
on demand- -Plain-English input instead of detected finding
- -Refinement step converts directive to structured plan
- -Same 13-step verification as Fix
Consider this.
Beyond must-fix.
Beyond the findings that trigger a fix, Hyrax surfaces suggestions and advisories: architectural guidance and broader recommendations scoped to the repository. They need a human decision, so they stay out of the fix queue.
Suggestions
alongside the findingsTargeted architectural guidance on a specific file or module - refactors worth weighing, not defects to patch.
Advisories
broader guidance for the repoRepository-wide guidance Hyrax flags when a pattern, dependency, or boundary warrants attention before it becomes a problem.
Review every PR.
Automatically.
Every change ships as a PR with the [Hyrax] prefix. Review runs on every push, the comment updates as code changes, and merge is blocked on must-fix findings. No manual trigger needed.
Automated PR Review
on every push- -Reviews every PR automatically - no manual trigger
- -Updates comments as code changes on each push
Merge Control
configurable- -Can block merge on must-fix findings
- -Configurable severity thresholds per repo
Self-Improvement
learned from accepted findings- -Turns accepted findings into deterministic scanner patterns
- -Patterns run instantly at zero added cost; skills guide the agents
- -Repo skills apply only to one repo's conventions
Clear pricing.
No surprise bills.
Start free. Upgrade when you need more. No credit card required.
AI runs on AWS Bedrock with SOC 2 compliance. Your code is processed securely and never used for model training.
Free
- 1 private repo
Installed via the GitHub App
- 1 mini-audit per calendar month
Capped scan, top findings only
- Verified fixes
Tested before every PR
- No commitment, no card
Start immediately
- Full audit + scan
The full pipeline (Pro)
- PR reviews on every PR
Upgrade to Pro
Pro
- $30 of usage included each month
No rollover
- Up to 3 repos
Public or private, via the GitHub App
- Full audit + scan
The full pipeline beyond Free's mini-audit
- PR reviews on every opened PR
Webhook-driven review comments
- Auto-publish to Linear
Findings become tickets in the workspace
- Usage-based monthly volume
Draws from included usage as you run
- Opt-in on-demand overage
Past the included usage, $15 chunks billed to card
- Self-improvement learn loop
Team-only
- Public repos by URL
Team-only
Team
- $200 of usage included each month
Shared across the workspace, no rollover
- Unlimited repos and seats
Connect every repo in the org
- Every Pro workflow
Audit, scan, discover, PR reviews, publish
- Self-improvement learn loop
Hyrax learns the patterns from accepted fixes
- Public repos by URL
Audit any public repo anonymously, no install
- Opt-in on-demand overage
Past the included usage, $100 chunks billed to card
All AI inference runs on AWS Bedrock. Credits do not roll over.
How overage works
- -Optional. Off by default. Toggle on at signup or any time from billing settings.
- -With overage off, work stops at the included usage until the next cycle.
- -With overage on, keep running past the included usage. The card is billed in $15 chunks on Pro or $100 chunks on Team.
- -Open balances must be paid before the next cycle renews.
Frequently asked questions
Clean code in. Clean PRs out. Hyrax profiles your entire codebase, runs a multi-agent audit to surface bugs and security issues, executes the fix through 13-step verification, opens the pull request, and closes the Linear ticket.
PR review tools wait for a pull request and post comments. A developer still has to triage every comment, write the fix, push it, get another review, and close the ticket. Hyrax starts before the PR exists. It audits the full codebase, surfaces issues that have never appeared in a diff, executes the fix on the findings you select, and closes the loop. Comments are not the output. Closed tickets are.
Static analysis tools surface issues and generate a report. A developer triages every finding and does the work. Hyrax audits issues, creates the ticket, executes the fix, and closes the ticket. Static analysis is a reporting layer. Hyrax is an execution layer.
Hyrax runs AI inference on AWS Bedrock with SOC 2 compliance. Your code is processed securely and never used for model training. All data is encrypted in transit and at rest. Full audit logs are available for compliance review.
Every fix runs through 13 verification steps before the PR opens: isolated Git worktree, baseline tests established, agent executes fix, diff size guard, regression gate, build verification, format and lint, scanner quality loop, reviewer step, post-fix audit, PR opened, CI confirmation, and ticket close. If any step fails, nothing ships. You retain review rights on every PR.
Discovery profiles your entire codebase (architecture, conventions, patterns) and commits HYRAX.md plus a .hyrax/ context bundle. This context powers every workflow that follows. Discovery profiles. It does not find issues. Audit finds issues.
Hyrax runs AI inference on AWS Bedrock with SOC 2 compliance. Your code is processed securely and never used for model training. Hyrax receives only structured finding data from LLM calls, not raw code content. No codebase content is stored by Hyrax beyond what is needed to execute the current workflow.
Every fix runs: (1) isolated worktree (2) baseline tests (3) agent executes (4) diff size guard (5) regression gate (6) build verify (7) format + lint (8) scanner loop (9) reviewer step (10) post-fix audit (11) PR opened (12) CI confirmation (13) ticket close. A failure at any step aborts the run. Nothing is skippable.
Hyrax works across 19 languages: Python, TypeScript, JavaScript, Go, Rust, Swift, Ruby, Java, Kotlin, C#, C++, C, PHP, Scala, Dart, Elixir, Shell, Lua, and MDX. It works with the frameworks built on them — React, Next.js, Vue, Svelte, Angular, Node.js, Django, Rails, Spring, FastAPI, Express, React Native, and Flutter.
Free is $0 with 1 private repo and 1 mini-audit per month. Pro is $30/month and includes $30 of usage and the full audit + scan pipeline. Team is $200/month and includes $200 of shared usage. Audits, scans, and fixes draw from the included usage; go past it with opt-in overage billed in $15 chunks on Pro or $100 chunks on Team.
Free is a permanent plan, not a trial. 1 private repo, 1 mini-audit per month, no card required.
If any verification step fails, nothing is pushed. Hyrax surfaces an escalation signal with the specific step that failed, the reason, and a suggested next step: retry, split into smaller scope, or route to a human reviewer. Control returns to you with a clear explanation.
Every change ships as a pull request with the [Hyrax] prefix. Automated review runs on every opened PR, posts a maintained comment that updates with each commit, uses domain-specific checklists based on changed files, and can block merge on must-fix findings. Available on Pro and Team.
Security is one of six audit domains. Hyrax's Security agent covers auth patterns, input validation, hardening, privacy, compliance, and vulnerability patterns. It is not a SAST tool. It is an AI audit-and-fix platform where security is a first-class domain alongside Correctness, Maintainability, Performance, Architecture, and Operations.
No. Overage is opt-in. With overage off, work stops at the included usage until the next cycle. With overage on, keep running past the included usage, billed to your card in $15 chunks on Pro or $100 chunks on Team.
No. The only payment at plan selection is the plan price. If you need more capacity, enable overage.
Pro runs the full audit + scan pipeline, PR reviews on every opened PR, and auto-publish to Linear across up to 3 repos. Team adds unlimited repos and seats, the self-improvement learn loop, and public repos by URL. All AI runs on AWS Bedrock.