KAVACH

Vercel
application badge
Created by team Segmentation Fault on July 06, 2026
Unicorn Track

KAVACH (Knowledge-driven Autonomous Vulnerability Assessment, Correction & Hardening) automates the detect-diagnose-patch-verify loop for web application vulnerabilities, replacing the manual bottleneck between security alerts and shipped fixes. A Log Monitor watches traffic in real time; a Forensic Investigator (LLM-driven) localizes the vulnerable code and cross-checks the finding against the actual source file to prevent hallucinated line numbers; a Patch Engineer rewrites the broken logic; and a Sandbox Test Harness re-fires the original exploit against an isolated copy of the app, only shipping the patch if it holds. Reliability comes from a five-layer safety stack: schema-constrained LLM output, confidence thresholding, source-line validation, in-memory AST syntax checks before any disk write, and a final sandbox exploit re-test. If the LLM fails or hallucinates, KAVACH switches to a deterministic, rule-based fallback using pre-written safe replacements instead of trusting generative output. This was stress-tested by deliberately swapping in Llama 4 Scout 17B, which produced confidently wrong patches — all caught and discarded by the AST layer, with 0% leakage recorded. KAVACH currently handles five vulnerability classes: SQL injection, command injection, path traversal, insecure deserialization, and SSRF. It runs fully on-premises on an AMD Radeon Pro Wseries GPU with a locally-served 14B coder model, keeping unpatched source code off any public cloud. Current limitations: it scans a single source file rather than a full repository, and the deterministic fallback requires manual rule-writing for each new vulnerability type.

Category tags: