Frequently asked questions.

Hyrax is an autonomous code governance platform. It reads the entire codebase, runs a multi-agent audit to find bugs and security issues, executes the fix through 13-step verification, opens the pull request, and closes the Linear ticket - without an engineer in the critical path. Scan, Fix, Improve, and Govern run continuously - not triggered by a PR, not waiting for an incident.

PR review tools wait for a pull request and post comments. A developer still has to triage every comment, write the fix, push it, get another review, and close the ticket. Hyrax starts before the PR exists. It scans the full codebase, finds issues that have never appeared in a diff, executes the fix autonomously, and closes the loop. Comments are not the output. Closed tickets are.

Static analysis tools find issues and generate a report. A developer triages every finding and does the work. Hyrax finds issues, creates the ticket, executes the fix, and closes the ticket. Static analysis is a reporting layer. Hyrax is an execution layer.

Discovery reads the entire codebase and builds a complete application profile: what type of application it is, its architecture, the conventions the team uses, and how-to guides derived from the code itself. This context is stored in a `.hyrax/` directory committed to the repo via PR. It also patches `CLAUDE.md` so every developer's AI session loads full codebase context automatically. Discovery runs once. Every audit and fix that follows uses it.

Improve runs the full six-agent audit with a code quality focus: dead code, naming conventions, structural refactors, documentation gaps, deprecated APIs. Every improvement runs through the same 13-stage pipeline as Fix.

When an agent finds an issue that could be detected deterministically, it generates a scanner pattern. Patterns meeting quality thresholds are added to the codebase's scanner library automatically and applied as virtual patches at runtime - the next audit is smarter without a code deployment. Governance rules build themselves from observed failure modes and update as the codebase evolves.

Security is one of six audit domains. Hyrax's Security agent covers auth patterns, input validation, hardening, privacy, compliance signals, and vulnerability patterns. It is not a dependency scanner (SCA) - it does not scan `package.json` or `go.mod` for vulnerable versions. It is an AI audit-and-execution platform where security is a first-class domain alongside correctness, maintainability, performance, architecture, and operations.

Hyrax's audit covers 18+ languages including Python, TypeScript, JavaScript, Go, Rust, Java, Kotlin, Ruby, PHP, Swift, C, and C++. Autonomous fix execution targets the languages where execution accuracy is reliable. Language support expands continuously.

Hyrax's three-step audit is designed to reduce false positives at each stage. Scanner findings are capped at medium severity until LLM-verified - pattern matches alone cannot surface a critical or high alert. The six-agent step requires both severity and confidence fields on every finding. Low-confidence findings are surfaced for human review rather than executed. High false-positive findings accumulate in the review queue, not the execution pipeline.

Every fix runs through 13 quality stages before the PR opens: isolated worktree, baseline tests, fix agent, diff size guard (20 files / 2,000 lines max), test regression, build, auto-format, lint, cross-project test, scanner loop (Hyrax scans its own fix), review loop, post-fix audit, and PR opened. If any stage fails, nothing ships. Review and merge rights are retained on every PR. Hyrax cannot self-merge.

In order: (1) Isolated worktree - dedicated Git worktree for the fix. (2) Baseline tests - existing tests recorded before any change. (3) Fix agent - convention-matched to the codebase. (4) Diff size guard - rejects fixes touching more than 20 files or 2,000 lines. (5) Test regression - every previously passing test must still pass. (6) Build - the repo must build after the fix. (7) Auto-format - changed files formatted to config. (8) Lint - linted to config. (9) Cross-project test - validates fix doesn't break dependent code. (10) Scanner loop - Hyrax scans its own fix for new issues. (11) Review loop - a second agent reviews the fix. (12) Post-fix audit - confirms the original issue is resolved. (13) PR opened - opens the pull request. PR opens only if all 13 steps pass.

Nothing is pushed. Hyrax surfaces an escalation signal with the specific gate that failed, the reason, and a suggested next step: retry, reduce scope, or route to a human reviewer. Control returns with a complete explanation of what failed and why.

Discovery maps conventions before any fix runs - naming patterns, test structure, API patterns, error handling styles. Fixes are required to match the codebase's conventions, not produce generic solutions. If a PR is rejected, that feedback informs the governance rules. Repeated rejections of a fix class update the rules to route that class to human review.

High-severity, high-confidence findings execute autonomously. Low-confidence findings, large-scope findings (above the diff size guard threshold), and findings in configured review-only categories are surfaced as actionable work items rather than executed. The thresholds are configurable via governance rules. The security team or engineering lead owns the rule configuration.

No. Hyrax opens PRs against the configured target branch - typically `main` or a staging branch. It never pushes directly to production branches and never self-merges. Every change requires a human to approve and merge the PR.

Hyrax provides all AI compute - no separate AI account or API key needed. Token costs are passed through at cost and appear on the Hyrax invoice. Discovery: ~$5-10, runs once. Full audit: ~$1-35 depending on codebase size; most mid-sized repos land between $3-8. Fix: ~$1-10 per fix. Hyrax charges a platform subscription fee for access on top of compute.

One repo, 15 findings surfaced, up to 15 fixes per month. No credit card required. Each month resets: re-audit the code and get a fresh set of findings.

Free: 1 repo, 15 findings/fixes per month. Pro is $30/mo with $30 of credits and up to 3 repos. Team is $200/mo with $200 of shared credits, unlimited users, unlimited repos, plus Improve, Govern, RBAC, and audit logs. Credits do not roll over.

No. Hyrax's pricing is based on the platform subscription, not per developer seat. Team plan includes unlimited users - billing is not per engineer who reviews Hyrax's PRs.

Hyrax uses Anthropic's Claude models via Amazon Bedrock. The multi-agent audit runs parallel agent groups. Model selection is managed by Hyrax - configuration is not required.

Compute cost scales with the number of repos connected and their activity - specifically with finding volume and fix execution frequency. The platform subscription covers org-level access. Discovery is a one-time cost per repo; subsequent audits and fixes are pay-per-use on compute.

Install the GitHub App on the repo. Hyrax runs Discovery immediately - reads the codebase, builds the application profile, generates the `.hyrax/` directory, patches `CLAUDE.md`, and opens the first PR. No configuration required before first value.

GitHub at launch.

Linear is supported at launch with full ticket lifecycle closure - finding opens ticket, fix merges, ticket closes automatically. Jira is on the roadmap. Ticket lifecycle closure ensures findings don't live in a scanner dashboard disconnected from the project management workflow.

No. Hyrax's Scan phase runs its own SAST-grade scanning - but it's designed to complement existing scanners, not replace them. SCA (dependency scanning), container scanning, and IaC scanning are separate capabilities owned by specialized tools. Hyrax handles source code security and quality; existing SCA and container tools continue to own their surfaces. If using Snyk or SonarQube, Hyrax is the remediation layer for what they surface.

Hyrax runs as a GitHub App alongside the existing pipeline - it doesn't modify CI/CD steps. It opens PRs; the pipeline runs on those PRs exactly as it does on human-authored ones. Continuous scanning and execution happen asynchronously, not in the critical path of builds.

Yes. Hyrax runs its own scanning from the first audit. A separate SAST tool is not required first. Install the GitHub App, connect the repo, and Hyrax begins scanning immediately.

GitHub App installation takes two minutes. Discovery runs automatically and completes in 10-20 minutes depending on codebase size. The first audit can start immediately after Discovery. No configuration, no rule authoring, no pre-tuning phase before first value.

Code goes to the AI provider (Claude via AWS Bedrock) for analysis. Hyrax receives structured finding data from LLM calls, not raw code content. No codebase content is stored by Hyrax beyond what is needed to execute the current workflow.

Yes. Every fix Hyrax executes produces a PR with a complete audit trail: finding type, severity, code diff, test suite results, approver identity, and merge timestamp. This evidence satisfies change management documentation requirements for PCI-DSS (Req 6.5), SOC 2 Type II (CC8.1), HIPAA Technical Safeguards, and SOX IT General Controls without additional tooling or manual assembly.

PCI-DSS 4.0 Req 6.2 requires secure coding practices including automated scanning for in-scope payment systems. Req 6.4 requires critical vulnerabilities to be remediated within one month of discovery. Req 6.5 requires change and tamper-detection mechanisms. Hyrax addresses all three: continuous SAST-grade scanning, autonomous fix execution that doesn't wait for sprint allocation, and a PR-based audit trail for every change.

SOC 2 Trust Services Criteria CC8.1 requires change management controls including authorization and testing before deployment. Every Hyrax fix is a PR - it cannot self-merge. The developer or lead who merges is the approving party. The finding, fix, test results, and merge event are all logged. CC6.1 (logical access controls) and CC7.2 (system monitoring) are addressed by Hyrax's continuous scanning and governance rule enforcement.

Code is processed in isolated environments and never used for training. All AI inference runs on AWS Bedrock.

Hyrax operates on the repos connected via the GitHub App. Which repos are connected can be limited. Governance rules control which findings execute autonomously versus surface for human review. Fine-grained file-level access restrictions are on the roadmap.

Snyk is a detection platform - best-in-class SCA with a database that leads NVD by 47 days, plus SAST, container, and IaC scanning. Snyk surfaces findings. Hyrax closes them. If the Snyk SAST queue is growing faster than the team resolves it, Hyrax addresses that directly. Many teams run both: Snyk for detection and compliance reporting, Hyrax for source code remediation.

SonarQube is a mature detection platform with 40+ language coverage, Quality Gates, and enterprise compliance dashboards. Its Remediation Agent is available on one configuration: SonarQube Cloud Enterprise, GitHub only. Hyrax works regardless of SonarQube edition and runs continuously - not only when a PR introduces 2+ fixable issues. The pattern: SonarQube for detection and compliance reporting, Hyrax for remediation.

Copilot Code Review reviews PRs and leaves inline comments - developers apply them manually. A 2025 peer-reviewed study found fewer than 20 total security comments across 7 vulnerability datasets. Copilot Autofix covers CodeQL alerts only, capped at 20 per PR. Hyrax runs continuously, catches issues before PRs open, and executes fixes without a manual trigger.

CodeRabbit reviews PRs within 90 seconds and leaves comment threads - fast, useful for style and logic review. Every comment it leaves is a triage decision. Hyrax doesn't leave comment threads; it closes findings. CodeRabbit and Hyrax don't conflict - CodeRabbit reviews human-authored PRs, Hyrax opens its own. Over time, as Hyrax's governance layer matures, CodeRabbit has fewer issues to flag.

Hyrax is designed to complement, not replace. Snyk for SCA, SonarQube for enterprise compliance dashboards, CodeRabbit for PR review - all of these run in parallel with Hyrax. Hyrax's job is to close the findings those tools surface and to continuously reduce the source code debt that accumulates between sprint cycles.

AI coding assistants help developers write new code faster. Hyrax operates on existing code - scanning what's already there, finding what's wrong, and fixing it autonomously. The two are complementary: assistants accelerate new code creation; Hyrax governs the accumulating codebase. They don't overlap in function.