We've been a customer of Hiro's for the last few months, and honestly, we love it. Our company sells into healthcare, and our buyers are hyper-aware of security. Anything touching PHI and HIPAA gets scrutinized hard. Hiro actually gets the industry-specific risk stuff, not just the typical surface level findings that you get from another AI. It finds and then fixes the security gaps all on its own. Every time I show an IT team the backbone of our security, they are always impressed.
Set up was straightforward, and now Hiro is wired into our entire build workflow. Nothing ships without a Hiro review. As a coder in the AI agentic era, it's my guardrails. It's my copilot within claude code. As a founder, it's the thing that lets me sleep at night. And our customers' security teams feel the same on their side of the table.
As an early customer I've provided feedback, and the founder himself has been super responsive with feedback too, which makes the whole thing feel like a partnership vs a transaction.
Hiro
"Not a dashboard of homework" is the right positioning, most security tools just surface more things to stare at. What does the approval flow look like for higher-risk fixes? Curious whether Hiro acts autonomously or hands off to a human before touching production configs. That threshold between "safe to auto-fix" and "needs human eyes" seems like the hardest product decision here.
Hiro
@harshalvc_ai It is the hardest product decision. That's why my cofounder and I are eager to review all of the work Hiro does for you if you have any questions
By default, Hiro does not land any changes without your approval. Each change gets a risk grading. We have autonomy tiers users can configure to auto-land changes as you gain trust. The tiers are: read-only (default setting; all actions must be user approved), conservative (low risk plans execute automatically), moderate (low to medium risk plans execute automatically), autonomous (low to high plans execute automatically). Plans with critical risk always require the operator.
@ethan_blackburn what happens if the number of threats are more than 100. would the agent ask for 100 approvals ?
Hiro
@harshalvc_ai In the default read-only mode, yes. Most of our customers use our MCP server to have the agent they trust (Claude code, Codex, etc) review each Hiro plan, and either give feedback to hiro or approve the plan.
We also are more than happy to take a look at all 100 if that's an issue :)
This actually solves a real problem. I’ve faced this myself — shipping fast is easy now, but handling security and compliance later becomes overwhelming and usually gets pushed back. I like that Hiro focuses on actually fixing issues instead of just generating reports.
how do you make sure automated security fixes don’t accidentally break existing workflows or production configs?
Hiro
@saniya_jeswani Making sure we don't break production is the part of the product we've spent the most time on.
At a high level, each change Hiro proposes goes through several rounds of review and is risk graded. By default, Hiro cannot land changes without your approval. As you learn to trust Hiro, you can configure it to auto-land low risk, low to medium risk, or low to high risk changes. Critical changes always require your approval.
Wrote a longer breakdown on the agent-review architecture on @swati_tiwari6's question above if you want the technical detail.
I'm a solo founder pre-launch on a relationship app, handling pretty sensitive emotional content. SOC 2 is somewhere on the horizon, but the pressing security work today is more like "am I doing the basics right before the first paying user." Curious where Hiro pays off on that lifecycle...is there meaningful value in the pre-SOC-2, pre-enterprise-customer phase, or is the real inflection only when you start needing the compliance artifacts?
Congrats on launching!!
Hiro
@ferdi_sigona Yes absolutely! Several of our customers are pre-SOC 2. A couple ways we can help
1. Realtime code reviews – Hiro can embed in whatever agent you use (Claude Code, Codex, etc) and give security feedback as the agent is coding. This is so much better than posting a PR, waiting for feedback, iterating on it, pushing changes, etc.
2. Audit your stack – Hiro scans the tools you've connected for insecure configs. Are your Supabase tables actually enforcing tenant isolation via RLS? Does Google Workspace require 2FA? Is your Sentry leaking PII? Everyone who's connected Hiro has found pretty serious bugs they'd missed.
Would love for you to try it out and see what Hiro finds!
Recently while going through a few AI-built projects, I realised how easy it is for insecure defaults to slip into production when people are shipping generated code they don’t fully understand or properly review.
Hiro feels like it’s solving exactly that problem. The security review/questionnaire side especially stands out to me. Fixing vulnerabilities is one thing, but being able to confidently answer security questions from clients is a whole different problem for small teams. One thing I’m really curious about though, when Hiro suggests a fix that conflicts with custom business logic in the codebase, does it understand that context beforehand or is that something the developer has to catch manually during review?
mailX by mailwarm
"Not a dashboard of homework. The homework, done." That tagline is absolute gold. Security alert fatigue is incredibly real for engineering teams, and most security tools just add to the noise instead of actually reducing the backlog. Moving from alerting to automated remediation across platforms like GitHub and Vercel is a massive shift.
Since Hiro is actively fixing code and infrastructure configurations rather than just flagging them, how does the review and approval workflow look?
Hiro
@manal_essalek1 Thanks! We hate security backlogs too
Quick version of the workflow:
Every change Hiro proposes goes through several rounds of review and is risk-graded (low → critical)
By default, nothing lands without your approval; you see the proposed diff, the predicted impact, and a one-click approve/reject.
As you build trust, you can let low-risk changes auto-execute, then low-to-medium, then low-to-high
Critical-risk changes always require human approval, regardless of tier
For code changes specifically, Hiro opens a PR and runs your existing CI — your tests stay the source of truth.
Wrote a longer breakdown on the multi-agent review architecture on @swati_tiwari6's thread above if you want the technical detail.
Also adding some demo videos to our site since this is a common question!