Hiro gets your security work done. It reads findings from Aikido and Wiz, pulls open tasks from Drata, and scans Supabase, Vercel, GitHub, and more, then ships the fixes. Not a dashboard of homework. The homework, done.
We keep meeting founders who shipped a product in a few weeks with Claude Code and have no idea what to do about security. Some don't know where to start. Others know what to do but don't have the time to do it. Buying a security or compliance tool feels like an investment in your company, but you quickly realize it's a ton of work, and that work never ends. It's time you're not spending on your product.
Hiro is our shot at building the thing that actually does it. Plug in the tools you already have (e.g. Supabase, Vercel, AWS, Drata, GitHub), and Hiro ships security fixes.
It's early. There are categories of work Hiro handles end-to-end today (e.g. RLS on Supabase, scanning and fixing security bugs, large portions of SOC 2), but we recognize there may be some spots we've missed, and security is sensitive work. So we're giving everyone two weeks free, and Danny and I will review any plan Hiro comes up with if you're not sure about it.
We've tried to be generous with trial credits — you might be able to get through most of a SOC 2 on the trial alone 😅
Sign up at https://hiro.is. We'd really love your feedback!
— Ethan
"Not a dashboard of homework" is the right positioning; most security tools just surface more things to stare at. What does the approval flow look like for higher-risk fixes? Curious whether Hiro acts autonomously or hands off to a human before touching production configs. That threshold between "safe to auto-fix" and "needs human eyes" seems like the hardest product decision here.
@harshalvc_ai It is the hardest product decision. That's why my cofounder and I are eager to review all of the work Hiro does for you if you have any questions.
By default, Hiro does not land any changes without your approval. Each change gets a risk grading. We have autonomy tiers users can configure to auto-land changes as you gain trust. The tiers are: read-only (default setting; all actions must be user approved), conservative (low risk plans execute automatically), moderate (low to medium risk plans execute automatically), autonomous (low to high plans execute automatically). Plans with critical risk always require the operator.
@ethan_blackburn What happens if the number of threats is more than 100? Would the agent ask for 100 approvals?
@harshalvc_ai In the default read-only mode, yes. Most of our customers use our MCP server to have the agent they trust (Claude Code, Codex, etc.) review each Hiro plan and either give feedback to Hiro or approve the plan.
We also are more than happy to take a look at all 100 if that's an issue :)
This actually solves a real problem. I’ve faced this myself — shipping fast is easy now, but handling security and compliance later becomes overwhelming and usually gets pushed back. I like that Hiro focuses on actually fixing issues instead of just generating reports.
How do you make sure automated security fixes don’t accidentally break existing workflows or production configs?
@saniya_jeswani Making sure we don't break production is the part of the product we've spent the most time on.
At a high level, each change Hiro proposes goes through several rounds of review and is risk graded. By default, Hiro cannot land changes without your approval. As you learn to trust Hiro, you can configure it to auto-land low risk, low to medium risk, or low to high risk changes. Critical changes always require your approval.
Wrote a longer breakdown on the agent-review architecture on @swati_tiwari6's question above if you want the technical detail.
I'm a solo founder pre-launch on a relationship app, handling pretty sensitive emotional content. SOC 2 is somewhere on the horizon, but the pressing security work today is more like "am I doing the basics right before the first paying user." Curious where Hiro pays off on that lifecycle...is there meaningful value in the pre-SOC-2, pre-enterprise-customer phase, or is the real inflection only when you start needing the compliance artifacts?
@ferdi_sigona Yes, absolutely! Several of our customers are pre-SOC 2. A couple of ways we can help:
1. Realtime code reviews – Hiro can embed in whatever agent you use (Claude Code, Codex, etc.) and give security feedback as the agent is coding. This is so much better than posting a PR, waiting for feedback, iterating on it, pushing changes, etc.
2. Audit your stack – Hiro scans the tools you've connected for insecure configs. Are your Supabase tables actually enforcing tenant isolation via RLS? Does Google Workspace require 2FA? Is your Sentry leaking PII? Everyone who's connected Hiro has found pretty serious bugs they'd missed.
Would love for you to try it out and see what Hiro finds!
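The "are your Supabase tables actually enforcing tenant isolation via RLS" check in the reply above, spelled out as an added SQL example. This is illustrative code written for this page, not Hiro's own scanner or anything from the original post. It assumes a Supabase project with the default setup: the `public` schema is exposed through the REST API, `auth.uid()` returns the authenticated caller's user id, and `auth.users` holds the accounts. The `notes` table and its columns are made up for the illustration.

```sql
-- Audit 1 (constructed check): tables in the exposed schema with row level
-- security switched off. Any such table is readable and writable by anyone
-- holding the project's anon key, regardless of which user they are.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind in ('r', 'p')          -- ordinary and partitioned tables
  and n.nspname = 'public'
  and not c.relrowsecurity;

-- Audit 2 (constructed check): RLS is on, but a policy grants everything.
-- "using (true)" or "with check (true)" is RLS in name only.
select schemaname, tablename, policyname, roles, cmd
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true');

-- Weak configuration (illustrative): a table created without RLS.
create table if not exists notes (
  id      bigint generated always as identity primary key,
  user_id uuid not null references auth.users (id),
  body    text not null
);

-- Hardened configuration: enable RLS, then scope every command to the caller.
-- With RLS enabled and no policies, authenticated/anon callers get no rows,
-- so each allowed operation needs an explicit policy.
alter table notes enable row level security;

create policy "notes: owner can select" on notes
  for select to authenticated
  using (user_id = auth.uid());

create policy "notes: owner can insert" on notes
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "notes: owner can update" on notes
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "notes: owner can delete" on notes
  for delete to authenticated
  using (user_id = auth.uid());
```

Two caveats a practitioner would want alongside this. First, the `update` policy needs both clauses: `using` restricts which rows a user may touch, `with check` stops them from reassigning a row to another `user_id`. Second, the `service_role` key bypasses RLS entirely, so these policies only protect the anon/authenticated paths; a leaked service key is a separate finding that no policy fixes.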
"Not a dashboard of homework. The homework, done." That tagline is absolute gold. Security alert fatigue is incredibly real for engineering teams, and most security tools just add to the noise instead of actually reducing the backlog. Moving from alerting to automated remediation across platforms like GitHub and Vercel is a massive shift.
Since Hiro is actively fixing code and infrastructure configurations rather than just flagging them, how does the review and approval workflow look?
@manal_essalek1 Thanks! We hate security backlogs too.
Quick version of the workflow:
1. Every change Hiro proposes goes through several rounds of review and is risk-graded (low → critical).
2. By default, nothing lands without your approval; you see the proposed diff, the predicted impact, and a one-click approve/reject.
3. As you build trust, you can let low-risk changes auto-execute, then low-to-medium, then low-to-high.
4. Critical-risk changes always require human approval, regardless of tier.
5. For code changes specifically, Hiro opens a PR and runs your existing CI – your tests stay the source of truth.
Wrote a longer breakdown on the multi-agent review architecture on @swati_tiwari6's thread above if you want the technical detail.
Also adding some demo videos to our site since this is a common question!