We are a small, founder-led team building verifiable security. Find. Prove. Fix. Verify. — every finding ships with a Proof Capsule your team can run, see, and close. We tell you what we've built and what we're building, in that order, with dates.
The mission
The cycle that gets us out of bed: a researcher finds a real bug, a developer disputes it from a screenshot, a security team mediates, two weeks pass, the ticket closes "could not reproduce." The bug stays in production. The people who exploit bugs for a living are not running a triage thread — they're running the exploit. That gap is where breaches happen, careers stall, and customers get hurt.
Celvex exists to close that gap. Not by claiming more autonomy than we've earned, and not by promising perfection — but by shipping, every day, a runnable artifact your team can act on. That's the work.
"I started Celvex because I watched too many real findings get argued into the trash. The bug was real. The fix didn't ship. The auditor signed off anyway. So we built the thing I wanted to hand a developer instead of a PDF: a sealed reproduction they run on their own laptop, against their own asset, and watch happen. That's the artifact. Everything else flows from it."
— Founder, CelvexGroup
Where we are. Where we're going.
The validation category has a marketing problem: claims get made everywhere and audited nowhere. We'd rather under-promise and over-deliver. Here is what's actually live, what's in flight, and what's on the roadmap with dates.
Bounded AI-generated payload variants, with a safety envelope that makes sure we never make a change we can't undo. Forensic-grade observability per scan chain. Watermarked Proof Capsules. Patch-mining nightly chain that turns disclosed vulnerabilities into tested coverage the next morning.
Verifiable today: run a free scan and inspect the capsule.
Patch-diff-to-coverage transformer with single-digit-hour latency from public disclosure to capsule-confirmed coverage. Open-format capsule schema. Browser-native capsule runner so even unconfigured laptops can verify.
Quarterly milestones, public commitment dates.
Calibrated confidence at the per-finding level. A third-party benchmark we publish, against a methodology we can defend. Capsule format adopted by other vendors as a standard.
This is on the roadmap. We won't claim it before it ships.
The full architecture is documented in our public roadmap. We publish technical depth so buyers can distinguish "AI-native" from "AI-bolted-on" by reading, not by trusting marketing copy.
Trust posture
Celvex serves customers in the EU, the US, APAC, and on customer-owned VPCs. Default deployment is global, with data-plane processing in the region closest to where your scans originate. We adapt to where your compliance team needs the data to live.
EU, US, APAC, or your own VPC. Data-processing addenda to match. Sub-processor list named on the Trust Center; thirty-day notice on changes with material customer-data scope.
Every Proof Capsule signed with an open standard, anchored to a public log. Anyone can verify offline. Quarterly key rotation, with previous-quarter keys remaining valid for historical verification.
Public sub-processor list, software bill of materials per release, and a quarterly transparency report covering changes, incidents, and key rotations. The supply chain is the trust boundary, so we publish it.
Certifications, honestly dated
Trust Center live. Pre-filled vendor-risk packet. Vulnerability disclosure policy and /.well-known/security.txt published. Cyber-liability and E&O cover in place.
SOC 2 Type II observation window in flight with a named auditor. Type I bridge letter available on request from month six.
SOC 2 Type II report issued. ISO 27001 readiness gap assessment kicked off.
ISO 27001 certified (target month eighteen). Additional regional or sector frameworks as customer demand justifies.
We won't put a SOC 2 Type II badge on this site before the report is signed. We tell you what we've built and what we're building — with dates — because the alternative is the marketing we'd both rather not read.
Forward-looking commitments
Discipline about scope is how we keep the work honest. Here's what we've committed to, and what we've explicitly chosen not to chase yet.
SOC 2 Type II is in observation; we will not claim "Type II" until the report is signed. Same rule for every framework that follows. The badge comes after the audit, not before.
When we publish performance metrics, we publish how they were measured, against what baseline, and on what data. Buyers should be able to reproduce the claim — not just read it.
The Proof Capsule schema and the verify-only tool ship under an open licence. Any vendor can adopt the format. The category we want to build is "verifiable security as a standard," not "Celvex-only artifact."
Some organisations need bespoke human-led engagements, full-stack offensive partnerships, or framework-specific authorisations we're not built to deliver. When that's the case we say so, and we point you to whoever is.
Why now
Insurers used to underwrite you on an annual pentest. Today the underwriter wants quarterly evidence of what you ran between engagements. The annual report alone doesn't satisfy that anymore.
Compliance frameworks are catching up to verifiable security. The cost of staying compliant is shifting from one big number once a year to a smaller number every month — with a record the auditor can verify.
If your product is itself an AI application, your traditional pentester probably doesn't understand prompt injection, agent escape, or model-supply-chain risk. We do, because we built one.
Run a free scan first. We'll send you a signed Proof Capsule for the first finding — replayable evidence you can hand your engineers. If you want to walk through it, we'll book a 20-minute call. Verifiable security shouldn't be a quarterly fire drill; it should be standard practice.