Every finding we ship comes with evidence your engineers can run themselves — on their own laptop, against your own asset — to watch the issue, fix it, and confirm the fix held. The same artifact answers your auditor, your underwriter, and your largest customer's security review. We call it the Proof Capsule. The deep mechanics live further down this page.
Why it exists
Most findings end in an argument rather than a fix. Static reports describe the bug; they don't reproduce it. The argument that follows — "we can't reproduce that", "that's not real", "we'll look at it next sprint" — is where verifiable security goes to die. The Proof Capsule kills that argument in thirty seconds: your engineers run it themselves, watch the exploit land, and write the fix from a position of certainty.
What your team does with it
Everything below happens on your engineers' machines, against your own staging environment. We don't ask for trust. We hand you the receipt.
Verify: rerun the capsule after the fix and it reports fix-confirmed. Wire it into CI to fail builds on regression.
The high-frequency classes — SQL injection, SSRF, IDOR, XSS — close the entire Find. Prove. Fix. Verify. loop inside an hour.
In plain language
A capsule is a sealed reproduction. The same exact request sequence we used to demonstrate the bug, bundled with everything needed to replay it — isolated, repeatable, and verifiable. Your engineer runs one command and watches it work.
Before the capsule runs anything, it builds a sandbox that can only talk to the host you authorised. We make sure the AI never makes a change it can't undo. If the sandbox can't be established, the capsule refuses to run.
Each capsule also ships a patch citation: where the bug came from in the upstream code or the configuration drift, what the standard remediation looks like, and the compliance controls it touches, pre-mapped. Your team writes the fix from a starting line, not a search engine.
After the fix, the same capsule runs again. It tells you fix-confirmed or still-vulnerable in plain English. Wire it into your build pipeline so a regression fails the deploy — the bug stays closed without anyone re-engaging.
What your engineer sees on the laptop
$ celvex run capsule.celvexgroup.com/findings/2026-05-04-a1b2c3d4
Verifying signature... OK
Establishing sandbox... OK (deny-all-except api.acme.com)
Reachability check on https://api.acme.com/health... OK
Replaying finding: Reflected SQLi in /api/v2/orders?search
  Request 1/14: time-based blind, payload pl-sqli-time-mysql-0042
    Response delta: 4,318 ms (assertion: > 4,000 ms — passed)
  Request 7/14: out-of-band callback to oob.celvexgroup.com
    Callback observed: true (assertion: binary — passed)
Evidence written to /replay/output/
  - exchange.har (14 requests)
  - transcript.json (timing, headers, payloads)
  - outcome.json (structured)
OUTCOME: success
RUNTIME: 28s
CONFIDENCE: 0.84 (calibrated)
That output is what your developer sees. Then they open the patch citation, ship the fix, and run the same capsule again with celvex retest.
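What a replay harness is doing behind output like that, as an added example written for this page rather than Celvex's own tool (the page does not publish its schema or CLI internals): an egress-allowlisted HTTP client that refuses to connect to any host other than the one you authorised, and the assertion logic that turns a transcript into OUTCOME: success on the first run and fix-confirmed or still-vulnerable on retest, plus the exit code a CI step needs. Field names, the sample transcripts, the hypothetical host internal.acme.corp and the verdict strings not shown on the page are this example's assumptions; the timing check is on a delta over a baseline request, so network jitter alone does not count as a hit.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"
)

// Assertion is one check recorded in a replay transcript. Field names are
// this example's own; the page does not publish the capsule schema.
type Assertion struct {
	Request   int    // 1-based position in the exchange
	Kind      string // "timing" or "oob"
	DeltaMS   int    // timing: response time with the payload minus the baseline
	Threshold int    // timing: delta that counts as a hit (the page shows > 4,000 ms)
	Callback  bool   // oob: whether the out-of-band listener saw the callback
}

// Passed reports whether this assertion shows the payload landing.
func (a Assertion) Passed() bool {
	switch a.Kind {
	case "timing":
		return a.DeltaMS > a.Threshold
	case "oob":
		return a.Callback
	}
	return false
}

// Verdict folds a transcript into the capsule's one-word result. On the first
// run the finding counts as reproduced only if every assertion passes; on a
// retest a single passing assertion means the fix is partial.
func Verdict(as []Assertion, retest bool) string {
	if len(as) == 0 {
		return "error" // nothing to assert on is not evidence of anything
	}
	hits := 0
	for _, a := range as {
		if a.Passed() {
			hits++
		}
	}
	switch {
	case retest && hits == 0:
		return "fix-confirmed"
	case retest:
		return "still-vulnerable"
	case hits == len(as):
		return "success"
	default:
		return "not-reproduced"
	}
}

// ExitCode is what a CI step keys on: anything other than fix-confirmed,
// including an error running the capsule, fails the build.
func ExitCode(verdict string) int {
	if verdict == "fix-confirmed" {
		return 0
	}
	return 1
}

// ErrEgressDenied is returned for any connection outside the allowlist.
var ErrEgressDenied = errors.New("sandbox: egress denied")

// NewSandboxedClient returns an http.Client that can only open connections to
// the hosts in allow (deny-all-except, as in the transcript above). The check
// is on the host name before DNS resolution, and every hop of a redirect chain
// goes through the same dialer, so neither a redirect nor a rebinding answer
// can route traffic elsewhere.
func NewSandboxedClient(allow []string) *http.Client {
	allowed := map[string]bool{}
	for _, h := range allow {
		allowed[strings.ToLower(h)] = true
	}
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	transport := &http.Transport{
		Proxy: nil, // never pick up an environment proxy
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, _, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			if !allowed[strings.ToLower(host)] {
				return nil, fmt.Errorf("%w: %s", ErrEgressDenied, host)
			}
			return dialer.DialContext(ctx, network, addr)
		},
	}
	return &http.Client{Transport: transport, Timeout: 30 * time.Second}
}

// Constructed transcripts: the first mirrors the two assertions shown in the
// output above (request 1 time-based, request 7 out-of-band); the second is
// what the same capsule would record once the query is parameterised.
var SampleReplay = []Assertion{
	{Request: 1, Kind: "timing", DeltaMS: 4318, Threshold: 4000},
	{Request: 7, Kind: "oob", Callback: true},
}

var SampleRetest = []Assertion{
	{Request: 1, Kind: "timing", DeltaMS: 212, Threshold: 4000},
	{Request: 7, Kind: "oob", Callback: false},
}

func main() {
	fmt.Println("run:   ", Verdict(SampleReplay, false))
	fmt.Println("retest:", Verdict(SampleRetest, true), "exit", ExitCode(Verdict(SampleRetest, true)))
	client := NewSandboxedClient([]string{"api.acme.com"})
	_, err := client.Get("https://internal.acme.corp/") // hypothetical out-of-scope host
	fmt.Println("out-of-scope request:", err)
}
```

The dialer-level allowlist is the part worth copying: filtering on the request URL alone misses redirects and DNS rebinding, whereas a check inside DialContext sees every connection the client ever tries to open.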
How you know it's real
That's the whole point of the capsule: you don't have to take our word for any of it. The trust mechanics are built into the artifact, not promised in marketing copy. Verify it offline, on a flight, on an air-gapped laptop — the maths still hold.
Every capsule carries a cryptographic signature anchored to a public, append-only log. Tamper with any byte and the signature breaks. If a capsule with our name on it shows up that we didn't build, your team can detect it offline using open tools. The offline check needs only two things you already hold: our verification key and a signed checkpoint of the log. A capsule that verifies under the key but carries no inclusion proof against that checkpoint is the one to treat as suspect.
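How a verify-only check of that shape works end to end, as an added example written for this page and not Celvex's published format or tool: the vendor signs the capsule body, the log signs a checkpoint (tree head plus size), and the relying party checks both signatures and walks a Merkle inclusion proof from the capsule to that head, all without network access. Assumptions made here: Ed25519 for both keys, RFC 6962 leaf and node hashing, a checkpoint laid out as root followed by an 8-byte big-endian size, and a five-entry log of constructed capsule bodies. The demo generates keys in-process only to stay self-contained; in practice the public keys are pinned by the verifier and the private ones never leave the signers.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// RFC 6962 hashing: a leaf is prefixed with 0x00 and an interior node with
// 0x01, so a leaf can never be presented as a subtree or vice versa.
func leafHash(data []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, data...))
	return h[:]
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// ProofStep is one sibling on the path from a leaf up to the root.
type ProofStep struct {
	Sibling []byte
	Left    bool // sibling sits to the left of the running hash
}

// merkleRoot computes the tree head over leaves and, when want >= 0, collects
// the inclusion proof for that leaf into proof (leaf-adjacent sibling first).
func merkleRoot(leaves [][]byte, want int, proof *[]ProofStep) []byte {
	if len(leaves) == 1 {
		return leafHash(leaves[0])
	}
	k := 1 // largest power of two strictly less than len(leaves)
	for k*2 < len(leaves) {
		k *= 2
	}
	if want >= 0 && want < k {
		left := merkleRoot(leaves[:k], want, proof)
		right := merkleRoot(leaves[k:], -1, nil)
		*proof = append(*proof, ProofStep{right, false})
		return nodeHash(left, right)
	}
	left := merkleRoot(leaves[:k], -1, nil)
	var right []byte
	if want >= k {
		right = merkleRoot(leaves[k:], want-k, proof)
		*proof = append(*proof, ProofStep{left, true})
	} else {
		right = merkleRoot(leaves[k:], -1, nil)
	}
	return nodeHash(left, right)
}

// Capsule is the sealed artifact plus everything needed to verify it offline.
// The layout is this example's assumption, not the published schema.
type Capsule struct {
	Body       []byte      // the sealed reproduction
	VendorSig  []byte      // Ed25519 over Body, by the vendor key
	Proof      []ProofStep // inclusion proof against Checkpoint
	Checkpoint []byte      // root || big-endian uint64 tree size
	LogSig     []byte      // Ed25519 over Checkpoint, by the log key
}

// Verify performs every check a relying party can do without the network,
// given the two public keys it has pinned.
func Verify(c Capsule, vendorPub, logPub ed25519.PublicKey) bool {
	if !ed25519.Verify(vendorPub, c.Body, c.VendorSig) {
		return false // body altered, or not signed by the vendor
	}
	if !ed25519.Verify(logPub, c.Checkpoint, c.LogSig) {
		return false // checkpoint not issued by the log
	}
	if len(c.Checkpoint) != sha256.Size+8 {
		return false
	}
	root := c.Checkpoint[:sha256.Size]
	h := leafHash(c.Body)
	for _, s := range c.Proof {
		if s.Left {
			h = nodeHash(s.Sibling, h)
		} else {
			h = nodeHash(h, s.Sibling)
		}
	}
	return bytes.Equal(h, root) // body was in the log when the checkpoint was signed
}

// Demo builds a five-entry constructed log, seals entry 3 as a capsule, and
// returns the verdicts for the genuine capsule and a copy with one byte flipped.
func Demo() (genuine bool, tampered bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	logPub, logPriv, _ := ed25519.GenerateKey(rand.Reader)
	var leaves [][]byte
	for i := 0; i < 5; i++ {
		leaves = append(leaves, []byte(fmt.Sprintf("capsule-%d: constructed replay transcript", i)))
	}
	var proof []ProofStep
	root := merkleRoot(leaves, 3, &proof)
	size := make([]byte, 8)
	binary.BigEndian.PutUint64(size, uint64(len(leaves)))
	checkpoint := append(root, size...)
	c := Capsule{
		Body: leaves[3], VendorSig: ed25519.Sign(vendorPriv, leaves[3]),
		Proof: proof, Checkpoint: checkpoint, LogSig: ed25519.Sign(logPriv, checkpoint),
	}
	genuine = Verify(c, vendorPub, logPub)
	bad := c
	bad.Body = append([]byte{}, c.Body...)
	bad.Body[0] ^= 0x01 // flip a single bit: both the signature and the proof now fail
	tampered = Verify(bad, vendorPub, logPub)
	return genuine, tampered
}

func main() {
	g, t := Demo()
	fmt.Printf("genuine capsule verifies: %v\ntampered copy verifies: %v\n", g, t)
}
```

The order of the checks matters less than their independence: the vendor signature alone proves who sealed the body, while the inclusion proof against a log-signed checkpoint proves the body was recorded publicly, which is what exposes a capsule signed with a stolen key that was never logged.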
Before any capsule leaves our build pipeline, every byte is scanned for secrets, personal data, and out-of-scope references. A hit fails the build — we'd rather miss a delivery than leak something we shouldn't ship. The dashboard previews exactly what made it through.
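One way to build that kind of fail-closed gate, as an added example written for this page (Celvex's own scanner and its rule set are not published): shape detectors for well-known secret formats and e-mail addresses, plus a scope check that pulls every host out of URLs and Host headers and rejects any that is not in the engagement allowlist. The detector names, the scope list (the target API and the out-of-band listener from the transcript on this page), the hypothetical host internal-billing.acme.corp and both HAR-style samples are constructed for the example; the access key in the dirty sample is the placeholder AWS uses in its own documentation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one reason a capsule must not ship. Kind names are this example's own.
type Finding struct {
	Kind  string // "secret:...", "pii:..." or "scope:host"
	Match string
}

// Shape detectors for secrets and personal data. Shape matching is cheap and
// fail-closed; a production gate would add entropy scoring for opaque tokens
// and a reviewed allowlist for the false positives that inevitably follow.
var detectors = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"secret:aws-access-key", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"secret:bearer-token", regexp.MustCompile(`(?i)authorization:\s*bearer\s+[A-Za-z0-9._~+/=-]{20,}`)},
	{"secret:private-key", regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)},
	{"pii:email", regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)},
}

// Hosts show up in a capsule both inside URLs and in Host headers; both are
// checked against the engagement scope.
var (
	urlHost    = regexp.MustCompile(`https?://([A-Za-z0-9.-]+)`)
	hostHeader = regexp.MustCompile(`(?mi)^host:\s*([A-Za-z0-9.-]+)`)
)

// Scan returns every reason the capsule bytes must not leave the pipeline.
func Scan(capsule []byte, inScope []string) []Finding {
	text := string(capsule)
	var out []Finding
	for _, d := range detectors {
		for _, m := range d.re.FindAllString(text, -1) {
			out = append(out, Finding{d.kind, m})
		}
	}
	scope := map[string]bool{}
	for _, h := range inScope {
		scope[strings.ToLower(h)] = true
	}
	for _, re := range []*regexp.Regexp{urlHost, hostHeader} {
		for _, m := range re.FindAllStringSubmatch(text, -1) {
			if h := strings.ToLower(m[1]); !scope[h] {
				out = append(out, Finding{"scope:host", h})
			}
		}
	}
	return out
}

// ShouldShip is the build gate: any finding at all blocks delivery.
func ShouldShip(f []Finding) bool { return len(f) == 0 }

// Kinds tallies findings by kind, which is what a dashboard preview needs.
func Kinds(f []Finding) map[string]int {
	k := map[string]int{}
	for _, x := range f {
		k[x.Kind]++
	}
	return k
}

// Engagement scope for the transcript on this page.
var InScope = []string{"api.acme.com", "oob.celvexgroup.com"}

// Constructed HAR-style excerpts. The token, address and key are invented
// (the access key is the placeholder from AWS's documentation).
var DirtySample = []byte(`GET /api/v2/orders?search=x'+AND+SLEEP(4)-- HTTP/1.1
Host: api.acme.com
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c3RhZ2luZy1yZXBsYXk.abcdefghijklmnop
X-Requested-By: jane.doe@acme.com

{"debug":"AKIAIOSFODNN7EXAMPLE","next":"https://internal-billing.acme.corp/invoice/1"}
`)

var CleanSample = []byte(`GET /api/v2/orders?search=x'+AND+SLEEP(4)-- HTTP/1.1
Host: api.acme.com

{"callback":"https://oob.celvexgroup.com/cb/0042"}
`)

func main() {
	for _, f := range Scan(DirtySample, InScope) {
		fmt.Printf("%-22s %s\n", f.Kind, f.Match)
	}
	fmt.Println("dirty ships:", ShouldShip(Scan(DirtySample, InScope)))
	fmt.Println("clean ships:", ShouldShip(Scan(CleanSample, InScope)))
}
```

The scope check is the one most vendors skip: a leaked token is obvious, but a transcript that quotes an internal hostname from a response body is just as much a disclosure about a system the customer never put in scope.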
Every capsule tells you how confident the system is in the finding, against a calibrated baseline. We don't claim 0.99 on a class where we hit 0.84. You get a probability you can act on, not a marketing number.
The capsule schema and the verify-only tool ship under an open licence. Any vendor can adopt the format. We open the standard; we keep building the pipeline that produces capsules at scale. Same play the supply-chain-integrity world made with signed artifacts.
Three workflows the capsule unlocks
A developer opens the dashboard, sees a P1 finding, runs the capsule. Thirty seconds later they've watched their own service get exploited. They go from "Celvex says this is a bug" to "I just watched it happen" without leaving the tab.
Security attaches the capsule to a ticket. Engineering pulls it, runs it, watches it work, ships the fix, runs the retest, sees fix-confirmed, closes the ticket. Security stops being the verification bottleneck.
At year-end, the auditor asks for evidence of past findings and remediations. You hand them the capsule archive — every capsule, every retest verdict, signed. They verify offline. The audit answer is now a record, not a fire drill.
A gift to the industry
The capsule format and the verify-only tool ship under an open licence. We want runnable, signed, sanitised exploit reproduction to become a category standard — not a Celvex-only differentiator.
The brand stays ours. The format belongs to everyone. That's how a category of "verifiable security" becomes the way the industry expects to ship security findings.
Just your domain and your work email. We'll handle the rest.