Short answers to the questions we hear most often. Open the docs or contact us if you need more depth.
DoesItDefend simulates real attacks against your web apps and AI systems, scores how well your defenses hold up against OWASP Top 10 + OWASP LLM Top 10, and produces signed evidence packs you can share with auditors or your security team.
Register, generate an API token, register your first target, and POST /v1/runs with the `quick` profile. The quickstart guide walks through it end-to-end in under ten minutes.
Yes — every new tenant starts on the Free plan with 5 runs per day and access to the built-in scenario catalogue. No credit card required to start.
Three scan profiles: `quick` (≈5 minutes, smoke coverage), `standard` (≈15 minutes), and `deep` (≈30 minutes, full OWASP LLM Top 10 + paraphrasing). Pair any profile with a built-in or custom scenario catalogue.
Yes — run the same scenario catalogue against two endpoints, tag both with a `comparison_group`, and open /runs/compare?ids=…. The compare view shows per-category coverage and brittleness deltas.
Quick: 3–7 minutes. Deep: 25–40 minutes. Custom: depends on scenario count; the engine reports an ETA in the run dashboard.
Yes — write a YAML manifest plus a deterministic grader function and publish it to your tenant catalogue. The custom-scenarios guide has a worked example.
Scenarios are derived from public OWASP LLM Top 10 reference probes, MITRE ATT&CK techniques, and incident reports. The full methodology — probe corpus and graders — is documented internally.
Free: 150 runs/month with the built-in catalogue. Starter: 200 runs/month. Pro: 500 runs/month plus custom scenario authoring. Enterprise: unlimited, contractually negotiated.
Free, Starter, Pro, and Enterprise. Free is a sandbox-only tier; Starter and Pro are self-serve (monthly or yearly); Enterprise is quote-only. Current pricing is on the /pricing page.
Yes — on-prem deployment, dedicated VPC, custom SLAs, and dedicated support. Contact sales@doesitdefend.ai.
PagerDuty, Slack, JIRA, Linear, and generic webhooks. The webhooks page documents the signed event payloads.
Yes — subscribe to webhooks (`run.completed`, `finding.created`, `evidence_pack.ready`) and POST findings into your downstream system. The signature scheme is HMAC-SHA256.
Encryption in transit (TLS 1.2+) and at rest (provider-managed KMS). Evidence packs are signed; access is scoped per-tenant; audit log captures every state change.
We follow LGPD (Brazil), GDPR (EU), and align with the EU AI Act. Full posture is documented in the privacy and terms pages.
Still have a question?
Contact us