Takumi byGMO

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

Takumi byGMO is an AI agent from GMO Flatt Security that takes on product-security work autonomously. The vulnerability assessments, code reviews, autofixes, and supply-chain protection that have historically required dedicated security engineers are carried out by Takumi.

What Takumi Does

Takumi is not a single tool — it is a set of capabilities that plug into the places where development and operations actually happen. Examples include:

  • Whitebox assessment: Reads the source code and specifications of a repository and reviews each feature for vulnerabilities.
  • Blackbox assessment: Crawls an application from its URL and runs attack scenarios against it.
  • Autofix: Generates a patch and opens a Pull Request for the vulnerabilities it finds.
  • Dependabot PR auto-triage: Analyses dependency-update PRs and surfaces only the ones that actually need attention.
  • Takumi Runner: A GitHub Actions runner that traces builds with eBPF and detects supply-chain anomalies at build time.
  • Takumi Guard: Blocks malicious-package installs from npm / PyPI / RubyGems and gives you searchable install history.

Getting Started

The shortest path is three steps:

  1. Subscribe to a Takumi plan — attach a plan to your Shisho Cloud organization.
  2. Follow the Takumi Pentesting Quickstart to run your first assessment.
  3. Set up GitHub and Slack integrations later, only when a feature you use needs them.

How the Docs Are Organized

This guide is structured by Takumi byGMO capability.

  • Assessment: The core capability. Covers the assessment model, pricing, internals, and references.
  • Takumi Runner: The eBPF-traced GitHub Actions runner.
  • Takumi Guard: The package-registry proxy.
  • Takumi API: The HTTP API for invoking Takumi from CI/CD and custom workflows.
  • Management: Organizations, subscription, and cancellation.

If you want to scale your security work or close the loop on vulnerability remediation from inside your dev team, start with the Pentesting Quickstart.