Frequently Asked Questions
Get answers to common questions about ZeroPath's AI-native security platform
General
ZeroPath is the first AI-native application security platform, performing 300k+ code scans per month. It replaces your SAST, SCA, secrets detection, and IaC scanning products with one unified platform.
Beyond scanning, ZeroPath includes automated PR reviews, one-click autofix, a natural language policy engine, risk management, and compliance automation with framework mapping to SOC 2, PCI-DSS, ISO 27001, and NIST 800-53.
ZeroPath was selected as a Top 10 Finalist for the RSAC 2026 Innovation Sandbox Contest, one of the most prestigious recognitions in cybersecurity.
Almost all SAST offerings (including "AI-enabled" platforms) detect bugs the same way: by tracing program inputs (network requests, filesystem reads, environment) and checking whether they flow, unsanitized, into known-dangerous functions. This is done by combining a large, user-maintained repository of 'rules' (which calls are sources, which are sinks, which count as sanitizers) with an engine that statically analyzes data and control flow. On massive, diverse codebases the simple "blacklist" nature of these rules produces both false positives (a flow that is in fact neutralized, but not by a call the rules know about) and missed vulnerabilities (a flaw that involves no dangerous sink at all, such as a missing authorization check).
ZeroPath is part of a new class of AppSec tools called "AI-native". Instead of scanning your code with static analysis tricks, we've built a platform from the ground up with LLMs. Our language models scan your code for problems like a pentester would, investigating each potential issue for exploitability in real-world conditions — catching business logic flaws, auth bypasses, and race conditions that rule-based tools simply cannot detect.
This approach has been validated in the real world: ZeroPath autonomously discovered 7 vulnerabilities in FFmpeg, 170+ valid bugs in curl, and critical auth bypasses in projects like Better Auth.
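To make the comparison concrete, here is an added example (written for this page, not ZeroPath code or any real tool's rule set) of the source-to-sink rule model described above: a toy taint checker built on Python's `ast` module, with a hand-written rule set, run over three constructed snippets. It catches the string-concatenated SQL injection, also flags the `int()`-cast version because the blacklist has no entry saying that cast is a sanitizer (a false positive), and reports nothing on the IDOR, where the query is parameterised but no rule can express "the caller must own invoice N". The `SOURCES`/`SINKS` lists and the three sample functions are assumptions made for the demonstration.

```python
import ast

# Signature-based rule set of the kind the FAQ describes: taint enters at a
# SOURCE and is reported when it reaches a SINK. Both lists are assumptions
# for this toy, not ZeroPath's or any real tool's rules.
SOURCES = {"request.args.get", "request.form.get", "request.json.get"}
SINKS = {"cursor.execute": "sql-injection", "os.system": "command-injection"}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain such as request.args.get."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintChecker(ast.NodeVisitor):
    """Forward taint propagation through assignments, concatenation and calls."""

    def __init__(self):
        self.tainted = set()  # local names currently holding attacker-controlled data
        self.findings = []    # (line number, rule name)

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            # A call is tainted if it is a source or any argument is tainted;
            # the rule set knows no sanitizers, so int(x) stays tainted.
            return dotted_name(node.func) in SOURCES or any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f-string
            return any(self.is_tainted(v.value) for v in node.values if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        if self.is_tainted(node.value):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        rule = SINKS.get(dotted_name(node.func))
        if rule and node.args and self.is_tainted(node.args[0]):
            self.findings.append((node.lineno, rule))
        self.generic_visit(node)


def scan(source):
    """Return [(line, rule), ...] for a function given as source text."""
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed samples (not code from any real project).
SQLI = '''
def get_user(request, cursor):
    user_id = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + user_id
    cursor.execute(query)            # line 5: true positive
    return cursor.fetchone()
'''

FALSE_POSITIVE = '''
def get_user_by_id(request, cursor):
    user_id = int(request.args.get("id"))   # int() makes injection impossible
    cursor.execute("SELECT * FROM users WHERE id = " + str(user_id))  # line 4: flagged anyway
    return cursor.fetchone()
'''

IDOR = '''
def get_invoice(request, cursor):
    invoice_id = request.args.get("id")
    # Parameterised, so no taint reaches raw SQL and no rule fires...
    cursor.execute("SELECT * FROM invoices WHERE id = %s", (invoice_id,))
    # ...but nothing checks that the caller owns the invoice: any logged-in
    # user can read anyone's invoice by changing ?id=. No sink rule sees this.
    return cursor.fetchone()
'''


def scan_samples():
    """Run the toy checker over the three samples; keyed by sample name."""
    return {"sqli": scan(SQLI), "false_positive": scan(FALSE_POSITIVE), "idor": scan(IDOR)}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:15s} {findings or 'no findings'}")
```

The rule engine is only as good as its lists: adding `int` as a sanitizer fixes this one false positive, but the IDOR can never be reached that way, because the missing ownership check is a property of what the code does not do rather than of any call it makes.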
ZeroPath supports 30+ languages with deep analysis including:
Because ZeroPath's analysis is LLM-based rather than rule-based, adding new language support doesn't require building a separate rule set from scratch. Contact us if you have specific needs.
Integrations & Compatibility
ZeroPath includes official support and integrations (for both full scans and PR scans) with:
ZeroPath can also scan uploaded code and code from credentialed git repositories.
ZeroPath supports:
ZeroPath can sync available issues with these platforms automatically.
ZeroPath can export findings as:
Export is available through both the API and the web UI, and findings can also be synced to the issue trackers listed above.
ZeroPath supports the most common single-sign-on options, including:
Both SAML and OAuth platforms are supported.
Yes! You can access almost all of the features of the ZeroPath web UI through our documented API.
API features include:
- Trigger scans programmatically
- Retrieve vulnerability reports
- Manage integrations
- Export findings in various formats
Product & Pricing
Most teams are scanning their first repository within 5 minutes. Connect your VCS (GitHub, GitLab, Bitbucket, or Azure DevOps) with one click, select which repos to add, and start a scan. There are no build scripts to configure, no agents to install, and no infrastructure to provision. ZeroPath automatically discovers your tech stack, maps your application architecture, and begins analysis. Enterprise SSO and team permissions can be configured in the same session.
ZeroPath's Team plan starts at $1,000/month base plus $60 per developer per month, with a 14-day free trial. We only count developers actively using the tool day-to-day, not everyone who has ever committed to a repo. All plans include unlimited repositories and scans.
The Enterprise plan offers custom pricing with on-prem/self-hosted deployment, BYOK (bring your own LLM keys), volume discounts, dedicated support with SLA, SCIM provisioning, the policy engine, and custom compliance reports.
A usage-based Credits plan (pay per scan, no monthly commitment) is coming soon. See full details on our pricing page.
PR scans typically complete in under 2 minutes. They are diff-focused, meaning only the changed files and their surrounding context are analyzed, with SAST, SCA, secrets, and IaC checks running in parallel. By comparison, tools like Checkmarx take 25–45 minutes on full codebases and can't be used as a practical PR gate.
Full repository scans take longer depending on codebase size, but subsequent scans are up to 10x faster because ZeroPath intelligently reuses results for unchanged files.
ZeroPath detects standard technical vulnerabilities like SQL injection, XSS, SSRF, command injection, path traversal, insecure deserialization, XXE, CORS misconfigurations, CSRF, and memory safety issues (buffer overflows, use-after-free). All findings are scored with CVSS 4.0.
What sets ZeroPath apart is its ability to find business logic vulnerabilities that rule-based tools miss entirely: broken authentication flows, authorization bypasses (IDOR), privilege escalation, race conditions, and workflow bypass. For example, ZeroPath found an unauthenticated API key creation flaw in Better Auth enabling complete account takeover, 7 memory safety flaws in FFmpeg including heap buffer overflows in protocol handlers, and a credential theft vulnerability in OpenClaw enabling unauthorized access to stored credentials.
ZeroPath also detects AI-specific vulnerabilities like prompt injection and training data exposure, secrets and hardcoded credentials, IaC misconfigurations, and vulnerable dependencies, with reachability analysis to indicate whether the vulnerable code is actually called from your application.
Yes. ZeroPath integrates with Vanta, Drata, and ServiceNow for automated compliance evidence collection. Every scan generates fresh audit evidence that maps findings to exact control clauses across SOC 2, ISO 27001, PCI-DSS 4.0, and NIST 800-53.
You can schedule automated evidence exports with signed SBOMs and fix verification records, generate auditor-ready compliance reports on demand, and track MTTR and SLA breaches by business unit. This turns last-minute audit scrambles into continuous compliance. Learn more about compliance automation and our GRC team solutions.
ZeroPath's enterprise offering includes granular role-based access control (RBAC) with immutable audit logs, SSO/SAML via WorkOS (Okta, Azure AD, Google, Auth0, and more), and SCIM provisioning for automated user lifecycle management.
For organizations with complex structures, ZeroPath supports multi-tenant architecture with workspace isolation for subsidiaries and business units, making it suitable for MSPs and holding companies. A natural language policy engine lets you define and enforce organization-specific security rules without learning a DSL.
Deployment options include on-prem, self-hosted, and private cloud with BYOK (bring your own LLM keys) for organizations with strict data residency requirements. All enterprise plans include dedicated support with SLA and hands-on onboarding.
Still have questions?
Our team is here to help. Contact us for more information about ZeroPath.