ZeroQuarry overview
ZeroQuarry is a cloud platform for finding security vulnerabilities before attackers do. It runs agent-led assessments against the assets teams actually ship and operate:
- source code repositories and uploaded source archives
- binary artifacts such as Android packages, JARs, firmware, installers, and archives
- authorized live targets such as web applications, APIs, and SaaS assets
The primary UI is the ZeroQuarry console at console.zeroquarry.com. Programmatic access is available through the public API gateway at https://api.zeroquarry.com.

The console opens into a project workspace where scan history, findings, and new assessment flows stay grouped by product or service.
New accounts start with a short workflow-mode setup step. This lets ZeroQuarry tailor the scan UI for a guided owner/operator experience, a security-research workflow, or an AppSec triage workflow before the first scan is created.
What ZeroQuarry is for
Use ZeroQuarry when you need security review capacity for software that changes faster than a human team can manually inspect on every change.
Common use cases:
- Release security review: scan a release branch, shipped artifact, and staging target before promotion.
- Continuous CI scanning: trigger source scans from CI and use delta scans to focus on changed code.
- Triage and remediation: challenge findings, generate fix patches, export engineer-ready evidence, and re-run after fixes.
- External disclosure: prepare PoCs, disclosure drafts, HackerOne review context, and a disclosure timeline.
- Multi-surface assessment: combine source, binary, and remote scans when a vulnerability crosses build, packaging, and runtime boundaries.
Start with Choose the right assessment if you are deciding what to scan first.
Core concepts
Projects group scans for one product, service, repository, or target set. Every scan belongs to a project. Use projects to preserve history across source, binary, and remote reviews of the same product.
Scans are asynchronous security assessments. A scan has one mode: source, binary, or remote. Scans move through states such as queued, running, awaiting batch artifacts, completed, failed, or cancelled.
Targets are the concrete inputs for a scan: uploaded files, Git repositories, or URLs.
Findings are confirmed or candidate vulnerabilities recorded by the agents. Each finding includes severity, CVSS-style scoring, evidence, and source context where available.
Artifacts are generated outputs attached to findings, including proof of concept material, generated patches, and, when enabled, a draft disclosure email.
Reports are the durable review surface for a scan. Reports include findings, non-issues, target metadata, logs, chat, exports, and re-run controls.
Disclosures track externally reported issues across acknowledgement, fix, public advisory, bounty, credit, and closure.
How scans work
ZeroQuarry uses a coordinator and worker model.
- The coordinator maps the target surface and builds a checklist.
- Worker agents investigate focused areas, files, endpoints, or binary outputs.
- Triage reviews recorded findings and filters weak or duplicate issues.
- Artifact generation creates PoCs and disclosure drafts when the plan allows it.
- Optional review passes can add HackerOne eligibility labels, vendor-style challenge results, rebuttals, and confidence scores.
The result is a report that is intended to be actionable: evidence first, reproducibility where possible, and enough context for an engineer or security reviewer to decide what to do next.
How to read these docs
If you are planning work, start with a playbook:
If you already know what asset you want to scan, go straight to the scan mode:
If you are new to the console, run a small scan first:
Start with Run your first scan, then read the mode-specific page for the target you want to assess:
For CI-driven source scanning, use GitHub Actions.