The agent doesn't just say it found a bug. It proves it.
Opviva is a security agent you talk to — and every exploit it finds is reproduced, not asserted, on a tamper-evident Evidence Canvas. Under the hood, that's the Flight Recorder: hash-chained, retained, reconstructable, and exportable, built to satisfy the EU AI Act's Article 12 requirement that high-risk AI systems automatically log events over their lifetime, from August 2, 2026.
- We prove vulnerabilities by reproducing them — not guesses
- Tamper-evident record of what your AI agents do
- We never store your source code
Watch it prove the exploit — every agent action captured, hash-chained, and reconstructable to an audit-grade standard.
One agent's session, replayed newest first. It handled a refund normally — then quietly overstepped. Opviva caught it and sealed an unforgeable record.
Opviva flagged the action and sealed the sessionCaught & sealed
2026-06-20T14:02:56Z
checkout-agent ran DELETE FROM users — outside its allowed scopeThe violation
2026-06-20T14:02:55Z
checkout-agent issued a ₹4,200 refund to the original method
2026-06-20T14:02:44Z
checkout-agent queried the orders table for order #80421
2026-06-20T14:02:43Z
checkout-agent received a refund request from a customer
2026-06-20T14:02:41Z
Every step is sealed and linked to the one before it — edit or delete any of them and the record visibly breaks, so it can't be forged. Illustrative reconstruction.
Why the agent needs a record, not just a verdict
“There's a vulnerability here” isn't proof — it's a claim. So when Opviva's agent finds an exploit, it reproduces it and records every step on the Evidence Canvas: automatically logged, to a degree that gives you real traceability of what the agent did and why. The hard part isn't storing lines of text; it's producing a record you can trust and reconstruct. That matters doubly for AI agents themselves — they leave no trace by default, logging in as themselves with valid credentials while a bad decision hides inside a chain of tool calls.
The EU AI Act's Article 12 requires high-risk AI systems to keep exactly this kind of log. Opviva provides the technical record-keeping capability. Whether your system is “high-risk” and how you meet your obligations is a determination for you and your counsel — we give you the evidence layer to build on.
How the agent builds the record
Automatic capture
One line of SDK lets the agent record every prompt, tool call, decision, and outcome — across LangChain, the Vercel AI SDK, OpenAI/Anthropic, in TS and Python.
Tamper-evident
Events are hash-chained and append-only, so any alteration or deletion is detectable — the integrity that turns a log into proof.
Retention
Configurable per-account retention keeps the record for as long as your obligations require.
Sealed deletion
When data expires, a signed tombstone records what was removed and that its chain was intact — so even deletion is auditable.
Reconstruction
The agent rebuilds any incident into a step-by-step timeline with a verifiable integrity check — this is how it proves the exploit, not just claims it.
Auditor export
Export a session as a signed evidence bundle or an auditor-ready PDF for a regulator, insurer, or internal review.
Start recording your agents
The Flight Recorder is live. One line of SDK — TypeScript or Python — lets the agent capture every prompt, tool call, and outcome, so it can reconstruct any session to an audit-grade standard.
Already a customer? Find the recorder in your dashboard under Settings → SDK install, or follow the setup guide.
