Website Quality Agent
Checks website availability, security headers, basic HTML issues, image accessibility signals, and evidence-backed findings.
Now in design-partner program
Evidence-backed QA and security release-readiness before your software goes live.
ACW QA & AWS Security Agent Platform helps teams verify websites, web applications, APIs, access controls, and cloud security posture with repeatable scans, evidence-backed findings, and release decision support.
Manual pre-release checks are fragile.
Most teams still rely on manual checklists, screenshots, chat messages, and memory before software goes live. That creates gaps: protected pages may be exposed, APIs may return private data, reports may be downloadable without login, cloud settings may drift, and findings may lack evidence.
- Manual route checks are easy to miss.
- API and export endpoints are often tested inconsistently.
- Security headers and access controls can regress silently.
- QA evidence is scattered across chats and screenshots.
- Release decisions are made without a clear risk summary.
One platform for repeatable QA, access, and security validation.
Six coordinated agents give software teams a single place to run, evidence, and review the checks that gate every release.
Web Application Testing Agent
Checks application availability, protected endpoints, basic web application behavior, and release-impact findings.
Access Audit Agent
Automates logged-out production checks for protected pages, APIs, reports, exports, and private-data exposure.
AWS Deployment Security Agent
Designed to support AWS deployment security review, read-only cloud checks, and cloud posture evidence.
Evidence-backed Reports
Findings are designed to include severity, evidence, steps to reproduce, likely cause, recommended fix, owner/category, and release impact.
Release Decision Engine
Summarizes findings into PASS, WARN, BLOCK, or PASS_WITH_NOTES decisions so teams know whether a release should proceed.
Benefits for software teams, agencies, and security-conscious companies.
Repeatable scans, structured evidence, and clear release decisions move QA out of chat threads and into an auditable workflow.
- Reduce manual QA repetition.
- Catch exposed routes and access-control gaps before release.
- Create evidence-backed reports for engineering and leadership.
- Improve communication between QA, DevOps, security, and product teams.
- Track whether findings are new, still open, resolved, or regressed.
- Support compliance-prep and audit-readiness workflows.
- Avoid treating NOT_TESTED as PASS.
How the platform works.
Five steps from scan request to release decision. Every step produces evidence that flows into the final report.
STEP 01
Select target
Choose the application, website, or cloud environment to scan.
STEP 02
Choose scan type
Website QA, WebApp, Access Audit, AWS, Code, or a combined scan.
STEP 03
Run safe checks
The platform runs safe, evidence-backed checks against the target.
STEP 04
Categorize findings
Findings are grouped by severity, owner, release impact, and remediation guidance.
STEP 05
Release decision
Summarizes whether the team should proceed, review, or block release.
Target App
Agents
Evidence Store
Findings
Release Decision
Report / Ticket / Review
Use cases.
Built for the recurring scenarios where release uncertainty creates real cost.
SaaS pre-release validation
Repeatable pre-release checks across web, API, and cloud surfaces with clear release decisions.
Website QA review
Availability, security header, and basic accessibility checks with evidence captured for every run.
Protected route and API verification
Automated logged-out checks for admin routes, exports, and APIs that should not be reachable without auth.
Agency client QA reporting
Standardized, evidence-backed reports your team can hand to clients alongside each release.
AWS deployment security readiness
Read-only AWS checks designed to surface posture drift before production deploys.
Compliance-prep support
Structured evidence and decision history that helps teams prepare for SOC 2, ISO 27001, and similar reviews.
Current capabilities and roadmap.
The platform is actively evolving from an internal MVP into an enterprise-grade release-readiness system. Current capabilities include website checks, access-control validation, evidence-backed reports, scan comparison, and release decision support. Roadmap capabilities expand persistence, browser-grade testing, AWS integrations, RBAC, audit logs, and compliance mapping.
| Area | Current Status | Roadmap |
|---|---|---|
| Website availability | Available | Expand with browser checks |
| Security header checks | Available | Add deeper policy validation |
| Basic HTML checks | Available | Add richer DOM/browser checks |
| Access-control audit | Available (logged-out) | Add authenticated role testing |
| Evidence-backed reports | Available | Add retention and durable storage |
| Scan comparison | Available | Expand lifecycle intelligence |
| Playwright | Roadmap / rollout | Screenshots, console, mobile |
| Lighthouse | Roadmap / rollout | Performance, SEO, best practices |
| axe-core | Roadmap / rollout | Deeper accessibility |
| PostgreSQL | Phase 1 priority | Production persistence |
| RBAC | Roadmap | Named users and roles |
| Audit logs | Roadmap | Tamper-evident activity history |
| Risk acceptance | Roadmap | Expiring approvals and audit trail |
| AWS integrations | Roadmap | Security Hub, GuardDuty, Inspector, Prowler |
| Ticketing | Roadmap | GitHub, Linear, Jira |
| Compliance mapping | Roadmap | SOC 2, ISO 27001, NIST, CIS AWS |
Evidence-backed reports your team can act on.
Reports are designed to show what was tested, what failed, why it matters, who should own the issue, what evidence supports the finding, and whether it should block release.
Missing Content-Security-Policy header
Production response is missing Content-Security-Policy. Evidence captured from response headers on three sample routes, with steps to reproduce and recommended baseline policy attached to the finding.
Image alt-text coverage at 84%
Five marketing images are missing meaningful alt text. Evidence includes the affected URLs, the offending elements, and a recommended fix per element.
Release 2.4.0 — review required
Summary of all findings categorized by severity, with owner and remediation guidance. The decision engine recommends BLOCK because two access-control findings are open.
Evidence-backed remediation steps
Each finding ships with a recommended fix, the evidence that triggered it, and the conditions a future scan would use to confirm the fix landed.
Built for teams that cannot afford release uncertainty.
The platform is designed for organizations where shipping a regression has real operational and reputational cost.
SaaS companies
Software agencies
DevOps teams
QA teams
Security-conscious founders
Cloud teams
Compliance-prep teams
CTOs and product leaders
Now accepting limited design-partner conversations.
We are opening a limited design-partner program for companies that want stronger QA, security validation, and release-readiness workflows across web applications, websites, APIs, and cloud deployments.
Tell us about your team.
Share a few details about your company and primary interest. We respond from [email protected] and use the information only to evaluate fit for the design-partner program.
- Limited cohort — we work closely with each partner.
- Read-only AWS reviews and safe, scoped scans.
- Direct access to the engineering team building the platform.
Responsible security statement
How to read findings from this platform.
ACW QA & AWS Security Agent Platform supports evidence-backed QA, security validation, and release-readiness decisions. It does not guarantee that any system is 100% secure, bug-free, or fully compliant. It does not replace professional penetration testing, legal review, or formal compliance certification. Results should be reviewed by qualified humans before business or release decisions are finalized.