Dimension scores are derived from public data and fields and are weighted into the composite. For reference only.
HAVOC is a framework-aware security scanning tool for Laravel/PHP, positioned differently from generic SAST tools. It claims to understand Laravel policies, Gates, middleware, and Eloquent scoping, using AST analysis to detect vulnerabilities that are closer to business semantics—such as missing $this->authorize(), mass assignment, Blade XSS, SQL injection, IDOR, privilege escalation, and exposed credentials. It can run locally, via CLI, in GitHub Actions, and as part of PR workflows.
Its standout capability is “authorization coverage”: it parses public controller methods and checks whether authorize, Gate, can, or route middleware checks are present—similar to code coverage, but for security. In CI, it supports diff-aware scanning, scanning only files changed in a PR while combining results with historical coverage. Output formats include text, json, sarif, and github, making it usable with GitHub Code Scanning. The paid cloud offering provides dashboards, trends, AI triage, auto-fix PRs, team collaboration, and alerts; the Enterprise plan supports a self-hosted scanner so source code does not leave the network. The official site states that source code is cloned and then immediately deleted, with only findings, coverage metrics, and metadata retained.
The free plan includes 1 repository, CLI/GitHub Action, inline PR comments, status checks, authorization coverage, and all framework analyzers, with unlimited local scanning—making it a strong value. Solo costs $29/month, Team costs $149/month, Business costs $499/month, and Enterprise is custom-priced. Team and above add Slack, Discord, and Email alerts plus exploit test generation; Enterprise includes SAML/SSO, audit logs, a 99.9% SLA, dedicated support, and custom integrations. Billing is handled via Stripe, and paid features come with a 14-day free trial with no credit card required.
The main advantage is its deeper understanding of Laravel’s authorization model. It can surface security issues directly as inline PR feedback, generate PHPUnit exploit tests, and create auto-fix PRs, making it well suited for shifting security gates left into the development workflow. The free plan is not just a demo and is friendly to individuals and open-source projects. Its limitation is that deep support currently focuses mainly on Laravel, while Rails and Django are still on the roadmap. The official site also contains two different claims about the number of analyzers—15 and 9—suggesting that documentation consistency could be improved. The product is still in Beta, so detection rate, false positives, and stability should be validated against real repositories.
The source material does not provide information on mainland China access, RMB payments, or localized support, so china_access can only be assessed as unknown. Because it depends on GitHub, GitHub OAuth, Stripe, and a cloud dashboard, teams in China should independently verify network connectivity, payment availability, and data compliance. If domestic support or private deployment is required, alternatives to compare include Semgrep, Snyk, SonarQube, GitHub Code Scanning, as well as Chinese code security/DevSecOps vendors—but Laravel framework-semantic analysis capability should be a key point of evaluation.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site (havoc.cloud).
havoc.cloud is a United States-based pentest provider. TG4G tracks its product information, an overall rating of 7.0/10, and a China-accessibility score of Workable.