How It Works

From Scan To Signal In 5 Minutes

Observability completes the triangle with code and agent. ThinkingPatterns normalizes findings, tracks their lifecycle, and measures whether your security posture is actually improving.

Step 1

Ingest from anywhere

Pipe scanner output from any tool that speaks SARIF. We normalize severity levels, deduplicate via fingerprinting, and track recurrence automatically.

Universal SARIF ingestion

POST any SARIF 2.1.0 payload. We extract titles, severities, file locations, and remediation guidance.

Smart deduplication

SHA-256 fingerprints based on rule ID, file path, line range, and message. Same finding from two scanners? Counted once.

MCP ingestion

Use the ingest_sarif tool from Claude Code to pipe results directly from your agent.

Ingest via API

curl -X POST https://app.thinkingpatterns.ai/api/ingestion/sarif \
  -H "Authorization: Bearer tp_sk_..." \
  -H "Content-Type: application/json" \
  -d '{
    "project_id": "your-project-id",
    "sarif": { ... }
  }'
Ingest via Claude Code

> Scan this project for security
  vulnerabilities using ThinkingPatterns

✓ Running security scan...
✓ Ingested 47 findings (12 new, 35 deduplicated)
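As an added example (not ThinkingPatterns' own code), here is how the Step 1 pipeline can be modelled: parse a SARIF 2.1.0 log, map each result's level onto a normalized severity, and collapse repeats across scanners with a SHA-256 fingerprint over rule ID, file path, line range and message. The level-to-severity table, the field separator and the scanner names in the sample are assumptions.

```python
import hashlib
import json

# Assumed mapping of SARIF "level" values onto one normalized severity scale.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}

def fingerprint(rule_id, path, start, end, message):
    """SHA-256 over rule ID, file path, line range and message: the dedup key."""
    key = "\x1f".join([rule_id, path, str(start), str(end), message])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

def normalize_sarif(sarif_text):
    """Flatten a SARIF 2.1.0 log into findings keyed by fingerprint; a repeat
    of an already-seen fingerprint only records the extra reporting tool."""
    log = json.loads(sarif_text)
    if log.get("version") != "2.1.0":
        raise ValueError("expected a SARIF 2.1.0 payload")
    findings = {}
    for run in log["runs"]:
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            region = loc.get("region", {})
            start = region.get("startLine", 0)
            end = region.get("endLine", start)
            path = loc["artifactLocation"]["uri"]
            msg = res["message"]["text"]
            fp = fingerprint(res["ruleId"], path, start, end, msg)
            if fp in findings:  # same finding from another scanner: count once
                findings[fp]["sources"].append(tool)
                continue
            findings[fp] = {"rule_id": res["ruleId"], "location": f"{path}:{start}",
                            "severity": LEVEL_TO_SEVERITY.get(res.get("level", "warning"), "medium"),
                            "message": msg, "sources": [tool]}
    return findings

def _result(rule, level, uri, line, text):
    """Build one minimal SARIF result object (constructed test data)."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                           "region": {"startLine": line, "endLine": line}}}]}

# Constructed sample: two scanners, both reporting the same SQL injection.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "scanner-a"}}, "results": [
        _result("py/sql-injection", "error", "src/user_query.py", 42, "User input passed directly to query()")]},
    {"tool": {"driver": {"name": "scanner-b"}}, "results": [
        _result("py/sql-injection", "error", "src/user_query.py", 42, "User input passed directly to query()"),
        _result("js/hardcoded-secret", "warning", "src/config.ts", 18, "API key committed to source")]}]})
```

Running normalize_sarif(SAMPLE_SARIF) yields two findings from three results: the SQL injection carries both scanners in its sources list, which is the "counted once" behaviour described above.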

Step 2

Triage with context

Every finding moves through a tracked lifecycle. Accept, dismiss, or defer — from the web UI or directly from your agent.

Triage from Claude Code

> Review my ThinkingPatterns findings and
  explain the top 3 most critical ones

1. SQL Injection in user_query.py:42
   Severity: critical | Status: open
   → User input passed directly to query()

2. Hardcoded secret in config.ts:18
   Severity: high | Status: open
   → API key committed to source

3. XSS in template.html:93
   Severity: high | Status: open
   → Unescaped user input in innerHTML

> Accept finding 1 and fix it

✓ Finding accepted. Applying fix...
✓ Parameterized query applied. Marked complete.

Lifecycle tracking

Open → Triaged → Completed (or Dismissed). Every state transition is timestamped and attributed to a user.

Team collaboration

Add comments to findings, discuss remediation approaches, and create GitHub issues directly from a finding.

Bulk triage

Select multiple related findings and apply the same action. Dismiss 20 false positives in one click.

Step 3

Custom agents for deeper analysis

Go beyond pattern matching. Define security analysis workflows in plain Markdown and let your agent execute them against your codebase.

SKILL.md workflows

Each agent is a Markdown file describing an analysis strategy. No YAML configs, no DSLs — just plain language instructions.

SARIF output

Agent results are normalized into SARIF format and ingested as findings, just like scanner output. One unified finding feed.

SKILL.md — Security Deep Analysis

# Security Deep Analysis Agent

## Analysis Strategy
1. Map the attack surface
   - Identify HTTP handlers and entry points
   - Trace authentication and authorization flows
   - Catalog data stores and external services

2. Follow sensitive data flows
   - Track PII from input to storage
   - Check for logging of sensitive values
   - Verify encryption at rest and in transit

3. Check trust boundaries
   - Validate input sanitization at boundaries
   - Review CORS and CSP configurations
   - Assess dependency supply chain risk

Step 4

Measure what matters

Track how your security posture evolves over time with metrics that tell you whether things are getting better.

MTTR

Mean time to resolution. Track how quickly your team addresses findings, and whether that speed is improving.

Fix success rate

What percentage of completed findings actually stay fixed? Catch regressions before they ship.

Finding velocity

Are new findings being discovered faster than they're resolved? See the trend over 7, 30, or 90 days.

Integrations

Fits into your workflow

Connect ThinkingPatterns to the tools your team already uses.

GitHub Actions

Trigger scans on every push via CI. Findings sync bidirectionally with GitHub Issues. Scan status updates via webhooks.

Linear

Create tasks from findings. When a Linear task is marked done, the finding is automatically completed. Bidirectional status sync.

MCP

17+ tools exposed via Model Context Protocol. Scan, triage, query metrics, and manage agents — all from your editor.

REST API

Full API access with scoped API keys. Integrate with any tool that can make HTTP requests. SARIF ingestion endpoint for custom pipelines.

Ready to see your security posture?

Connect your first scanner and start tracking findings in under 5 minutes.