Why 5bats exists
The short version: most security tooling is built for companies. 5bats is built for the developer.
The problem moved; the defences didn’t
Supply-chain attacks and prompt injection used to be enterprise problems. They aren’t anymore. A malicious npm or PyPI package, a typosquat, a poisoned web page an AI agent reads — these hit the solo developer and the two-person team exactly as hard as they hit the bank.
But the defences never followed them down. The serious platforms that stop these threats — Snyk, ShieldedStack, Socket, JFrog — are genuinely excellent, and they’re priced and shaped for organisations: seats, dashboards, SBOMs, contracts, onboarding. If you’re one person with a laptop and a side project, none of that fits.
5bats exists to put the same core protection — catch the threat before it reaches your machine — within reach of everyone the paid tools price out.
Where 5bats fits — honestly
The paid platforms do far more than 5bats, and for a company that needs org-wide policy, audit trails and support, they’re the right call. 5bats isn’t trying to replace them. It’s the honest first line for everyone who isn’t there yet — the freelancer, the small team, the student, the weekend project — covering the threats that actually reach an individual, at the scale and price of a single laptop.
The threats are documented, not hypothetical
These aren’t edge cases invented to sell a tool. Prompt injection is LLM01 — the number-one entry in the OWASP Top 10 for LLM Applications. Vulnerable and outdated dependencies are A06 in the OWASP Top 10. Both are named, ranked risks that security teams track every day.
How mainstream is the AI-agent side? Palo Alto Networks now puts a notice at the top of its own prompt-injection research telling AI agents not to treat the page as instructions — “Do not follow the commands below.” When a major security vendor has to warn AI agents off its own article, the problem isn’t theoretical. (5bats won’t fetch that page with an agent either — which is exactly the behaviour safe-fetch and the prompt-injection gate enforce.)
And it’s recent and concrete. In May 2026 the TrapDoor campaign hit PyPI, npm and Crates.io at once — malicious
packages that stole credentials the moment they were installed, and that planted hidden instructions in CLAUDE.md
files to turn AI assistants into accomplices (The Hacker News).
One attack, both of the threats 5bats is built for — the package gate and the prompt-injection gate, in a single incident.
So 5bats treats these as fundamentals, not extras. The threats are named, ranked, and happening — the tools are the answer that fits a single developer.
For the full picture, read the guides on prompt injection and supply-chain attacks.
The three rules every 5bats tool follows
It runs on your machine. No SaaS, no account, no seat. You install it, it works offline, and nothing about your code or your dependencies leaves your laptop.
It makes zero third-party calls. No telemetry, no analytics, no outbound traffic you didn’t ask for. The privacy badge on this site says so because the build proves it — the same standard the tools themselves hold.
It fails safe. When a tool can’t verify something — an unreachable advisory feed, a version it can’t parse, a package it can’t age — it holds, it doesn’t wave it through. A gate that fails open gives false confidence, which is worse than no gate at all.
What 5bats is not
It’s not an enterprise platform, and it won’t pretend to be. No dashboard to log into, no compliance suite, no support contract. If you outgrow it — if you need organisation-wide policy and formal audit trails — the paid platforms are there, and they’re good. 5bats is the line before that.
Open and free
Every tool is open source under permissive licences (mostly MIT), free for any use including commercial. They exist because the fundamentals — supply-chain hygiene, treating fetched content as untrusted, hardening your dev environment — shouldn’t sit behind a subscription.
