Live demos

Runtime attack
protection

See what happens when real CVEs hit an unprotected server — and what changes when Thicket is active.

Malicious .pt checkpoint — same technique used in HuggingFace Hub incidents (JFrog / Protect AI, 2024)

Without Thicket

With Thicket

CVSS 9.8 — unauthenticated RCE in Langflow < 1.3.0. Actively exploited May 2025 (Cisco Talos)

Without Thicket

With Thicket

CVSS 8.6 — SSRF via redirect bypass. Same class as Capital One (2019). Confirmed on RAGFlow: live Azure IMDS token exfiltrated.

Without Thicket

With Thicket

Deserialization vulnerability class documented by JFrog & Protect AI (2024). Langflow CVE-2025-3248 actively exploited per NVD / Cisco Talos (May 2025). SSRF (undisclosed, reported 2026) — same class as Capital One (2019). Our research confirmed live Azure IMDS token exfiltration from a production AI platform deployment.

Runtime attackprotection

Runtime attack
protection