Hostile Review gives you full control over every scan. Pick a preset to get started fast, or go deep —
choose exactly which agents review your code, what quality tier each one runs at, and which files to include.
The cost estimate updates live as you adjust, so there are no surprises.
Scan Presets
Choose Your Coverage Level
Presets select a curated group of agents. You can always add or remove individual agents after picking a preset.
Core security agents only. Great for trying out Hostile Review on a small project at no cost.
The essential agents from each active category. Covers the fundamentals without specialists.
Quick Scan (26 agents)
RECOMMENDED
Best balance of coverage and cost. Includes core agents plus key specialists across security, improvements, and design.
Comprehensive coverage. Adds performance, API design, testing, i18n, data/ML, mobile, and cloud cost agents.
Full Assault (108 agents)
$$$
Every agent. Every angle. All 15 categories activated. Best for critical releases, compliance audits, or when you want maximum coverage.
Can get expensive on large repos, but we always show the full cost estimate before any scan begins.
Custom: Pick "Custom" to start from scratch and hand-select exactly the agents you want.
Agent Tiers
Quality vs. Cost
Every agent can run at one of four quality tiers. Higher tiers use more powerful AI models and produce deeper analysis, but cost more.
Diamond
$0.0140 / 1K tokens
Our highest-tier frontier model. Best reasoning, deepest analysis, catches subtle issues other tiers miss.
Recommended for security-critical agents where accuracy matters most.
All Diamond + Full Assault on a large repo gets very expensive — reserve that combo for high-stakes releases where every line needs top-tier scrutiny.
Platinum
$0.0100 / 1K tokens
Comprehensive coverage with strong attack surface detection.
A great middle ground between Diamond's depth and Gold's economy.
Gold
$0.0070 / 1K tokens
Best value, production-grade. Frontier-class reasoning at a fraction of the cost — 128K context window.
Silver
$0.0006 / 1K tokens
Fast, lightweight analysis at a fraction of Diamond's cost.
Good default for improvement, design, and testing agents.
Bronze
$0.0001 / 1K tokens
Powered by our in-house specialized model. Extremely low cost. Best for informational and lower-priority agents where broad coverage matters more than maximum depth.
Note: Bronze scans are queued and processed locally, so they take longer than cloud tiers. Take a lunch.
What does "Recommended" mean?
Each agent has a default tier chosen for the best quality-to-cost ratio. Security agents default to Diamond because accuracy matters most there.
Improvement and design agents default to Silver. Informational agents default to Bronze.
Per-Agent Customization
Fine-Grained Control
Every agent card has a tier dropdown that lets you override its quality level individually.
Tier Preset Buttons
Use the Agent Tiers bar (above and below the agent grid) to set all agents at once:
Recommended, All Diamond, All Platinum, All Gold, All Silver, or All Bronze.
Individual Overrides
After setting a preset, click the dropdown on any specific agent card to promote or demote it.
The cost bar updates instantly.
Example workflow: Set everything to Silver with "All Silver", then promote just the
security agents (Razor, Sentinel, Vault, etc.) to Diamond. You get top-tier security analysis with budget-friendly coverage everywhere else.
File Browser
Choose What Gets Scanned
For Full Repo and Zip Upload scans, you'll see a file browser after submitting.
It shows every scannable file in your project with checkboxes.
Select / Deselect Directories
Click a folder checkbox to toggle all files inside it. Expand folders with the arrow to cherry-pick individual files.
Live Token & Cost Updates
As you check or uncheck files, the estimated token count and cost in the cost bar update in real time.
Deselect large directories (like docs/ or tests/) to cut cost significantly.
Auto-Filtered
Non-code files, binaries, node_modules,
vendor, and build artifacts are automatically excluded.
Only scannable code files appear in the browser.
Tip: Use "Select All" / "Deselect All" at the top right of the file browser, then add back only the directories you care about.
Understanding Cost
The Cost Bar
The cost bar appears below Step 3 and shows a live estimate based on your current configuration.
Combined Rate
The estimated total cost. Calculated as: tokens × tier_price for each selected agent, summed across all selected agents.
Each agent's tier price is applied individually.
Token Count
Shown as "886K tokens" etc. This is the estimated input size — roughly 4 characters = 1 token.
Files over 50KB are capped at 50KB each.
Cost Estimator
The live cost estimate updates as you select agents and tiers. You always see the total before you scan — no surprises.
Why is it an estimate?
We do our best to estimate as accurately as possible. The actual cost depends on how much output each agent produces.
The estimate covers input tokens (which are the vast majority of the cost).
Actual charges will be close to the estimate and typically slightly below.
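To make the cost-bar arithmetic above concrete (token estimate at roughly 4 characters per token, the 50KB per-file cap, the auto-filtered directories, and each agent's tier price applied individually and summed), here is an added example that re-creates it offline so you can sanity-check an estimate before a scan. It is not Hostile Review's own code. The per-1K-token prices, the directory names node_modules and vendor, and the agent names Razor, Sentinel and Vault come from this page; the scannable-file suffix list, the treatment of 50KB as 50,000 bytes, floor rounding of the token count, the extra build-output directory names and the non-security placeholder agent names are assumptions. It also walks through the "All Silver, then promote the security agents to Diamond" workflow described under Per-Agent Customization and the src/-only tip, so the two configurations can be compared on the same constructed repository.

```python
# Added example: offline re-creation of the cost-bar arithmetic described on this
# page. Not Hostile Review's own code; anything marked "assumption" is not from
# the page.
from pathlib import PurePosixPath
from typing import Dict, Optional, Set, Tuple

TIER_PRICE_PER_1K = {  # USD per 1K tokens, taken from the tier cards above
    "diamond": 0.0140,
    "platinum": 0.0100,
    "gold": 0.0070,
    "silver": 0.0006,
    "bronze": 0.0001,
}
CHARS_PER_TOKEN = 4       # "roughly 4 characters = 1 token"
FILE_CAP_BYTES = 50_000   # "files over 50KB are capped"; assumption: 50KB = 50,000 bytes
# node_modules and vendor are named on the page; build/dist are an assumption for build artifacts.
EXCLUDED_DIRS = {"node_modules", "vendor", "build", "dist"}
# Assumption: the real "scannable code" filter is not published, so this list is a stand-in.
CODE_SUFFIXES = {".py", ".js", ".ts", ".go", ".rs", ".java", ".rb", ".c", ".h"}


def is_scannable(path: str) -> bool:
    """Mirror the file browser's auto-filter: drop excluded dirs and non-code files."""
    p = PurePosixPath(path)
    if any(part in EXCLUDED_DIRS for part in p.parts):
        return False
    return p.suffix in CODE_SUFFIXES


def estimate_tokens(files: Dict[str, int], selected: Optional[Set[str]] = None) -> int:
    """files maps path -> size in bytes. selected is the set of paths left checked
    in the file browser (None means every scannable file). Each file contributes
    at most FILE_CAP_BYTES, then bytes are converted to tokens at 4 chars/token."""
    total_bytes = 0
    for path, size in files.items():
        if not is_scannable(path) or (selected is not None and path not in selected):
            continue
        total_bytes += min(size, FILE_CAP_BYTES)
    return total_bytes // CHARS_PER_TOKEN  # assumption: floor rather than rounding


def estimate_cost(tokens: int, agent_tiers: Dict[str, str]) -> Tuple[float, Dict[str, float]]:
    """Every selected agent reads the same input tokens; its own tier price is
    applied individually and the per-agent costs are summed (the Combined Rate)."""
    per_agent = {
        agent: tokens / 1000 * TIER_PRICE_PER_1K[tier]
        for agent, tier in agent_tiers.items()
    }
    return round(sum(per_agent.values()), 4), per_agent


def security_first(agents, security_agents: Set[str], base_tier: str = "silver") -> Dict[str, str]:
    """The 'All Silver, then promote just the security agents to Diamond' workflow."""
    return {a: ("diamond" if a in security_agents else base_tier) for a in agents}


# Constructed sample repository (sizes in bytes); not a real project.
SAMPLE_FILES = {
    "src/app.py": 12_000,
    "src/auth/handlers.py": 80_000,           # over 50KB: capped to 50,000 bytes
    "tests/test_app.py": 20_000,              # candidate for deselecting to save cost
    "docs/README.md": 30_000,                 # non-code: auto-filtered
    "node_modules/lodash/index.js": 500_000,  # auto-filtered
    "build/bundle.js": 900_000,               # auto-filtered (assumed build artifact dir)
}
# Razor, Sentinel and Vault are named on the page as security agents; the other
# three names are constructed placeholders for improvement/design/testing agents.
AGENTS = ["Razor", "Sentinel", "Vault",
          "placeholder-design", "placeholder-style", "placeholder-tests"]
SECURITY_AGENTS = {"Razor", "Sentinel", "Vault"}
SRC_ONLY = {"src/app.py", "src/auth/handlers.py"}

if __name__ == "__main__":
    tokens = estimate_tokens(SAMPLE_FILES)
    all_diamond, _ = estimate_cost(tokens, {a: "diamond" for a in AGENTS})
    mixed, per_agent = estimate_cost(tokens, security_first(AGENTS, SECURITY_AGENTS))
    print(f"{tokens} tokens; All Diamond ${all_diamond:.4f}, security-first ${mixed:.4f}")
    for agent, cost in per_agent.items():
        print(f"  {agent:20s} ${cost:.4f}")
    print(f"src/ only: {estimate_tokens(SAMPLE_FILES, SRC_ONLY)} tokens")
```

On the constructed repository the auto-filter leaves three files, the 80KB handler is capped, and the estimate comes out to 20,500 tokens; deselecting tests/ drops it to 15,500. With six agents, All Diamond costs $1.722 while the security-first configuration costs $0.8979 for the same input, which is the trade-off the Pro Tips below describe. Output tokens are not modelled here, so, as the page says, the real charge will differ slightly from this input-only figure.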
Pro Tips
Security-First Repos
Set security agents to Diamond, everything else to Silver or Bronze. You get top-tier vulnerability detection without paying Diamond prices for style suggestions.
Large Repositories
Use the file browser to exclude docs/, tests/, and generated code.
Scanning just src/ can cut costs by 50%+ while covering the code that matters.
Budget-Conscious Scans
Start with Quick Scan (26 agents) at Recommended tiers. This gives excellent coverage for most projects at a fraction of Full Assault cost.
Save Your Defaults
After dialing in your preferred agents and tiers, click "Save as Default" in the preset area. Your configuration persists across sessions so you don't have to set it up again.
About False Positives
False Positives Happen — Here's Why
Hostile Review agents analyze code statically — they read it, they don't run it. That means they can't know
your runtime environment, infrastructure, deployment configuration, or the full context of how your application
actually operates in production. Some findings will inevitably flag things that aren't real issues in your specific setup.
Environment-Dependent Code
An agent might flag a missing authentication check that's actually handled by a reverse proxy, API gateway,
or middleware that isn't visible in the scanned code. It doesn't know what sits in front of your app.
Outdated Documentation
If docs, comments, or READMEs don't match the current code, agents will flag the contradictions.
These aren't bugs per se — but they're a signal that your documentation needs updating.
Stale docs mislead developers and AI tools alike, so catching them early is a win.
Framework Conventions
Frameworks handle things implicitly — Django's CSRF protection, Rails' parameter sanitization, Next.js server components.
Agents may flag a "missing" check that the framework handles automatically.
Intentional Design Decisions
Sometimes code that looks risky is intentional — a public endpoint that's meant to be unauthenticated,
a permissive CORS policy for a local dev tool, or debug logging left in for a staging build.
The right approach: Treat every finding as worth a second look, but use your judgment.
A false positive means the agent was being cautious — better to flag something safe than miss something dangerous.
Dismiss what doesn't apply, investigate what does. That's the value of adversarial review: it forces you to
consciously decide rather than unconsciously assume.