June 9, 2026
Refuse to refuse? Comments refuse peace
Show HN: We post-trained a model that pen tests instead of refusing your code
AI bug hunter launches, but the comments instantly turn into an AI-authenticity brawl
TLDR: Cosine launched an AI tool that scans code for security problems and says it’s trained not to refuse sensitive security work. But the tiny comment thread stole the show, with people instantly arguing over whether the launch post itself was written by AI.
A startup rolled into Hacker News with a bold pitch: a command-line tool that scans your software for security holes and, in a separate mode, can try attacks on systems you explicitly approve. The company’s big flex is that it won’t chicken out the way many chatbots do when asked to examine risky code. It runs locally, costs $20 a month to actually scan, and promises a grounded report with what’s wrong, how serious it is, and how to fix it. In plain English: it’s selling an AI security guard that reads your code without changing it.
But the real fireworks were in the comments, where the crowd immediately swerved from the product to a much juicier question: was the post itself written by AI? One commenter came in swinging with, “Don’t post generated text,” basically accusing the launch of sounding machine-made. Another shot back that the submission was, at least partly, clearly chatbot-written anyway. Then came the killer line: after the founder said, “I’ll be in the thread all day,” someone dryly replied, “Yeah, now that’s flagged.” Brutal.
So while the product is about teaching AI to stop refusing scary code, the community drama became a mini morality play about whether humans are still talking to humans online. The tool promised no “vibes-based vulnerabilities,” but the thread absolutely delivered vibes-based suspicion, sarcasm, and the kind of nerdy side-eye that turns a launch post into a spectator sport.
Key Points
- Cosine’s cos CLI has two modes: Security Scan for reading code and producing reports, and Pen Test for attempting exploits against authorized targets.
- Security Scan mode is described as read-only, with a Go harness that intercepts tool calls and blocks mutating actions such as file writes and command execution.
- The article says Security Scan mode does not perform fuzzing, DAST, or live exploitation, and only reports findings it can ground in the code.
- Cosine says scan runtime scales sub-linearly through parallel module execution, citing about 10 minutes for roughly 30k LOC and about 40 minutes for roughly 1.5M LOC.
- The product is described as a closed binary that runs locally, built on Cosine’s own post-trained offensive-security model, with scans requiring a $20/month subscription.
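The read-only harness described in the Security Scan point amounts to a policy gate in front of every tool call the model issues. Below is an added Go sketch of that idea, written for this article and not Cosine's code; the JSON shape and the tool names are assumptions, and unknown tools are denied (fail closed) rather than assumed harmless.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ToolCall is the assumed shape of a model-issued tool request
// (constructed for this example; the real harness format is not public).
type ToolCall struct {
	Name string          `json:"name"`
	Args json.RawMessage `json:"args"`
}

// Tools a read-only scan may use, and tools that mutate state (always blocked).
var readOnlyTools = map[string]bool{"read_file": true, "list_dir": true, "grep": true}
var mutatingTools = map[string]bool{"write_file": true, "delete_file": true, "run_command": true}

var ErrBlocked = errors.New("blocked by read-only policy")

// Gate parses a raw tool call and decides whether it may execute.
// Mutating and unknown tools are refused; only allowlisted readers pass.
func Gate(raw []byte) (ToolCall, error) {
	var tc ToolCall
	if err := json.Unmarshal(raw, &tc); err != nil {
		return tc, fmt.Errorf("malformed tool call: %w", err)
	}
	switch {
	case mutatingTools[tc.Name]:
		return tc, fmt.Errorf("%s: %w", tc.Name, ErrBlocked)
	case readOnlyTools[tc.Name]:
		return tc, nil
	default:
		return tc, fmt.Errorf("%s: unknown tool: %w", tc.Name, ErrBlocked)
	}
}

func main() {
	// Constructed sample calls: one reader, one mutator, one unknown tool.
	for _, raw := range []string{
		`{"name":"read_file","args":{"path":"main.go"}}`,
		`{"name":"run_command","args":{"cmd":"make clean"}}`,
		`{"name":"upload","args":{}}`,
	} {
		if tc, err := Gate([]byte(raw)); err != nil {
			fmt.Println("DENY ", err)
		} else {
			fmt.Println("ALLOW", tc.Name)
		}
	}
}
```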