Design-partner programme open

Catch the vulnerability.
Cite the regulation.
Open the fix.

Osynax is an autonomous AI reviewer for GitHub pull requests. It produces remediation diffs grounded in UK regulatory frameworks, with verbatim regulatory citations on every finding.

Self-hosted / Designed for UK financial services, healthcare, and government engineering teams
The gap

Modern code velocity. Regulated review timelines.

Engineering teams in UK regulated industries ship faster than security and compliance review can keep pace with. Manual review by senior engineers and second-line risk functions does not scale to the volume or cadence of modern pull-request traffic, and the bottleneck shows up either as shipping delays or as risk taken on under time pressure.

Existing static-analysis tooling closes part of the gap, but tends to surface noise rather than signal — long lists of low-severity findings without the regulatory context a compliance reviewer needs to act on them. Findings sit in queues; queues age; nothing reaches the regulator's bar of evidence.

Regulatory and risk teams need audit-grade evidence of why a change was approved or blocked, with citations to the specific clause or article that justified the decision — not a severity score, and not a private model's opinion. That gap, between code review and regulatory review, is where Osynax sits.

Pipeline

How it works

Four stages run on every pull request opened against a configured repository. Each finding emerges with a clause citation, a verdict, and — where appropriate — a remediation diff opened back into your codebase for human review.

01 / Detect

Static analysis runs against every pull request and flags candidate findings.

02 / Evaluate

Findings are cross-referenced against a hybrid retrieval corpus of compliance clauses to determine which regulations apply.

03 / Audit

A reasoning agent produces a verdict per finding, citing the specific clause and source URL.

04 / Remediate

Where appropriate, Osynax opens a remediation pull request back into the customer's repository for human review.

Building blocks

Built in Go and TypeScript. Embeddings via Voyage AI. Hybrid retrieval over Postgres with pgvector. Reasoning via the Anthropic API, customer-configured.

Retrieval corpus

Frameworks the agent grounds findings in

The retrieval layer indexes verbatim clause text from each of the corpora below. Citations attached to a finding link back to the clause, the source URL, and the licence under which it was retained.

OWASP Top 10:2025 · Web application risk taxonomy · 10 entries indexed
CWE Top 25:2025 · Common Weakness Enumeration · 25 entries indexed
FCA SYSC · Senior Management Arrangements, Systems and Controls · 161 clauses indexed
UK GDPR (2021) · Articles and recitals · 272 clauses indexed
Data Protection Act 2018 · Selected sections and schedules · 47 clauses indexed
ICO Guidance (2026 Q2) · Information Commissioner's guidance corpus · 61 clauses indexed

Verbatim clause text retained per source. Source URLs and licence terms preserved on every citation.

Deployment

Your repository stays inside your perimeter.

Osynax is delivered as customer-self-hosted software. The full stack runs inside your perimeter via Docker — orchestration core, retrieval database, and analysis agents — packaged for deployment on your own infrastructure.

Your source repository stays in your infrastructure. The only outbound traffic from your perimeter is the inference call you control — and it carries only a sanitised, comment-stripped diff of the change under review, never your full codebase. That call runs against the Anthropic API under your own credentials: your egress, your audit trail. Osynax Ltd never receives your code.
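The data-minimisation step described above, as an added illustration and not Osynax's own code: a Go function that reduces a pull-request diff to its hunks with source comments removed before it is passed to the outbound inference call. The unified diff, the file name auth.go and the comment conventions (// and #) are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: a unified diff for one PR, as GitHub delivers it.
// The comments carry ticket numbers and notes that must not leave the perimeter.
const sampleDiff = `diff --git a/auth.go b/auth.go
--- a/auth.go
+++ b/auth.go
@@ -10,4 +10,5 @@ func login(u string) {
 	tok := issue(u) // TODO(alice): rotate signing key; ticket SEC-123
-	store(tok)
+	// temporary: skip expiry check until Q3
+	store(tok) // expires never
+	log.Printf("token %s", tok)
 }
`

// Assumption: comments start with // or #. String literals are not inspected
// (a "//" in a URL literal is cut too); production would use a tokenizer.
var lineComment = regexp.MustCompile(`\s*(//|#).*$`)

// SanitizeDiff keeps file/hunk headers and +/-/context lines, strips trailing
// comments and drops comment-only lines. Output is model input, not a patch.
func SanitizeDiff(diff string) string {
	var out []string
	inHunk := false
	for _, line := range strings.Split(diff, "\n") {
		switch {
		case strings.HasPrefix(line, "diff --git"), strings.HasPrefix(line, "@@"):
			inHunk = strings.HasPrefix(line, "@@")
			out = append(out, line)
		case !inHunk && (strings.HasPrefix(line, "--- ") || strings.HasPrefix(line, "+++ ")):
			out = append(out, line) // old/new file names, needed for the finding
		case len(line) > 0 && strings.ContainsRune("+- ", rune(line[0])):
			body := lineComment.ReplaceAllString(line[1:], "")
			if strings.TrimSpace(body) == "" {
				continue // comment-only line: nothing left to review
			}
			out = append(out, line[:1]+body)
		}
	}
	return strings.Join(out, "\n")
}

func main() { fmt.Println(SanitizeDiff(sampleDiff)) }
```

Only the changed hunks and their file names leave the perimeter; the full repository is never read by this step.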

Installation and updates ship through a versioned Docker image. The platform team that runs your existing GitHub Enterprise, Snyk, or SonarQube installations is the team that runs Osynax.

fig.01 — Deployment topology: a GitHub pull_request webhook reaches the customer VPC (Docker), which runs the Go core for orchestration, TypeScript agents for analysis and audit, Postgres + pgvector for retrieval, and Redis as queue and cache. The clause corpus (OWASP, CWE, FCA SYSC, UK GDPR, DPA 2018, ICO Guidance) is indexed locally. The only outbound connection is the customer-configured LLM endpoint (Anthropic API).

Verticals

Built for regulated industries

Osynax is designed for engineering organisations that ship code under a supervised regulatory perimeter. The corpora and retrieval layer are tuned to the obligations these sectors carry.

01 — Financial services

FCA-supervised institutions, banks, building societies, and FinTechs operating under SYSC and UK GDPR.

02 — Healthcare

NHS trusts, healthtech vendors, and clinical-data platforms operating under UK GDPR, the DPA 2018, and ICO health-data guidance.

03 — Government

Central government, local authorities, and public-sector vendors with data-protection and audit-trail obligations.

Pilot programme

Talk to us about a pilot.

Osynax is opening a design-partner programme for UK regulated industries. If you run engineering, security, or compliance for a regulated UK enterprise and you'd like to evaluate Osynax against your own pull-request workflow, we'd like to hear from you.

Osynax Ltd · Registered in England and Wales · Company No. 17153595 · 167-169 Great Portland Street, Fifth Floor, London W1W 5PF
ICO registered. UK GDPR-aligned by design.