📋Introduction

Chaos Kitten is an open-source, agentic AI security testing tool designed to intelligently find vulnerabilities in APIs. This Privacy Policy explains how the tool operates, what data it processes, and your rights when using it.

Important: Chaos Kitten is a locally-run security testing tool. It does not collect, store, or transmit your personal data to any external servers operated by the project maintainers.

🐱What is Chaos Kitten?

Chaos Kitten is an AI-powered security scanner that:

  • Parses OpenAPI specifications to understand your API structure
  • Generates attack payloads using a large language model (Anthropic Claude or OpenAI GPT) that you configure
  • Tests for vulnerabilities including SQL injection, XSS, authentication flaws, and more
  • Provides detailed security reports in multiple formats (HTML, JSON, SARIF, JUnit)
  • Runs locally on your machine or in your CI/CD pipeline

🔍Data Processing

When you run Chaos Kitten, the following data is processed:

Local Data Processing

  • API specifications: Your OpenAPI/Swagger files are read locally to map endpoints
  • API responses: HTTP responses from your target API are analyzed for vulnerabilities
  • Configuration files: Settings from chaos-kitten.yaml and .env files
  • Authentication credentials: API keys, tokens, or TOTP secrets you configure (stored locally only)
  • Scan results: Generated reports are saved to your local filesystem

Third-Party LLM API Usage

Chaos Kitten sends the following data to your configured LLM provider (Anthropic or OpenAI):

  • API endpoint structures and parameter schemas
  • Sample request/response data for vulnerability analysis
  • Context needed to generate intelligent attack payloads

⚠️ Important: Because sample request and response data is forwarded to the LLM provider, anything present in your API responses (personal data, tokens, internal hostnames, and similar) may be sent to that third party. Consider scanning against a staging environment with non-sensitive data, and review the providers' privacy policies:

  • Anthropic Privacy Policy
  • OpenAI Privacy Policy

🚫Data We Don't Collect

The Chaos Kitten project maintainers do NOT collect:

  • Personal information (name, email, location)
  • Your API endpoints or target URLs
  • Scan results or vulnerability findings
  • Authentication credentials or API keys
  • Usage analytics or telemetry data
  • Logs of your security testing activities

✓ Privacy-First Design: Apart from the LLM API calls described above, Chaos Kitten operates entirely on your infrastructure. No data leaves your environment unless you explicitly configure an external integration, and the project maintainers never receive any of it.

Questions or Concerns?

If you have questions about this Privacy Policy or how Chaos Kitten handles data, please:

• Open an issue on GitHub Issues
• Join the discussion on GitHub Discussions
• Contact the maintainer: @mdhaarishussain