Introducing Touchstone
Apr 2, 2026

AI has made security faster, sharper, and more accessible than ever. Teams are finding more bugs, reviewing code quicker, and catching things that would have slipped through a year ago. The productivity gains are real.
But AI also created a problem nobody was ready for.
The same models that make security more efficient also make noise harder to detect. When findings are right, they can save you hours and potentially prevent an exploit. When they're wrong, they cost you hours instead, because on the surface a wrong finding can look indistinguishable from a right one.
The industry has started calling this AI slop - findings that reference real code, follow sound logic, and sometimes even produce PoCs that compile and run, but fall apart under scrutiny because of assumptions the model never verified.
The cost of this is adding up fast. Maybe you’re a protocol team running AI tools on your own codebases and can’t easily tell which flagged vulnerabilities actually matter. Your bug bounty submissions have significantly spiked in volume and you’re routing the same finding through multiple AI models, hoping to cross-validate. You watch as your engineering time disappears. Figuring out which findings are actually valid goes from a side task to a full-time job.
Or maybe you’re on the other side of the table. You’re a security researcher who spent real time on a finding, but you’re still not sure it holds. Whether it’s a contest, a bounty, or a client audit, you’re wondering if what you found is actually valid, or if you’re about to spend another sleepless night chasing something that might not land. Regardless of which side you’re on, you’re stuck asking the same question: is this real?
The gap between "looks exploitable" and "is exploitable" still takes the best people hours, days, sometimes entire weeks to close, because the tools available today stop at analysis. And analysis alone can't give you a definitive answer.
So we built something that does.
Introducing Touchstone by Shepherd.
Touchstone takes claimed vulnerabilities and executes them against your contracts. It traces the full context across the codebase (safeguards, architectural and design decisions, code comments) to build the complete picture around the finding, and it models realistic attacker profit, not theoretical maximums.
You get back a structured verdict, the reasoning and evidence behind it, and everything you need to act on it confidently.
It doesn’t matter where the finding came from or which side of the table you’re sitting on. We built this for everyone stuck asking the same question, whether you’re reviewing findings or producing them.
Security is a shared problem. The security researchers finding vulnerabilities and the protocols fixing them are working toward the same goal: to create a safer ecosystem. And nothing should hinder that.
That’s why we’re releasing Touchstone for free.
We believe that when better tools are available to everyone, the whole space moves forward.
Stop guessing, start verifying.
Supports EVM today.
Try it on your next finding: app.useshepherd.io