Speedwave · Open source AI-SDLC platform · Built for BFSI

Speedwave is the developer productivity platform for BFSI.

The open source AI-SDLC platform that lets your engineers ship 15–20% faster in regulated environments. Sandboxing, PII tokenisation, full audit trail, DORA-ready compliance and 13-agent code review — around the AI assistant you already use.

Works with: Claude Code ★, Cursor, VS Code, IntelliJ, local LLMs (★ deepest integration with Claude Code)
github.com/speednet-software/speedwave · 15-20% delivery velocity · Built by Speednet — 24+ years in banking

You do not have to choose between AI velocity and BFSI compliance.

Most banks and fintechs treat this as a trade-off. Speedwave breaks it — 15–20% faster delivery with full audit trail, PII tokenisation, and DORA-ready exit strategy.

Challenge 01: Shadow AI

Engineers are already using AI — pasting code into Claude, ChatGPT and Copilot on personal devices, without audit trail. Banks cannot stop it without a sanctioned alternative. Speedwave is that alternative.

Challenge 02: Compliance under DORA, AI Act, GDPR

DORA, AI Act and GDPR each impose specific requirements on AI tools in financial services. Most enterprise AI tools were not built with these regulations in mind. Speedwave was.

Challenge 03: Vendor lock-in and credential exposure

Routing all AI traffic through a vendor SaaS puts a third party in the credential path between your engineers and Anthropic. Speedwave is open source and your API keys never touch our servers.

Numerous capabilities. One installer.

Works alongside Claude Code, Cursor, or Copilot from minute one. No Docker, no Kubernetes, no IT ticket.

01 It is one installer
One package (.dmg, .exe, .deb) — Lima or WSL2 are bundled. No Docker Desktop, no Kubernetes, no IT setup. Installs alongside Claude Code, Cursor, or Copilot on each engineer workstation.
02 It is a hardened container
When your engineer asks the assistant to do something, it runs inside a Speedwave container — isolated from SSH keys, .env files, secrets, and other projects. The container is what the assistant can see. Your machine is what it cannot.
03 It is a tool gateway
Speedwave exposes to Claude only two tools: "search for the right tool" and "execute code". Context window stays constant no matter how many integrations you connect.
04 It is a PII tokeniser
Sensitive data — PESEL, NIP, IBAN, phone, email, card numbers — tokenised before reaching the model. Tokens are stable within a session and reversed locally. The model never sees your real data.
05 It is a 13-agent code review pipeline
Every commit goes through 13 specialised agents in parallel — security, test coverage, SOLID, KISS, YAGNI, DRY, duplications, silent failures, comments, documentation, type design, simplifications, project conventions.
06 It is a full audit log
Every AI action logged from minute one — read, write, delete, with timestamp and attribution. No configuration required. Ready for your CISO and your auditor.
07 It comes with trusted integrations
Speedwave gives teams trusted, maintained integrations for tools like Jira and Redmine — secured in containers, centrally logged and updated with every release.
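
An added Python example (not Speedwave's own code) of the behaviour item 04 describes: values are replaced before text leaves the workstation, the same value maps to the same token for the whole session, and the mapping that reverses it stays local. The regexes, token format and `SessionTokeniser` name are assumptions, and the PESEL, IBAN and e-mail values are constructed samples.

```python
import re
import secrets

# Assumed detection patterns for three of the listed data types.
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),  # compact form, no spaces
    "PESEL": re.compile(r"\b\d{11}\b"),
}

def pesel_ok(v):
    # PESEL check digit: weights 1,3,7,9 repeated over the first ten digits.
    total = sum(w * int(d) for w, d in zip((1, 3, 7, 9, 1, 3, 7, 9, 1, 3), v))
    return (10 - total % 10) % 10 == int(v[10])

def iban_ok(v):
    # ISO 13616: move first four characters to the end, letters -> 10..35, mod 97 == 1.
    return int("".join(str(int(c, 36)) for c in v[4:] + v[:4])) % 97 == 1

# Checksums cut false positives: an 11-digit order number is not a PESEL.
VALIDATORS = {"PESEL": pesel_ok, "IBAN": iban_ok}

class SessionTokeniser:
    # Hypothetical class: one instance per session; the mapping stays in this process.
    def __init__(self):
        self._forward = {}  # (kind, real value) -> token
        self._reverse = {}  # token -> real value

    def _token(self, kind, value):
        if (kind, value) not in self._forward:
            token = f"<{kind}_{secrets.token_hex(4)}>"  # random: reveals nothing about value
            self._forward[(kind, value)] = token
            self._reverse[token] = value
        return self._forward[(kind, value)]

    def tokenise(self, text):
        """Replace detected values; apply to everything sent to the model."""
        for kind, pattern in PATTERNS.items():
            valid = VALIDATORS.get(kind, lambda v: True)
            def swap(m, kind=kind, valid=valid):
                return self._token(kind, m.group()) if valid(m.group()) else m.group()
            text = pattern.sub(swap, text)
        return text

    def detokenise(self, text):
        """Restore real values in the model's reply; unknown tokens stay untouched."""
        return re.sub(r"<[A-Z]+_[0-9a-f]{8}>",
                      lambda m: self._reverse.get(m.group(), m.group()), text)

# Constructed sample prompt (test data, not real people).
SAMPLE = ("Customer 90010112349 (jan.kowalski@example.com) asked to close "
          "PL61109010140000071219812874; ticket ref 12345678901.")
```

Because tokens are random per session rather than derived from the value, a token seen in one session's logs cannot be correlated with another session or brute-forced back to a PESEL.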

Speedwave adds value across your entire organisation.

The same platform serves seven roles in your delivery organisation. Pick the role that is yours.

For Developers

Your AI coding assistant in a hardened container. 13-agent code review on every commit. Existing .claude/ skills work from minute one. Local LLM fallback when your network requires it.

For CTO / CISO

11-layer defense-in-depth. Prompt injection FAQ answered honestly. Direct client-Anthropic relationship. Open core licensing with DORA exit strategy.

For QA / Testers

Describe a test in plain language. Speedwave writes it and runs it in an isolated environment. Intelligent regression scope.

For Security Managers

Full audit log from minute one. EU AI Act-ready event categories. Plugin signature verification. Optional SIEM telemetry through Auditor.

For PM / Delivery Managers

Sprint status, blockers, dependencies — answered in chat instead of clicked across Jira, Slack, GitLab.

For HR / Recruiters

CV ranking with justification, in a sandbox. Sensitive data tokenised before it reaches the model. Audit trail for every shortlist decision.

For Marketing & Analytics

Data for a case study without waiting on a PM. Speedwave pulls from project systems with permission boundaries that match your role.

Stay on top of AI security risks.

11 independent defense layers that let your engineers move at AI speed without putting your organisation at risk. Defense-in-depth — if one layer is bypassed, the next still holds.

Layer 1: Workstation isolation

Lima (macOS) / rootless nerdctl (Linux) / WSL2 (Windows). Container-level isolation from the host. 22 sandbox-escape patterns blocked (OWASP-aligned). File system isolation per project.

Layer 2: Tool gateway and PII protection

MCP gateway exposes only two tools to Claude. SecurityCheck gate (fail-closed) on every request. PII tokenisation before model invocation. API keys go directly to Anthropic — never to Speednet.

Layer 3: Audit and integrity

Full audit log of every action (READ/WRITE/DELETE/timestamp). Log sanitisation. Plugin signature verification (Ed25519). Auto-updater with SHA-256 binary verification. Optional OTEL to your SIEM.

11 independent defense layers

01 Kernel-level isolation (Lima / nerdctl / WSL2)
02 Container hardening, OWASP-aligned
03 Network isolation per project
04 Credential isolation
05 JavaScript sandbox — 22 escape patterns blocked
06 PII tokenisation
07 Routing validation
08 SecurityCheck (fail-closed gate)
09 Secret file permissions (0o600)
10 Authentication gateway
11 Log sanitiser

Apache 2.0. Public on GitHub. Verify it yourself.

Apache 2.0 is what makes Speedwave bankable. Your security team audits the code without an NDA. Your procurement gets a built-in DORA exit strategy. Your engineers stay free of vendor lock-in.

Why open source for an AI security tool

Your security team can read every line of code — no NDA required.
Explicit patent grant protects you against patent claims.
Perpetual access to the codebase even if Speednet disappears — DORA exit strategy.
Plugin signatures (Ed25519) prevent unauthorised plugin substitution.

What is open — and what is not

Speedwave core (gateway, sandbox, PII, audit log, 13-agent review): Apache 2.0
Custom plugins built for you: Customer-owned
Configurations, data, logs: Customer-owned
Auditor (fleet management, dashboards): Commercial
SLA, training, compliance documentation packs: Subscription

Scale Speedwave to your entire engineering organisation — with full board-level visibility.

Once you go past a single team, you need three things SaaS cannot give you on its own: central governance across the fleet, AI Act-ready system registry, and a compliance documentation pack your CISO and auditor can hand to the regulator. Auditor delivers all three.

SSO + RBAC: Microsoft Entra ID, 9 permission areas, fleet-wide central management
AI Registry: AI Act Art. 51-52 and ISO 42001. Risk classification and governance workflow
34 metrics: DeepEval, RAGAS, Promptfoo — PII Leakage, Prompt Injection, SQL Injection Guard
139 events: Full audit trail (Kafka + Debezium CDC). OTLP/HTTP to Splunk, QRadar, Datadog
32 docs: Compliance documentation pack, 3 phases, gap analysis with severity classification

Full compliance coverage out of the box.

Speedwave + Auditor cover regulatory frameworks for AI in regulated environments.

EU AI Act (Regulation EU 2024/1689)
  • Art. 5-6 risk classification
  • Art. 12 full audit logging
  • Art. 51-52 AI System Registry
GDPR (Data protection)
  • Art. 5 data minimisation (tokenisation)
  • Art. 25 privacy by design
  • Art. 32 security measures
DORA (Regulation EU 2022/2554)
  • Art. 33 exit strategy
  • Apache 2.0 = perpetual code access
  • Local LLMs as network fallback
ISO 27001 (2022 edition)
  • A.8.25 secure dev lifecycle
  • Annex A.8.15 logging
  • A.5.19 supplier security
ISO 42001 (AI management systems)
  • Clause 6 AI risk planning
  • AI System Registry
  • Clause 8 AI lifecycle
KNF / EBA (Banking supervisory guidelines)
  • KNF cloud circular requirements
  • EBA ICT and security risk
  • Audit trail for supervisory access

Frequently asked questions

Does Speedwave send our code to Speednet servers?
No. Speedwave is an on-workstation tool. Your code and data stay on your machine. API calls go directly from your workstation to Anthropic (or your chosen LLM provider). Speednet servers are not in the data path.
What happens to our API keys?
Your API keys are stored locally on the engineer's workstation. They are used to make direct calls to Anthropic. They never pass through Speednet infrastructure. Credential isolation is one of the 11 defense layers.
Is there a risk of prompt injection?
Yes, the risk exists for all AI tools. Speedwave reduces it through the tool gateway (two-tool model), SecurityCheck (fail-closed gate), and container isolation that limits blast radius. We are the only AI-SDLC platform to publish a dedicated Prompt Injection FAQ.
What is the difference between Speedwave core and Auditor?
Speedwave core is the per-workstation tool: container, gateway, PII tokenisation, 13-agent code review, audit log. Apache 2.0 open source. Auditor is the enterprise module: central governance, AI System Registry, dashboards, SIEM integration, compliance documentation. Commercial subscription.
Can we use local LLMs instead of cloud APIs?
Yes. Speedwave supports local LLM backends (Ollama, LM Studio). Recommended for teams that cannot route AI traffic to external services due to network policy or data classification. DORA exit strategy includes local LLM fallback.
What does the AI-SDLC Readiness Workshop include?
A 2-day on-site or remote workshop led by Speednet engineers. Output: current-state assessment of your SDLC, identification of AI integration points, DORA and AI Act gap analysis, and a concrete implementation roadmap — tailored to your BFSI context.
Do you offer SLA for the open source core?
The Apache 2.0 core comes without SLA. SLA, priority support, and custom development are available through the Speedwave Team or Enterprise subscription. Community support is available through GitHub Discussions.
Read the code first

Apache 2.0. Public GitHub. Your security team can audit every line before your procurement talks to anyone.

Talk to us about Speedwave

30-min scoping call or the AI-SDLC Readiness Workshop. We scope your BFSI environment, map the regulatory requirements, and give you a concrete implementation plan.
