Annexo
Verify an agent

Free · self-serve · checks your own site

Is your site safe?

Give Annexo a URL and it runs a black-box check of your website — security headers, TLS, cookies, version leakage and CORS — and checks how AI is used on the page. For sites you own, it can also stress-test whether a public endpoint rate-limits. Out comes a holding / watch / surfaced report with the top fix.

  • Security hygiene: CSP, HSTS, X-Content-Type-Options, frame protection, Referrer-Policy, Permissions-Policy, cookie flags, CORS, version leakage.
  • TLS enforced (http redirects to https) and a small fixed safe-path check (/.env, /.git, security.txt). No brute-forcing.
  • AI surface: detects chatbot widgets and chat endpoints, and flags a missing AI disclosure (EU AI Act Art. 50, applies 2 Aug 2026).
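The passive security-hygiene checks in the list above, as an added example and not Annexo's own code: a Python module that evaluates one captured set of HTTP response headers (the weak sample and the hardened set are constructed for illustration) and rolls the findings into the holding / watch / surfaced status with a top fix. The severity levels and thresholds, such as the 180-day minimum for HSTS max-age, are assumptions of this example, not the product's rules.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, check, detail)
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample responses (made up; not captured from any real site).
# Multi-valued headers such as Set-Cookie are lists.
WEAK_HEADERS: Dict[str, List[str]] = {
    "Strict-Transport-Security": ["max-age=300"],
    "Content-Security-Policy": ["default-src 'self'; script-src 'self' 'unsafe-inline'"],
    "X-Content-Type-Options": ["nosniff"],
    "Referrer-Policy": ["no-referrer-when-downgrade"],
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly", "theme=dark; Path=/"],
    "Access-Control-Allow-Origin": ["*"],
    "Server": ["nginx/1.18.0"],
}
HARDENED_HEADERS: Dict[str, List[str]] = {
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Content-Security-Policy": ["default-src 'self'; frame-ancestors 'none'"],
    "X-Content-Type-Options": ["nosniff"],
    "Referrer-Policy": ["strict-origin-when-cross-origin"],
    "Permissions-Policy": ["camera=(), microphone=()"],
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}


def header(headers: Dict[str, List[str]], name: str) -> List[str]:
    """Case-insensitive lookup returning every value of a possibly repeated header."""
    return [v for k, vals in headers.items() if k.lower() == name.lower() for v in vals]


def csp_directives(value: str) -> Dict[str, List[str]]:
    """Parse a CSP value into {directive: [source tokens]}."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_headers(headers: Dict[str, List[str]]) -> List[Finding]:
    """Run the passive hygiene checks; thresholds here are assumptions of this example."""
    f: List[Finding] = []
    hsts = header(headers, "Strict-Transport-Security")
    if not hsts:
        f.append(("high", "hsts", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        max_age = int(m.group(1)) if m else 0
        if max_age < 15552000:  # 180 days (assumed minimum)
            f.append(("medium", "hsts", f"HSTS max-age={max_age} is below 180 days"))
    csp = header(headers, "Content-Security-Policy")
    directives = csp_directives(csp[0]) if csp else {}
    if not csp:
        f.append(("high", "csp", "Content-Security-Policy missing"))
    else:
        scripts = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            f.append(("medium", "csp", "CSP allows 'unsafe-inline' scripts"))
        if "default-src" not in directives:
            f.append(("medium", "csp", "CSP has no default-src fallback"))
    if [v.lower() for v in header(headers, "X-Content-Type-Options")] != ["nosniff"]:
        f.append(("low", "content-type-options", "X-Content-Type-Options is not 'nosniff'"))
    if "frame-ancestors" not in directives and not header(headers, "X-Frame-Options"):
        f.append(("medium", "frame", "no frame-ancestors or X-Frame-Options (clickjacking)"))
    ref = header(headers, "Referrer-Policy")
    if not ref:
        f.append(("low", "referrer", "Referrer-Policy missing"))
    elif ref[0].lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        f.append(("low", "referrer", f"Referrer-Policy '{ref[0]}' leaks full URLs cross-origin"))
    if not header(headers, "Permissions-Policy"):
        f.append(("low", "permissions", "Permissions-Policy missing"))
    for cookie in header(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        missing = [x for x in ("secure", "httponly", "samesite") if x not in attrs]
        if missing:
            f.append(("medium", "cookies", f"cookie '{name}' lacks {', '.join(missing)}"))
    acao = header(headers, "Access-Control-Allow-Origin")
    creds = header(headers, "Access-Control-Allow-Credentials")
    if acao == ["*"] and creds and creds[0].lower() == "true":
        f.append(("high", "cors", "wildcard origin combined with Allow-Credentials"))
    elif acao == ["*"]:
        f.append(("low", "cors", "wildcard Access-Control-Allow-Origin"))
    for name in ("Server", "X-Powered-By"):  # version leakage
        for v in header(headers, name):
            if re.search(r"\d+\.\d+", v):
                f.append(("low", "version-leak", f"{name} reveals a version: {v}"))
    return f


def evaluate(headers: Dict[str, List[str]]) -> dict:
    """Roll findings up into a holding / watch / surfaced status plus the top fix."""
    findings = sorted(check_headers(headers), key=lambda x: SEVERITY_RANK[x[0]])
    severities = {s for s, _, _ in findings}
    status = "surfaced" if "high" in severities else "watch" if "medium" in severities else "holding"
    return {"status": status, "top_fix": findings[0] if findings else None, "findings": findings}


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        report = evaluate(hdrs)
        print(f"{label}: {report['status']} -> top fix: {report['top_fix']}")
```

The weak sample lands on "watch" with the short HSTS max-age as the top fix; the hardened set produces no findings and lands on "holding". A missing header scores higher than a weak one, so a response with no CSP or no HSTS at all is "surfaced" regardless of the rest.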

Active probe — only for sites you control

Tick this to enable the bounded rate-limit probe: a small, hard-capped burst (max 10 requests, a few seconds) that observes whether a public endpoint throttles abuse. It is a defensive check, never a load test or DoS tool — and it only runs on sites you affirm you control.

One safe read-only request for the passive scan. We never store your URL.

This reports observed behaviour at one point in time — assurance evidence, not a certification, security warranty, penetration test, or legal advice. Annexo is not a notified body. The check only ever sends safe, standard requests to the URL you provide.

About Annexo

Annexo is the independent trust layer for AI agents: it verifies how a third party’s AI agent actually behaves with live tests, watches it for drift, and produces audit-ready evidence for buyers, regulators and insurers. Every result is observed behaviour at the time of testing — never a certification, conformity assessment, guarantee, or legal advice. Annexo is not a notified body.

Frequently asked questions

What is Annexo?
Annexo is an independent trust layer for AI agents. It verifies how a third party’s AI agent actually behaves with live behavioural probes, watches it for drift over time, and produces audit-ready assurance evidence a buyer, regulator or insurer can rely on. The thesis is simple: a builder cannot credibly grade its own homework, so verification has to be independent.
Who is Annexo for?
EU and DACH enterprises deploying AI agents in regulated settings — insurance, banking, industrial — and the consultancies that build agents for them. Later, insurers underwriting agent risk.
How does Annexo verify an AI agent?
Point the verify console at your own AI agent endpoint or run a built-in sample agent. A live probe battery runs against it — prompt injection, tool poisoning, guardrails under pressure, AI disclosure, PII handling, request logging — and resolves into an evidence dashboard. Your agent’s API key is held in memory for that one request only and is never stored.
Does Annexo certify or guarantee that an AI agent is compliant?
No. Annexo is not a notified body and does not certify, guarantee, or give legal advice. Every result is observed behaviour at the time of testing, reported as a status — holding, watch, or surfaced — never a pass/fail verdict or a conformity assessment.
What about EU regulations like the EU AI Act, GDPR, DORA and NIS2?
Annexo also produces done-for-you EU conformity dossiers — the evidence and technical documentation mapped to the EU AI Act, GDPR, DORA and NIS2, produced from your system and audit-ready. It is the deliverable, not a substitute for your own counsel or a conformity assessment body.
Where is Annexo’s data processed?
In the EU. Compute runs in the Frankfurt (fra1) region and persisted data uses an EU-region store, in line with EU data-residency expectations.