Koi (Koidex) vs Am I Being Pwned

Koi genuinely runs dynamic analysis - the closest tool to what we do. The differences are narrow: free-tool depth, where the run happens, and the evidence you can inspect.

Is Koi (Koidex) doing dynamic analysis of browser extensions?

Yes - more than most tools here. Koi's free scanner, Koidex (formerly ExtensionTotal), unpacks an extension, reads its code with AI, runs vulnerability and dependency checks, and flags external communication. Koi's enterprise engine, Wings, goes further: it runs the software itself and captures network and endpoint activity, and Koi describes using sandboxing. Of everyone on our comparison pages, Koi is the closest to genuine behavioural analysis. Koi was acquired by Palo Alto Networks in 2026.

So the differences are narrower here, and worth stating precisely. Koi's runtime signal is captured on your real endpoints, through its agent watching extensions on live machines. Am I Being Pwned runs each extension in an isolated, instrumented browser before it's trusted, and the free scan hands you the captured requests and DOM changes per extension, not just a rating.

And code-reading, the core of the free Koidex tool, has a blind spot that shows up in practice. Koidex rated WhatRuns - a Featured, Verified extension with 400k users - a middling Medium, and described its data collection as 'consistent with its functionality'. What it never surfaced is that WhatRuns was uploading users' ChatGPT and Claude conversations on every page. We found that by running it and watching the traffic leave.

What Koi gives you

  • Koidex (formerly ExtensionTotal): a free scanner that unpacks an extension, reads the code with AI, and runs vulnerability and dependency checks
  • A flag for whether the extension communicates externally
  • Wings (enterprise): runs the software and captures network and endpoint activity on real machines, with sandboxing in the mix
  • Proactive scanning of marketplaces and registries, and blocking before software reaches an endpoint
  • The backing of Palo Alto Networks, which acquired Koi in 2026

Where it stops

  • The free Koidex scan is code-reading and vulnerability checks; the captured-run detail lives in the enterprise product
  • Its runtime signal is gathered from extensions running on your real endpoints, not from an isolated run before you trust one
  • Code-reading, Koidex's core, is blind to obfuscated or runtime-assembled payloads until something executes them
  • What Koidex hands you is a risk assessment, not a per-extension record of the captured requests and DOM changes
  • A CRX scan stops at the extension's own code - the native-messaging bridge it opens, where we found Signer.Digital's CVSS 9.3 drive-by RCE, is outside its reach

Koi vs Am I Being Pwned

| Capability | Koi | Am I Being Pwned |
| --- | --- | --- |
| Free scanner | Yes - Koidex (formerly ExtensionTotal) | Yes - a free scan, no account |
| Reads the code with AI | Yes - plus vulnerability and dependency checks | Yes, and then runs it |
| Genuine dynamic analysis | Yes - Wings runs software, captures activity | Yes - an isolated, instrumented run |
| Sees real in-the-wild behaviour on your fleet | Yes - its endpoint agent watches live machines | No - we run it in isolation, not on your users |
| Captured evidence in the free tool | Code-read assessment; run capture is enterprise | The free scan includes the captured traffic |
| Per-extension evidence you can inspect | Rolled into a risk assessment | The requests and DOM changes, per finding |

How to confirm a Koidex result

Koidex reads the code and checks dependencies. Here's how to add the captured-run evidence, free.

  1. Scan the extension in Koidex

    Koi's free tool unpacks the extension, reads it with AI, and checks its dependencies. Strong for what's visible in the source.

  2. Mind the static blind spot

    Reading code reports what's visible. Payloads that are obfuscated, built at runtime, or fetched after install stay hidden until something executes them.

  3. Add the captured run

    Paste the extension ID into Am I Being Pwned to run it in an isolated browser and capture the live traffic and DOM writes - free, and per extension - or scan your whole fleet.

  4. Confirm and block

    Keep what behaves; remove what doesn't. Push blocks through your MDM or Chrome policy.

  5. Re-run on updates

    Code that passed a read can ship a hostile update. Re-running it catches the change a re-read might not.
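Steps 3 to 5 can be turned into a repeatable check. The sketch below is an added example, not code from Koi or Am I Being Pwned: it compares the request destinations captured for an approved version and an updated version of each extension, then builds a Chrome `ExtensionSettings` policy value that blocks the ones contacting new hosts. The capture layout, extension IDs and URLs are constructed for illustration; a new host is a prompt for review, and the block is what you push once the finding is confirmed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample captures: extension ID -> request URLs seen in the
# isolated run of the previously approved version and of the updated version.
# The IDs, URLs and this record layout are all made up for the example.
CAPTURES = {
    "a" * 32: {
        "approved": ["https://api.vendor-a.example/v1/config"],
        "updated": ["https://api.vendor-a.example/v1/config",
                    "https://collect.tracker.example/upload?page=1"],
    },
    "b" * 32: {
        "approved": ["https://cdn.vendor-b.example/rules.json"],
        "updated": ["https://cdn.vendor-b.example/rules.json?v=2"],
    },
}


def hosts(urls):
    """Reduce captured request URLs to the set of lower-cased hostnames."""
    return {h.lower() for h in (urlsplit(u).hostname for u in urls) if h}


def new_destinations(approved_urls, updated_urls):
    """Hosts contacted by the updated version that the approved one never used."""
    return sorted(hosts(updated_urls) - hosts(approved_urls))


def triage(captures):
    """Map each extension ID to its newly contacted hosts (empty list = unchanged)."""
    return {ext_id: new_destinations(runs["approved"], runs["updated"])
            for ext_id, runs in captures.items()}


def block_policy(findings):
    """Build a Chrome ExtensionSettings policy value blocking flagged extensions."""
    return {ext_id: {"installation_mode": "blocked"}
            for ext_id, new_hosts in findings.items() if new_hosts}


if __name__ == "__main__":
    findings = triage(CAPTURES)
    print(json.dumps(findings, indent=2))
    print(json.dumps(block_policy(findings), indent=2))
```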

Frequently asked questions

What is Koidex / ExtensionTotal?

Koidex (formerly ExtensionTotal) is Koi Security's free browser-extension scanner. It unpacks an extension, uses AI to read the code, runs vulnerability and dependency checks, and flags external communication. Koi's enterprise engine, Wings, adds runtime capture on real endpoints. Koi was acquired by Palo Alto Networks in 2026.

Does Koi run extensions dynamically, or just read the code?

Both, depending on the product. The free Koidex scan is AI code-reading plus vulnerability checks. Koi's enterprise Wings engine runs the software and captures network and endpoint activity on real machines, and Koi describes using sandboxing. The practical difference from Am I Being Pwned: Koi captures behaviour on your live endpoints, while we run each extension in isolation before it's trusted and include the captured evidence in the free scan.

Is AI code-reading enough on its own?

It's powerful for what's in the source, but blind to what's assembled at runtime, fetched from a server after install, or hidden under obfuscation. MultiPassword's flaw was in how its code handled messages from other origins - a logic bug a code summary can miss that surfaces the moment you exercise it.

Koi was acquired by Palo Alto Networks - does that matter?

For now Koidex remains available as a free scanner, and Koi's technology is folding into Palo Alto's platform. If you already run Palo Alto, that consolidation may suit you well. If you want a standalone, browser-extension-focused check with the captured evidence attached, that's the gap Am I Being Pwned fills.

Triage every extension in your fleet, with evidence.

Free scan of your Google Workspace in under 48 hours.