You shipped it with AI.
Now find out what's exposed.
Security assessment for AI-built apps. From $129. Same-day results.
In independent research, 2,000+ vulnerabilities were found across 5,600 vibe-coded apps. 170 databases were exposed through a single misconfiguration pattern.
AI coding tools let you build and ship a real product in days. The code works. Users are signing up. Maybe you're charging money.
But AI writes code that functions, not code that's secure. It generates auth middleware that passes your tests but has bypass routes. API endpoints that work but accept anything. Database queries that return the right data — and everyone else's too. Academic research shows only 10.5% of functionally correct AI code passes security review.
You don't know what you don't know. And neither does your AI.
What AI-generated code gets wrong
These aren't theoretical risks. They're documented patterns from real AI-built applications, backed by independent research.
Auth that looks right but isn't
AI generates login flows and middleware that work in the happy path. But: expired tokens still accepted, role checks missing on API routes, password reset tokens that never expire, session handling that lets you access other accounts. In one Lovable app, auth logic was literally inverted — it blocked authenticated users and allowed anonymous access, exposing 18,697 records.
Secrets shipped to the browser
NEXT_PUBLIC_ vars containing API keys. Database connection strings in client components. Service tokens baked into JavaScript bundles. Anyone can open DevTools and read them. Lovable alone blocks ~1,200 API key insertions per day from its own users.
API routes with no protection
No rate limiting, no input validation, no auth checks on sensitive endpoints. AI focuses on making the endpoint work, not on who can call it or what they can send. A study of 15 AI-built apps found 69 vulnerabilities across 5 tools — authorization failures were the most common category.
Broken access control
Change the user ID in a URL and see someone else's data. AI rarely generates ownership checks — it trusts the client to only request its own resources. A scan of 5,600 vibe-coded apps found 2,000+ vulnerabilities and 400+ exposed secrets.
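To make the auth and ownership gaps above concrete, here is an added illustration in plain Node.js (not code from this page or from any of the tools it names), with constructed sample sessions and invoices: a handler that trusts the id in the URL beside one that checks the session, its expiry, and ownership or an explicit admin role before returning a row.

```javascript
// Constructed sample data standing in for a session store and a database table.
const SESSIONS = {
  'tok-alice': { userId: 'u1', role: 'user',  expiresAt: Date.parse('2030-01-01T00:00:00Z') },
  'tok-bob':   { userId: 'u2', role: 'user',  expiresAt: Date.parse('2030-01-01T00:00:00Z') },
  'tok-stale': { userId: 'u1', role: 'user',  expiresAt: Date.parse('2020-01-01T00:00:00Z') },
  'tok-admin': { userId: 'u9', role: 'admin', expiresAt: Date.parse('2030-01-01T00:00:00Z') },
};
const INVOICES = {
  'inv-100': { id: 'inv-100', ownerId: 'u1', total: 42.0 },
  'inv-200': { id: 'inv-200', ownerId: 'u2', total: 17.5 },
};

// Vulnerable pattern: the id comes straight from the URL and nobody asks who is calling.
// Any caller who guesses or increments an id gets the row back.
function getInvoiceVulnerable(invoiceId) {
  const inv = INVOICES[invoiceId];
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// Hardened pattern: authenticate, reject expired sessions, then enforce ownership
// (or an explicit admin role) before the row leaves the server.
function getInvoiceHardened(invoiceId, sessionToken, now = Date.now()) {
  const session = SESSIONS[sessionToken];
  if (!session || session.expiresAt <= now) return { status: 401 };
  const inv = INVOICES[invoiceId];
  const isOwner = inv && inv.ownerId === session.userId;
  const isAdmin = session.role === 'admin';
  // Answer 404 for both "missing" and "not yours" so ids cannot be enumerated.
  if (!inv || (!isOwner && !isAdmin)) return { status: 404 };
  return { status: 200, body: inv };
}

// Side-by-side: Alice asks for Bob's invoice.
console.log('vulnerable:', getInvoiceVulnerable('inv-200').status);            // 200, leaks
console.log('hardened:  ', getInvoiceHardened('inv-200', 'tok-alice').status); // 404
console.log('expired:   ', getInvoiceHardened('inv-100', 'tok-stale').status); // 401
```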
Database rules wide open
Supabase RLS disabled “to get it working.” Firebase security rules set to allow all reads and writes. AI suggests permissive defaults because they don't throw errors. In 2025, a Supabase RLS misconfiguration exposed 170 Lovable databases to unauthenticated access (CVE-2025-48757).
Business logic that doesn't add up
AI generates code that handles the happy path. But it doesn't think about edge cases: negative prices on checkout, unrestricted admin actions, referral loops. In academic testing, only 10.5% of functionally correct AI code was also secure.
None of this means AI tools are bad. They're transformative. But they optimise for “does it work,” not “is it safe.” That's a different question — and it's the one we answer.
How it works
Drop your URL
Give us your domain. For a code review, share repo access too. Sign our authorisation form and we start within 24 hours.
We scan everything
API routes, auth flows, environment variables, database access, file exposure — we check what AI tools typically get wrong.
Plain-English report
Every finding with real proof, severity rating, and exact steps to fix it. No security jargon.
Pricing
Fixed pricing. No scoping calls. Buy online, we start within 24 hours.
Compliance Check
Know where you stand — legally and technically.
$129
Same-day turnaround
- GDPR / CCPA applicability assessment
- Privacy policy & cookie consent review
- Data collection and storage audit
- Third-party data flow map (analytics, payments, AI APIs)
- Exposed .env files, sensitive URLs, backup files
- Security headers & SSL configuration check
- Plain-English gap report with fix steps
Codebase Review
Find out what your AI missed.
$329
1–2 day turnaround
- Everything in Compliance Check
- Full source code security review
- Hardcoded secrets & API key detection
- Auth & session management audit
- API route protection assessment
- Database access control check (RLS, Firebase rules)
- Basic live testing (auth bypass, IDOR, API tampering)
- Dependency vulnerability scan
- Prioritised report with fix-by-fix guidance
Requires codebase access
Do nothing vs. find out
The only way to know your app is secure is to test it.
| | Do nothing | Find out |
|---|---|---|
| What you know about your security | Nothing | Exactly what's exposed |
| Time investment | None | Drop your URL, we do the rest |
| When something goes wrong | Find out from your users | Find out before they do |
| Regulatory exposure | Unknown | Documented and prioritised |
| Cost | Free until a breach | $129 once |
This is already happening
Independent researchers are documenting real breaches in AI-built apps. These aren't edge cases.
170 databases exposed: Lovable apps with misconfigured Supabase RLS accessible to anyone. Emails, phone numbers, API keys, and payment data — all public. CVE-2025-48757, CVSS 9.3. Source: Matt Palmer
18,697 records breached: a single Lovable app exposed student and enterprise data from UC Berkeley and UC Davis. AI-generated auth logic was inverted — blocked logged-in users, allowed anonymous access. Source: The Register
1,200+ production records deleted: a Replit AI agent fabricated 4,000 fake records, deleted a production database of executive contacts, and produced misleading status messages — while ignoring explicit instructions to stop. Source: Fortune
2,000+ vulnerabilities discovered: security researchers scanned 5,600 vibe-coded apps and found 400+ exposed secrets and 175 instances of exposed PII — including medical records, phone numbers, and financial data.
74,000 records exposed in a single day
This was a legacy PHP application we assessed for a client. The vulnerability patterns — no auth on API routes, no access control, no input validation — are the same ones researchers are now finding in AI-generated code at scale.
- 74,000+ records exposed
- 12 critical findings
- 2-day assessment
- Endpoints blocked the same day
Key findings
Entire database readable
A single unauthenticated URL returned all rows from any database table — 197 tables, 74,678 customer records, employee pay rates, credit card data.
SQL injection on payments
One modified URL returned every payment transaction. We reconstructed the previous day’s revenue: $17,129 across 40 invoices at 4 locations.
Database password on a public page
A debug page left in production displayed the database connection credentials to anyone who visited it.
254 scanned documents exposed
A public directory contained scanned invoices showing customer names, home addresses, full credit card numbers, and handwritten signatures.
Critical endpoints were blocked within hours. Credentials were rotated within days. The same patterns exist in AI-generated code. CVE-2025-48757 proved it across 170 exposed databases. We find them before your users do.
Our methodology
OWASP-based methodology
Our testing follows the OWASP Testing Guide and OWASP Top 10, the industry standard for web application security assessment.
Read-only testing
We never modify your data or systems. All testing is non-disruptive — your users won't notice anything.
Human engineer review
AI handles the scanning and pattern matching. Every finding is verified and written up by a human security engineer.
Advisory service
Our assessment identifies security risks and provides remediation guidance. It is not a formal compliance certification (PCI DSS QSA, SOC 2 Type II, ISO 27001). If you need formal certification, we can recommend a certified assessor — and our report gives them a head start.
Frequently asked questions
We're an AI company — of course we have a chatbot. Ask it anything about the service, or browse the common questions below.
Not sure what you need?
Tell us what you built.
Describe your app and we'll recommend the right scan.
Ready to find out what's exposed?
Pick a tier and get your report in days — or talk to us first.