Security Scanner is now open to the public. If you ship apps built with Cursor, Claude Code, Lovable, Bolt, v0, or Replit — the tool is built for you.
Why we built it
Six months ago we set out to inventory the attack surface of our own side projects. We had 7 services running — a few on EC2, a couple on Vercel, one on Render. Standard stuff for a small team. We ran the usual checks: TLS config, nmap, nuclei templates, a quick header audit. Found three critical issues inside an hour.
Then we scanned everything we'd shipped with AI assistants over the previous year. The hit rate was noticeably higher.
What Security Scanner does
You point it at a URL. It runs 50+ modules against that URL in parallel — from classic ones like nmap + TLS audit + nuclei to the ones that matter for vibe-coded apps specifically:
- Extracts Supabase anon keys from JS bundles and probes every real table name for Row Level Security misconfigurations
- Detects AI provider keys (Anthropic, OpenAI, Google) that shouldn't be client-side
- Probes GraphQL schemas for password fields and dangerous mutations
- Checks subdomain takeover risks across Vercel, Netlify, Unbounce, GitHub Pages, and S3
- Fingerprints the CDN / WAF stack and flags origins with no edge protection
When it finds something, it writes a SECURITY-FIX.md your AI assistant can read and execute against your codebase.
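As an added illustration of two checks from the list above (client-side AI provider keys and Supabase keys in JS bundles), here is a small Node.js scan you can run over your own build output. It is not Security Scanner's code; the key-prefix patterns and the JWT `role` claim check are assumptions based on commonly seen key formats, and the sample bundle is constructed.

```javascript
// Added example: heuristic secret scan over a built JS bundle (not the product's code).
// Key-prefix patterns are assumptions based on commonly seen formats; expect false positives.
const PATTERNS = [
  { type: "anthropic_api_key", re: /sk-ant-[A-Za-z0-9_-]{20,}/g, severity: "critical" },
  { type: "openai_api_key", re: /sk-(?!ant-)[A-Za-z0-9_-]{20,}/g, severity: "critical" },
  // Some Google keys are meant for browsers, so this one is flagged for review only.
  { type: "google_api_key", re: /AIza[0-9A-Za-z_-]{35}/g, severity: "review" },
];
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Never echo a full secret into a report.
const redact = (s) => s.slice(0, 8) + "..." + s.slice(-4);

// Decode the JWT payload without verifying it; only the role claim is needed.
function jwtRole(token) {
  try {
    const payload = Buffer.from(token.split(".")[1], "base64").toString("utf8");
    return JSON.parse(payload).role ?? null;
  } catch {
    return null;
  }
}

function scanBundle(text) {
  const findings = [];
  for (const { type, re, severity } of PATTERNS) {
    for (const m of text.matchAll(re)) {
      findings.push({ type, severity, match: redact(m[0]) });
    }
  }
  for (const m of text.matchAll(JWT_RE)) {
    const role = jwtRole(m[0]);
    // An anon key is expected client-side; a service_role key bypasses Row Level Security.
    if (role === "service_role") {
      findings.push({ type: "supabase_service_role_key", severity: "critical", match: redact(m[0]) });
    } else if (role === "anon") {
      findings.push({ type: "supabase_anon_key", severity: "info", match: redact(m[0]) });
    }
  }
  return findings;
}

// Constructed sample input: fake tokens built inline, not real credentials.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
const fakeJwt = (role) => [b64url({ alg: "HS256", typ: "JWT" }), b64url({ role }), "c2lnbmF0dXJl"].join(".");
const SAMPLE_BUNDLE = `
  const sb = createClient("https://example.invalid", "${fakeJwt("anon")}");
  const admin = "${fakeJwt("service_role")}";
  const ai = "sk-ant-${"A".repeat(32)}";
`;
```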
Pricing
One free scan, no credit card. After that: $9 per scan, $29/mo for weekly auto-scans, or $99/mo for small teams. The first year is on us if you're actively building — just email [email protected] with the app you're shipping.
Try it at /signup.