100% on XBOW benchmark · beats XBOW's own 85% · Shannon 96%


The only AI pentester that scores 100% on the industry-standard XBOW benchmark — white-box and black-box. From vibe-coded MVPs to production SaaS, we find the exact vulnerabilities that get apps hacked, and hand you the exact fix.

Free scan • No signup • Results in 3 minutes

→ Verify the 100% XBOW score on our public benchmarks page
100% XBOW Benchmark
Tests Real Hackability
SOC 2 Mapped
Built for Vibe Coders

100% on XBOW — beats XBOW's own 85% and Shannon's 96%. Verified on 104 public scenarios.

60% of AI-built apps ship with exposed API keys. We'll find yours in 3 minutes.

Works with apps built in

Claude Code
Cursor
Lovable
Bolt
v0
Windsurf
Replit

We test hackability, not hygiene

Tests for the vulnerabilities that actually get apps hacked. No jargon. No noise.

TIER 1 — CRITICAL
Can someone steal your data?

The checks that matter most. Exposed secrets, auth bypass, and injection attacks are how apps actually get hacked. If you fail here, nothing else matters.

  • Exposed API keys & service role secrets
  • Authentication bypass
  • SQL / NoSQL injection
  • Cross-user data access (IDOR)
TIER 1 — CRITICAL
Can someone break into your login?

We test if your login page can be brute-forced, sessions can be hijacked, and admin routes are actually protected. Client-side-only auth is no auth.

  • Brute-force login attacks
  • Broken session management
  • Client-side-only auth checks
  • XSS in forms and inputs
TIER 2 — DEFENSES
Are your defenses solid?

HTTPS, Content-Security-Policy, rate limiting, and cookie flags. These stop real attack techniques like session hijacking and content injection.

  • HTTPS & TLS configuration
  • Content-Security-Policy header
  • Rate limiting on sensitive endpoints
  • Cookie security flags & CORS
TIER 2 — DEFENSES
What are you leaking?

Error messages that reveal your stack, debug routes left in production, exposed admin panels, and config files anyone can download.

  • Verbose error messages
  • Exposed /admin & /debug routes
  • Server version & framework info leaks
  • Open database dashboards
TIER 3 — WON'T HURT YOUR GRADE
Best practices (informational)

Good-to-know items that don't indicate hackability. Missing X-Frame-Options on a page with no sensitive content isn't a vulnerability — it's trivia.

  • Informational security headers
  • Dependency version suggestions
  • Performance-related security hints
  • Non-exploitable configuration notes
Calibrated against real apps
Stripe scores A+. Shopify scores A. If your app has real vulnerabilities, we'll find them.
SOC 2 mapped · OWASP Top 10 · AI-pattern aware

Three steps. No signup needed.

No agents to install. No code access needed. Just a URL.

01
Paste your URL

Drop in any live URL or staging link. Vercel previews, Netlify deploys, Railway apps, or any public endpoint. No signup required.

02
We test what actually gets apps hacked

Exposed API keys, broken auth, injection attacks, open databases, and the real vulnerabilities attackers exploit. Tailored for AI-generated code patterns.

03
Get your grade + one-click fixes for Cursor

A letter grade (A through F), a prioritized fix list, and copy-paste code fixes you can drop straight into Cursor or Claude Code.

This app got a C+ — 3 things to fix before launch

Here is what a typical AI-built app looks like after a VibeArmor scan. Every finding comes with a fix you can paste into Cursor.

vibearmor scan my-saas-app.vercel.app
2m 47s
C+ Security Grade

3 things to fix before launch

Your app works but has security holes that attackers can find in minutes. The good news: all 3 fixes take under 30 minutes total.

2 Fix Now · 1 Fix Soon
Fix This First
FIX NOW

Your Supabase service_role key is visible to everyone

Anyone who visits your site can open DevTools and find your SUPABASE_SERVICE_ROLE_KEY in the JavaScript bundle. This gives them full database access.

Cursor-ready fix
// Move this to a server-side API route or edge function
// BEFORE (in your React component — bad): anything prefixed NEXT_PUBLIC_ is inlined into the browser bundle
const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY)

// AFTER (in /app/api/data/route.ts — safe): this file only ever runs on the server
import { createClient } from '@supabase/supabase-js'
const supabase = createClient(
  process.env.SUPABASE_URL!,
  process.env.SUPABASE_SERVICE_ROLE_KEY! // no NEXT_PUBLIC_ prefix, so it never reaches the browser
)
FIX NOW

Anyone can brute-force your login page

Your /api/auth/login endpoint accepts unlimited requests. An attacker can try thousands of passwords per minute.

Cursor-ready fix
// Add rate limiting with Upstash (works on Vercel)
// npm install @upstash/ratelimit @upstash/redis
import { Ratelimit } from "@upstash/ratelimit"
import { Redis } from "@upstash/redis"

const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(), // reads UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN
  limiter: Ratelimit.slidingWindow(5, "60 s"), // 5 attempts per minute, per client
})

// In /app/api/auth/login/route.ts: consult the limiter before touching credentials
export async function POST(req: Request) {
  const ip = req.headers.get("x-forwarded-for")?.split(",")[0] ?? "unknown"
  const { success } = await ratelimit.limit(`login:${ip}`)
  if (!success) {
    return Response.json({ error: "Too many attempts" }, { status: 429 })
  }
  // ... existing login logic
}
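To show what the "5 attempts per 60 s" sliding window above actually does to a login route, here is an added example (not VibeArmor's code) of the same rule implemented in plain JavaScript with an in-memory store. The injectable clock exists only so the run is reproducible offline; on Vercel every serverless instance has its own memory, which is why production needs a shared store such as the Upstash Redis in the fix. The IP address and attempt sequence are constructed.

```javascript
// Added example, not VibeArmor's code: an in-memory sliding-window limiter
// that shows what "5 attempts per 60 s" does to a login route. The fake clock
// is only there so the run is reproducible offline.

class SlidingWindowLimiter {
  constructor(max, windowMs, now = () => Date.now()) {
    this.max = max;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // identifier -> timestamps (ms) of accepted requests
  }

  // Drops timestamps older than the window on every call, so the window slides
  // with time instead of resetting at fixed boundaries (a fixed window lets a
  // client fit two full bursts either side of the boundary).
  limit(identifier) {
    const t = this.now();
    const recent = (this.hits.get(identifier) ?? []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.max) {
      this.hits.set(identifier, recent);
      return { success: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(identifier, recent);
    return { success: true, remaining: this.max - recent.length, retryAfterMs: 0 };
  }
}

// Login handler shape: consult the limiter before credentials are checked and
// answer 429 with Retry-After when the caller is over the limit. The limiter
// is keyed on a per-client identifier, here the client IP.
function handleLogin(limiter, clientIp, credentialsValid) {
  const verdict = limiter.limit(`login:${clientIp}`);
  if (!verdict.success) {
    const retryAfter = String(Math.ceil(verdict.retryAfterMs / 1000));
    return { status: 429, headers: { "Retry-After": retryAfter } };
  }
  return credentialsValid ? { status: 200 } : { status: 401 };
}

// Constructed scenario: six wrong passwords one second apart, then a correct
// password 62 s in, by which time the first attempt has left the window.
function demo() {
  let clock = 0;
  const limiter = new SlidingWindowLimiter(5, 60_000, () => clock);
  const statuses = [];
  for (let i = 0; i < 6; i++) {
    clock += 1_000;
    statuses.push(handleLogin(limiter, "203.0.113.7", false).status);
  }
  clock = 62_000;
  statuses.push(handleLogin(limiter, "203.0.113.7", true).status);
  return statuses; // [401, 401, 401, 401, 401, 429, 200]
}
```

The sixth attempt is refused even though the password check never ran, and the seventh succeeds only because the oldest attempt has aged out of the window; that aging is the difference between a sliding window and a counter that resets every minute.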
FIX SOON

Other users can see each other's data

Changing the user ID in /api/users/123 to /api/users/124 returns someone else's profile. No ownership check is performed.

Cursor-ready fix
// Add ownership verification: compare the id in the URL with the id of the signed-in caller
// (supabase here must be the client built from the caller's session, not the service_role client)
const { data: { user } } = await supabase.auth.getUser()
// user is null when there is no valid session, so check that before comparing ids
if (!user || params.id !== user.id) {
  return Response.json({ error: "Not authorized" }, { status: 403 })
}
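The following is an added example, not VibeArmor's code, that puts the ownership check above into a complete `/api/users/:id` style handler next to the vulnerable version it replaces. The profile store, the session table and the bearer tokens are constructed stand-ins for Supabase; the point it demonstrates is that the user id the check compares against is resolved on the server from the session, never taken from the URL or the request body.

```javascript
// Added example, not VibeArmor's code: ownership check for a /api/users/:id
// handler, shown beside the vulnerable shape. Store and sessions are
// constructed stand-ins for Supabase.

const PROFILES = new Map([
  ["123", { id: "123", email: "alice@example.com", plan: "pro" }],
  ["124", { id: "124", email: "bob@example.com", plan: "free" }],
]);

// Stand-in for `supabase.auth.getUser()`: maps a bearer token to a user, or
// null when the token is absent or unknown (constructed tokens).
const SESSIONS = new Map([
  ["tok-alice", { id: "123" }],
  ["tok-bob", { id: "124" }],
]);
function getUserFromRequest(req) {
  const auth = req.headers["authorization"] ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : null;
  return token ? (SESSIONS.get(token) ?? null) : null;
}

function notFound() {
  return { status: 404, body: { error: "Not found" } };
}

// Vulnerable shape: whatever id is in the URL is looked up and returned.
function getProfileInsecure(req, params) {
  const profile = PROFILES.get(params.id);
  return profile ? { status: 200, body: profile } : notFound();
}

// Hardened shape: unauthenticated callers get 401, and a signed-in user asking
// for another user's id gets 403 before any row is read.
function getProfileSecure(req, params) {
  const user = getUserFromRequest(req);
  if (!user) return { status: 401, body: { error: "Sign in required" } };
  if (params.id !== user.id) return { status: 403, body: { error: "Not authorized" } };
  const profile = PROFILES.get(params.id);
  return profile ? { status: 200, body: profile } : notFound();
}

// Constructed request: Bob's session asking for Alice's record.
const BOB_ASKS_FOR_ALICE = { headers: { authorization: "Bearer tok-bob" } };
```

Against the insecure handler, Bob's request for `/api/users/123` returns Alice's profile; against the hardened one it returns 403, and a request with no session returns 401 without the store being consulted at all.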
Built BY vibe-coders FOR vibe-coders

Why VibeArmor?

We found 64 vulnerabilities across our own 17 production apps. Then we built a tool so you don't have to learn security the hard way.

                               Traditional Pentest       VibeArmor
Time to first result           2-4 weeks                 3 minutes
Cost                           $5,000 - $30,000          From $99
What you get                   PDF nobody reads          Fixes you paste into Cursor
Frequency                      Once per quarter          Every deploy
Understands AI-generated code  Rarely                    Built for it
Setup                          Weeks of scoping calls    Paste a URL
Calibrated against the best

Our scoring makes sense because we tested it on the best

Stripe, Shopify, and Supabase earn top grades. If our scanner says your app has a problem, it really does.

100% · 104/104 · XBOW (White-Box)
Industry-standard AI pentesting eval
XBOW's own system: 85%

100% · 104/104 · XBOW (Black-Box)
HTTP only, no source access
Shannon competitor: 96%

9/9 XSS · 46/111 total · Juice Shop
OWASP flagship — every XSS challenge solved
Including D6 Video XSS + D6 JWT forgery

417+ learned beliefs · Agent Brain
Compounds with every scan
Zero agent failures on XBOW

Open methodology

We test hackability, not hygiene. Our AI agent swarm scored 100% on the XBOW benchmark (the industry standard for AI pentesting), beating XBOW's own 85% score. Every finding comes with a reproducible proof-of-exploit, not a theoretical advisory. We simulate real attacks across 17+ vulnerability categories.

XBOW 100% · 17+ Vuln Categories · Compound Learning Brain · Zero Agent Failures
→ Verify the scores yourself (public SQL queries)

100 checks, 3 tiers

TIER 1
Critical exploits

Exposed secrets, auth bypass, injection, cross-user data access

TIER 2
Active defenses

HTTPS, CSP, rate limiting, cookie security, CORS configuration

TIER 3
Best practices

Informational only — does not affect your grade

Real example

Here's what a real scan looks like

This is what we find in a typical vibe-coded app. One exposed secret, two missing defenses, and the exact code to fix each one.

vibearmor scan yourapp.example.com
3m 12s
B- · 72 / 100

yourapp.example.com

1 critical vulnerability, 2 defense gaps, 1 informational note. The critical issue drops your score by 25 points alone.

1 Hackable · 2 Fix This · 1 Info
HACKABLE

Supabase service_role key exposed in JavaScript bundle

-25 pts

Your SUPABASE_SERVICE_ROLE_KEY is in the client bundle. Anyone with DevTools has full database access.

FIX THIS

Missing Content-Security-Policy header

-2 pts

No CSP header means attackers can inject scripts via XSS and exfiltrate data to any domain.

FIX THIS

No rate limiting on auth endpoints

-2 pts

Your /api/auth/login endpoint accepts unlimited requests. Attackers can brute-force passwords at scale.

INFO

Missing Permissions-Policy header

no effect

The Permissions-Policy header is not set. This is informational and does not affect your score.
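The two "Fix This" findings and the "Info" note above are all visible in a single HTTP response. Here is an added example, not VibeArmor's code, of a response-header audit that sorts results into the tiers this page uses (Tier 2 defenses, Tier 3 informational). It records pass/fail per check rather than the page's point deductions, the 180-day HSTS threshold is an assumption of this example, and the header set at the bottom is a constructed sample arranged to match the scan shown above.

```javascript
// Added example, not VibeArmor's code: audit a response's headers and sort the
// results into Tier 2 (defenses) and Tier 3 (informational) findings.

const HSTS_MIN_AGE = 15552000; // 180 days; threshold assumed for this example

function auditHeaders(rawHeaders) {
  // Header names are case-insensitive; Set-Cookie may legitimately repeat.
  const h = {};
  for (const [name, value] of rawHeaders) {
    const key = name.toLowerCase();
    if (key === "set-cookie") h[key] = [...(h[key] ?? []), value];
    else h[key] = value;
  }
  const findings = [];
  const add = (tier, check, ok, note) => findings.push({ tier, check, ok, note });

  // Tier 2: HSTS keeps browsers on HTTPS after the first visit.
  const hsts = h["strict-transport-security"] ?? "";
  const maxAge = Number((hsts.match(/max-age=(\d+)/i) ?? [])[1] ?? 0);
  add(2, "HSTS (HTTPS enforcement)", maxAge >= HSTS_MIN_AGE,
    hsts ? `max-age=${maxAge}` : "no Strict-Transport-Security header");

  // Tier 2: a CSP whose script-src excludes 'unsafe-inline' limits what an
  // injected script can do; connect-src limits where it can send data.
  const csp = h["content-security-policy"] ?? "";
  let cspNote = "missing: injected scripts run and can send data anywhere";
  if (csp && /script-src[^;]*'unsafe-inline'/i.test(csp)) cspNote = "present but script-src allows 'unsafe-inline'";
  else if (csp) cspNote = "present";
  add(2, "Content-Security-Policy header", cspNote === "present", cspNote);

  // Tier 2: session cookies need Secure, HttpOnly and SameSite to resist
  // interception, theft by script, and cross-site requests.
  for (const cookie of h["set-cookie"] ?? []) {
    const cookieName = cookie.split("=")[0].trim();
    const ok = /;\s*secure\s*(;|$)/i.test(cookie) && /;\s*httponly\s*(;|$)/i.test(cookie)
      && /;\s*samesite=(lax|strict)\s*(;|$)/i.test(cookie);
    add(2, `Cookie security flags (${cookieName})`, ok,
      ok ? "Secure; HttpOnly; SameSite set" : "needs Secure, HttpOnly and SameSite=Lax or Strict");
  }

  // Tier 3: informational, does not indicate hackability on its own.
  add(3, "X-Frame-Options", Boolean(h["x-frame-options"]) || /frame-ancestors/i.test(csp), "informational");
  add(3, "Permissions-Policy header", Boolean(h["permissions-policy"]), "informational, no effect on grade");
  return findings;
}

function summarize(findings) {
  return {
    defenseGaps: findings.filter((f) => f.tier === 2 && !f.ok).map((f) => f.check),
    infoNotes: findings.filter((f) => f.tier === 3 && !f.ok).map((f) => f.check),
  };
}

// Constructed sample: HSTS and a well-flagged session cookie are present, the
// CSP and Permissions-Policy headers are not, as in the scan above.
const SAMPLE_RESPONSE_HEADERS = [
  ["Content-Type", "text/html; charset=utf-8"],
  ["Strict-Transport-Security", "max-age=63072000; includeSubDomains"],
  ["Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
  ["X-Frame-Options", "DENY"],
];
```

On the sample, `summarize(auditHeaders(SAMPLE_RESPONSE_HEADERS))` reports one defense gap (the missing CSP) and one informational note (the missing Permissions-Policy). Rate limiting, the other "Fix This" item above, cannot be read from a single response and needs the behavioural check described earlier.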

Fix This First — recovers 25 points instantly
// BEFORE (exposed in client bundle — bad):
const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY)

// AFTER (server-side only — safe):
// Move to /app/api/data/route.ts
import { createClient } from '@supabase/supabase-js'
const supabase = createClient(
  process.env.SUPABASE_URL!,
  process.env.SUPABASE_SERVICE_ROLE_KEY! // no NEXT_PUBLIC_ prefix
)

Paste this into Cursor or Claude Code. Rescan to verify the fix.
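The exposed-key finding appears twice on this page (the C+ sample scan and the B- scan above), and both fixes move the key out of the client bundle. As an added example that is not VibeArmor's code, here is a pre-deploy check you can run over your own build output to confirm the fix took: it scans bundle text for JWT-format Supabase keys and flags any whose `role` claim is `service_role`. The role can be read from the token payload without the signing secret. The bundle excerpt at the bottom is a constructed sample using fake, unsigned tokens.

```javascript
// Added example, not VibeArmor's code: scan a built JavaScript bundle for
// Supabase keys and flag any whose "role" claim is service_role.

// Three base64url segments, the first starting with "eyJ" (base64 of '{"').
const JWT_RE = /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g;

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return null; // not a JWT after all, or payload is not JSON
  }
}

// Returns one finding per key-shaped token. The anon key is designed to be
// public (Row Level Security is what protects data behind it), so it is
// reported as info; service_role bypasses RLS and must never reach the bundle.
function findLeakedKeys(bundleSource) {
  const findings = [];
  for (const match of bundleSource.matchAll(JWT_RE)) {
    const payload = decodeJwtPayload(match[0]);
    if (!payload || typeof payload.role !== "string") continue;
    findings.push({
      role: payload.role,
      severity: payload.role === "service_role" ? "critical" : "info",
      offset: match.index,
      preview: match[0].slice(0, 12) + "...",
    });
  }
  return findings;
}

// Builds an unsigned token with the given claims, for this demo only.
function fakeJwt(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const signature = Buffer.from("not-a-real-signature-placeholder").toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(claims)}.${signature}`;
}

// Constructed bundle excerpt: one public anon key (expected in a client
// bundle) and one service_role key (the finding the scans above report).
const SAMPLE_BUNDLE = [
  'const url="https://example.supabase.co";',
  `const anon="${fakeJwt({ iss: "supabase", ref: "example", role: "anon" })}";`,
  `const admin="${fakeJwt({ iss: "supabase", ref: "example", role: "service_role" })}";`,
].join("\n");
```

In a real build, read each file under `.next/static` (or your framework's output directory) and pass its contents to `findLeakedKeys`; a `critical` finding means the fix above has not been applied, or the key was reintroduced under a different variable name. The pattern only covers JWT-format keys like the one `SUPABASE_SERVICE_ROLE_KEY` holds in the fix; a secret in another format needs its own pattern.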

Scan Your App Free

No signup • Results in 3 minutes

Simple, transparent pricing

Start free. Upgrade when you need continuous protection.

100% on XBOW benchmark • Enterprise-grade AI pentesting • 100% refund if zero findings
Vibe Check
One-time
$99 one-time

Built with Lovable, Bolt, or Cursor? We check your RLS, exposed keys, and auth gaps.

  • Full 120-check outside-in scan
  • Branded PDF report
  • Supabase RLS audit
  • Exposed API key detection
  • Fix instructions for every finding
  • Instant (5 min turnaround)
Get Vibe Check
Most Popular
Security Report
One-time
$499 one-time

Inside-out scan with your test account. 7 agents attack your app and hand you the exact fix.

  • Everything in Vibe Check
  • 7 specialized attack agents
  • Authenticated testing with your creds
  • IDOR, auth bypass, XSS, SQLi, CORS testing
  • Verified findings only (no false positives)
  • Copy-paste fix prompts for every finding
  • Free re-scan within 30 days
Get Security Report
Pentest
One-time
$2,500 one-time

Deep inside-out + human-verified proof-of-concepts + written remediation guide.

  • Everything in Security Report
  • 10 specialized attack agents
  • Payment flow + business logic testing
  • Every finding hand-verified by a human
  • Written remediation guide
  • 1-hour remediation call
  • Free re-scan within 60 days
Book a Pentest
Continuous
Subscription
$999/mo

Weekly inside-out scan of up to 5 apps. 24-hour alerts on new criticals.

  • Up to 5 apps covered
  • Weekly inside-out scan per app
  • 24-hour alerts on new criticals
  • Monthly summary call
  • Regression detection between scans
  • Cancel anytime
Start Continuous

100% refund within 7 days if we can't demonstrate a single finding on your app.

Frequently asked questions

We test if your app can actually be hacked — not just whether it's missing HTTP headers. Our checks are organized into 3 tiers: Tier 1 tests if someone can steal your data (exposed secrets, auth bypass, injection). Tier 2 tests if your defenses are solid (HTTPS, CSP, rate limiting). Tier 3 covers best practices that don't affect your grade but are good to know. Every check is tailored to patterns we see in code generated by AI tools like Cursor, Claude Code, Lovable, and Bolt.

No. VibeArmor scans your live application from the outside, the same way an attacker would. You paste a URL and we do the rest. No GitHub integration, no CLI, no agent installation. We test what is publicly accessible because that is what hackers see.

We never access your source code or database. We only test publicly accessible endpoints, headers, and responses. Scan results are encrypted at rest and you can delete them at any time.

Those tools are built for security professionals. Snyk requires code access and CI/CD setup. ZAP produces thousands of findings with no prioritization. VibeArmor is built for people who build with AI tools: paste a URL, get a letter grade, copy-paste fixes into Cursor. No jargon, no setup, no 200-page PDF. Our fixes are formatted as code blocks you can drop directly into your AI coding tool.

That is exactly why VibeArmor exists. Every finding comes with a plain-English explanation and a Cursor-ready code fix. Most critical issues can be fixed in under 30 minutes. Rescan for free after fixing to watch your grade improve. A C+ today can be a B+ by tomorrow.

The Vibe Check ($99 one-time) gives you a full 120-check outside-in report with fix instructions -- instant turnaround. The Security Report ($499 one-time) adds inside-out testing with 7 specialized agents, verified findings, and a free 30-day retest. The Pentest ($2,500 one-time) runs 10 agents with human-verified proof-of-concepts, a written remediation guide, a 1-hour call, and a free 60-day retest. Continuous ($999/month) runs a weekly inside-out scan on up to 5 apps with 24-hour critical alerts and a monthly summary call.

Yes. We test Supabase RLS policies by attempting actual cross-user data access with your anon key. We check Firebase storage rules and Firestore rules. These database-specific checks catch the #1 vulnerability in AI-built apps: open databases that expose all user data.
Pre-launch security check

About to deploy? Run your security check first.

Most AI-built apps have 3+ critical vulnerabilities. Find yours in 3 minutes — before your users do.

Free scan • No signup • Results in 3 minutes