Free Security Scan for AI Apps: Find Vulnerabilities Before Hackers Do
You built an app with Cursor, Lovable, Bolt, or v0. It works. Users are signing up. But you have not tested its security because security testing sounds expensive, complicated, and time-consuming. It does not have to be. A free security scan takes 3 minutes, requires no signup, and tells you exactly which vulnerabilities your app has and how to fix each one.
Scan your app now — paste your deployed URL and get results in 3 minutes. The rest of this article explains what the scan checks, why it matters, and what to do with the results.
Why AI-Built Apps Need Security Scanning
AI coding tools generate code that works on the first try more often than ever. They also generate security vulnerabilities at a predictable rate. Research shows that 45-62% of AI-generated code contains OWASP vulnerabilities. The tools are getting better at functionality, but they are not getting better at security — because security requires context that spans your entire application, and AI tools generate each feature independently.
Here is what that means in practice: Cursor might generate a perfectly secure login flow. Then you ask it to add an admin dashboard, and it creates unprotected routes because it does not remember the auth system from the previous session. Or Lovable sets up Supabase with RLS policies that look correct but use USING(true), granting access to anonymous users.
These are not edge cases. We find these patterns in the majority of AI-built apps we scan. The only way to know if your app is affected is to test it.
What the Free Scan Checks: 120 Security Tests
Our scanner runs 120 individual security checks organized into three tiers based on real-world exploitability, not theoretical risk.
Tier 1: Can Someone Steal Data Right Now? (38 checks)
These tests determine whether your app has exploitable vulnerabilities that an attacker could use today. Tier 1 findings are the reason most AI-built apps score D or F on their first scan.
- Secret Exposure: Scans your client-side JavaScript bundles for API keys that should be server-only. Detects Supabase service_role keys, Stripe secret keys, OpenAI keys, and dozens of other provider keys. If found, an attacker can use your key to access your database, charge your Stripe account, or consume your API credits.
- Authentication Bypass: Tests whether admin routes, dashboard pages, and API endpoints are accessible without logging in. Probes for common unprotected paths that AI tools create:
/admin,/dashboard,/api/admin, and framework-specific admin routes. - Injection Testing: Tests input fields, URL parameters, and API endpoints for SQL injection, cross-site scripting (XSS), command injection, and server-side template injection (SSTI). Our injection engine has solved 104 out of 104 XBOW benchmark scenarios, including XSS with 15 different filter bypass techniques and SQL injection with WAF evasion.
- Access Control: Verifies that users can only access their own data. Tests for IDOR (Insecure Direct Object Reference) by probing whether manipulating IDs in API requests returns other users' data.
- RLS Validation: For Supabase apps, tests whether Row Level Security policies actually restrict access. Detects
USING(true)policies, missingWITH CHECKon updates, and tables with RLS enabled but no policies configured.
Tier 2: Are Your Defenses Solid? (34 checks)
These findings do not prove data theft is possible today, but they make attacks significantly easier or indicate missing defense layers.
- HTTPS Configuration: Verifies full HTTPS deployment with no mixed content. Checks HSTS headers and SSL certificate validity.
- Content-Security-Policy: Tests whether CSP headers are present and correctly configured. Without CSP, any XSS vulnerability becomes an instant data exfiltration channel.
- Rate Limiting: Probes login, signup, and API endpoints for rate limiting. Without it, an attacker can brute-force passwords at thousands of attempts per minute.
- CORS Configuration: Checks whether your API allows requests from any origin (
*) or restricts to your own domain. Permissive CORS lets any website make authenticated requests to your API. - Cookie Security: Verifies HttpOnly, Secure, and SameSite flags on session cookies. Missing flags enable session hijacking via XSS, cookie theft over HTTP, and CSRF attacks.
- Error Handling: Tests whether error responses leak stack traces, database schemas, or internal file paths. AI-generated code frequently exposes detailed errors in production.
Tier 3: Good Hygiene (48 checks)
Informational findings that traditional scanners obsess over but that rarely lead to actual exploitation. We show these but they never affect your score. They include: missing optional security headers, server version disclosure, and DNS configuration details. These are real things, but they are not how apps get hacked.
How Scoring Works: Hackability, Not Hygiene
Most security scanners measure hygiene: headers, SSL configuration, server version strings. This leads to absurd results where Stripe gets an F (missing X-Frame-Options) and a Supabase app with exposed service_role key gets a B+ (nice headers though!).
Our scoring measures hackability: can someone actually steal data or compromise this application? The system works like this:
- Tier 1 findings (critical/high): Heavy score deductions (-25 for critical, -15 for high). A single exposed secret key drops your score significantly, as it should.
- Tier 2 findings (medium): Moderate deductions (-10 to -2). Missing CSP or rate limiting weakens your defenses but does not prove exploitation.
- Tier 3 findings (informational): Zero score impact. We report them so you know, but they never lower your grade.
- Score floors: If you have no Tier 1 findings, your score cannot go below 75. If you have no Tier 1 or Tier 2 findings, your floor is 90. This prevents header noise from giving a secure app a bad grade.
This approach means your grade reflects actual risk, not scanner noise. When you see a D, it means there are real exploitable issues. When you see an A, it means we tried to break in and could not.
Fix Prompts: Paste Into Cursor and Done
Every finding comes with a fix prompt — a specific instruction you can paste directly into Cursor, Lovable, Bolt, or any AI coding tool to fix the vulnerability. No security expertise required.
Example fix prompt for an exposed API key:
Move the OPENAI_API_KEY from client-side code to a server-side API route.
1. Remove the NEXT_PUBLIC_ prefix from the environment variable
2. Create /app/api/ai/route.ts that imports the key server-side
3. Have the frontend call this API route instead of OpenAI directly
4. Rotate the key in your OpenAI dashboard since it was exposedDevelopers tell us the fix prompts are the most valuable part of the scan. You do not need to understand the vulnerability in depth. You need to know exactly what to change, and the prompt tells you.
What to Do After Your First Scan
If You Score A or B
Your app's defenses are solid. No exploitable vulnerabilities found. Review any Tier 2 findings at your convenience and consider setting up weekly auto-scans to catch regressions when you add new features.
If You Score C
You have some security gaps that need attention. Typically this means missing authentication on some routes or a CORS misconfiguration. Follow the fix prompts, re-deploy, and scan again. Most C-grade apps reach B+ after one fix cycle.
If You Score D or F
You have exploitable vulnerabilities. This is the most common first-scan result for AI-built apps, and it does not mean your app is doomed. It means you have specific things to fix before taking more users.
- Fix every Tier 1 (critical) finding immediately. These are typically exposed secrets, broken RLS, and unprotected admin routes.
- Re-deploy and scan again to verify fixes.
- Move to Tier 2 findings (CSP, rate limiting, CORS).
- Follow our step-by-step hardening guide for a complete walkthrough.
Most apps go from F to B+ in a single afternoon of focused work.
How VibeArmor Compares to Other Free Scanners
Several free security scanners have emerged for AI-built apps. Here is what differentiates VibeArmor:
| Capability | VibeArmor | Typical Free Scanner |
|---|---|---|
| Security checks | 120 | 15-30 |
| Injection testing (XSS, SQLi, SSTI) | Yes, with filter bypass | Basic or none |
| Supabase RLS validation | Yes, policy-level analysis | No |
| Secret detection in JS bundles | Yes, 50+ provider patterns | Basic pattern match |
| Authentication bypass testing | Yes, probes admin routes | No |
| Hackability scoring (not hygiene) | Yes, tier-based | No, header-focused |
| Fix prompts for AI tools | Yes, per finding | Generic advice |
| Benchmark validation | 104/104 XBOW (100%) | Not benchmarked |
| False positive rate | Under 3% | 20-40% |
The core difference is depth. Free scanners that check 15-20 things are testing whether your server sends the right headers. VibeArmor is testing whether someone can steal your users' data. These are fundamentally different questions. Headers matter, but they are not how AI-built apps get hacked. Broken access control, exposed secrets, and injection vulnerabilities are how they get hacked, and those require application-level testing, not header checks.
When Free Is Not Enough
The free scan gives you a complete picture of your app's security posture. For most developers, scanning after each major deploy is enough. When you need more:
- Starter ($99): 5 scans per month, scan history to track improvements, all 120 checks with fix prompts.
- Pro ($99/mo): Unlimited scans, weekly auto-scans that catch regressions even when you forget, priority scanning, and a security badge for your site.
- Pentest ($2,500 one-time): 10-agent deep inside-out assessment with human-verified PoCs, remediation guide, 60-day retest.
- Continuous ($999/mo): Weekly inside-out scan of up to 5 apps, 24-hour critical alerts, monthly summary call.
All plans include the same 120 security checks. The difference is scan frequency, automation, and reporting. See our full cost comparison for how this fits into the broader security testing landscape.
For apps that need fixes done for them, our Pentest service handles remediation: Quick Fix ($500) covers up to 5 critical findings same-day, Full Hardening ($2,500) covers everything, and Ongoing ($1,000/mo) includes continuous monitoring plus fix implementation.
Run Your Free Scan
Paste your deployed URL. Get results in 3 minutes. No account needed. See exactly what an attacker would find.
If you want to understand more about what we test for, read our 15-item security checklist or the 7 most common vulnerabilities in AI-generated code.
Frequently Asked Questions
Is the free scan actually free, or is it a limited trial?
It is free. No credit card. No account required. You get the full 120-check scan with your hackability grade, all findings, and fix prompts. Paid plans add scan frequency, automation, and reporting — the scan itself is the same.
What do you do with the scan data?
Scan results are stored encrypted and associated with the URL you scanned. We do not share scan data with third parties. We do use aggregated, anonymized data to improve our detection engine (for example, identifying new vulnerability patterns across AI-built apps). You can delete your scan data at any time.
Can the scan break my app?
No. The scan sends read-only HTTP requests to your public URL. It does not modify data, inject persistent payloads, or perform denial-of-service testing. It is equivalent to a thorough user visiting every page of your app and checking the responses. Your users will not notice any difference during a scan.
My app is behind authentication. Can you still scan it?
The free scan tests your public-facing surface: login pages, public API endpoints, client-side JavaScript bundles, headers, and unauthenticated route access. This catches the majority of critical vulnerabilities (exposed secrets, unprotected admin routes, missing headers). Authenticated scanning — where the scanner logs in and tests as a user — is available on paid plans and catches cross-user data access, privilege escalation, and authenticated injection points.
I scanned my app and got an F. Am I in trouble?
An F means exploitable vulnerabilities exist, but it does not mean someone has exploited them yet. The most common F-grade findings (exposed secrets, broken RLS) can each be fixed in 15-30 minutes. Follow the fix prompts, re-deploy, re-scan. Most apps reach B+ within a few hours. See our step-by-step guide for the full process.
Related reading
- Why Your AI-Built App Gets an F (And How to Get an A)
Most security scanners grade on hygiene, not hackability. That is why Stripe scores an F and your todo app gets a B. We ...
- Vibe Coding Security Checklist: 15 Things to Check Before You Ship
A prioritized checklist of security issues we find in 70%+ of AI-built apps. Organized by severity so you fix what matte...
- AI Security Audit Cost in 2026: What You Will Actually Pay (and What You Get)
Manual pentests cost $10K-$50K. Enterprise platforms cost $50K-$500K/year. AI-powered scanning starts at $99 (one-time)....
- Run Your Free Scan Now
- Plans Starting at $99
Scan your app free
Paste a URL, get a letter grade and Cursor-ready fixes in 3 minutes. No signup required.
Start Free Scan