Perfai Security - Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
byβ’
Autonomous access control security for Vibe-coded apps. Our platform finds and fixes live vulnerabilities in your vibe-apps built on Replit, Lovable, Claude Code, Cursor, and other AI-coding tools. 1-prompt makes your app production-ready in minutes without requiring security expertise.
Replies
Perfai Security
Hey Product Hunt!Β π Qutub here from Perfai Security.
Β
Over the last 18 months, I've found vibe-coders β including myself β opening Replit, Lovable, Cursor, Copilot, Claude Code (any of the various AI-coding tools) and within a few hours, they have something that looks and functions like a real product, with login, dashboards, payments, database records, admin screens, user roles, and the foundations for handling customer data.
Β
And that's awesome because the app looks finished!
The Problem
Every app has permissions about who can do what. Customer X should only see X's own data, not someone else's. A normal user should not gain admin access. These permissions are also called access controls.
The problem is that even a small app will have thousands of access controls. Here is the simple math:
These access controls live in three places: the app pages people click on, the API endpoints (where the app sends and gets data), and the database (where the data is stored). AI tools build apps fast. But they skip most of these checks in all three places. That is how data leaks and hacks happen.
The Solution: Perfai Security
Autonomous security for AI & vibe-coded Apps
You just paste your app's URL. No code needed. Then our AI agents do three things:
It also keeps watching. Every time you update your app, a locked door can open by accident. We check again after each update, and tell you what broke before anyone else can find it.
And since all of this is done in minutes (relative to what would previously take dev teams weeks to accomplish), the entire loop can be run again with every new update.
Direct Benefits of using Perfai Security?
You save $100K+ in breach costs.
Find vulnerabilities no other tools cover.
Find live issues before users, attackers, or bug bounty hunters do.
Secure your apps against the excessively growing attack-surfaces.
Protect enterprise deals and funding rounds by showing what is being covered, continuously.
Reduce compliance and privacy risks.
Save $10Kβ$40K in manual testing time and effort by automating.
Prevent customer churn and reputation damage associated with logic issues.
Early Traction:
So far we have secured 4,000+ apps. We found and fixed 28,400+ vulnerabilities. We saved our customers $27.5M in bug bounties. And for our contributions to the overall security field, we have been awarded Innovator of the Year by CloudX.
Product Hunt Offer:
For the Product Hunt community, Perfai Security's Pro-plan is offered at 50% discount with the discount code
You can start testing by pasting your app URL β no source-code access required β and getting your first vulnerability results within minutes.
Thanks for checking out Perfai Security.
Build fast. But donβt ship blind.
@qutub_syedΒ Many congratulations Qutub, Intesar and team on the launch! :)
How I met the maker: I met Qutub a few weeks ago when he pitched me the product. We had a few back-and-forth conversations on the messaging and assets before the launch was ready to go live, and I really enjoyed brainstorming and discussing it with him.
What is the product?
Perfai Security is an autonomous security platform for vibe-coded apps. It finds and fixes live access-control vulnerabilities in apps built with tools like Replit, Lovable, Claude Code, Cursor, and other AI coding platforms.
Why I endorse it?
I endorse it because it tackles a real problem for modern builders: shipping fast often means shipping blind on security. Perfai makes it much easier to catch and fix vulnerabilities before they reach users, without needing a security expert on hand.
Enter your vibe-coded app's URL and find vulnerabilities in minutes: https://perfai.ai/
Release AI
Hey ProductHunt! π Intesar here β CEO of Perfai Security.
This is my third company (DCHQ was acquired by HyperGrid and APIsec), and out of everything I've built, this is the one that keeps me up at night in a good way β because the timing is so obviously right.
Here's the thing about vibe coding that most people miss: the AI coding tools are incredible at making an app look and function like a real product in a few hours. What they're not good at is remembering that "User A shouldn't be able to see User B's invoices" is a rule that has to be enforced in three separate places β the UI, the API, and the database β every single time you ship an update. Nobody's shipping blind on purpose. They just don't have a security team checking access control on every prompt-to-deploy cycle, and honestly, neither did I on my first two companies until it hurt.
So we built Perfai Security as a pre-launch security testing platform for exactly this moment β the gap between "it works on my screen" and "it's live with real users." Paste a URL, our agents map your app, attack its access controls the way a real bad actor would, and hand your AI coding tool (Cursor, Replit, Lovable, Claude Code, whatever you're using) the exact fix β before you ship, not after someone finds it for you. They keep watching every future deploy too, so regressions don't sneak back in. No security background required on your end.
Huge credit to the team who actually built this: Hai, Dr. Abdullah (engineering), Dr. Habeeb (AI), Ghouse (customer success), and Qutub, who wrote the comment above and has been carrying GTM on his back.
If you're vibe-coding anything that touches real user data, I'd genuinely love for you to run it through Perfai Security and tell me what you find (or what we got wrong). I'm in the comments all day β ask me anything about the product, the roadmap, or what "6,000+ access controls in a small app" actually means in practice.
Thanks for checking us out. Build fast, ship safe. π
β Intesar CEO, Perfai Security (perfai.ai)
GrowMeOrganic
Congrats. How does Perfai distinguishes between intentional permissions and actual access control vulnerabilities?
Perfai Security
Great question @iamanantguptaΒ
We start by learning what access is intended. Perfai Security reads the app's UI and role structure to find the base for who's meant to see what before building a permission map from it. Then we replay the same API calls as different users, roles, and tenants and compare what actually comes back.
The distinction is in the response. We only flag it when a user actually receives unauthorized data they were never meant to see. If the endpoint returns their own data, an error, or empty results, that's intended behavior and we leave it alone. We go a step further by excluding resources that are shared by design.
Above all of this, we surface permission anomalies such as cases where the app's real behavior contradicts its own intended access model (a user who should be blocked isn't, or an authorized user is wrongly denied). That's how we separate deliberate permissions from genuine broken-access-control, IDOR, and privilege-escalation issues.
Do you think you can add a GitHub Actions integration to automatically trigger scans after each deployment??
Perfai Security
@ankur_jeswaniΒ Appreciate the comment! This integration already works today. Drop in a GitHub Actions step (our CI/CD API is built for it): it triggers a scan, waits, and fails the build on new Criticals with a dedicated CI service-account role, job-id idempotency so retries don't double-scan, and auto-created GitHub issues for findings. It's a copy-paste snippet from our docs right now; one-click Marketplace Action is next. Happy to send you the snippet
Congrats on the launch. How much time does it typically take to generate report? I am guessing it may vary based on the complexity of the app?
Perfai Security
Thank you@zerotoxΒ You can get the first results in minutes, but yes it scales with complexity and may take up to 1 hour based on the load. The work is proportional to your access-control matrix (roles Γ data objects Γ actions), so a small app is minutes and a large multi-role one takes a bit longer. But we're talking minutes-to-hours vs. the weeks a manual pentest of the same surface would need. And because it's that fast, you can re-run the whole thing on every deploy.
Documentation.AI
Can Perfai detect business logic vulnerabilities, or is it mainly focused on authorization issues? BTW, congrats on shipping..
Perfai Security
@roopreddyΒ thank you, and great distinction to draw. Access control is business logic. It's the highest-value slice of it, and the one missed most often. So that's where we go deepest: BOLA/BFLA/IDOR, privilege escalation, cross-tenant isolation, multi-step workflow authz.
But we don't test at the "is there an auth check?" level. The Vision Agent builds a semantic model of your app with the roles, objects, actions, state... all taken into account. And our Security Agent can reason about the intended rules and then try to break them, such as:
skip a workflow step
replay a state transition
mutate an object you own to reach one you don't
chain a privilege escalation
That's all 'logic'-level attacking. Pure economic-logic abuse (price/coupon/quota manipulation, business-invariant races) is what we're expanding into next. Want to see what it flags on yours? You can use our discount code to get 50% off on the Pro plan (in pinned comment)
Perfai reduces the barrier to security testing as the workflow is as easy as pasting the URL. Congrats on launching today.
Perfai Security
Much appreciated @himani_sah1Β
Thatβs exactly what weβre trying to solve. With so many vibe-coded apps going live, security testing needs to fit the builderβs workflow. Perfai Security makes it possible for solo founders and small teams to deep-test access controls in live apps without needing enterprise security teams, long setup cycles, or manual testing expertise.
Nas.com
Does Perfai support authentication providers like Clerk, Auth0, or Supabase Auth out of the box?
Perfai Security
@nuseir_yassin1Β yes! Because we test black-box from your app's URL, we authenticate through your real login flow using the test credentials you provide for each role. This way, Clerk, Auth0, Supabase Auth and the rest all work. We meet your app wherever it lives instead of needing a separate integration per provider. If you've got a specific setup in mind, let us know and we can confirm the exact flow.
Would genuinely love to have you run something through it.
ConnectMachine
How well does Perfai handle multi-tenant SaaS applications with complex permission hierarchies?
Perfai Security
Hi! This is our home turf @syed_shayanur_rahmanΒ Multi-tenant SaaS is where access control gets brutal, and it's what we test hardest. The Vision Agent builds a per-tenant identity map with every role across your hierarchy (org β workspace β team β resource, plus nested roles and inherited/overridden permissions) and the Security Agent then attacks on two axes: horizontal being classic cross-tenant isolation breaks and vertical being whether a member can escalate to admin/owner inside a tenant. It reasons over the effective permission, not the declared one, so inheritance quirks and role-override edge cases get exercised. Cross-tenant leakage is the highest-severity class we hunt.
Dropping a major upvote, qq does the security agent test for complex injection flaws (like SQLi or NoSQL injection) alongside the broken object-level access controls? congrats π @qutub_syed
Perfai Security
Really appreciate the kind words,@vikramp7470Β !!
Our access control testing platform compliments DAST / SAST testing tools that already test for injection flaws. And so as to not compete, but rather ensure the un-addressed majority of threat categories are secured against, we built Perfai Security around access control vulnerability testing.
@qutub_syedΒ Thanks for raising this, all the best for your launchπ