Perfai Security - Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
by•
Autonomous access control security for Vibe-coded apps. Our platform finds and fixes live vulnerabilities in your vibe-apps built on Replit, Lovable, Claude Code, Cursor, and other AI-coding tools. 1-prompt makes your app production-ready in minutes without requiring security expertise.
Replies
This launch caught my eye since every other product is vibe-coded now sometimes without even involvement of a technical team member. However, for teams with devs, can developers customize scan depth for staging versus production environments?
Perfai Security
@divya_kothari1 great question, and yes. You run different profiles per environment. You can go deep and aggressive in staging with seed test tenants, exercise state-changing and destructive attack paths, full-matrix coverage... because nothing's at risk. On production it runs in a safe, non-destructive mode (read-only checks, no mutating actions) so always-on monitoring never touches live data.
EverTutor AI
Vibe coding made building apps 10x faster, but security has become the biggest blind spot. Love that you're solving this with a single prompt approach. This could save builders countless hours of manual audits. Congrats on the launch
Perfai Security
@suryansh_tiwari2 thank you!! 🙏 and you framed it exactly right: vibe coding made building 10x faster, but nothing made to secure at that same speed. That's a gap we close, and aim to improve. Those "countless hours of manual audits" are the real cost... enumerating 6,000+ access controls across UI, API, and DB by-hand takes a pentest team weeks, but our agents run the same matrix autonomously in minutes.
Since EverTutor's likely handling real student data, I'd love for you to try it out. You can sign up free or get 50% off on the pro plan at perfai.ai
Congrats! Is Perfai Security looking at the running app, the codebase, or both? The “live vulnerabilities in Vibe Apps” wording makes me curious about where it plugs into a developer workflow, especially for teams using AI agents or vibe coding tools to ship fast.
Perfai Security
Much appreciated!! @crystalmei Perfai Security looks at the running app from the URL you give it. That's exactly what "live vulnerabilities" means. We test the deployed, running system the way an attacker actually hits it, not static source analysis, andso we need zero codebase access to find issues. Where it plugs into your workflow is the fix side. The findings flow back through an MCP server (perfai-mcp-server) you drop into your IDE (Cursor, VS Code, Claude Code…), and into CI/CD via a GitHub Actions step so every deploy auto-re-tests.
Scanning live deployed vibe apps rather than static source is the right call. Most tools miss runtime behavior entirely. We've run into situations where AI-generated code introduces subtle auth gaps that only surface under specific API call sequences. How does your scanner handle stateful multi-step exploits? Can it chain requests across endpoints to trigger a vulnerability that no single request would expose?
Most of my codebase was written with AI coding agents, so security is honestly the thing I think about the most. Product logic I can verify just by using the app, but auth edge cases never show up that way. One question, when the fix agent ships a patch, do I get to review it before it lands? A one prompt fix sounds great until it touches something load bearing :) Congrats on the launch!
This is the right problem to aim at. The scary part of AI-built apps is not the rough edge in the UI; it is the invisible permission model across pages, APIs, and data. A useful security pass has to prove what each role cannot do, not just what the happy path can do.
The “paste your app URL” workflow is appealing because it removes a lot of the friction around security testing. I’m wondering how you decide which vulnerabilities to prioritize first—do you rank them by severity, exploitability, or something else?
Hi Qutub Syed, nice idea and the site looks good, I like the “test a live app by URL” approach, especially for small builders who don’t have a security team.
I tried entering my app URL and clicking “Test now”, but nothing seemed to happen on my end. I may be missing a step, or it could be a browser issue. Just wanted to flag it in case it helps with the launch feedback.