Launching today

Perfai Security
Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
245 followers
Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
245 followers
Autonomous access control security for Vibe-coded apps. Our platform finds and fixes live vulnerabilities in your vibe-apps built on Replit, Lovable, Claude Code, Cursor, and other AI-coding tools. 1-prompt makes your app production-ready in minutes without requiring security expertise.










Perfai Security
Hey Product Hunt! 👋 Qutub here from Perfai Security.
Over the last 18 months, I've found vibe-coders — including myself — opening Replit, Lovable, Cursor, Copilot, Claude Code (any of the various AI-coding tools) and within a few hours, they have something that looks and functions like a real product, with login, dashboards, payments, database records, admin screens, user roles, and the foundations for handling customer data.
And that's awesome because the app looks finished!
The Problem
Every app has permissions about who can do what. Customer X should only see X's own data, not someone else's. A normal user should not gain admin access. These permissions are also called access controls.
The problem is that even a small app will have thousands of access controls. Here is the simple math:
These access controls live in three places: the app pages people click on, the API endpoints (where the app sends and gets data), and the database (where the data is stored). AI tools build apps fast. But they skip most of these checks in all three places. That is how data leaks and hacks happen.
The Solution: Perfai Security
Autonomous security for AI & vibe-coded Apps
You just paste your app's URL. No code needed. Then our AI agents do three things:
It also keeps watching. Every time you update your app, a locked door can open by accident. We check again after each update, and tell you what broke before anyone else can find it.
And since all of this is done in minutes (relative to what would previously take dev teams weeks to accomplish), the entire loop can be run again with every new update.
Direct Benefits of using Perfai Security?
You save $100K+ in breach costs.
Find vulnerabilities no other tools cover.
Find live issues before users, attackers, or bug bounty hunters do.
Secure your apps against the excessively growing attack-surfaces.
Protect enterprise deals and funding rounds by showing what is being covered, continuously.
Reduce compliance and privacy risks.
Save $10K–$40K in manual testing time and effort by automating.
Prevent customer churn and reputation damage associated with logic issues.
Early Traction:
So far we have secured 4,000+ apps. We found and fixed 28,400+ vulnerabilities. We saved our customers $27.5M in bug bounties. And for our contributions to the overall security field, we have been awarded Innovator of the Year by CloudX.
Product Hunt Offer:
For the Product Hunt community, Perfai Security's Pro-plan is offered at 50% discount with the discount code
You can start testing by pasting your app URL — no source-code access required — and getting your first vulnerability results within minutes.
Thanks for checking out Perfai Security.
Build fast. But don’t ship blind.
@qutub_syed Many congratulations Qutub, Intesar and team on the launch! :)
How I met the maker: I met Qutub a few weeks ago when he pitched me the product. We had a few back-and-forth conversations on the messaging and assets before the launch was ready to go live, and I really enjoyed brainstorming and discussing it with him.
What is the product?
Perfai Security is an autonomous security platform for vibe-coded apps. It finds and fixes live access-control vulnerabilities in apps built with tools like Replit, Lovable, Claude Code, Cursor, and other AI coding platforms.
Why I endorse it?
I endorse it because it tackles a real problem for modern builders: shipping fast often means shipping blind on security. Perfai makes it much easier to catch and fix vulnerabilities before they reach users, without needing a security expert on hand.
Enter your vibe-coded app's URL and find vulnerabilities in minutes: https://perfai.ai/
the "mutate an object you own to reach one you don't" part is what caught my attention. if that attack succeeds against a live production app, the agent didn't just find the vulnerability, it exploited it for real against real data. is there a safe/sandboxed mode where the mutation attempts happen against a snapshot or shadow copy, or does running this against a production app with real customers mean you're accepting some risk of the test itself causing the exact damage you're trying to prevent
Perfai Security
@galdayan great question, you decide what Perfai Security points at. You hand us any base path or app URL. The aggressive, state-changing pass runs against a staging environment, a preview deploy, or a clone/snapshot, not necessarily your live prod. The blast radius is your call, not ours.
And even then, proving an access-control break almost never requires destroying data. For "mutate an object you own to reach one you don't," the vuln is proven the moment the system authorizes the cross-boundary action for the wrong principal... making the 'authorization' the finding. We assert that the boundary is crossable but we don't complete the destruction to prove it. So the check never depends on a destructive write, and anything genuinely state-changing you route to the staging/clone URL you give us.
You can sign up free at perfai.ai (or 50% off the Pro plan with our Product Hunt discount) and I'd be happy to connect and walk you through pointing it at a staging clone.
Scanning live deployed vibe apps rather than static source is the right call. Most tools miss runtime behavior entirely. We've run into situations where AI-generated code introduces subtle auth gaps that only surface under specific API call sequences. How does your scanner handle stateful multi-step exploits? Can it chain requests across endpoints to trigger a vulnerability that no single request would expose?
Perfai Security
@anand_thakkar1 that's exactly the right question, and yes 🔥. It's one of the biggest reasons we built the Vision Agent. Instead of looking at isolated endpoints, it learns how your app actually works by mapping the workflows and request sequences it uses, like create → update → approve → read
The Security Agent then replays those flows and mutates them to uncover things like multi step privilege escalation, state transition abuse, creating an object as role A and accessing it as role B, or skipping an approval step a few calls earlier. These are the kinds of stateful authorization issues that only show up across a sequence of requests, so most scanners never see them.
Every finding comes with the exact request chain needed to reproduce it. Business logic chaining is an area we're continuing to push hard on.
Give it a try and see what sequences it surfaces in your app. It's free: perfai.ai
Ran it on a small Replit app and it flagged an exposed API key plus a sketchy redirect I genuinely missed, super easy fix flow. Wish I'd had this a few months ago when I shipped something embarrassingly broken.
Perfai Security
@tarkb3lu Thanks for sharing that.. an exposed API key and an open redirect are exactly the kind of issues that can slip through when you're shipping quickly with AI. It's usually not carelessness, just not having time to inspect every endpoint and flow.
Glad Perfai caught them in one pass. If you've got a larger app with multiple roles and real user data, that's where it starts finding the more interesting access control issues too. Give it a run and see what it turns up.
Thanks again for sharing the results!
Documentation.AI
Can Perfai detect business logic vulnerabilities, or is it mainly focused on authorization issues? BTW, congrats on shipping..
Perfai Security
@roopreddy thank you, and great distinction to draw. Access control is business logic. It's the highest-value slice of it, and the one missed most often. So that's where we go deepest: BOLA/BFLA/IDOR, privilege escalation, cross-tenant isolation, multi-step workflow authz.
But we don't test at the "is there an auth check?" level. The Vision Agent builds a semantic model of your app with the roles, objects, actions, state... all taken into account. And our Security Agent can reason about the intended rules and then try to break them, such as:
skip a workflow step
replay a state transition
mutate an object you own to reach one you don't
chain a privilege escalation
That's all 'logic'-level attacking. Pure economic-logic abuse (price/coupon/quota manipulation, business-invariant races) is what we're expanding into next. Want to see what it flags on yours? You can use our discount code to get 50% off on the Pro plan (in pinned comment)
Release AI
Hey ProductHunt! 👋 Intesar here — CEO of Perfai Security.
This is my third company (DCHQ was acquired by HyperGrid and APIsec), and out of everything I've built, this is the one that keeps me up at night in a good way — because the timing is so obviously right.
Here's the thing about vibe coding that most people miss: the AI coding tools are incredible at making an app look and function like a real product in a few hours. What they're not good at is remembering that "User A shouldn't be able to see User B's invoices" is a rule that has to be enforced in three separate places — the UI, the API, and the database — every single time you ship an update. Nobody's shipping blind on purpose. They just don't have a security team checking access control on every prompt-to-deploy cycle, and honestly, neither did I on my first two companies until it hurt.
So we built Perfai Security as a pre-launch security testing platform for exactly this moment — the gap between "it works on my screen" and "it's live with real users." Paste a URL, our agents map your app, attack its access controls the way a real bad actor would, and hand your AI coding tool (Cursor, Replit, Lovable, Claude Code, whatever you're using) the exact fix — before you ship, not after someone finds it for you. They keep watching every future deploy too, so regressions don't sneak back in. No security background required on your end.
Huge credit to the team who actually built this: Hai, Dr. Abdullah (engineering), Dr. Habeeb (AI), Ghouse (customer success), and Qutub, who wrote the comment above and has been carrying GTM on his back.
If you're vibe-coding anything that touches real user data, I'd genuinely love for you to run it through Perfai Security and tell me what you find (or what we got wrong). I'm in the comments all day — ask me anything about the product, the roadmap, or what "6,000+ access controls in a small app" actually means in practice.
Thanks for checking us out. Build fast, ship safe. 🚀
— Intesar CEO, Perfai Security (perfai.ai)
Tools like this are usually judged by what they catch, but the harder part is what slips through.
Do you have a sense of that side - cases where something looked clean but was found later? That would matter more to me than the total number of vulnerabilities found.
Congrats on the launch!
Perfai Security
Hello@jared_salois I'm particularly excited to answer your question!
Raw vuln counts are a vanity metric. And you're right... what slips through is the real test. A few ways we attack the false-negative problem head-on:
We measure against a known denominator. The Vision Agent enumerates the full access-control matrix (roles × objects × actions), so we report coverage (what share of that surface we actually exercised) not just a pile of findings. You see what we tested, not only what we caught.
Gaps are reported as gaps, never as green. An auth wall we couldn't cross, or a path we lacked credentials for, or a flow needing business context we can't infer ("this discount should never apply to enterprise SKUs"), etc. All those surface as explicit coverage gaps, not a false "clean."
"Looked clean, found later" is a first-class case. Every deploy gets re-tested, and as our attack models improve, we re-scan existing apps. So yesterday's "clean" can legitimately become today's finding. Coverage is a living thing, not a one-time snapshot.
And every finding is exploit-verified, so what you do get isn't diluted by false positives. We'd rather hand you an honest "here's what we didn't reach" than a green checkmark that lies.