Launching today

Perfai Security
Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
96 followers
Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
96 followers
Autonomous access control security for Vibe-coded apps. Our platform finds and fixes live vulnerabilities in your vibe-apps built on Replit, Lovable, Claude Code, Cursor, and other AI-coding tools. 1-prompt makes your app production-ready in minutes without requiring security expertise.










Perfai Security
Hey Product Hunt!ย ๐ Qutub here from Perfai Security.
ย
Over the last 18 months, I've found vibe-coders โ including myself โ opening Replit, Lovable, Cursor, Copilot, Claude Code (any of the various AI-coding tools) and within a few hours, they have something that looks and functions like a real product, with login, dashboards, payments, database records, admin screens, user roles, and the foundations for handling customer data.
ย
And that's awesome because the app looks finished!
The Problem
Every app has permissions about who can do what. Customer X should only see X's own data, not someone else's. A normal user should not gain admin access. These permissions are also called access controls.
The problem is that even a small app will have thousands of access controls. Here is the simple math:
These access controls live in three places: the app pages people click on, the API endpoints (where the app sends and gets data), and the database (where the data is stored). AI tools build apps fast. But they skip most of these checks in all three places. That is how data leaks and hacks happen.
The Solution: Perfai Security
Autonomous security for AI & vibe-coded Apps
You just paste your app's URL. No code needed. Then our AI agents do three things:
It also keeps watching. Every time you update your app, a locked door can open by accident. We check again after each update, and tell you what broke before anyone else can find it.
And since all of this is done in minutes (relative to what would previously take dev teams weeks to accomplish), the entire loop can be run again with every new update.
Direct Benefits of using Perfai Security?
You save $100K+ in breach costs.
Find vulnerabilities no other tools cover.
Find live issues before users, attackers, or bug bounty hunters do.
Secure your apps against the excessively growing attack-surfaces.
Protect enterprise deals and funding rounds by showing what is being covered, continuously.
Reduce compliance and privacy risks.
Save $10Kโ$40K in manual testing time and effort by automating.
Prevent customer churn and reputation damage associated with logic issues.
Early Traction:
So far we have secured 4,000+ apps. We found and fixed 28,400+ vulnerabilities. We saved our customers $27.5M in bug bounties. And for our contributions to the overall security field, we have been awarded Innovator of the Year by CloudX.
Product Hunt Offer:
For the Product Hunt community, Perfai Security's Pro-plan is offered at 50% discount with the discount code
You can start testing by pasting your app URL โ no source-code access required โ and getting your first vulnerability results within minutes.
Thanks for checking out Perfai Security.
Build fast. But donโt ship blind.
@qutub_syedย Many congratulations Qutub, Intesar and team on the launch! :)
How I met the maker: I met Qutub a few weeks ago when he pitched me the product. We had a few back-and-forth conversations on the messaging and assets before the launch was ready to go live, and I really enjoyed brainstorming and discussing it with him.
What is the product?
Perfai Security is an autonomous security platform for vibe-coded apps. It finds and fixes live access-control vulnerabilities in apps built with tools like Replit, Lovable, Claude Code, Cursor, and other AI coding platforms.
Why I endorse it?
I endorse it because it tackles a real problem for modern builders: shipping fast often means shipping blind on security. Perfai makes it much easier to catch and fix vulnerabilities before they reach users, without needing a security expert on hand.
Enter your vibe-coded app's URL and find vulnerabilities in minutes: https://perfai.ai/
Release AI
Hey ProductHunt! ๐ Intesar here โ CEO of Perfai Security.
This is my third company (DCHQ was acquired by HyperGrid and APIsec), and out of everything I've built, this is the one that keeps me up at night in a good way โ because the timing is so obviously right.
Here's the thing about vibe coding that most people miss: the AI coding tools are incredible at making an app look and function like a real product in a few hours. What they're not good at is remembering that "User A shouldn't be able to see User B's invoices" is a rule that has to be enforced in three separate places โ the UI, the API, and the database โ every single time you ship an update. Nobody's shipping blind on purpose. They just don't have a security team checking access control on every prompt-to-deploy cycle, and honestly, neither did I on my first two companies until it hurt.
So we built Perfai Security as a pre-launch security testing platform for exactly this moment โ the gap between "it works on my screen" and "it's live with real users." Paste a URL, our agents map your app, attack its access controls the way a real bad actor would, and hand your AI coding tool (Cursor, Replit, Lovable, Claude Code, whatever you're using) the exact fix โ before you ship, not after someone finds it for you. They keep watching every future deploy too, so regressions don't sneak back in. No security background required on your end.
Huge credit to the team who actually built this: Hai, Dr. Abdullah (engineering), Dr. Habeeb (AI), Ghouse (customer success), and Qutub, who wrote the comment above and has been carrying GTM on his back.
If you're vibe-coding anything that touches real user data, I'd genuinely love for you to run it through Perfai Security and tell me what you find (or what we got wrong). I'm in the comments all day โ ask me anything about the product, the roadmap, or what "6,000+ access controls in a small app" actually means in practice.
Thanks for checking us out. Build fast, ship safe. ๐
โ Intesar CEO, Perfai Security (perfai.ai)
Tools like this are usually judged by what they catch, but the harder part is what slips through.
Do you have a sense of that side - cases where something looked clean but was found later? That would matter more to me than the total number of vulnerabilities found.
Congrats on the launch!
Congrats on the launch! The re-check on every update is the part that matters most, since a lot of these tools only catch access-control gaps once and then go stale. Does that re-scan run automatically after each deploy, or do you have to trigger it?
GrowMeOrganic
Congrats. How does Perfai distinguishes between intentional permissions and actual access control vulnerabilities?
Perfai Security
Great question @iamanantguptaย
We start by learning what access is intended. Perfai Security reads the app's UI and role structure to find the base for who's meant to see what before building a permission map from it. Then we replay the same API calls as different users, roles, and tenants and compare what actually comes back.
The distinction is in the response. We only flag it when a user actually receives unauthorized data they were never meant to see. If the endpoint returns their own data, an error, or empty results, that's intended behavior and we leave it alone. We go a step further by excluding resources that are shared by design.
Above all of this, we surface permission anomalies such as cases where the app's real behavior contradicts its own intended access model (a user who should be blocked isn't, or an authorized user is wrongly denied). That's how we separate deliberate permissions from genuine broken-access-control, IDOR, and privilege-escalation issues.
Nas.com
Does Perfai support authentication providers like Clerk, Auth0, or Supabase Auth out of the box?