Launching today

Perfai Security
Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
147 followers
Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
147 followers
Autonomous access control security for Vibe-coded apps. Our platform finds and fixes live vulnerabilities in your vibe-apps built on Replit, Lovable, Claude Code, Cursor, and other AI-coding tools. 1-prompt makes your app production-ready in minutes without requiring security expertise.










Perfai Security
Hey Product Hunt! 👋 Qutub here from Perfai Security.
Over the last 18 months, I've found vibe-coders — including myself — opening Replit, Lovable, Cursor, Copilot, Claude Code (any of the various AI-coding tools) and within a few hours, they have something that looks and functions like a real product, with login, dashboards, payments, database records, admin screens, user roles, and the foundations for handling customer data.
And that's awesome because the app looks finished!
The Problem
Every app has permissions about who can do what. Customer X should only see X's own data, not someone else's. A normal user should not gain admin access. These permissions are also called access controls.
The problem is that even a small app will have thousands of access controls. Here is the simple math:
These access controls live in three places: the app pages people click on, the API endpoints (where the app sends and gets data), and the database (where the data is stored). AI tools build apps fast. But they skip most of these checks in all three places. That is how data leaks and hacks happen.
The Solution: Perfai Security
Autonomous security for AI & vibe-coded Apps
You just paste your app's URL. No code needed. Then our AI agents do three things:
It also keeps watching. Every time you update your app, a locked door can open by accident. We check again after each update, and tell you what broke before anyone else can find it.
And since all of this is done in minutes (relative to what would previously take dev teams weeks to accomplish), the entire loop can be run again with every new update.
Direct Benefits of using Perfai Security?
You save $100K+ in breach costs.
Find vulnerabilities no other tools cover.
Find live issues before users, attackers, or bug bounty hunters do.
Secure your apps against the excessively growing attack-surfaces.
Protect enterprise deals and funding rounds by showing what is being covered, continuously.
Reduce compliance and privacy risks.
Save $10K–$40K in manual testing time and effort by automating.
Prevent customer churn and reputation damage associated with logic issues.
Early Traction:
So far we have secured 4,000+ apps. We found and fixed 28,400+ vulnerabilities. We saved our customers $27.5M in bug bounties. And for our contributions to the overall security field, we have been awarded Innovator of the Year by CloudX.
Product Hunt Offer:
For the Product Hunt community, Perfai Security's Pro-plan is offered at 50% discount with the discount code
You can start testing by pasting your app URL — no source-code access required — and getting your first vulnerability results within minutes.
Thanks for checking out Perfai Security.
Build fast. But don’t ship blind.
@qutub_syed Many congratulations Qutub, Intesar and team on the launch! :)
How I met the maker: I met Qutub a few weeks ago when he pitched me the product. We had a few back-and-forth conversations on the messaging and assets before the launch was ready to go live, and I really enjoyed brainstorming and discussing it with him.
What is the product?
Perfai Security is an autonomous security platform for vibe-coded apps. It finds and fixes live access-control vulnerabilities in apps built with tools like Replit, Lovable, Claude Code, Cursor, and other AI coding platforms.
Why I endorse it?
I endorse it because it tackles a real problem for modern builders: shipping fast often means shipping blind on security. Perfai makes it much easier to catch and fix vulnerabilities before they reach users, without needing a security expert on hand.
Enter your vibe-coded app's URL and find vulnerabilities in minutes: https://perfai.ai/
Documentation.AI
Can Perfai detect business logic vulnerabilities, or is it mainly focused on authorization issues? BTW, congrats on shipping..
Perfai Security
@roopreddy thank you, and great distinction to draw. Access control is business logic. It's the highest-value slice of it, and the one missed most often. So that's where we go deepest: BOLA/BFLA/IDOR, privilege escalation, cross-tenant isolation, multi-step workflow authz.
But we don't test at the "is there an auth check?" level. The Vision Agent builds a semantic model of your app with the roles, objects, actions, state... all taken into account. And our Security Agent can reason about the intended rules and then try to break them, such as:
skip a workflow step
replay a state transition
mutate an object you own to reach one you don't
chain a privilege escalation
That's all 'logic'-level attacking. Pure economic-logic abuse (price/coupon/quota manipulation, business-invariant races) is what we're expanding into next. Want to see what it flags on yours? You can use our discount code to get 50% off on the Pro plan (in pinned comment)
Tools like this are usually judged by what they catch, but the harder part is what slips through.
Do you have a sense of that side - cases where something looked clean but was found later? That would matter more to me than the total number of vulnerabilities found.
Congrats on the launch!
Perfai Security
Hello@jared_salois I'm particularly excited to answer your question!
Raw vuln counts are a vanity metric. And you're right... what slips through is the real test. A few ways we attack the false-negative problem head-on:
We measure against a known denominator. The Vision Agent enumerates the full access-control matrix (roles × objects × actions), so we report coverage (what share of that surface we actually exercised) not just a pile of findings. You see what we tested, not only what we caught.
Gaps are reported as gaps, never as green. An auth wall we couldn't cross, or a path we lacked credentials for, or a flow needing business context we can't infer ("this discount should never apply to enterprise SKUs"), etc. All those surface as explicit coverage gaps, not a false "clean."
"Looked clean, found later" is a first-class case. Every deploy gets re-tested, and as our attack models improve, we re-scan existing apps. So yesterday's "clean" can legitimately become today's finding. Coverage is a living thing, not a one-time snapshot.
And every finding is exploit-verified, so what you do get isn't diluted by false positives. We'd rather hand you an honest "here's what we didn't reach" than a green checkmark that lies.
Congrats on the launch! The re-check on every update is the part that matters most, since a lot of these tools only catch access-control gaps once and then go stale. Does that re-scan run automatically after each deploy, or do you have to trigger it?
Perfai Security
@irahimiam spot-on! Both modes exist, but automatic is the whole point. You can fire a run manually anytime (one prompt / paste-URL), but the real setup wires it into your pipeline so it runs automatically on a scheduled basis or with each deploy... GitHub Actions steps (or our CI/CD API / deploy webhook) can trigger the scan, wait, and fail the build on any new Critical. Each run diffs against your last clean baseline, so you only hear about what changed, not the same list again. Set it once and every future deploy can re-test itself.
This launch caught my eye since every other product is vibe-coded now sometimes without even involvement of a technical team member. However, for teams with devs, can developers customize scan depth for staging versus production environments?
Perfai Security
@divya_kothari1 great question, and yes. You run different profiles per environment. You can go deep and aggressive in staging with seed test tenants, exercise state-changing and destructive attack paths, full-matrix coverage... because nothing's at risk. On production it runs in a safe, non-destructive mode (read-only checks, no mutating actions) so always-on monitoring never touches live data.
Release AI
Hey ProductHunt! 👋 Intesar here — CEO of Perfai Security.
This is my third company (DCHQ was acquired by HyperGrid and APIsec), and out of everything I've built, this is the one that keeps me up at night in a good way — because the timing is so obviously right.
Here's the thing about vibe coding that most people miss: the AI coding tools are incredible at making an app look and function like a real product in a few hours. What they're not good at is remembering that "User A shouldn't be able to see User B's invoices" is a rule that has to be enforced in three separate places — the UI, the API, and the database — every single time you ship an update. Nobody's shipping blind on purpose. They just don't have a security team checking access control on every prompt-to-deploy cycle, and honestly, neither did I on my first two companies until it hurt.
So we built Perfai Security as a pre-launch security testing platform for exactly this moment — the gap between "it works on my screen" and "it's live with real users." Paste a URL, our agents map your app, attack its access controls the way a real bad actor would, and hand your AI coding tool (Cursor, Replit, Lovable, Claude Code, whatever you're using) the exact fix — before you ship, not after someone finds it for you. They keep watching every future deploy too, so regressions don't sneak back in. No security background required on your end.
Huge credit to the team who actually built this: Hai, Dr. Abdullah (engineering), Dr. Habeeb (AI), Ghouse (customer success), and Qutub, who wrote the comment above and has been carrying GTM on his back.
If you're vibe-coding anything that touches real user data, I'd genuinely love for you to run it through Perfai Security and tell me what you find (or what we got wrong). I'm in the comments all day — ask me anything about the product, the roadmap, or what "6,000+ access controls in a small app" actually means in practice.
Thanks for checking us out. Build fast, ship safe. 🚀
— Intesar CEO, Perfai Security (perfai.ai)
GrowMeOrganic
Congrats. How does Perfai distinguishes between intentional permissions and actual access control vulnerabilities?
Perfai Security
Great question @iamanantgupta
We start by learning what access is intended. Perfai Security reads the app's UI and role structure to find the base for who's meant to see what before building a permission map from it. Then we replay the same API calls as different users, roles, and tenants and compare what actually comes back.
The distinction is in the response. We only flag it when a user actually receives unauthorized data they were never meant to see. If the endpoint returns their own data, an error, or empty results, that's intended behavior and we leave it alone. We go a step further by excluding resources that are shared by design.
Above all of this, we surface permission anomalies such as cases where the app's real behavior contradicts its own intended access model (a user who should be blocked isn't, or an authorized user is wrongly denied). That's how we separate deliberate permissions from genuine broken-access-control, IDOR, and privilege-escalation issues.