Launching today

Perfai Security
Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
169 followers
Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
169 followers
Autonomous access control security for Vibe-coded apps. Our platform finds and fixes live vulnerabilities in your vibe-apps built on Replit, Lovable, Claude Code, Cursor, and other AI-coding tools. 1-prompt makes your app production-ready in minutes without requiring security expertise.










This launch caught my eye since every other product is vibe-coded now sometimes without even involvement of a technical team member. However, for teams with devs, can developers customize scan depth for staging versus production environments?
Perfai Security
@divya_kothari1 great question, and yes. You run different profiles per environment. You can go deep and aggressive in staging with seed test tenants, exercise state-changing and destructive attack paths, full-matrix coverage... because nothing's at risk. On production it runs in a safe, non-destructive mode (read-only checks, no mutating actions) so always-on monitoring never touches live data.
Congrats! Is Perfai Security looking at the running app, the codebase, or both? The “live vulnerabilities in Vibe Apps” wording makes me curious about where it plugs into a developer workflow, especially for teams using AI agents or vibe coding tools to ship fast.
Perfai Security
Much appreciated!! @crystalmei Perfai Security looks at the running app from the URL you give it. That's exactly what "live vulnerabilities" means. We test the deployed, running system the way an attacker actually hits it, not static source analysis, andso we need zero codebase access to find issues. Where it plugs into your workflow is the fix side. The findings flow back through an MCP server (perfai-mcp-server) you drop into your IDE (Cursor, VS Code, Claude Code…), and into CI/CD via a GitHub Actions step so every deploy auto-re-tests.
Release AI
Hey ProductHunt! 👋 Intesar here — CEO of Perfai Security.
This is my third company (DCHQ was acquired by HyperGrid and APIsec), and out of everything I've built, this is the one that keeps me up at night in a good way — because the timing is so obviously right.
Here's the thing about vibe coding that most people miss: the AI coding tools are incredible at making an app look and function like a real product in a few hours. What they're not good at is remembering that "User A shouldn't be able to see User B's invoices" is a rule that has to be enforced in three separate places — the UI, the API, and the database — every single time you ship an update. Nobody's shipping blind on purpose. They just don't have a security team checking access control on every prompt-to-deploy cycle, and honestly, neither did I on my first two companies until it hurt.
So we built Perfai Security as a pre-launch security testing platform for exactly this moment — the gap between "it works on my screen" and "it's live with real users." Paste a URL, our agents map your app, attack its access controls the way a real bad actor would, and hand your AI coding tool (Cursor, Replit, Lovable, Claude Code, whatever you're using) the exact fix — before you ship, not after someone finds it for you. They keep watching every future deploy too, so regressions don't sneak back in. No security background required on your end.
Huge credit to the team who actually built this: Hai, Dr. Abdullah (engineering), Dr. Habeeb (AI), Ghouse (customer success), and Qutub, who wrote the comment above and has been carrying GTM on his back.
If you're vibe-coding anything that touches real user data, I'd genuinely love for you to run it through Perfai Security and tell me what you find (or what we got wrong). I'm in the comments all day — ask me anything about the product, the roadmap, or what "6,000+ access controls in a small app" actually means in practice.
Thanks for checking us out. Build fast, ship safe. 🚀
— Intesar CEO, Perfai Security (perfai.ai)
GrowMeOrganic
Congrats. How does Perfai distinguishes between intentional permissions and actual access control vulnerabilities?
Perfai Security
Great question @iamanantgupta
We start by learning what access is intended. Perfai Security reads the app's UI and role structure to find the base for who's meant to see what before building a permission map from it. Then we replay the same API calls as different users, roles, and tenants and compare what actually comes back.
The distinction is in the response. We only flag it when a user actually receives unauthorized data they were never meant to see. If the endpoint returns their own data, an error, or empty results, that's intended behavior and we leave it alone. We go a step further by excluding resources that are shared by design.
Above all of this, we surface permission anomalies such as cases where the app's real behavior contradicts its own intended access model (a user who should be blocked isn't, or an authorized user is wrongly denied). That's how we separate deliberate permissions from genuine broken-access-control, IDOR, and privilege-escalation issues.
Do you think you can add a GitHub Actions integration to automatically trigger scans after each deployment??
Perfai Security
@ankur_jeswani Appreciate the comment! This integration already works today. Drop in a GitHub Actions step (our CI/CD API is built for it): it triggers a scan, waits, and fails the build on new Criticals with a dedicated CI service-account role, job-id idempotency so retries don't double-scan, and auto-created GitHub issues for findings. It's a copy-paste snippet from our docs right now; one-click Marketplace Action is next. Happy to send you the snippet
Congrats on the launch. How much time does it typically take to generate report? I am guessing it may vary based on the complexity of the app?
Perfai Security
Thank you@zerotox You can get the first results in minutes, but yes it scales with complexity and may take up to 1 hour based on the load. The work is proportional to your access-control matrix (roles × data objects × actions), so a small app is minutes and a large multi-role one takes a bit longer. But we're talking minutes-to-hours vs. the weeks a manual pentest of the same surface would need. And because it's that fast, you can re-run the whole thing on every deploy.
Nas.com
Does Perfai support authentication providers like Clerk, Auth0, or Supabase Auth out of the box?
Perfai Security
@nuseir_yassin1 yes! Because we test black-box from your app's URL, we authenticate through your real login flow using the test credentials you provide for each role. This way, Clerk, Auth0, Supabase Auth and the rest all work. We meet your app wherever it lives instead of needing a separate integration per provider. If you've got a specific setup in mind, let us know and we can confirm the exact flow.
Would genuinely love to have you run something through it.