Launching today

Perfai Security
Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
178 followers
Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
178 followers
Autonomous access control security for Vibe-coded apps. Our platform finds and fixes live vulnerabilities in your vibe-apps built on Replit, Lovable, Claude Code, Cursor, and other AI-coding tools. 1-prompt makes your app production-ready in minutes without requiring security expertise.










ConnectMachine
How well does Perfai handle multi-tenant SaaS applications with complex permission hierarchies?
Perfai Security
Hi! This is our home turf @syed_shayanur_rahman Multi-tenant SaaS is where access control gets brutal, and it's what we test hardest. The Vision Agent builds a per-tenant identity map with every role across your hierarchy (org → workspace → team → resource, plus nested roles and inherited/overridden permissions) and the Security Agent then attacks on two axes: horizontal being classic cross-tenant isolation breaks and vertical being whether a member can escalate to admin/owner inside a tenant. It reasons over the effective permission, not the declared one, so inheritance quirks and role-override edge cases get exercised. Cross-tenant leakage is the highest-severity class we hunt.
Perfai Security
Hi @thys_beesman , thanks for asking. Perfai Security offers both, and this is where Perfai Security really shines. We don't just stop at a list of vulnerabilities.
We ship an MCP server (perfai-mcp-server) you drop into your IDE (Cursor, VS Code, or any MCP-compatible agent). Once connected, it pulls your reported issues directly into the editor, and for any issue it generates a context-rich fix prompt with exact endpoint, vulnerability, remediation contexts. Your IDE's coding agent then implements the fix right in your codebase, following your existing patterns and architecture.
We deliberately keep the developer in the loop rather than auto-patching your repo. This way, we never require any code-access. And so the fix lands in your editor where you review and merge it like any other change.
So it's detection → guided remediation → fix, without Perfai Security ever writing to your code behind your back.
TL;DR — Perfai Security maps your app, detects vulnerabilities, provides the fixes, and then retests to verify the issues are patched.
Do I paste the URL and walk away, or set up test accounts first?
Perfai Security
@oliver_hayes1 you can paste-and-go for a fast first look 🙂, but for the real value, hand it a couple of test accounts. Access control is all about who can do what, so the high-severity findings like cross-tenant data access, privilege escalation, BOLA will only surface when the agent can log in as different roles and try to cross the boundaries between them.
If UI hides an admin route that's still live on the backend, does Vision Agent even catch it?
Perfai Security
@calvin_russell1 yes, that's what it's built for. The Vision Agent doesn't just click the UI — it maps the underlying API surface (every endpoint it can discover), so a route that's hidden from the interface but still live on the backend gets found and attacked anyway. That "hidden-but-live admin function" is a class we explicitly hunt, known as shadow functionality (and broken function-level authorization (BFLA)). If the backend still honors it, we'll call it, prove it with a reproducible request, and hand you the fix.
Voquill
Congratulations! Does this work with any deployed web app, or is it mainly built for apps created with AI coding tools?
Perfai Security
@henry_habib It works with any deployed web app that has a URL. We test black-box from the outside, so we're fully stack-agnostic. It doesn't care whether you hand-wrote it, vibe-coded it, or inherited it. The "vibe-coded" framing is where our solution is needed most right now, but the engine tests any app with roles, APIs, and a database. The only place the AI-coding tool matters is the fix handoff... our Fix Agent delivers remediation through an MCP server you drop into any IDE (Cursor, VS Code, Claude Code…), and it works even if you just want the exact patch to apply yourself. Point it at any URL and see. You can sign up for free or get 50% off our pro plan using the discount code (in pinned comment).
Scanning live deployed vibe apps rather than static source is the right call. Most tools miss runtime behavior entirely. We've run into situations where AI-generated code introduces subtle auth gaps that only surface under specific API call sequences. How does your scanner handle stateful multi-step exploits? Can it chain requests across endpoints to trigger a vulnerability that no single request would expose?
Is the report readable solo, or do I need to already know what IDOR means?