Launched this week

Autonomous access control security for Vibe-coded apps. Our platform finds and fixes live vulnerabilities in your vibe-apps built on Replit, Lovable, Claude Code, Cursor, and other AI-coding tools. 1-prompt makes your app production-ready in minutes without requiring security expertise.










This is a very timely problem. Vibe-coded apps can get to “working demo” incredibly fast, but access control and production security are exactly where small mistakes can become painful later.
I like the idea of making security checks feel as lightweight as pasting in a URL instead of requiring a full security workflow. When Perfai finds a live vulnerability, how much of the fix is automated versus guided for the developer to review and apply?
Release AI
@klein1
Great question! If you built with Replit, Lovable, or any AI coding tool, just run "Fix all Perfai issues" and it will instantly fix them. Each finding comes with the exact context your coding agent needs to apply the fix.
For everything else, our Fix Agent writes a suggested fix for each issue, with the permission gap explained and proof of how we exploited it. Your developer reviews and applies it. We keep a human in the loop on purpose, since access control changes can break real user flows if applied blindly.
Every finding ships in a pentest-style report, and we run drift detection too, so if a new gap shows up as your app changes, you'll catch it.
Try it free at perfai.ai. Use code PHLAUNCH50 for 50% off any paid plan, and if you want extra credits or onboarding help, just message me!
This is going to be huge as vibe coding takes off. Speed of building goes way up but security review doesn't keep pace. One prompt to find live vulnerabilities is a compelling pitch. What types of vulnerabilities are you catching most often?
Release AI
@masato_furuno1
Thank you! You nailed the gap. Building got 10x faster, security review didn't.
We test 80+ access control categories in total. The most common issues we catch:
Cross-tenant data leaks: OrgA reading OrgB's data through IDOR and BOLA gaps. This is the scariest one and shows up constantly in vibe-coded apps.
Broken role checks: A viewer or basic user doing admin actions, like deleting records or changing settings they shouldn't touch.
Same-tenant leaks: User1 seeing User2's private data inside the same org.
Unprotected APIs: The UI hides a button, but the API behind it accepts the request anyway. AI coding tools do this a lot.
So far we've tested 4,000+ apps, found 28,000+ vulnerabilities, and saved teams $27M in bug
bounty payouts. Every finding comes with proof in a pentest-style report, and drift detection keeps testing as you ship.
Try it free at perfai.ai. Code PHLAUNCH50 gets 50% off paid plans. Want extra credits or onboarding help? Just message me!
@intesar_mohammed1 28,000 vulnerabilities across 4,000 apps is a scary hit rate. The cross-tenant data leak one especially, that's the kind of bug that ends companies. Makes sense that it shows up more with AI-generated code since the model doesn't think about multi-tenancy by default. Nice work.
Congrats on the launch this is such a timely product given how fast vibe coding tools are scaling without security guardrails. Curious, when your platform finds and fixes vulnerabilities automatically how do you handle edge cases where a fix could break existing app logic? Is there a approval step before changes go live?
Release AI
@aymi_malik
Thank you! And great question. Yes, there's always an approval step. We never push changes to your app ourselves.
Here's the flow: Perfai finds the issue, shows you proof of how we exploited it, and writes a suggested fix with full context. Your developer (or your AI coding tool) reviews and applies it. If you built with Replit, Lovable, or Cursor, you can run "Fix all Perfai issues" and your coding agent applies the fixes, but you still review before deploying.
We keep a human in the loop on purpose. Access control changes can break real user flows if applied blindly, exactly the edge cases you're describing. After you apply a fix, just re-run the test. Perfai verifies the issue is gone and your other permission checks still pass. Drift detection also keeps testing as your app changes, so if a fix causes a new gap later, you'll catch it.
The live vulnerabilities in vibe apps angle is useful, but I would want to know where the fix boundary is. Does Perfai mostly generate a patch suggestion, or can it prove the vulnerable path is no longer reachable after the one-prompt fix? That verification loop is where these tools usually get messy.
Release AI
@xiaosong001
Here's the reply with the loop framing:
Great question! Perfai works in a simple loop: Test, Fix, Retest.
Test: enter your app URL and our agents test your live app like a real pentester. Fix: say "Fix all Perfai issues" or "Fix critical Perfai issues" in Replit, Lovable, or any code agent, and it instantly generates the fixes for you to review. Retest: say "run security" and Perfai retests your live app to confirm issues are fixed and nothing is broken.
So the proof is a real retest against your running app, not just a code diff. We also do drift detection, so every release gets tested for new gaps.
Every finding comes with proof in a pentest-style report. There's a free tier if you want to try it, and I'm happy to share a 50% discount code plus extra credits. Ping me if you need help onboarding!
For apps built on Lovable or Replit specifically, where the developer often doesn't have direct access to the underlying infrastructure or can't freely modify server-side auth logic, how does Perfai actually apply fixes? Those platforms have constraints on what you can change and where, curious whether the "1-prompt fix" works within those constraints or requires exporting the project first.
Release AI
@ansari_adin
Great question! No export needed. The fixes work within the platform itself.
Perfai doesn't touch your infrastructure. When you say "Fix all Perfai issues" in Lovable or Replit, the platform's own AI agent generates the fixes in your app code, the same code you already own and can edit there. Most access control gaps in vibe-coded apps live in that app layer, like missing auth checks on API routes or client-side-only permission logic, so they're fixable right inside the platform.
After you review the fixes, say "run security" and Perfai retests your live app to confirm the issues are fixed and nothing is broken. Test, Fix, Retest.
Every finding comes with proof in a pentest-style report. There's a free tier if you want to try it on your own app, and I'm happy to share a 50% discount code plus extra credits. Ping me if you need help onboarding!
Perfai Security
Hi @thys_beesman , thanks for asking. Perfai Security offers both, and this is where Perfai Security really shines. We don't just stop at a list of vulnerabilities.
We ship an MCP server (perfai-mcp-server) you drop into your IDE (Cursor, VS Code, or any MCP-compatible agent). Once connected, it pulls your reported issues directly into the editor, and for any issue it generates a context-rich fix prompt with exact endpoint, vulnerability, remediation contexts. Your IDE's coding agent then implements the fix right in your codebase, following your existing patterns and architecture.
We deliberately keep the developer in the loop rather than auto-patching your repo. This way, we never require any code-access. And so the fix lands in your editor where you review and merge it like any other change.
So it's detection → guided remediation → fix, without Perfai Security ever writing to your code behind your back.
TL;DR — Perfai Security maps your app, detects vulnerabilities, provides the fixes, and then retests to verify the issues are patched.
Release AI
@thys_beesman
Great question! Both. We detect and fix.
Every finding comes with an instant fix you can apply with one prompt in your code agent, like "Fix All", "Fix Critical", or "Fix #2". You don't need to be a security expert or spend hours figuring out how to patch each issue yourself. The Fix Agent hands you exactly what to do.
That's the full loop: our agents test your live app across UI, API, data, and roles, find the gaps, and give you one-prompt fixes. And with drift detection, we catch new issues as your app changes, so you're never relying on a stale report.
All this without paying thousands for a pentest. You get a full pentest-style report on the free tier at perfai.ai. We're also giving away 50% discount codes for the launch. Need extra credits or help onboarding your app? Just reach out. Happy to help!
Is the report readable solo, or do I need to already know what IDOR means?
Perfai Security
@paige_lauren2 readable solo 🙌. You do NOT need to possess technical knowledge on what IDOR means — each finding is plain language with OWASP/CVSS/CWE detail tucked in for the dev folks who want to go deeper. And you don't have to interpret it to fix it. The Fix Agent hands the exact patch to your AI coding tool (Cursor, Claude Code, Replit, Lovable…) and re-tests to confirm it's closed. Security expertise is optional... that's the whole point. Try it free at perfai.ai, first finding in ~20 min.
Release AI
@paige_lauren2
Totally readable solo! We built the report for people shipping apps, not just security pros.
Every finding is written in plain language: what the issue is, why it matters, and what could happen if you leave it. So instead of just "IDOR detected", you'll see something like "a viewer account was able to open another user's private records by changing an ID in the request". You see the exact request that triggered it, so nothing feels like a mystery.
And you don't need to know how to fix things either. Every finding comes with a one-prompt fix for your code agent, like "Fix Critical" or "Fix #2". Find, understand, fix, done.
For those who want depth, findings also map to standards like OWASP and CWE. But you never need that to act on the report.
Try it free at perfai.ai and get a full pentest-style report. We're giving away 50% discount codes for the launch too. Need extra credits or help onboarding your app? Just reach out. Happy to help!