Launched this week

Autonomous access control security for Vibe-coded apps. Our platform finds and fixes live vulnerabilities in your vibe-apps built on Replit, Lovable, Claude Code, Cursor, and other AI-coding tools. 1-prompt makes your app production-ready in minutes without requiring security expertise.










Faster than a manual pentest sure, but does it catch the weird edge cases a human would?
Perfai Security
@trevor_nicholas2 honest answer: if a manual pentester checks ~50 permission combinations before the clock runs out, Perfai Security tests all 6,000+ (across every role × data × action) ...including the weird ones, including chained privilege escalation, cross-tenant ownership quirks, admin functions live under a hidden route. These "edge cases" are usually just cases nobody had time to reach by hand, but in practice, we've surfaced findings a decade of manual pentests had missed. Where a creative human still shines is open-ended business logic, and we're pushing into that too.
Release AI
@trevor_nicholas2
Fair question, and the honest answer is: humans and machines catch different things.
A skilled pentester might spot a weird one-off flaw with creativity. But humans have limited time. They test for a few days, sample some endpoints, and move on. Our agents test everything: every role against every data type and action, thousands of combinations a human would never have time to try. Weird edge cases often live exactly in those untested combinations.
And here's why our focus matters: Gartner reports that access control issues account for about 50% of breaches and security incidents. That's precisely what we go deepest on. In total we cover 75+ AI-threat categories, spanning access control, auth, and classic categories.
Plus a pentest is a snapshot. With drift detection, we keep testing as your app changes, so you're covered next month too, not just today.
Try it free at perfai.ai and get a full pentest-style report. We're giving away 50% discount codes for the launch too. Need extra credits or help onboarding your app? Just reach out. Happy to help!
If UI hides an admin route that's still live on the backend, does Vision Agent even catch it?
Perfai Security
@calvin_russell1 yes, that's what it's built for. The Vision Agent doesn't just click the UI — it maps the underlying API surface (every endpoint it can discover), so a route that's hidden from the interface but still live on the backend gets found and attacked anyway. That "hidden-but-live admin function" is a class we explicitly hunt, known as shadow functionality (and broken function-level authorization (BFLA)). If the backend still honors it, we'll call it, prove it with a reproducible request, and hand you the fix.
Release AI
@calvin_russell1
Yes, and this is one of our favorite bugs to catch!
Hidden-but-live routes are classic access control gaps. The UI hides the admin page from regular users, but the backend never checks who's asking. Code review misses it, and clicking around the app misses it, because the door is invisible to the eye.
Here's how we catch it: our Vision Agent maps your app from higher-privilege views too, so it knows the admin routes exist. Then the Security Agent tries reaching those routes and APIs as lower roles. If a viewer account can hit a live admin endpoint the UI never showed them, that's a finding, with the exact request that proved it.
Hiding a button isn't security. The backend has to enforce it, and we test that it does. And with drift detection, if a new route ships next week without protection, we catch that too.
Try it free at perfai.ai and get a full pentest-style report. We're giving away 50% discount codes for the launch too. Need extra credits or help onboarding your app? Just reach out. Happy to help!
Voquill
Congratulations! Does this work with any deployed web app, or is it mainly built for apps created with AI coding tools?
Perfai Security
@henry_habib It works with any deployed web app that has a URL. We test black-box from the outside, so we're fully stack-agnostic. It doesn't care whether you hand-wrote it, vibe-coded it, or inherited it. The "vibe-coded" framing is where our solution is needed most right now, but the engine tests any app with roles, APIs, and a database. The only place the AI-coding tool matters is the fix handoff... our Fix Agent delivers remediation through an MCP server you drop into any IDE (Cursor, VS Code, Claude Code…), and it works even if you just want the exact patch to apply yourself. Point it at any URL and see. You can sign up for free or get 50% off our pro plan using the discount code (in pinned comment).
Release AI
@henry_habib
Thank you!
It works with any deployed web app. If it runs in a browser and has a URL, we can test it. Doesn't matter if it was built by AI agents, a dev team, or ten years ago by a contractor nobody remembers.
We talk a lot about vibe-coded apps because they're the most at risk: shipped fast, often with no security review, and full of access control gaps. But the testing itself doesn't care who wrote the code. Our agents test the running app across UI, API, data, and roles, so any stack works: React, Rails, PHP, whatever.
Same simple flow for everyone: paste your URL, our agents explore, sign up their own test accounts, and get to work. Drift detection keeps coverage fresh as the app changes.
Try it free at perfai.ai and get a full pentest-style report. We're giving away 50% discount codes for the launch too. Need extra credits or help onboarding your app? Just reach out. Happy to help!
Great concept. My team runs into this problem consistently. Even with AI guardrails and instructions, we have to spend valuable hours testing for vulnerabilities.
Release AI
@zohaib_akmal
Thank you! Your team's experience is exactly why we built this. AI guardrails help, but they can't replace real testing, and doing it by hand eats hours.
Perfai Security does that testing for you. Just enter your app URL. Our agents sign up their own test accounts, then test thousands of permission combos across roles and actions. You get a pentest-style report with proof for every issue. We also run drift detection, so new gaps get caught as your app changes.
Try it free at perfai.ai. Use code PHLAUNCH50 for 50% off any paid plan. If your team wants extra credits or onboarding help, just message me!
Wristband
Congratulations to the whole @Perfai Security team!! In the AI era, auth and access control issues have become an epidemic, and they're often some of the hardest vulnerabilities to catch before they reach production.
We're actually using Perfai ourselves to help ensure the Dashboard for @Wristband's multi-tenant auth platform is configured correctly and that tenant isolation and authorization rules behave as expected. It's been a great addition to our development process, and seeing it in action has given me an even greater appreciation for what the team is building.
Having personally watched the evolution of this platform, I'm especially excited to see this launch. Huge congratulations to @intesar_mohammed1 and the entire team. Beyond building a great product, they're genuinely friendly people and a pleasure to work with. Looking forward to seeing where Perfai goes from here! 🚀
Release AI
@jim_verducci
Thank you so much! This comment made our day.
Wristband is exactly the kind of use case we love: a multi-tenant auth platform where tenant isolation has to be right, every time. Watching your team use Perfai to prove authorization rules behave as expected, across every update, is the product working exactly as we dreamed. Auth platforms hold everyone else's front door keys, so the bar is highest there.
And the kind words about the team mean just as much as the product praise. Working with you all has been a pleasure for us too.
For anyone reading: this is what Perfai does. Test your live app's access control across UI, API, data, and roles, with drift detection catching gaps as you ship. Try it free at perfai.ai and get a full pentest-style report. We're giving away 50% discount codes for the launch. Share your app URL and I'll get you a free report personally. Need extra credits or onboarding help? Just reach out!
Perfai reduces the barrier to security testing as the workflow is as easy as pasting the URL. Congrats on launching today.
Perfai Security
Much appreciated @himani_sah1
That’s exactly what we’re trying to solve. With so many vibe-coded apps going live, security testing needs to fit the builder’s workflow. Perfai Security makes it possible for solo founders and small teams to deep-test access controls in live apps without needing enterprise security teams, long setup cycles, or manual testing expertise.
Release AI
@himani_sah1
Thank you! That's exactly the goal.
Security testing has always had a high barrier: expensive pentests, complex tools, or needing an expert on the team. Most builders just skip it. So we made the barrier one paste. Drop in your URL, and our agents explore your app, sign up their own test accounts, and test everything across UI, API, data, and roles.
No setup project, no security background needed. And with drift detection, coverage stays fresh as your app changes, so it's not a one-time check.
Try it free at perfai.ai and get a full pentest-style report. We're giving away 50% discount codes for the launch too. Need extra credits or help onboarding your app? Just reach out. Happy to help!
API Governance
Congrats on the launch, team!
AI-coding tools let us build at lightning speed, but security usually gets left in the dust. Perfai fixing live vulnerabilities in vibe-coded apps with a single prompt is brilliant.
This bridges the gap between shipping fast and staying secure. Absolutely crushing it. Wishing you a huge success!
Release AI
@dr_mohammed_nadeem
Thank you so much! You nailed it. Vibe coding is fast, but security can't keep up. That's exactly why we built Perfai.
Just enter your app URL and our agents test it like a real pentester would. You get a pentest-style report with proof for every finding. We also do drift detection, so every new release gets tested for new gaps.