
Find & fix live vulnerabilities in Vibe Apps with 1-prompt.
By Qutub Syed, liyaquath ali, Atef A. Ahmed, Intesar Mohammed, Mihir Shaik
Perfai Security scannt live-deployete Apps, die mit KI-Coding-Tools wie Replit, Lovable oder Cursor erstellt wurden, automatisch auf Sicherheitslücken wie fehlerhafte Zugriffskontrollen oder exponierte API-Keys. Per Single-Prompt-Befehl werden gefundene Schwachstellen direkt behoben, ohne dass Sicherheitskenntnisse nötig sind. Für jemanden, der KI-Tools in Workshops oder Beratung einsetzt und dabei schnell funktionsfähige Demos oder Prototypen mit echten Nutzerdaten baut, ist das relevant, weil genau diese schnell erstellten Apps typischerweise unsichere Standardkonfigurationen mitbringen. Die Kommentare zeigen ein Mix aus echter Nutzererfahrung mit konkreten Ergebnissen, technischer Neugier rund um komplexe Angriffszenarien und verhaltener, aber sachlicher Skepsis bezüglich Messbarkeit und Durchlaufzeiten.
Hey Product Hunt! 👋 Qutub here from Perfai Security.
Over the last 18 months, I've found vibe-coders — including myself — opening Replit, Lovable, Cursor, Copilot, Claude Code (any of the various AI-coding tools) and within a few hours, they have something that looks and functions like a real product, with login, dashboards, payments, database records, admin screens, user roles, and the foundations for handling customer data.
And that's awesome because the app looks finished!
But that's when the serious builders ask:
"Is this actually safe to put on the internet?"
The Problem
Every app has permissions about who can do what. Customer X should only see X's own data, not someone else's. A normal user should not gain admin access. These permissions are also called access controls.
The problem is that even a small app will have thousands of access controls. Here is the simple math:
6 Roles x 10 Data x 100 Actions => 6,000+ access controls
These access controls live in three places: the app pages people click on, the API endpoints (where the app sends and gets data), and the database (where the data is stored). AI tools build apps fast. But they skip most of these checks in all three places. That is how data leaks and hacks happen.
The Solution: Perfai Security
Autonomous security for AI & vibe-coded Apps
You just paste your app's URL. No code needed. Then our AI agents do three things:
Vision Agent: Learns your app. It navigates through every page, API, and action, with every app role.
Security Agent: Tests every access control. It checks the pages, workflows, API endpoints, and the accessible database. It finds the doors that are open but should be locked.
Fix Agent: It tells your AI-coding tool (Replit, Lovable, Cursor, Claude Code, etc.) how to fix these vulnerabilities, and verifies the attack paths are patched.
It also keeps watching. Every time you update your app, a locked door can open by accident. We check again after each update, and tell you what broke before anyone else can find it.
And since all of this is done in minutes (relative to what would previously take dev teams weeks to accomplish), the entire loop can be run again with every new update.
Direct Benefits of using Perfai Security?
You save $100K+ in breach costs.
Find vulnerabilities no other tools cover.
Find live issues before users, attackers, or bug bounty hunters do.
Secure your apps against the excessively growing attack-surfaces.
Protect enterprise deals and funding rounds by showing what is being covered, continuously.
Reduce compliance and privacy risks.
Save $10K–$40K in manual testing time and effort by automating.
Prevent customer churn and reputation damage associated with logic issues.
Early Traction:
So far we have secured 4,000+ apps. We found and fixed 28,400+ vulnerabilities. We saved our customers $27.5M in bug bounties. And for our contributions to the overall security field, we have been awarded Innovator of the Year by CloudX.
Product Hunt Offer:
For the Product Hunt community, Perfai Security's Pro-plan is offered at 50% discount with the discount code
Discount Code: PRODUCTHUNT50
You can start testing by pasting your app URL — no source-code access required — and getting your first vulnerability results within minutes.
Thanks for checking out Perfai Security.
Build fast. But don’t ship blind.
Hey ProductHunt! 👋 Intesar here — CEO of Perfai Security.
This is my third company (DCHQ was acquired by HyperGrid and APIsec), and out of everything I've built, this is the one that keeps me up at night in a good way — because the timing is so obviously right.
Here's the thing about vibe coding that most people miss: the AI coding tools are incredible at making an app look and function like a real product in a few hours. What they're not good at is remembering that "User A shouldn't be able to see User B's invoices" is a rule that has to be enforced in three separate places — the UI, the API, and the database — every single time you ship an update. Nobody's shipping blind on purpose. They just don't have a security team checking access control on every prompt-to-deploy cycle, and honestly, neither did I on my first two companies until it hurt.
So we built Perfai Security as a pre-launch security testing platform for exactly this moment — the gap between "it works on my screen" and "it's live with real users." Paste a URL, our agents map your app, attack its access controls the way a real bad actor would, and hand your AI coding tool (Cursor, Replit, Lovable, Claude Code, whatever you're using) the exact fix — before you ship, not after someone finds it for you. They keep watching every future deploy too, so regressions don't sneak back in. No security background required on your end.
Huge credit to the team who actually built this: Hai, Dr. Abdullah (engineering), Dr. Habeeb (AI), Ghouse (customer success), and Qutub, who wrote the comment above and has been carrying GTM on his back.
If you're vibe-coding anything that touches real user data, I'd genuinely love for you to run it through Perfai Security and tell me what you find (or what we got wrong). I'm in the comments all day — ask me anything about the product, the roadmap, or what "6,000+ access controls in a small app" actually means in practice.
Thanks for checking us out. Build fast, ship safe. 🚀
— Intesar CEO, Perfai Security (perfai.ai)
Ran it on a small Replit app and it flagged an exposed API key plus a sketchy redirect I genuinely missed, super easy fix flow. Wish I'd had this a few months ago when I shipped something embarrassingly broken.
Scanning live deployed vibe apps rather than static source is the right call. Most tools miss runtime behavior entirely. We've run into situations where AI-generated code introduces subtle auth gaps that only surface under specific API call sequences. How does your scanner handle stateful multi-step exploits? Can it chain requests across endpoints to trigger a vulnerability that no single request would expose?
Congrats on the launch. How much time does it typically take to generate report? I am guessing it may vary based on the complexity of the app?
Do you think you can add a GitHub Actions integration to automatically trigger scans after each deployment??
Congrats. How does Perfai distinguishes between intentional permissions and actual access control vulnerabilities?
Dropping a major upvote, qq does the security agent test for complex injection flaws (like SQLi or NoSQL injection) alongside the broken object-level access controls? congrats 👏 @qutub_syed
the "mutate an object you own to reach one you don't" part is what caught my attention. if that attack succeeds against a live production app, the agent didn't just find the vulnerability, it exploited it for real against real data. is there a safe/sandboxed mode where the mutation attempts happen against a snapshot or shadow copy, or does running this against a production app with real customers mean you're accepting some risk of the test itself causing the exact damage you're trying to prevent
How well does Perfai handle multi-tenant SaaS applications with complex permission hierarchies?