Product Thumbnail

Perfai Security

Find & fix live vulnerabilities in Vibe Apps with 1-prompt.

Developer Tools
Security
Vibe coding
Visit WebsiteSee on Product HuntTwitter

Hunted byRohan ChaubeyRohan Chaubey

Autonomous access control security for Vibe-coded apps. Our platform finds and fixes live vulnerabilities in your vibe-apps built on Replit, Lovable, Claude Code, Cursor, and other AI-coding tools. 1-prompt makes your app production-ready in minutes without requiring security expertise.

Top comment

Hey Product Hunt!  👋 Qutub here from Perfai Security.

 

Over the last 18 months, I've found vibe-coders — including myself — opening Replit, Lovable, Cursor, Copilot, Claude Code (any of the various AI-coding tools) and within a few hours, they have something that looks and functions like a real product, with login, dashboards, payments, database records, admin screens, user roles, and the foundations for handling customer data.

 

And that's awesome because the app looks finished!

But that's when the serious builders ask:

"Is this actually safe to put on the internet?"

The Problem

Every app has permissions about who can do what. Customer X should only see X's own data, not someone else's. A normal user should not gain admin access. These permissions are also called access controls.

The problem is that even a small app will have thousands of access controls. Here is the simple math:

6 Roles x 10 Data x 100 Actions => 6,000+ access controls

These access controls live in three places: the app pages people click on, the API endpoints (where the app sends and gets data), and the database (where the data is stored). AI tools build apps fast. But they skip most of these checks in all three places. That is how data leaks and hacks happen.

The Solution: Perfai Security

Autonomous security for AI & vibe-coded Apps

You just paste your app's URL. No code needed. Then our AI agents do three things:

  1. Vision Agent: Learns your app. It navigates through every page, API, and action, with every app role.

  2. Security Agent: Tests every access control. It checks the pages, workflows, API endpoints, and the accessible database. It finds the doors that are open but should be locked.

  3. Fix Agent: It tells your AI-coding tool (Replit, Lovable, Cursor, Claude Code, etc.) how to fix these vulnerabilities, and verifies the attack paths are patched.

It also keeps watching. Every time you update your app, a locked door can open by accident. We check again after each update, and tell you what broke before anyone else can find it.

And since all of this is done in minutes (relative to what would previously take dev teams weeks to accomplish), the entire loop can be run again with every new update.

Direct Benefits of using Perfai Security?

  • You save $100K+ in breach costs.

    • Find vulnerabilities no other tools cover.

    • Find live issues before users, attackers, or bug bounty hunters do.

    • Secure your apps against the excessively growing attack-surfaces.

  • Protect enterprise deals and funding rounds by showing what is being covered, continuously.

  • Reduce compliance and privacy risks.

  • Save $10K–$40K in manual testing time and effort by automating.

  • Prevent customer churn and reputation damage associated with logic issues.

Early Traction:

So far we have secured 4,000+ apps. We found and fixed 28,400+ vulnerabilities. We saved our customers $27.5M in bug bounties. And for our contributions to the overall security field, we have been awarded Innovator of the Year by CloudX.

Product Hunt Offer:

For the Product Hunt community, Perfai Security's Pro-plan is offered at 50% discount with the discount code

Discount Code: PRODUCTHUNT50

You can start testing by pasting your app URL — no source-code access required — and getting your first vulnerability results within minutes.

Thanks for checking out Perfai Security.

Build fast. But don’t ship blind.

Comment highlights

Great idea! Quick question: how do we ensure this fix doesn't break anything or cause a regression in the application?

Great concept. My team runs into this problem consistently. Even with AI guardrails and instructions, we have to spend valuable hours testing for vulnerabilities.

This is a very timely problem. Vibe-coded apps can get to “working demo” incredibly fast, but access control and production security are exactly where small mistakes can become painful later.

I like the idea of making security checks feel as lightweight as pasting in a URL instead of requiring a full security workflow. When Perfai finds a live vulnerability, how much of the fix is automated versus guided for the developer to review and apply?

The decision to require just a single prompt to turn a freshly vibe-coded app into something production-ready is genuinely clever, cuts straight past the usual security onboarding friction.

Congratulations to the whole @Perfai Security team!! In the AI era, auth and access control issues have become an epidemic, and they're often some of the hardest vulnerabilities to catch before they reach production.


We're actually using Perfai ourselves to help ensure the Dashboard for @Wristband's multi-tenant auth platform is configured correctly and that tenant isolation and authorization rules behave as expected. It's been a great addition to our development process, and seeing it in action has given me an even greater appreciation for what the team is building.

Having personally watched the evolution of this platform, I'm especially excited to see this launch. Huge congratulations to @intesar_mohammed1 and the entire team. Beyond building a great product, they're genuinely friendly people and a pleasure to work with. Looking forward to seeing where Perfai goes from here! 🚀

As someone who watches teams ship fast with AI tools, closing the security gap before production without needing a dedicated security hire is exactly the kind of operational leverage I want.

this is a real gap. so many vibe-coded apps ship with auth or row-level security completely missing because the tool never surfaced it as a decision point. curious how deep the "fix" side goes though - does it actually patch broken access control rules in the code, or mostly flag the issue and leave the fix to you

Congrats on the launch!! this hits such a real gap honestly, so many people are shipping vibe-coded apps fast with replit/lovable/cursor and just... not thinking about access control until something breaks. paste-a-url-get-live-vulnerabilities is such a low-friction way to make security actually happen instead of being this thing people mean to get to eventually. rooting for you all.

Qutub, that little knot of worry right after you ship something fast is so familiar. Having something quietly watching your back so you can actually breathe afterward feels genuinely kind to the people building.

The three-places framing (app pages, API endpoints, DB) is the right mental model — most scanners only check the frontend guard and miss the API and row-level gaps. When the 1-prompt fix runs, does it patch the actual authz logic in my codebase (and where: API middleware vs a DB row-level policy), or does it just flag and hand me a diff to apply myself? And to exercise authenticated endpoints for broken access control, how does it get in without me handing over production credentials?

Congrats team! Half the tools launching right now are vibe-coded, so someone had to build this. The one-prompt fix is the part I want to poke at: after Perfai patches a vulnerability, does it re-scan to confirm the fix didn’t open a new hole? AI-generated fixes are how a lot of these bugs got in to begin with, so the verify step matters more than the fix step for me

Ran it on a small Replit app and it flagged an exposed API key plus a sketchy redirect I genuinely missed, super easy fix flow. Wish I'd had this a few months ago when I shipped something embarrassingly broken.

Most of my codebase was written with AI coding agents, so security is honestly the thing I think about the most. Product logic I can verify just by using the app, but auth edge cases never show up that way. One question, when the fix agent ships a patch, do I get to review it before it lands? A one prompt fix sounds great until it touches something load bearing :) Congrats on the launch!

Hi Qutub Syed, nice idea and the site looks good, I like the “test a live app by URL” approach, especially for small builders who don’t have a security team.

I tried entering my app URL and clicking “Test now”, but nothing seemed to happen on my end. I may be missing a step, or it could be a browser issue. Just wanted to flag it in case it helps with the launch feedback.

The “paste your app URL” workflow is appealing because it removes a lot of the friction around security testing. I’m wondering how you decide which vulnerabilities to prioritize first—do you rank them by severity, exploitability, or something else?

This is the right problem to aim at. The scary part of AI-built apps is not the rough edge in the UI; it is the invisible permission model across pages, APIs, and data. A useful security pass has to prove what each role cannot do, not just what the happy path can do.

vibe coded apps have a real security problem that nobody talks about enough. the same speed that lets you ship in hours also means access control and input validation are usually the last things anyone thinks about. autonomous fixing is the interesting part here though. most security scanners find vulnerabilities and then leave you to figure out the fix. does perfai actually apply the fix to the codebase directly or does it generate a patch you review first before anything changes?

Scanning live deployed vibe apps rather than static source is the right call. Most tools miss runtime behavior entirely. We've run into situations where AI-generated code introduces subtle auth gaps that only surface under specific API call sequences. How does your scanner handle stateful multi-step exploits? Can it chain requests across endpoints to trigger a vulnerability that no single request would expose?

If UI hides an admin route that's still live on the backend, does Vision Agent even catch it?

About Perfai Security on Product Hunt

Find & fix live vulnerabilities in Vibe Apps with 1-prompt.

Perfai Security launched on Product Hunt on July 9th, 2026 and earned 243 upvotes and 116 comments, earning #3 Product of the Day. Autonomous access control security for Vibe-coded apps. Our platform finds and fixes live vulnerabilities in your vibe-apps built on Replit, Lovable, Claude Code, Cursor, and other AI-coding tools. 1-prompt makes your app production-ready in minutes without requiring security expertise.

Perfai Security was featured in Developer Tools (515.5k followers), Security (2.7k followers) and Vibe coding (561 followers) on Product Hunt. Together, these topics include over 81.3k products, making this a competitive space to launch in.

Who hunted Perfai Security?

Perfai Security was hunted by Rohan Chaubey. A “hunter” on Product Hunt is the community member who submits a product to the platform — uploading the images, the link, and tagging the makers behind it. Hunters typically write the first comment explaining why a product is worth attention, and their followers are notified the moment they post. Around 79% of featured launches on Product Hunt are self-hunted by their makers, but a well-known hunter still acts as a signal of quality to the rest of the community. See the full all-time top hunters leaderboard to discover who is shaping the Product Hunt ecosystem.

Want to see how Perfai Security stacked up against nearby launches in real time? Check out the live launch dashboard for upvote speed charts, proximity comparisons, and more analytics.