Deep security audit for AI-built apps, including the MCP servers they connect to. 13 providers + AI-powered analysis + site crawler find leaked keys, scan your database rules, check CORS and rate limiting, and give you a Ship/Block verdict with fix prompts. Scan from web, API, or Telegram.
Free account required. 10 scans/month on free tier.
13 security checks
55 secret patterns
AI security review
$0 to get started
How it works
1. We fetch your app's HTML and JavaScript, scan for exposed secrets, check HTTP headers, and query OSV for dependency CVEs.
2. Link Supabase or Firebase. We analyze every RLS policy, parse Firestore rules, check auth config, and audit storage buckets.
3. Copy-paste fix prompts tailored for Cursor, Lovable, and Claude Code. Fix each issue in seconds, not hours.
Security checks
Every scan runs these checks in parallel. Results in under 20 seconds.
Secrets Scanner: 55 patterns (AI keys, payments, cloud, auth, DBs)
Supabase RLS: policy logic, catches USING(true)
Firebase Rules: Firestore, RTDB, Storage rules audit
Auth & IDOR: unprotected endpoints, CSRF, cookies, IDOR
DAST / Nuclei: headers, XSS, open redirects, injections
CORS Audit: wildcard origins, reflected origins, credential leaks
Rate Limiting: brute-force protection on login, signup, reset
Payments: Stripe keys, unsigned webhooks
Dependencies: CVE scanning via OSV querybatch
Blast Radius: $/day cost if each key leaks
GDPR Compliance: cookie consent, privacy policy, trackers, PII
MCP Security: tool poisoning, rug pull, exfiltration
Site Crawler: discovers subpages, APIs, forms across your domain
Scheduled re-scans at your chosen frequency. We monitor your production headers, check for newly discovered CVEs in your dependencies, and track configuration drift. Email and Telegram alerts the moment a new vulnerability hits your app.
Discovers every page, API endpoint, and form on your domain. Scans the full attack surface, not just the homepage.
Scan via /scan command, get results + PDF in chat. Create support tickets with /support.
Daily, weekly, or monthly. Catch regressions after every deploy.
Instant alerts on score drops, critical findings, and downtime. Choose your channel.
Auto-scan on every Vercel deploy. Block insecure code before it reaches production.
The problem
USING(true) = RLS "enabled" but database fully open.

What other scanners see
✓ RLS: enabled
✓ Policies: 3 found
✓ Auth: configured
Result: PASS ✓

What Sekrd finds
⚠ CRITICAL: users table
Policy: USING (true)
→ Anyone with anon key can read ALL user data
Fix: USING (auth.uid() = id)

Why Sekrd
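As an added example (not Sekrd's own code or scanner output), here is the permissive policy the page describes next to the fix it recommends, followed by a catalog query that lists every policy whose USING clause is the literal true. The public.users table and its id column are assumptions.

```sql
-- Added example, not Sekrd's code. Assumes a Supabase-style Postgres
-- database with a public.users table whose primary key "id" holds the
-- authenticated user's UUID (the value auth.uid() returns).

-- The weak policy: RLS is enabled, so a check that only asks "is RLS on?"
-- passes, but the USING clause admits every row to every role, anon included.
alter table public.users enable row level security;
create policy "users_read_all" on public.users
  for select
  using (true);

-- The fix from the page: a row is visible only to the user it belongs to.
-- For the anon role auth.uid() is NULL, so NULL = id is never true and
-- anon callers get zero rows instead of the whole table.
drop policy "users_read_all" on public.users;
create policy "users_read_own" on public.users
  for select
  using (auth.uid() = id);

-- Detection: pg_policies exposes each policy's USING expression in the
-- "qual" column (via pg_get_expr). A qual of 'true' grants unrestricted
-- access to every row the policy covers and should be reviewed.
select schemaname, tablename, policyname, roles, cmd, qual
from pg_policies
where schemaname = 'public'
  and qual = 'true';
```

Run the last query against a staging copy of the database after each schema migration; an empty result set means no policy in the public schema grants blanket access through USING.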
See it in action
BLOCK: 3 critical issues
SHIP: All issues fixed
Binary verdict. No letter grades, no ambiguity. Critical finding = BLOCK. Fix it, rescan, get SHIP.
We know you're trusting us with access to your backend. Here's how we handle it.
Read-only access
We never modify your database, RLS policies, or security rules. Strictly read-only audit.
Credentials secured
Credentials kept during your plan period for re-scans, then auto-deleted. Delete anytime from settings.
Encrypted in transit
All data transmitted over HTTPS/TLS. Scans run in isolated environments.
Works with your stack
Pricing
Start free. Upgrade when you need deep auditing.
Find the bugs
Fix the bugs
Stay secure
$288/year (save $60)
Join developers who ship with confidence. Sign up in 10 seconds, scan for free.