Blog

Security research, case studies, and guides for AI-built apps.

ResearchApril 20268 min read

100 vibe apps, one scanner: what a random sweep of the AI-built web actually finds

AI coding tools ship faster than any IDE in history. Platform defaults haven't caught up. We scanned 100 random production apps from 12 AI-coding hosting platforms: 5% had critical live leaks (Stripe keys in the browser, full Supabase table exposure), 57% shipped with no Content-Security-Policy at all. The fix is continuous scanning in CI — the same pre-commit discipline that stops typos from reaching production.

ResearchApril 20267 min read

98 vibe-coded apps, 967 findings: the security posture is the platform, not the app

We ran ~100 scans across vibe-coded apps and indie deployments from two different cohorts. 96% shipped, 4% got BLOCK, 21% bounced off their own WAF. Inside each cohort, scores clustered so tight it surprised us. The real risk doesn't come from the template — it comes from the 3–6% of apps where the developer reached past the template.

ResearchApril 20268 min read

50 sites, 444 findings: the 2026 state of shipping-fast security

April 2026. We scanned 50 production URLs — vibe-coded AI tools, small-business WordPress, auth-SaaS homepages. 41 scored, 9 bounced off modern WAF and we respected it. 88% SHIP, 12% BLOCK, median 76, 444 findings. Every site had findings. Here's what the shape of those findings says about how the web is being built right now, and why 'ship fast' can't keep ignoring the security layer.

Deep ScanApril 20265 min read

5 security checks a URL-only scanner will never catch

A URL scan checks your front door. Deep scans check whether the windows are locked. Here are the five classes of findings that only show up when you plug in your Supabase, Firebase, or MCP credentials.

SupabaseApril 20264 min read

Your Supabase RLS says "enabled." Here's why your database is still open.

A Row Level Security policy with USING(true) passes every dashboard check and leaks every row. We've seen it in production apps, in our own test projects, and in the Supabase docs themselves. Here's what it looks like and how to find it before someone else does.

FirebaseApril 20264 min read

"allow read, write: if true" — the Firestore rules gap nobody fixes in time

Firebase test-mode rules give you 30 days. A lot of apps get a year. We've scanned projects with wide-open Firestore, wide-open Storage, and surprisingly tight rules that just needed a matching deny-all fallback. Here's what the audit actually checks.

ResearchApril 20268 min read

We scanned 49 of the internet's biggest sites. Here's what we found.

GitHub, Google, Slack, Stripe, Notion, Vercel, and 43 others. 89% passed. 5 got BLOCK. Every single site had findings. The average score was 80/100. Full data and methodology inside.