Free · No signup · 90 seconds

Protect your
AI-built app before
hackers find it.

The security check every AI-built app needs. Paste your URL for an instant, free security scan. No signup required.

Add GitHub repo & Supabase for a deeper scan (free)
GitHub Repo URL (public only)
Secret Scanner + Code Analysis
Finds hardcoded API keys in your git history (Gitleaks) and detects SQL injection, XSS, and insecure patterns in your code (Semgrep).
Your repo is cloned into a temp folder and deleted immediately after the scan. Never sent to any AI.
Supabase Credentials
Database Access Check
We use your anon key to test what an unauthenticated visitor can read or write in your database — the same key that already ships in every user's browser.
⚠️ Never enter your service_role key here. Anon key only.
Find your keys in Supabase dashboard →
10 security tools · OWASP-mapped findings · Plain English results

Three levels of scrutiny

Start with a free URL scan. Add your repo and database credentials to go deeper — still free.

Free URL Scan
Surface Check
Web Fingerprint
Port Scanner
Header Analysis
SSL/TLS Check
Vuln Scan
Passive Scan
Free forever
Full Audit
Expert Review
Complete manual audit by our team
Client security dashboard
Embedded security seal for your site
Dedicated /security page for your app
Pre-SOC 2 & EU AI Act compliance readiness
Full findings report + remediation roadmap
1-on-1 walkthrough call

AI-built apps that shipped with real vulnerabilities

45%
of AI-generated code contains at least one security vulnerability
— World Economic Forum, 2025
Lovable
18,000 users exposed
Missing security headers and overly permissive CORS configuration allowed cross-origin attacks. Caught within 48 hours of launch.
Header Analysis
Moltbook
1.5M API keys leaked
Hardcoded API keys committed to a public GitHub repo during rapid prototyping. Keys were scraped within minutes of the first push.
Secret Scanner
EnrichLead
Forced shutdown
Supabase RLS policies not configured — any unauthenticated user could read and write the entire customer database via the public API.
DB Access Check

Three steps to a security grade

01
Paste your URL
Enter your app's public URL — no account, no install, no credit card. Optionally add your GitHub repo or Supabase credentials for a deeper scan.
02
10 tools run in parallel
We fingerprint your stack, scan all ports, analyze headers, check SSL, probe for known CVEs, scan your code for secrets, and test your database permissions.
03
Get your grade
Receive a letter grade (A+ to F), severity-ranked findings in plain English, and a shareable link. Findings map to OWASP Top 10 categories. Want more than a grade? The Full Audit brings in a real security team — dashboard, embedded seal, compliance readiness, and a complete remediation roadmap, starting at $999.

Built to be trusted

No code storage
Cloned repositories are deleted immediately after the scan completes. We never store, index, or train on your source code.
Anon key only
We only accept your Supabase anon key — the same key that already ships to every visitor's browser. Never the service_role key.
Open methodology
Every tool we run is open-source: httpx, nmap, nuclei, Gitleaks, Semgrep. No black boxes. You can reproduce every finding.
Free is actually free
The surface scan and deep scan are genuinely free. No freemium gating, no hidden limits beyond rate limiting. Pay only for expert human review.

Transparent. Pay once.

No subscriptions. No seat licenses. Pay per audit, only when you need expert eyes.

Surface Scan
Free
$0
Always free
6 automated tools
Letter grade + score
Shareable result link
OWASP-mapped findings
3 scans per day
Done For You
$3,000
One-time · per project
Everything in Full Audit
Our team fixes every vulnerability
Code-level remediation by security engineers
Re-scan after fixes to verify resolution
Updated security seal post-remediation
Priority turnaround
We fix everything. You do nothing.
Findings mapped to industry frameworks

Security for builders

Research
Why AI-generated code ships with hidden vulnerabilities
LLMs optimize for working code, not secure code. Here are the OWASP patterns that appear most often in AI-built apps.
5 min read
Guide
Supabase RLS in 5 minutes: protect your tables before you launch
Row Level Security is disabled by default. This guide walks through setting up policies that actually work.
5 min read
Checklist
Security checklist for Lovable, Bolt, and Cursor apps before you go live
Ten steps every AI-built app should complete before sharing a public URL. Takes under 30 minutes.
4 min read

Common questions

Is the scan really free? What's the catch?
Yes — the automated scan is completely free. No account, no credit card, no catch. When you want a real security team to go end-to-end — manual audit, dashboard, embedded seal, compliance readiness, and a full findings report — that's the Full Audit at $999. No freemium tricks.
Is it safe to give you my Supabase anon key?
Your anon key is already public — it ships in your frontend JavaScript to every user's browser. We use it to test exactly what a real unauthenticated visitor can access. Never enter your service_role key. We don't store credentials after the scan.
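An added example (not the scanner's own code) of the check this answer describes, written as a self-check you run against your own project: it refuses any key whose JWT role claim is not anon, then reports which of the tables you name are readable with the anon key alone. Assumed: legacy JWT-format Supabase keys carrying a role claim, and the PostgREST path /rest/v1/<table>; the project URL, table names and HTTP helper are yours to supply (the helper is injectable so the logic can be exercised offline with constructed responses).

```python
import base64
import json
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

def jwt_role(key: str) -> str:
    """Return the 'role' claim of a JWT-format Supabase key without verifying it.
    Verification is not the point here: we only want to refuse a privileged key
    before it is ever sent anywhere."""
    try:
        payload_b64 = key.split(".")[1]
        payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64 padding
        return json.loads(base64.urlsafe_b64decode(payload_b64)).get("role", "")
    except (IndexError, ValueError, AttributeError):
        return ""

def assert_anon_key(key: str) -> None:
    """The page's caveat, enforced in code: anon key only, never service_role."""
    role = jwt_role(key)
    if role != "anon":
        raise ValueError(f"refusing key with role {role!r}: anon key only")

def constructed_key(role: str) -> str:
    """Constructed sample (unsigned, JWT-shaped) for offline demos and tests."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'role': role, 'iss': 'supabase'})}.sig"

def default_http_get(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport: GET the URL and return (status, body) even on HTTP errors."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def check_unauthenticated_read(project_url: str, anon_key: str, tables: List[str],
                               http_get=default_http_get) -> Dict[str, str]:
    """Map each table to 'READABLE', 'blocked' or 'error <status>' using only the anon key."""
    assert_anon_key(anon_key)
    headers = {"apikey": anon_key, "Authorization": f"Bearer {anon_key}"}
    results: Dict[str, str] = {}
    for table in tables:
        status, body = http_get(f"{project_url}/rest/v1/{table}?select=*&limit=1", headers)
        if status == 200 and body.strip() not in ("", "[]"):
            results[table] = "READABLE"   # rows came back: RLS is off or a policy is too broad
        elif status in (200, 401, 403):
            results[table] = "blocked"    # denied, or RLS filtered to zero rows (or table is empty)
        else:
            results[table] = f"error {status}"
    return results
```

A table reported as "blocked" with status 200 and an empty array is ambiguous between a working policy and an empty table, so confirm against a table you know holds rows.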
How long does a scan take?
A surface scan (URL only) takes about 60–90 seconds. A deep scan with a GitHub repo and Supabase credentials can take 3–5 minutes depending on repo size and SSL Labs' queue time.
What does a grade of F actually mean?
An F means we found one or more critical severity vulnerabilities — issues that could lead to data exposure, account takeover, or complete compromise. The grade is calculated from a weighted score across all findings. F is rare; most apps land between C and B.
Can I scan someone else's app?
Only scan apps you own or have explicit written authorization to test. Unauthorized security testing is illegal in most jurisdictions. By using this service you confirm you have authorization to scan the target URL.
My app scored a C — is that bad?
A C means there are warnings worth addressing before a large public launch. It's not an emergency, but it indicates misconfigured headers, weak SSL settings, or open ports that an attacker could leverage. Most issues at this level are fixable in under an hour.
What's the difference between Full Audit and Done For You?
Both plans include the same complete manual audit: security dashboard, embedded seal, a dedicated /security page for your app, and compliance readiness across SOC 2, GDPR, and the EU AI Act. The difference is simple — in the Full Audit, we give you a detailed remediation roadmap and you make the fixes yourself. In Done For You, our security team implements every fix, re-scans to verify everything is resolved, and updates your seal once you're clean.
What does "compliance readiness" mean?
It means we assess your app against the requirements of SOC 2, GDPR, the EU AI Act, and other relevant frameworks — and tell you exactly where the gaps are. This is a readiness assessment, not a formal certification. It gives you a clear picture of where you stand and what you need to do before a formal audit or enterprise sales process.