What is VibeWShield? A 90-Second Explainer

VibeWShield is a free DAST scanner built specifically for apps generated by Cursor, Lovable, Bolt, Replit, and v0. Here's what it does, how it differs from traditional security tools, and why AI-generated code needs its own scanner.

April 21, 2026 · VibeWShield Team · 2 min read

If you're building with Cursor, Lovable, Bolt, v0, or Replit, your codebase looks different from a human-written one. AI assistants produce beautiful, working features — and a predictable set of blind spots that traditional security tools miss.

VibeWShield is the scanner built for that codebase.

What it does

Paste your deployed app URL at /scan. In three to ten minutes you get:

  • 65+ security scanners running in parallel: SQL / NoSQL / command injection, SSRF, XSS, IDOR, CSRF, exposed secrets, JWT flaws, OAuth gaps, cloud misconfig, DNS intelligence, MCP server security — the full modern catalog.
  • AI-powered attack chain detection via Claude: two medium-severity findings that combine into a critical exploit path are surfaced as a single chain.
  • Business-logic abuse detection using an AI agent that tests price manipulation, workflow bypass, and privilege escalation patterns — the flaws no pattern-matching scanner can catch.
  • Ready-to-paste fix prompts for every finding, formatted for Cursor, Claude, and ChatGPT — rip out the vulnerability in the same AI environment that introduced it.

What makes it different

Traditional DAST scanners (OWASP ZAP, Burp Suite, Detectify, Nuclei standalone) were built for the vulnerability catalog of 2015-2022. They look for known patterns in known frameworks.

AI-generated apps introduce new patterns:

  • "use server" functions in Next.js that trust client input blindly.
  • Supabase RLS policies scaffolded as USING (true) — fully public tables.
  • Client-side admin checks (if (user.role === 'admin')) that hide the UI but not the /api/admin/* endpoints.
  • Stripe test keys in production bundles because the dev env leaked.
  • NEXT_PUBLIC_QSTASH_TOKEN publishing the queue auth token to the browser.

VibeWShield's scanner library covers all of the above out of the box. The base list of 65+ modules gets new entries weekly as we see new AI-generated mistakes in the wild.
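
The client-side admin check from the list above, shown next to a server-side guard. This is an added example, not VibeWShield's code or any framework's API; the session store, tokens, request objects and function names are constructed for illustration.

```javascript
// Constructed session store: token -> user. All values are sample data.
const sessions = new Map([
  ["tok-alice", { id: 1, role: "admin" }],
  ["tok-bob", { id: 2, role: "user" }],
]);

// Client side: decides only what is drawn on screen.
function visibleNav(user) {
  return user.role === "admin" ? ["Home", "Admin"] : ["Home"];
}

// BEFORE: an /api/admin/* handler with no check of its own, on the
// assumption that only admins see the link. Any caller who knows the
// path gets the data.
function adminUsersUnguarded(_req) {
  return { status: 200, body: [...sessions.values()] };
}

// AFTER: wrapper that authorizes on the server for every request.
// The role comes from the server-side session, never from the request body.
function requireAdmin(handler) {
  return (req) => {
    const token = (req.headers.authorization || "").replace(/^Bearer /, "");
    const user = sessions.get(token);
    if (!user) return { status: 401, body: { error: "unauthenticated" } };
    if (user.role !== "admin") return { status: 403, body: { error: "forbidden" } };
    return handler({ ...req, user });
  };
}

const adminUsersGuarded = requireAdmin(adminUsersUnguarded);

// Constructed requests: a normal user who claims "admin" in the body,
// a real admin, and an anonymous caller.
const bobRequest = {
  headers: { authorization: "Bearer tok-bob" },
  body: { role: "admin" },
};
const aliceRequest = { headers: { authorization: "Bearer tok-alice" }, body: {} };
const anonRequest = { headers: {}, body: {} };

console.log("nav for bob:", visibleNav(sessions.get("tok-bob")));
console.log("unguarded, bob:", adminUsersUnguarded(bobRequest).status);
console.log("guarded, bob:", adminUsersGuarded(bobRequest).status);
console.log("guarded, alice:", adminUsersGuarded(aliceRequest).status);
console.log("guarded, anonymous:", adminUsersGuarded(anonRequest).status);
```

The unguarded handler answers the non-admin request even though the navigation never showed that user an Admin link; the guarded one ignores the role claimed in the body and decides from the server-side session.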

Who is it for

  • Solo founders shipping vibe-coded MVPs who want one honest scan before launch.
  • Teams using AI coding tools who need a repeatable pre-release check.
  • Security engineers who want an opinionated baseline for AI-generated stacks before pulling out Burp / ZAP.

Is it really free?

Quick Scan and Deep Scan are free forever, no signup. Aggressive Mode (invasive payloads) and Agentic Scan (the AI pentester) cost $3 per run — credits never expire, no subscription.

Next step

Paste your app URL at /scan. No credit card, no install, no source-code access. Three minutes. You'll know what's broken.
