Your First VibeWShield Scan: A 5-Minute Walkthrough

What to expect from your first scan — choosing a mode, reading the results, and applying the fix prompts to your AI coding environment. Everything you need to go from 'scan started' to 'vulnerability patched' in one session.

April 21, 2026 · VibeWShield Team · 2 min read

Your first scan takes five minutes end-to-end — three minutes for VibeWShield to run, two minutes to skim the results. Here's what actually happens and what to look at.

Step 1. Pick a mode

At /scan you'll see four modes. For your first scan:

  • Quick Scan (~3 min, free, no signup) — basic discovery, secrets, transport headers. Good for "is there something obviously on fire?"
  • Deep Scan (~10 min, free with account) — all 65+ scanners plus AI enrichment and attack chain detection. Start here.

Leave Aggressive and Agentic for later — they're invasive tests and AI pentesting that cost a credit each.

Step 2. Paste your URL

Paste the deployed URL, for example https://yourapp.vercel.app or https://yourapp.com. You don't need to enter subdomains; we discover them automatically.

Confirm the authorization checkbox — you're affirming you own this app or have permission to scan it. We don't scan apps without authorization, and the scanner refuses to run against internal IPs regardless.

Hit Start scan.

Step 3. Watch the progress

The scanner wall shows every module's status live. Discovery runs first (crawls the site, parses JS bundles), then all scanners run concurrently. A progress bar ticks up as scanners complete. Critical pages found (login, admin, api) are listed as discovery progresses.

Average timing:

  • Quick Scan: 2 min 30 s.
  • Deep Scan: 8 min.

Don't close the tab — we poll the backend every 2 seconds.

Step 4. Read the results

The results page groups findings by severity:

  • Critical (red) — act today.
  • High (orange) — act this week.
  • Medium (yellow) — act this sprint.
  • Low (blue) — good hygiene.
  • Info — contextual, not bugs.

Above the findings you'll see a security score (0–100, lower = worse) and a severity breakdown. Below, an attack-chains section shows any multi-step exploits our AI assembled from individual findings.

Each finding card has:

  • What it is: plain-language description.
  • Attack scenario: how an attacker would exploit it, step by step.
  • Evidence: the URL, parameter, HTTP response snippet, screenshot where relevant.
  • Fix prompt: a ready-to-paste instruction for your AI coding tool that rewrites the vulnerable code.

Step 5. Apply the fix prompts

Open Cursor / Claude / ChatGPT. Copy the fix prompt. Paste. The prompt includes the file path and the exact code change expected.

For most findings, the fix is a 5-line patch — rename a NEXT_PUBLIC_ variable, add a Zod schema, replace findUnique with findFirst + ownership check. A Deep Scan with 15 findings usually turns into a 45-minute fix session for someone who wrote the code.
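The third pattern named above, the ownership check, as an added example (not VibeWShield output and not code from the product). The `db` object is a hypothetical in-memory stand-in for a Prisma client so the block runs offline; the `invoice` model, the `ownerId` field and `session.userId` are assumed names.

```javascript
// Constructed sample data: two invoices owned by different users.
const rows = [
  { id: "inv_1", ownerId: "user_alice", total: 120 },
  { id: "inv_2", ownerId: "user_bob", total: 980 },
];

// Hypothetical stand-in for a Prisma model delegate (assumption, not the real
// client). Only equality filters in `where` are supported.
const matches = (row, where) =>
  Object.entries(where).every(([key, value]) => row[key] === value);
const db = {
  invoice: {
    findUnique: async ({ where }) => rows.find((r) => matches(r, where)) ?? null,
    findFirst: async ({ where }) => rows.find((r) => matches(r, where)) ?? null,
  },
};

// BEFORE: the lookup uses the id alone, so any caller who supplies another
// user's invoice id receives that invoice.
async function getInvoiceUnsafe(db, invoiceId) {
  return db.invoice.findUnique({ where: { id: invoiceId } });
}

// AFTER: the owner id is taken from the server-side session, never from the
// request, and is part of the query filter itself.
async function getInvoiceSafe(db, session, invoiceId) {
  if (!session || !session.userId) return { status: 401, body: null };
  const invoice = await db.invoice.findFirst({
    where: { id: invoiceId, ownerId: session.userId },
  });
  // Same 404 for "does not exist" and "not yours", so ids cannot be probed.
  if (!invoice) return { status: 404, body: null };
  return { status: 200, body: invoice };
}

// Demo: Alice asks for Bob's invoice through both handlers.
async function demo() {
  const alice = { userId: "user_alice" };
  return {
    unsafe: await getInvoiceUnsafe(db, "inv_2"),
    safeOther: await getInvoiceSafe(db, alice, "inv_2"),
    safeOwn: await getInvoiceSafe(db, alice, "inv_1"),
    anonymous: await getInvoiceSafe(db, null, "inv_1"),
  };
}
demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

When you rescan, the check that matters is the `safeOther` case: a valid session requesting a record it does not own must get the same response as a nonexistent id.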

Step 6. Rescan

Hit Scan again after your commits are deployed. Same URL, same mode. Compare severities. Ship.

What NOT to do

  • Don't run scans against someone else's app without permission.
  • Don't panic about Info-level findings. Triage by severity.
  • Don't ignore the fix prompts — they encode the actual secure pattern, not just "add validation here."

Five minutes to first finding. Thirty minutes to first fix. That's the loop.
