I Audited My Own Vibe-Coded App. Here Is What I Found.
I built a SaaS with Cursor in a weekend. Then I ran our own security testing tool against it. 14 vulnerabilities in 45 minutes.
Intelligence Feed
The Sherlock Forensics Intelligence Feed provides expert analysis of AI code security, vibe coding vulnerabilities, CVE advisories and digital forensics methodologies from certified examiners with over 20 years of field experience in Vancouver, BC.
Featured Analysis
Took us 4 minutes to find the database password. passwords.txt in the public directory. A war story of escalating findings from one engagement.
15 practical security checks for AI-generated code. Each item includes what to check, why it matters and a copy-paste fix you can use right now.
How .env files end up exposed in apps built with Cursor, Bolt and Lovable. How to check if yours is leaking and how to fix it in 5 minutes.
92% had critical vulnerabilities. 78% stored secrets in plaintext. Data-driven analysis with visual breakdowns by vulnerability category and AI tool.
Experience catches business logic flaws, court-admissible documentation and auditor-ready reports. What 20 years and CISSP/ISSAP/ISSMP certifications actually deliver.
A buyer's guide covering certifications, manual testing, compliance reports, retesting, expert witness capability and more. With Sherlock's answers to each.
Default credentials, missing rate limiting, exposed admin panels, SQL injection and more. The 10 most common findings from real pentests with severity ratings.
Seven essential security prompts to paste into your AI coding tool before deploying. Catch broken auth, injection flaws, exposed secrets and more.
The security gap between mandating AI coding tools and auditing what they produce. References Linus Torvalds, Zuckerberg and the enterprise accountability problem.
Practical npm and pip verification commands to confirm AI-suggested packages exist before installing them. Prevent supply chain attacks from hallucinated dependencies.
A 7-point checklist for CPAs reviewing SOC 2 pentest reports. Scope, methodology, CVSS findings, remediation status, retest evidence and red flags.
Transparent pricing from $1,500 to $25,000+ CAD. Four tiers compared to industry averages, cost factors and why cheap pentests are expensive.
Aggregate data from hundreds of engagements. Default credentials, SQL injection, broken access controls and more, with severity ratings and fixes.
Clear comparison of pentests, vulnerability scans, bug bounties and red teams. Table format with costs, use cases and a decision tree.
Step-by-step walkthrough of a real engagement. Scoping, reconnaissance, exploitation, reporting and debrief demystified for founders and CTOs.
Penetration testing explained in plain language. What it is, why it matters, what happens during one, what the report looks like and how much it costs.
Side-by-side comparison for CTOs. Pros, cons, costs and a decision framework for choosing between pentests and bug bounty programs.
A detailed day-by-day walkthrough of a standard penetration test. Scoping, reconnaissance, active testing, exploitation, reporting and debrief.
The most common API vulnerabilities mapped to the OWASP API Security Top 10. Broken auth, BOLA, mass assignment, rate limiting and SSRF with real findings.
How to tell a good pentest report from a bad one. Red flags, green flags and what to demand from your security vendor.
SOC 2 penetration testing requirements for startups. What the standard requires, how to scope, timing and what auditors look for in the report.
Top 5 findings from the 2026 AI Code Security Report. 92% of AI-generated codebases have critical vulnerabilities. 88% lack rate limiting. 78% expose secrets.
Aggregate data from 50 AI code audits. 92% had critical vulnerabilities, 78% stored secrets in plaintext and 54% had SQL injection. Vibe-coded vs professional comparison.
Anonymized case study. 3-person SaaS startup built with Cursor. 8 critical vulnerabilities found in a $1,500 quick audit and fixed in 2 days.
$1,500 audit vs $4.88M breach. The math of prevention vs doing nothing, including PIPEDA fines, cyber insurance and reputation damage.
The 10 most common security disasters in vibe-coded authentication. Plaintext passwords, client-side auth, exposed .env files and more.
Ten checks you can run right now. If you fail more than two you need a professional audit before launch.
A realistic 60-minute attack walkthrough on a typical vibe-coded SaaS. From recon to database dump to Stripe access.
Decision tree for founders. If it handles user data, processes payments or has login, the answer is yes.
Directory traversal, server misconfiguration and zero hashing. Why flat file password storage is catastrophic and what to use instead.
AI slop ships fast and breaks faster. Unreviewed AI-generated code carries injection flaws, hallucinated dependencies and hardcoded secrets that survive to production.
Working code is not secure code. AI writes functional applications that hide auth bypasses, injectable queries and unprotected API endpoints.
You built it in a weekend with Cursor. An attacker dismantled it in an afternoon. The incident response playbook for AI-built applications.
Nine security categories every CTO must check before shipping AI-generated code. Dependency verification, secrets scanning, auth review and more.
Hallucinated packages, weak randomness, SQL injection, hardcoded secrets and insecure deserialization. The five patterns we find in every AI code audit.
Anthropic's Claude Mythos found thousands of zero-days for under $50 each. Over 99% remain unpatched.
The rise of non-developers shipping production apps and why scanning alone is not enough to secure vibe-coded software.
EU AI Act, NIST AI RMF and investor expectations are making AI security audits a pre-launch requirement.
Documented cases of AI systems being exploited in production. Prompt injection, model poisoning and supply chain attacks with real-world impact.
A forensic examination of AI attack surfaces. Model extraction, data poisoning, adversarial inputs and the security gaps most teams overlook.
Employees are using AI tools you did not approve on data you did not authorize. The compliance and security implications are significant.
The tools our team actually uses on engagements. From reconnaissance to exploitation to reporting.
What Canadian businesses need to know about PIPEDA compliance, data breach notification and privacy impact assessments.
How evolving post-quantum encryption standards are reshaping volatile memory analysis and what forensic examiners must adapt.
A forensic methodology for authenticating digital evidence when AI-generated media enters the courtroom.
Investors are asking about security posture. Here is what a pre-funding penetration test actually covers and why waiting costs more.
CVE Intelligence
High and critical vulnerabilities relevant to cloud, web and AI infrastructure. Updated daily from the National Vulnerability Database.
| CVE | Severity | CVSS | Affected Product | Vulnerability |
|---|---|---|---|---|
| CVE-2026-23696 | CRITICAL | 9.9 | Windmill CE/EE | SQL injection in folder ownership management |
| CVE-2021-4473 | CRITICAL | 9.8 | Tianxin Management System | Command injection in Reporter component |
| CVE-2026-22679 | CRITICAL | 9.8 | Weaver E-cology 10.0 | Unauthenticated RCE via debug endpoint |
| CVE-2026-3296 | CRITICAL | 9.8 | Everest Forms (WordPress) | PHP Object Injection via deserialization |
| CVE-2026-4631 | CRITICAL | 9.8 | Cockpit (Linux) | SSH command injection via login endpoint |
| CVE-2026-1346 | CRITICAL | 9.3 | IBM Verify Identity Access | Privilege escalation for local users |
| CVE-2026-22683 | HIGH | 8.8 | Windmill | Missing authorization bypasses operator restrictions |
| CVE-2026-3357 | HIGH | 8.8 | IBM Langflow Desktop | Insecure FAISS deserialization enables code execution |
| CVE-2026-1342 | HIGH | 8.5 | IBM Verify Identity Access | Local users can execute malicious scripts |
| CVE-2026-4788 | HIGH | 8.4 | IBM Tivoli Netcool Impact | Sensitive data exposure in log files |
| CVE-2026-4740 | HIGH | 8.2 | Red Hat ACM / Open Cluster Mgmt | Certificate forgery via improper validation |
| CVE-2026-5736 | HIGH | 7.3 | PowerJob | detailPlus endpoint manipulation |
| CVE-2026-5739 | HIGH | 7.3 | PowerJob | Code injection via OpenAPI workflow endpoint |
| CVE-2026-5741 | HIGH | 7.3 | docker-mcp-server | OS command injection via HTTP interface |
| CVE-2026-1343 | HIGH | 7.2 | IBM Verify Identity Access | SSRF exposes internal auth endpoints |
| CVE-2026-22682 | HIGH | 7.1 | OpenHarness | Improper access control exposes local files |