Do I Need a Pentest for My Side Project?

If your side project handles user data, processes payments, has a login system or was built with AI coding tools, you likely need a penetration test. The cost of a quick security audit ($1,500 at Sherlock Forensics) is a fraction of the average breach cost for small businesses ($100,000+). A pentest finds exploitable vulnerabilities before attackers do and provides remediation steps in plain language.

The Question Every Vibe Coder Asks

"It is just a side project." We hear this every week at Sherlock Forensics. A founder built something with Cursor, Bolt, Lovable or another AI tool. It works. It has users. But it is still "just" a side project. So they skip the security audit and keep building features.

Here is the decision tree. Answer these five questions honestly.

Question 1: Does Your App Handle User Data?

Does anyone create an account on your app? Do they enter their name, email address, phone number or any other personal information? Do they upload files, write messages or create content that is stored on your server?

If yes: You are responsible for protecting that data. In Canada, PIPEDA requires organizations to safeguard the personal information they collect and to report breaches that create a real risk of significant harm. GDPR applies to the data of anyone in the EU, wherever your app is hosted. In California, the CCPA only kicks in once a business crosses its revenue or volume thresholds, but California's breach notification law applies to any business that holds residents' personal information, and every other US state has a similar statute. The fact that your app is a "side project" does not exempt you from these obligations. If you suffer a breach and user data is exposed, you face notification requirements, potential fines and liability.

Even without regulatory pressure, you have a moral obligation. Your users trusted you with their information. If that information is compromised because you skipped a $1,500 security audit, that is on you.

Question 2: Does Your App Process Payments?

Do users pay for anything through your app? Do you integrate with Stripe, PayPal, Square or any other payment processor? Do you store any payment-related information?

If yes: You absolutely need a security audit. Accepting payments puts you in scope for PCI DSS even when a processor handles the card data (with a hosted checkout that is usually the lightweight SAQ A self-assessment, but the obligation is still yours). If an attacker obtains your Stripe secret key, a common finding in vibe-coded apps, they can issue refunds, create charges and read customer billing data. Use restricted keys with only the permissions your server needs, keep them out of client-side bundles and git history, and rotate any key that has ever been committed. The financial and legal exposure is immediate and significant.

Your payment processor will not protect you from your own mistakes. Stripe's shared responsibility model means you are responsible for securing your server, your API keys and your application logic. Stripe handles the payment processing infrastructure. Everything else is on you.

Question 3: Does Your App Have a Login System?

Can users create accounts and log in? Do you have an admin dashboard? Are there different permission levels (regular users vs. admins)?

If yes: Authentication is the most attacked surface of any web application, and AI-generated login systems are frequently vulnerable. If your login system can be bypassed, every other security control in your application is irrelevant. An attacker who can forge an admin session, or reach an admin route that never checks the session at all, has access to everything.

Question 4: Is Your App Publicly Accessible?

Can anyone on the internet visit your app? Is it deployed to a public URL? Have you shared the link on social media, Product Hunt, Hacker News or anywhere else?

If yes: Your app is already being scanned. Automated bots crawl the internet 24/7 looking for exposed .env files, unprotected admin panels, SQL injection vulnerabilities and other common issues. These bots do not care that it is a side project. They do not care that you have only 50 users. They scan every URL they find.
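The scanning described above shows up in your access logs long before anything is breached. The following is an added example, not a Sherlock Forensics tool or code from the original article: a small detector that reads combined-format access log lines, flags the probe types named in the text (secret files such as .env and .git, admin panels, SQL injection payloads) and separates the probes that were merely attempted from the ones your server actually answered with a 2xx. The log lines, IPs and the short probe list are constructed for illustration.

```python
"""Flag automated scanner probes in web access logs.

Added example, not a Sherlock Forensics tool. The sample log, the IP
addresses and the probe list below are constructed for illustration;
real scanners request far more paths than this subset.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed combined-log-format lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:08:01:12 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:08:01:13 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:08:01:14 +0000] "GET /admin HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2025:08:02:01 +0000] "GET /api/items?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 88 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2025:08:03:22 +0000] "GET /dashboard HTTP/1.1" 200 2048 "https://app.example/" "Mozilla/5.0"
192.0.2.9 - - [10/May/2025:08:03:25 +0000] "POST /api/notes HTTP/1.1" 201 64 "https://app.example/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Paths that no legitimate client of a web app requests. Illustrative subset.
PROBE_PREFIXES = ("/.env", "/.git/", "/.aws/credentials", "/wp-login.php", "/phpmyadmin")
ADMIN_PREFIXES = ("/admin", "/administrator")
# Classic injection fragments; scanners URL-encode them, so decode first.
SQLI_RE = re.compile(r"(?i)('\s*or\s*'|union\s+select|sleep\s*\()")


def classify(raw_path):
    """Return the probe category for a request path, or None if it looks legitimate."""
    decoded = unquote(raw_path)
    route = decoded.split("?", 1)[0]
    if route.startswith(PROBE_PREFIXES):
        return "secret-file probe"
    if SQLI_RE.search(decoded):
        return "sqli probe"
    if route.startswith(ADMIN_PREFIXES):
        return "admin panel probe"
    return None


def analyze(log_text):
    """Count probe categories per source IP and list probes the server answered 2xx.

    A 404 on /.env is noise; a 200 on /.env or on /admin from an address that is
    also probing for secret files is the finding worth acting on.
    """
    per_ip = defaultdict(Counter)
    served_probes = []  # (ip, decoded path, category) for probes that got a 2xx
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        kind = classify(m["path"])
        if kind is None:
            continue
        per_ip[m["ip"]][kind] += 1
        if m["status"].startswith("2"):
            served_probes.append((m["ip"], unquote(m["path"]), kind))
    return {ip: dict(counts) for ip, counts in per_ip.items()}, served_probes


if __name__ == "__main__":
    counts, served = analyze(SAMPLE_LOG)
    for ip, kinds in counts.items():
        print(ip, kinds)
    for ip, path, kind in served:
        print("SERVED PROBE:", ip, path, kind)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. The useful signal is the second return value: a scanner that gets a 2xx on /admin or /.env has found something you need to lock down, whereas a stream of 404s only tells you that the scanning the text describes is happening.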

The moment your app is publicly accessible, it is a target. The question is not whether someone will try to hack it. The question is whether they will succeed.

Question 5: Did AI Write the Code?

Was your application built using Cursor, Bolt, Lovable, Replit, v0, Claude, ChatGPT, Copilot or any other AI coding tool? Did you describe features in plain language and let the AI generate the implementation?

If yes: AI-generated code has a distinct vulnerability profile. AI tools optimize for making features work, not for making them secure. They build SQL queries by string concatenation, embed secrets in client-side code, skip authorization checks on API endpoints (any logged-in user can fetch any record by id) and use general-purpose random number generators for security-critical values such as password-reset tokens and session identifiers. These are not edge cases. They are the default behavior. Our AI code audits consistently find critical vulnerabilities in every vibe-coded application we test.
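Three of the patterns just listed, each in the form a code generator typically produces beside a hardened form. This is an added example, not code from the original article, from Sherlock Forensics or from any AI tool; the users table, the notes API and the reset-token helper are constructed for illustration.

```python
"""Vulnerable and hardened forms of three defects common in AI-generated code.

Added example, not code from the article or from any AI tool. The schema,
the rows and the Notes API are constructed for illustration.
"""
import random
import secrets
import sqlite3


def seed_db():
    """Constructed in-memory database standing in for the app's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, is_admin INTEGER)")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice@example.com", 0), (2, "bob@example.com", 0), (3, "root@example.com", 1)])
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)",
                     [(10, 1, "alice private"), (11, 2, "bob private")])
    return conn


# 1. SQL by string concatenation: the email is pasted straight into the query,
#    so a value like  ' OR '1'='1  rewrites the WHERE clause.
def find_user_vulnerable(conn, email):
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


# Hardened: parameter binding. The driver sends the value separately and never
# interprets it as SQL, so the same payload simply matches no row.
def find_user_safe(conn, email):
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


# 2. Missing authorization check: the endpoint knows who is asking
#    (requester_id) but never uses it, so any user can read any note by id.
def get_note_vulnerable(conn, requester_id, note_id):
    row = conn.execute("SELECT owner_id, body FROM notes WHERE id = ?", (note_id,)).fetchone()
    return row[1] if row else None


# Hardened: ownership is part of the query, so a non-owner gets the same
# "not found" result as a note that does not exist.
def get_note_safe(conn, requester_id, note_id):
    row = conn.execute("SELECT body FROM notes WHERE id = ? AND owner_id = ?",
                       (note_id, requester_id)).fetchone()
    return row[0] if row else None


# 3. Weak randomness: random.Random is a seedable Mersenne Twister. Given (or
#    recovered) the seed, every token it produces is predictable.
def reset_token_vulnerable(seed):
    rng = random.Random(seed)
    return "".join(rng.choice("0123456789abcdef") for _ in range(32))


# Hardened: secrets draws from the OS CSPRNG; no seed, no reproducibility.
def reset_token_safe():
    return secrets.token_hex(16)


def demo():
    """Exercise each pair with the same input and report what differs."""
    conn = seed_db()
    payload = "' OR '1'='1"
    return {
        "injection_rows_vulnerable": len(find_user_vulnerable(conn, payload)),  # all users
        "injection_rows_safe": len(find_user_safe(conn, payload)),              # none
        "idor_vulnerable": get_note_vulnerable(conn, 2, 10),  # bob reads alice's note
        "idor_safe": get_note_safe(conn, 2, 10),              # bob gets None
        "token_predictable": reset_token_vulnerable(1234) == reset_token_vulnerable(1234),
        "token_safe_repeats": reset_token_safe() == reset_token_safe(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The authorization fix is the one scanners cannot find for you: the vulnerable get_note returns exactly the rows the schema allows, every query succeeds, and nothing in the output says "wrong owner". Only someone who knows that notes belong to users can tell that the requester_id was never consulted.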

The Objections (and Why They Do Not Hold Up)

"It is just a side project"

A side project that stores user passwords and processes payments is not "just" anything. The word "side project" describes how you spend your time on it. It does not describe the risk to your users. A breach does not care about your organizational chart. If 50 users have their passwords exposed because you stored them in a text file, those 50 people are just as compromised as they would be if a Fortune 500 company leaked them.

"I only have 50 users"

Fifty breached accounts means 50 people whose credentials are now available for credential stuffing attacks across every service they use. If even one of those users reuses their password for their work email or banking, the downstream damage extends far beyond your application.

Also: you have 50 users now. If your app grows and you still have not fixed the security issues, you have the same vulnerabilities but more people affected. Fixing security gets harder and more expensive as the application grows. The cheapest time to audit is when the app is small.

"I will do it later"

Later is not free. Every day your app runs with unpatched vulnerabilities is a day an attacker could find them. Once an automated scanner locates an exposed secret or an unauthenticated admin route, exploiting it takes minutes, not weeks. "Later" might be after the breach, when "later" means incident response, user notification, legal consultation and reputation damage instead of a straightforward $1,500 audit.

Security debt works like financial debt. It accumulates interest. The longer you wait, the more code you build on top of insecure foundations, and the more expensive the remediation becomes.

"I cannot afford it"

Let us compare the numbers. A quick security audit at Sherlock Forensics starts at $1,500. The average cost of a data breach for small businesses exceeds $100,000 when you include:

  • Breach notification costs (required by law in Canada, the EU and every US state)
  • Legal consultation
  • Customer compensation and credit monitoring
  • Lost revenue during incident response
  • Reputation damage and customer churn
  • Regulatory fines (PIPEDA, GDPR, CCPA)
  • Forensic investigation to determine breach scope

A $1,500 audit is not an expense. It is insurance that costs less than 2% of the average breach cost. If you can afford to build and deploy an application, you can afford to verify that it is secure.

Pentest vs. Vulnerability Scan: What Is the Difference?

A vulnerability scan is an automated tool that checks for known issues. It compares your software versions against a database of known vulnerabilities and checks for common misconfigurations. Scans are fast, cheap and shallow. They find surface-level problems like outdated software versions and missing security headers.

A penetration test is a manual assessment conducted by a human security professional. The tester actively attempts to exploit vulnerabilities, chains findings together to escalate access and tests business logic that automated tools cannot understand. A pentest finds authentication bypasses, authorization flaws, data exposure through API endpoints and custom vulnerabilities specific to your application.

For vibe-coded applications, a vulnerability scan is not enough. The most critical vulnerabilities in AI-generated code are in the business logic: missing authorization checks, broken authentication flows and insecure data handling. These require a human tester who understands what the application is supposed to do and can identify where it fails to enforce those rules.

When to Get a Security Audit

Best time: After your MVP works but before you onboard real users.

Second best time: Now. If your app is already live with real users and has never been audited, schedule one immediately.

Worst time: After a breach. At that point you need incident response (more expensive), forensic investigation (much more expensive) and legal counsel (most expensive). The audit still has to happen, but now it happens under pressure and crisis conditions.

Run our 5-minute security checklist right now. If you fail more than two checks, you need professional help. Sherlock Forensics runs penetration tests specifically for vibe-coded applications starting at $1,500. Order online or call 604.229.1994.

Frequently Asked Questions

How much does a pentest cost?

Quick audits for vibe-coded and small applications start at $1,500 at Sherlock Forensics. This covers authentication, authorization, injection testing, secrets scanning and configuration review. Full penetration tests for larger applications are scoped based on complexity. Order a quick audit online or call 604.229.1994 to scope a full assessment.

Is a pentest worth it for a small app?

Yes, if your app handles user data, processes payments or has a login system. A $1,500 audit costs less than 2% of the average small business breach cost ($100,000+). The smaller the app, the faster and less expensive the audit. This is the cheapest time to find and fix security issues.

What is the difference between a pentest and a vulnerability scan?

A vulnerability scan is an automated check for known issues. A penetration test is a manual, human-led assessment that actively exploits vulnerabilities and tests business logic. For AI-generated code, the most critical vulnerabilities are business-logic flaws that only a human tester can find. Scanners miss the issues that matter most.

When should I get a security audit?

The best time is after your MVP works but before real users sign up. The second best time is now. Every day your app runs without an audit is a day attackers could exploit its vulnerabilities. If you have real users and have never been audited, schedule an audit today.