Part of the Vibe Coding Security guide. If your app has not been breached yet, see Security Prompts Every Vibe Coder Needs for prevention.

Vibe-Coded App Got Owned? Forensic Incident Response in 24 Hours

Vibe-coded applications get breached for the same reasons hand-written code does: hardcoded secrets, broken authentication, missing input validation. When it happens, the first hour determines what you can recover and what you can prove. Stop the bleeding by rotating exposed credentials, preserve logs and snapshots before they roll off, document the timeline, then call a forensic examiner. Sherlock Forensics provides 24-hour incident response for vibe-coded applications: first call answered within 1 business hour, evidence-grade investigation, legal and insurance-ready reports. Quote within 1 business hour.

If You Are Reading This Mid-Breach: Do These Things First

You arrived here because something is wrong with your app and you suspect a compromise. Before you read another paragraph, do these five things in order. None of them takes more than 10 minutes.

  1. Rotate every exposed credential. API keys, database passwords, JWT signing secrets, OAuth client secrets, Stripe restricted keys, deployment SSH keys, third-party service tokens. If a credential lives in your codebase, your environment variables or your CI/CD pipeline, rotate it. Now.
  2. Snapshot your cloud environment. If you run on AWS, GCP, Azure, Fly.io, Render or Vercel: take a snapshot of your database, your file storage and your application server before anything else changes. Snapshots are cheap. Forensic evidence is expensive to recreate.
  3. Export logs. Most cloud providers expire access logs and application logs in 1 to 30 days. Pull a copy of every relevant log to local storage. Hash each log file with SHA-256 the moment you save it so you can prove later that nothing was tampered with after the fact.
  4. Document what you know. Open a plain text file. Write down: when you first noticed something wrong, what specifically you noticed, what you have changed since then, what users have reported, what error messages you saw. Save it. This becomes the timeline a forensic examiner needs.
  5. Call Sherlock Forensics. 604.229.1994. First call answered within 1 business hour. Read the rest of this article while you wait.
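Step 3 can be scripted so the hashing happens the moment the export lands. The following is an added example, not code from Sherlock Forensics: it hashes every exported file into a manifest and later reports anything modified, missing or unlisted. The manifest file name and its JSON layout are assumptions.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

MANIFEST = "MANIFEST.sha256.json"  # hypothetical file name

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large log exports do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def _evidence_files(evidence_dir):
    """Yield relative paths of every file except the manifest itself."""
    for root, dirs, files in os.walk(evidence_dir):
        dirs.sort()
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            if rel != MANIFEST:
                yield rel

def write_manifest(evidence_dir):
    """Record SHA-256, size and UTC hashing time for each exported file."""
    now = datetime.now(timezone.utc).isoformat()
    entries = {}
    for rel in _evidence_files(evidence_dir):
        full = os.path.join(evidence_dir, rel)
        entries[rel] = {"sha256": sha256_file(full),
                        "bytes": os.path.getsize(full), "hashed_at_utc": now}
    with open(os.path.join(evidence_dir, MANIFEST), "w") as fh:
        json.dump(entries, fh, indent=2, sort_keys=True)
    return entries

def verify_manifest(evidence_dir):
    """Return {path: status} for files that are modified, missing or unlisted."""
    with open(os.path.join(evidence_dir, MANIFEST)) as fh:
        recorded = json.load(fh)
    present = set(_evidence_files(evidence_dir))
    problems = {}
    for rel, meta in recorded.items():
        if rel not in present:
            problems[rel] = "missing"
        elif sha256_file(os.path.join(evidence_dir, rel)) != meta["sha256"]:
            problems[rel] = "modified"
    for rel in present - set(recorded):
        problems[rel] = "unlisted"
    return problems
```

Keep a second copy of the manifest somewhere the affected environment cannot write to, so the hashes themselves cannot be altered along with the logs.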

What an Attacker Probably Did

Sherlock Forensics has investigated dozens of breached vibe-coded applications since 2024. The attack pattern is almost always the same. The attacker found a credential, a vulnerability or an exposed endpoint. They escalated. They exfiltrated or modified data. They covered their tracks.

The most common entry points in order of frequency:

  • Hardcoded secret in a committed source file. Stripe key, AWS access key, database connection string. The attacker scrapes GitHub for these constantly. The lifespan of an exposed AWS key on a public repo is measured in minutes.
  • Missing authentication on an admin endpoint. The AI generated the public-facing API correctly but forgot to add the auth middleware on the internal admin routes. The attacker discovered the unprotected endpoint via directory enumeration.
  • Broken authorization (IDOR). Authenticated users can access other users' data by changing an ID in the URL. The AI did not add the ownership check.
  • SQL injection in a raw query. The AI used parameterized queries everywhere except one place where it concatenated user input into a string.
  • Exposed environment file. .env file accidentally committed, or the deployment exposed /.env via misconfigured static file serving.
  • Outdated dependency with a known CVE. The AI pinned a version 6 months ago and nothing has updated it since. A new CVE landed and the attacker found you.

The deep-dive on these attack patterns is in Vibe Coding Security Risks. After the incident is contained, that piece becomes the prevention playbook.

The First 24 Hours: What Sherlock Forensics Does

An incident response engagement with Sherlock Forensics has a predictable shape. We have run it on enough breaches that the first 24 hours are tightly choreographed.

Hour 0: Triage Call

You explain what happened. We ask for the basics: when, what application, what evidence you have, what credentials you have rotated, what is currently exposed. We give you a scope and a fixed quote within the call. No surprise billing later.

Hours 1 to 4: Evidence Preservation

We collect every artifact: cloud logs, application logs, database snapshots, git history, deployment history, environment variable history, third-party service logs (Stripe events, Auth0 events, anything you pay for). Each artifact is hashed with SHA-256 the moment we receive it so the chain of custody starts immediately. This is required if the matter goes to court or to an insurer.

Hours 4 to 12: Attack Reconstruction

We walk the logs forward from your earliest suspicious entry. We identify the entry point, the escalation steps, what data was accessed and what was modified or exfiltrated. We use the same forensic methodology applied to large-scale breaches but scaled to your codebase. The output is a timeline document with timestamps, source IPs (in hashed form for any external reporting) and the specific code paths touched.
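A minimal version of this log walk, as an added example rather than Sherlock Forensics' own tooling: it flags three of the entry points listed earlier in constructed access-log lines and returns a time-ordered timeline with keyed-hash source IPs. The log format, route names, the logged-user field, the ID-walk threshold and the HMAC key are assumptions.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in common-log style; paths, users and IPs are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2025:03:14:07 +0000] "GET /.env HTTP/1.1" 200 412
198.51.100.4 - alice [02/Mar/2025:03:15:00 +0000] "GET /api/orders/17 HTTP/1.1" 200 733
203.0.113.7 - - [02/Mar/2025:03:16:41 +0000] "GET /admin/users HTTP/1.1" 200 9120
203.0.113.7 - bob [02/Mar/2025:03:20:02 +0000] "GET /api/orders/101 HTTP/1.1" 200 640
203.0.113.7 - bob [02/Mar/2025:03:20:03 +0000] "GET /api/orders/102 HTTP/1.1" 200 655
203.0.113.7 - bob [02/Mar/2025:03:20:04 +0000] "GET /api/orders/103 HTTP/1.1" 200 612
"""

LINE = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def hash_ip(ip, key):
    """Keyed hash: a bare SHA-256 of an IPv4 address is trivially brute-forced."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]

def triage(log_text, key, idor_threshold=3):
    """Return a time-ordered list of (timestamp, hashed_ip, finding, path)."""
    findings, ids_seen = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, user, ts, _method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        ok = status.startswith("2")
        if path.startswith("/.env") and ok:
            findings.append((when, ip, "env-file-served", path))
        if path.startswith("/admin") and ok and user == "-":
            findings.append((when, ip, "admin-without-auth", path))
        obj = re.fullmatch(r"(/.+)/(\d+)", path)
        if obj and ok:
            # One client reading many distinct IDs on one route: possible IDOR.
            seen = ids_seen[(ip, obj.group(1))]
            seen.add(obj.group(2))
            if len(seen) == idor_threshold:
                findings.append((when, ip, "id-walk", obj.group(1)))
    findings.sort(key=lambda f: f[0])
    return [(w.isoformat(), hash_ip(ip, key), what, p) for w, ip, what, p in findings]
```

An `id-walk` hit only shows a pattern consistent with ID enumeration; confirming that another user's records were actually returned needs correlation with the database.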

Hours 12 to 24: Remediation Brief

You get a written brief with: what happened, what was compromised, what to change in the code, what to communicate to affected users, what to file with insurance, what to report to regulators if applicable. The remediation section includes specific code diffs where the bug lives. You can hand the brief to your AI coding tool with "fix all of these" and have a working remediated build in hours rather than weeks.

What This Costs

Sherlock Forensics scope-based pricing for vibe-coded incident response:

  • Rapid Triage (1 day): $2,500 CAD. First-hour response, evidence preservation, attack reconstruction, brief remediation memo. Right for confined breaches with limited scope.
  • Full Investigation (3 to 5 days): $7,500 to $15,000 CAD depending on application complexity. Everything in Rapid Triage plus exhaustive log analysis, third-party service correlation, regulator-ready report, insurance-ready report.
  • Incident Retainer (annual): $3,000 CAD per year. Guarantees first-hour response and a fixed engagement quote within 24 hours of any incident. Pays for itself the first time you need it.

Cyber insurance often covers forensic investigation costs. Sherlock Forensics is on the approved-vendor list for several Canadian and US carriers. Call your insurance broker the same day you call us.

What This Does Not Cover

To be clear about scope: a Sherlock Forensics incident response engagement does NOT include re-architecting your application, full code remediation beyond the breached vulnerabilities, ongoing security monitoring or compliance certification work. Those are separate engagements with separate scopes.

We DO refer to trusted partners for any of those follow-on needs. We also do not work with applications used in unlawful activity. We work with legitimate businesses dealing with real incidents.

How to Avoid This Next Time

After the incident, the question becomes how to prevent the next one. The full prevention playbook lives in the Vibe Coding Security guide. The three actions that prevent 80% of vibe-code breaches:

  1. Pre-commit secret scanning. A 5-minute setup catches the most common breach vector before code ever reaches GitHub.
  2. Security review prompts. See Security Prompts Every Vibe Coder Needs. Paste these into your AI tool before every meaningful commit.
  3. A one-off audit before public launch. Sherlock Forensics offers vibe code audits starting at $1,500 CAD. See Vibe Code Audit: What to Expect.
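What the first step checks, as an added example and not a tool from the Vibe Coding Security guide: a scanner for the added lines of a staged diff, covering the secret types named under the entry points above. The rule patterns are common key formats and the `--staged` switch is hypothetical; a maintained scanner will have far broader rules.

```python
import re
import subprocess
import sys

RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe-live-key": re.compile(r"\b[sr]k_live_[0-9a-zA-Z]{16,}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "db-url-with-password": re.compile(r"\b\w+://[^\s:/@]+:[^\s@]+@[^\s/]+"),
}
ENV_FILE = re.compile(r"(^|/)\.env(\.|$)")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")

def scan_diff(diff_text):
    """Return (file, line_number, rule) for each added line that matches."""
    findings, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
            if ENV_FILE.search(path) and not path.endswith(".example"):
                findings.append((path, 0, "env-file-staged"))
        elif (m := HUNK.match(line)):
            lineno = int(m.group(1))  # first new-file line of this hunk
        elif line.startswith("+"):
            for rule, rx in RULES.items():
                if rx.search(line[1:]):
                    findings.append((path, lineno, rule))
            lineno += 1
        elif line.startswith(" "):
            lineno += 1
    return findings

def main():
    """Pre-commit entry point: scan staged changes, block the commit on a hit."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: {rule}", file=sys.stderr)
    return 1 if findings else 0

# Hypothetical switch: the hook script passes --staged to run the scan.
if __name__ == "__main__" and sys.argv[1:] == ["--staged"]:
    sys.exit(main())
```

Calling the script with `--staged` from `.git/hooks/pre-commit` makes git abort the commit whenever it exits non-zero.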

Most of the breaches we investigate were preventable with one of these three steps. The cost of doing them is a small fraction of the cost of the incident response that follows.

Call Us

If your vibe-coded app has been compromised, call 604.229.1994 or visit our incident response service page. First call answered within 1 business hour. Engagement quote on the call. CISSP, ISSAP and ISSMP certified examiners with 20 years of digital forensics experience.

If you got here from a Google search and you have not yet been breached: bookmark this page and read the What Is Vibe Coding deep-dive followed by the rest of the security hub. Prevention is cheaper.

24-Hour Incident Response

CISSP, ISSAP, ISSMP certified. Since 2006. Quote on the first call.