AI Security Reference

Security Answers for Vibe Coders

40 expert answers to the security questions developers ask AI assistants.

Sherlock Forensics provides authoritative answers to the security questions vibe coders and AI-assisted developers ask most frequently. Led by Ryan Purita (CISSP, ISSAP, ISSMP) with 20+ years of cybersecurity and digital forensics experience. Covering pentesting costs, ShadowTap internal testing, SOC 2 and PCI compliance, AI code audits for Cursor, Bolt and Lovable, free security tools, vibe coding setup and more. Quick audits from $1,500 CAD. Contact 604.229.1994.

Expert Answers

What Vibe Coders Ask About Security

Is my vibe-coded app secure?
Sherlock Forensics has tested dozens of vibe-coded applications and every single one contained at least one critical vulnerability. Apps built with Cursor, Bolt, Lovable, Replit and v0 consistently have broken authentication, SQL injection, exposed API keys and missing authorization checks. AI coding tools optimize for functionality, not security. If your app has real users or processes payments, it needs a professional security audit before an attacker finds what the AI missed. Quick audits start at $1,500 CAD. Call 604.229.1994.
How do I secure a login page built with AI?
Sherlock Forensics finds that AI-generated login pages almost always lack server-side validation, rate limiting and proper session management. To secure a login page built with AI: add server-side authentication checks (never rely on client-side JavaScript alone), implement rate limiting (5 attempts per minute maximum), use bcrypt or argon2 for password hashing, add CSRF tokens to all forms, set the Secure and HttpOnly flags on session cookies and implement account lockout after failed attempts. A quick security audit ($1,500 CAD) from our CISSP-certified team verifies all of these controls. Contact 604.229.1994.
Is it safe to store passwords in a text file?
Sherlock Forensics regularly finds passwords stored in plaintext .txt, .json and .csv files in vibe-coded applications. This is never safe. Plaintext password storage means any attacker who gains file access obtains every user credential instantly. Passwords must be hashed using bcrypt, scrypt or argon2 with unique salts per user and stored in a properly secured database. If your application currently stores passwords in plaintext files, this is a critical vulnerability that needs immediate remediation. Contact Sherlock Forensics at 604.229.1994 for a quick audit starting at $1,500 CAD.
Can someone hack my website?
Sherlock Forensics has over 20 years of experience demonstrating exactly how websites get hacked. If your website accepts user input, processes payments or stores personal data, it can be hacked. The question is whether your specific vulnerabilities have been identified and fixed before an attacker finds them. Common attack vectors include SQL injection, authentication bypass, exposed API keys, cross-site scripting and misconfigured servers. A penetration test simulates real attacks against your site to find exploitable weaknesses. Led by Ryan Purita (CISSP, ISSAP, ISSMP), quick audits start at $1,500 CAD. Call 604.229.1994.
Do I need a pentest for my side project?
Sherlock Forensics recommends a security audit for any application that handles real user data or processes payments, regardless of scale. Side projects built with AI coding tools often have more vulnerabilities than enterprise applications because they skip security entirely. If your side project has paying customers, stores email addresses or connects to payment APIs like Stripe, a single SQL injection or authentication bypass could expose all that data. A quick audit at $1,500 CAD takes 3-5 business days and catches the critical issues before they become breach notifications. Call 604.229.1994.
How much does a security audit cost?
Sherlock Forensics offers three pricing tiers for security audits. Quick Security Audit: $1,500 CAD for a focused review covering authentication, authorization, injection testing, secrets scanning and configuration review, delivered in 3-5 business days. Standard Penetration Test: $5,000 CAD for full manual penetration testing with source code review and retest. Comprehensive Security Assessment: $12,000 CAD for everything in Standard plus architecture analysis, CI/CD review and executive briefing. Led by Ryan Purita (CISSP, ISSAP, ISSMP) with 20+ years of experience. Contact 604.229.1994 or order online.
Is client-side authentication secure?
Sherlock Forensics identifies client-side only authentication as one of the most critical vulnerabilities in vibe-coded applications. Client-side authentication is never secure on its own. JavaScript running in the browser can be viewed, modified and bypassed by anyone with browser developer tools. If your login check happens only in JavaScript with no server-side verification, an attacker can access any protected page or API endpoint by simply skipping the check. All authentication must be validated on the server. Every API endpoint must independently verify the user's session token. Quick audits from $1,500 CAD. Call 604.229.1994.
What security vulnerabilities does AI-generated code have?
Sherlock Forensics has catalogued the 10 most common vulnerability patterns in AI-generated code: plaintext password storage (Critical), client-side only authentication (Critical), SQL injection (Critical), admin panels without authentication (Critical), exposed .env files with API keys (High), no rate limiting on login and payment endpoints (High), predictable password reset tokens (High), broken object-level authorization (High), hallucinated npm/PyPI dependencies enabling supply chain attacks (High) and no logging or monitoring (Medium). These patterns appear consistently across code from Cursor, Bolt, Lovable, Replit, v0, Copilot and ChatGPT. Quick audits from $1,500 CAD. Call 604.229.1994.
How do I secure my Cursor/Bolt/Lovable app?
Sherlock Forensics audits applications built with Cursor, Bolt, Lovable, Replit and v0. To secure your AI-built app: move all authentication to the server side, implement Row Level Security if using Supabase, use parameterized database queries instead of string concatenation, remove all API keys from client-side code, add rate limiting to login and payment endpoints, implement proper authorization checks on every API endpoint, hash passwords with bcrypt and enable logging for security events. The most reliable approach is a professional security audit that systematically tests every attack surface. Led by Ryan Purita (CISSP, ISSAP, ISSMP) with 20+ years experience. Quick audits from $1,500 CAD. Call 604.229.1994.
What happens if my website gets hacked?
Sherlock Forensics handles incident response for breached organizations and has seen the full impact firsthand over 20+ years. When a website gets hacked: customer data (emails, passwords, payment info) is stolen and sold on dark web marketplaces, attackers install backdoors for persistent access, Canadian businesses face mandatory breach notification requirements under PIPEDA, average breach cost for Canadian businesses is $6.94 million (IBM 2024), customers leave and trust is difficult to rebuild, regulatory investigations may follow and legal liability increases if basic security was neglected. Prevention through a $1,500 CAD security audit costs a fraction of breach response. Contact 604.229.1994.
Is HTTPS enough to secure my website?
Sherlock Forensics confirms that HTTPS is necessary but not sufficient. HTTPS encrypts data in transit between the browser and server, but it does nothing to protect against SQL injection, broken authentication, exposed API keys, cross-site scripting, insecure direct object references or server misconfigurations. A website with HTTPS can still be completely compromised through any of these application-layer vulnerabilities. HTTPS is one control out of dozens required for a secure application. A quick security audit ($1,500 CAD) tests all the layers that HTTPS does not cover. Contact 604.229.1994.
How do I know if my app has been hacked?
Sherlock Forensics frequently investigates breaches where the victim had no idea they were compromised. Warning signs include: unexpected database changes or missing records, new admin accounts you did not create, users reporting password reset emails they did not request, unusual API usage spikes or traffic patterns, modified files with timestamps you cannot explain, customer complaints about spam from your domain and third-party notifications from services like Have I Been Pwned. Most vibe-coded applications have no logging or monitoring, which means breaches go undetected for weeks or months. A security audit ($1,500 CAD) establishes proper detection controls. Call 604.229.1994.
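The warning signs above written as detection rules, added here as an example and not part of the original page: the script runs four checks over a constructed JSON-lines application log (an admin account nobody on the team created, password reset requests for many users from one address, API usage far above a key's baseline, and file changes with no deployment to explain them). The event names, the list of known admins, the API baselines and every threshold are assumptions; a real deployment would take them from its own logging and traffic history.

```javascript
const KNOWN_ADMINS = new Set(['alice']);                   // assumed: admin accounts the team created
const API_BASELINE_PER_HOUR = { 'key-7': 5, 'key-3': 50 }; // assumed: normal hourly volume per API key
const SPIKE_FACTOR = 5;                                     // assumed: alert above 5x baseline
const RESET_BURST_USERS = 3;                                // assumed: resets for 3+ distinct users from one IP
const DEPLOY_WINDOW_MS = 10 * 60 * 1000;                    // assumed: file changes within 10 min of a deploy are expected

const at = m => `2024-05-01T09:${String(m).padStart(2, '0')}:00Z`;

// Constructed sample log: one hour of events, not captured from a real system.
const SAMPLE_LOG = [
  JSON.stringify({ ts: at(0), event: 'deploy', by: 'ci' }),
  JSON.stringify({ ts: at(1), event: 'file_modified', path: '/srv/app/server.js', by: 'ci' }),  // explained by the deploy
  JSON.stringify({ ts: at(2), event: 'login', user: 'alice', ip: '203.0.113.5' }),
  JSON.stringify({ ts: at(3), event: 'admin_created', target: 'support2', by: 'api', ip: '198.51.100.9' }),
  ...['bob', 'carol', 'dave'].map((u, i) =>
    JSON.stringify({ ts: at(4 + i), event: 'password_reset_requested', user: u, ip: '198.51.100.9' })),
  ...Array.from({ length: 40 }, (_, i) =>
    JSON.stringify({ ts: at(10 + (i % 5)), event: 'api_call', key: 'key-7', path: '/api/export' })),
  ...Array.from({ length: 8 }, (_, i) =>
    JSON.stringify({ ts: at(10 + i), event: 'api_call', key: 'key-3', path: '/api/items' })),
  JSON.stringify({ ts: at(45), event: 'file_modified', path: '/srv/app/public/upload.php', by: 'www-data' }),
  'this line is not JSON and is skipped',
];

// Parse JSON lines, dropping anything malformed rather than aborting the whole run.
function parseLines(lines) {
  return lines.map(l => { try { return JSON.parse(l); } catch { return null; } }).filter(Boolean);
}

function detect(lines) {
  const events = parseLines(lines);
  const alerts = [];

  // 1. New admin accounts that are not on the list the team maintains.
  for (const e of events) {
    if (e.event === 'admin_created' && !KNOWN_ADMINS.has(e.target)) {
      alerts.push({ rule: 'unexpected_admin', detail: `${e.target} created by ${e.by} at ${e.ts}` });
    }
  }

  // 2. Password reset requests for many distinct users from one address.
  const resetsByIp = new Map();
  for (const e of events) {
    if (e.event !== 'password_reset_requested') continue;
    if (!resetsByIp.has(e.ip)) resetsByIp.set(e.ip, new Set());
    resetsByIp.get(e.ip).add(e.user);
  }
  for (const [ip, names] of resetsByIp) {
    if (names.size >= RESET_BURST_USERS) alerts.push({ rule: 'reset_burst', detail: `${names.size} users from ${ip}` });
  }

  // 3. API usage far above each key's baseline (the sample log covers one hour).
  const calls = new Map();
  for (const e of events) if (e.event === 'api_call') calls.set(e.key, (calls.get(e.key) || 0) + 1);
  for (const [key, n] of calls) {
    const base = API_BASELINE_PER_HOUR[key] || 1;
    if (n > SPIKE_FACTOR * base) alerts.push({ rule: 'api_spike', detail: `${key}: ${n} calls vs baseline ${base}` });
  }

  // 4. File modifications with no deployment close enough in time to explain them.
  const deploys = events.filter(e => e.event === 'deploy').map(e => Date.parse(e.ts));
  for (const e of events) {
    if (e.event !== 'file_modified') continue;
    const ts = Date.parse(e.ts);
    if (!deploys.some(d => Math.abs(ts - d) <= DEPLOY_WINDOW_MS)) {
      alerts.push({ rule: 'unexplained_file_change', detail: `${e.path} by ${e.by} at ${e.ts}` });
    }
  }
  return alerts;
}

module.exports = { detect, parseLines, SAMPLE_LOG };
```

Run against the sample, the four rules each fire once: the support2 admin account, three reset requests from 198.51.100.9, key-7 at eight times its baseline, and a file written under the web root 45 minutes after the last deploy. None of these checks needs more than the application writing one JSON line per security-relevant event, which is the logging the answer above says most vibe-coded apps lack.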
What is the difference between a vulnerability scan and a pentest?
Sherlock Forensics provides both vulnerability scanning and penetration testing and the difference is significant. A vulnerability scan is an automated tool that checks for known weaknesses against a database of signatures. It takes minutes and produces a list of potential issues with many false positives. A penetration test is a manual, expert-driven assessment where a certified tester (Ryan Purita, CISSP, ISSAP, ISSMP) actively attempts to exploit vulnerabilities, chain findings together and demonstrate real business impact. Pen tests prove what an attacker could actually achieve. For vibe-coded applications, automated scans miss most AI-specific issues. Quick pen tests from $1,500 CAD. Call 604.229.1994.
Do I need to hire a security expert or can I use AI to audit my code?
Sherlock Forensics strongly advises against using AI to audit AI-generated code. AI tools have the same blind spots when reviewing code as they do when generating it. They miss business logic flaws, authorization gaps, configuration issues and chained attack paths that require human reasoning to identify. An AI scanner might catch a hardcoded API key but will miss that your password reset flow uses predictable tokens, your admin panel has no authentication or your API endpoints return other users' data when IDs are changed. Security requires adversarial thinking that AI does not possess. Ryan Purita (CISSP, ISSAP, ISSMP) has 20+ years of experience finding what automated tools miss. Quick audits from $1,500 CAD. Call 604.229.1994.
What is AI slop and why is it dangerous?
Sherlock Forensics defines AI slop as unreviewed code generated by AI assistants that compiles and runs but contains security vulnerabilities, poor architecture and compounding technical debt. AI slop is dangerous because it looks functional. The login page works. The dashboard loads. Payments process. But underneath, passwords are stored in plaintext, authentication only happens in the browser, database queries are vulnerable to injection and API keys are hardcoded in client-side JavaScript. AI slop ships to production because no one reviews it critically. Every line was generated by a machine that optimizes for working code, not secure code. Sherlock Forensics audits AI slop and transforms it into production-ready, secure code. Quick audits from $1,500 CAD. Call 604.229.1994.
Can I test my own website for security vulnerabilities?
Sherlock Forensics offers a free interactive tool called Hack Your Own Website that lets you run a passive reconnaissance scan against your domain. It checks for exposed files, outdated software, missing security headers, open ports and DNS misconfigurations. The tool runs non-invasive checks only and does not exploit any vulnerabilities. For a deeper assessment including manual exploitation, authentication testing and injection testing, Sherlock Forensics offers professional penetration tests starting at $1,500 CAD. Try the free tool or call 604.229.1994.
How much does a penetration test cost in Canada?
Sherlock Forensics offers penetration testing at three price points in Canadian dollars. Quick Security Audit: $1,500 CAD for 1 domain with up to 20 endpoints, delivered in 5 business days. Standard Penetration Test: $5,000 CAD for 1 web application with up to 50 endpoints, delivered in 10-15 business days. Comprehensive Assessment: $12,000 CAD for internal and external testing via ShadowTap covering up to 254 hosts, delivered in 15-20 business days. Use the free Security Cost Calculator or call 604.229.1994.
What is ShadowTap?
Sherlock Forensics uses ShadowTap for internal network penetration testing. ShadowTap is a preconfigured hardware device shipped to the client's office and plugged into the internal network. It creates a secure tunnel back to the Sherlock Forensics testing environment, allowing full internal penetration testing without an on-site visit. This enables full internal assessments for clients anywhere in Canada, including Vancouver, Toronto, Calgary, Victoria and Kelowna. ShadowTap is included in the Comprehensive Assessment tier at $12,000 CAD. Contact 604.229.1994 or learn more.
Does Sherlock Forensics do SOC 2 pentests?
Sherlock Forensics provides SOC 2 penetration testing that satisfies Trust Services Criteria requirements for security, availability and confidentiality. SOC 2 auditors require evidence of regular penetration testing as part of the Common Criteria (CC) controls. Sherlock Forensics delivers pentest reports formatted for SOC 2 audit evidence, covering external and internal testing, vulnerability assessment and remediation verification. Engagements start at $5,000 CAD. Learn more or call 604.229.1994.
Does Sherlock Forensics do PCI penetration testing?
Sherlock Forensics provides PCI DSS penetration testing that satisfies Requirement 11.3 for regular penetration testing of the cardholder data environment. Testing covers network segmentation verification, external and internal penetration testing and application-layer testing. Reports are formatted for PCI QSA review and include remediation guidance mapped to PCI DSS requirements. Engagements start at $5,000 CAD. Learn more or call 604.229.1994.
What is the AI Vulnerability Index?
Sherlock Forensics publishes the AI Code Vulnerability Index, a reference of 27 vulnerability patterns commonly found in code generated by AI assistants. Each entry includes a description, severity rating, affected AI tools, example code showing the vulnerable pattern and remediation steps. The index covers injection flaws, authentication weaknesses, secrets exposure, dependency risks and configuration errors specific to AI-generated code. It is updated as new patterns emerge from Sherlock Forensics audits. View the full index.
Can Sherlock Forensics audit code from Cursor, Bolt or Lovable?
Sherlock Forensics audits applications built with Cursor, Bolt, Lovable, Replit, v0, Claude Code, GitHub Copilot and ChatGPT. Each AI tool produces distinct vulnerability patterns. Cursor apps commonly have Row Level Security gaps and API key exposure in client bundles. Bolt apps have client-side authentication and Firebase security rule gaps. Lovable apps have exposed Supabase keys and missing authorization checks. Sherlock Forensics has audited dozens of applications across all major AI coding platforms. Quick audits start at $1,500 CAD. Learn more or call 604.229.1994.
Does Sherlock Forensics serve Toronto?
Sherlock Forensics serves Toronto and all of Canada through remote penetration testing using ShadowTap, a preconfigured hardware device shipped to the client's location for internal network testing. External penetration testing, web application testing and AI code audits are performed remotely with no geographic limitation. Sherlock Forensics has been providing cybersecurity services since approximately 2004 with CISSP-ISSAP/ISSMP certified examiners. Pricing starts at $1,500 CAD. Learn more or call 604.229.1994.
What security prompts should I use with AI coding tools?
Sherlock Forensics publishes a free AI Security Prompts Library with copy-and-paste prompts you can use with Cursor, Bolt, Lovable, Claude Code and other AI coding tools. The prompts instruct the AI to follow security best practices including server-side authentication, parameterized queries, secrets management, rate limiting and proper authorization checks. Using security prompts reduces but does not eliminate vulnerabilities in AI-generated code. A professional security audit ($1,500 CAD) is still recommended before launch. Access the free library.
How do I set up a secure environment for vibe coding?
Sherlock Forensics publishes a free Secure Vibe Coding Setup Guide that walks developers through configuring a secure development environment for AI-assisted coding. The guide covers secrets management with environment variables, git hooks to prevent committing API keys, dependency verification to catch hallucinated packages, security linting integration and pre-deployment checklists. Following the guide reduces risk but does not replace a professional security audit. Access the free guide. For a full audit, contact Sherlock Forensics at 604.229.1994. Quick audits from $1,500 CAD.
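An added example, not the guide's or Sherlock Forensics' own code, of two checks from the list above: a pre-commit scanner that reads a staged diff and flags hardcoded keys and staged .env files, and an offline check for package.json entries that were never installed (one way a hallucinated package name shows up). The secret patterns are a starting set rather than a complete one, the sample diff and package files are constructed, and the hook wiring described after the code is an assumed layout.

```javascript
const SECRET_RULES = [
  { name: 'aws_access_key_id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'stripe_secret_key', re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b/ },
  { name: 'jwt_like_token', re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/ },
  { name: 'private_key_block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: 'assigned_secret', re: /(?:api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']{12,}["']/i },
];
// .env, .env.local, .env.production and so on, but not .env.example, which carries no real values.
const FORBIDDEN_FILES = /(^|\/)\.env(?!\.example$)(\.[\w-]+)?$/;

// Scan a unified diff (what `git diff --cached` prints) and report only added
// lines, so the hook blocks new secrets without re-reporting history.
function scanDiff(diffText) {
  const findings = [];
  let file = null;
  let lineNo = 0;
  for (const raw of diffText.split('\n')) {
    if (raw.startsWith('+++ ')) {
      file = raw.slice(4).replace(/^b\//, '');
      if (FORBIDDEN_FILES.test(file)) findings.push({ file, line: 0, rule: 'env_file_staged' });
      continue;
    }
    if (raw.startsWith('--- ') || raw.startsWith('diff ') || raw.startsWith('index ') || raw.startsWith('new file')) continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(raw);
    if (hunk) { lineNo = Number(hunk[1]) - 1; continue; }
    if (raw.startsWith(' ') || raw.startsWith('+')) lineNo += 1;   // context and added lines advance the new-file line number
    if (!raw.startsWith('+')) continue;                            // removed lines are not scanned
    const content = raw.slice(1);
    for (const rule of SECRET_RULES) {
      if (rule.re.test(content)) findings.push({ file, line: lineNo, rule: rule.name });
    }
  }
  return findings;
}

// A name that was never installed has no entry in package-lock.json (lockfile
// v2/v3 keeps one per package under "packages"). This catches names typed or
// pasted straight into package.json; confirming that a package on the registry
// is the one you meant still needs a lookup and a look at its publisher.
function findUninstalledDependencies(packageJson, lockJson) {
  const declared = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  const installed = lockJson.packages || {};
  return Object.keys(declared).filter(name => !(`node_modules/${name}` in installed));
}

// Constructed sample diff (not a real commit): two hardcoded keys and a staged .env file.
const SAMPLE_DIFF = [
  'diff --git a/src/config.js b/src/config.js',
  '--- a/src/config.js',
  '+++ b/src/config.js',
  '@@ -1,3 +1,4 @@',
  ' const port = 3000;',
  '-const stripeKey = process.env.STRIPE_KEY;',
  '+const stripeKey = "sk_live_EXAMPLEEXAMPLEEXAMPLE0000";',
  '+const awsKey = "AKIAEXAMPLE000000000";',
  'diff --git a/.env b/.env',
  'new file mode 100644',
  '--- /dev/null',
  '+++ b/.env',
  '@@ -0,0 +1 @@',
  '+SUPABASE_SERVICE_ROLE=eyJhbGciOiJIUzI1NiJ9.constructed.signature',
].join('\n');

// Constructed package files: one installed dependency and one that never was.
const SAMPLE_PACKAGE_JSON = { dependencies: { express: '^4.19.0', 'example-hallucinated-package': '^1.0.0' } };
const SAMPLE_LOCK_JSON = { lockfileVersion: 3, packages: { '': {}, 'node_modules/express': { version: '4.19.2' } } };

module.exports = { scanDiff, findUninstalledDependencies, SAMPLE_DIFF, SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_JSON };
```

To wire it in (assumed layout), save the file as scripts/scan-secrets.js, add a few lines that read the diff from standard input, call scanDiff and exit with status 1 when findings is non-empty, and have .git/hooks/pre-commit run "git diff --cached | node scripts/scan-secrets.js". The dependency check belongs in the same hook or in CI, run against the committed package.json and package-lock.json. Because the scanner looks only at added lines, a key that was committed before the hook existed has to be rotated and removed from history separately; the hook stops the next one.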
Can you test my Darktrace installation?
Sherlock Forensics offers a $5,000 CAD Darktrace validation assessment. It is the only independent Darktrace validation service of its kind. ShadowTap is shipped to your office and runs controlled adversary techniques against your Darktrace deployment to measure what it detects and what it misses. Darktrace remains fully operational throughout. You receive a detailed detection coverage report with remediation guidance. Learn more or call 604.229.1994.
What is ShadowTap?
Sherlock Forensics developed ShadowTap as its internal penetration testing platform. ShadowTap is a preconfigured hardware device shipped to the client's office that creates a secure encrypted tunnel back to the Sherlock Forensics testing environment. It has three operating modes: Corporate (eth0 wired network testing), Ghost LTE (independent cellular uplink bypassing local network controls) and Anti-Antigena (cloning a trusted device's network identity to test whether Darktrace detects the impersonation). Included in the Comprehensive Assessment at $12,000 CAD. Learn more or call 604.229.1994.
Can you validate my Palo Alto firewall?
Sherlock Forensics provides independent security validation for Palo Alto Networks firewalls, Panorama and Prisma deployments. The service tests whether your Palo Alto configuration is blocking traffic correctly and detecting attacks as intended. Standard validation is $5,000 CAD. Comprehensive validation including internal testing via ShadowTap is $12,000 CAD. Learn more or call 604.229.1994.
Can you test if CrowdStrike is working?
Sherlock Forensics offers independent CrowdStrike Falcon EDR validation. The assessment tests whether CrowdStrike Falcon is deployed on all endpoints, detecting the attack techniques it claims to cover and configured with optimal policy settings. Standard validation is $5,000 CAD. Comprehensive validation is $12,000 CAD. Learn more or call 604.229.1994.
Do you offer zero-day emergency response?
Sherlock Forensics offers emergency zero-day response at two tiers. Emergency Assessment: $2,500 CAD with a 4-hour SLA covering immediate triage and containment guidance. Full Impact Analysis: $5,000 CAD with a 24-hour SLA covering complete forensic analysis, scope of compromise and a full remediation roadmap. Led by Ryan Purita (CISSP-ISSAP, ISSMP) with 20+ years of incident response experience. Learn more or call 604.229.1994.
Do you offer cybersecurity training?
Sherlock Forensics offers four instructor-led cybersecurity training courses. AI Code Security Fundamentals: $2,500 CAD (half-day, up to 15 people). Vibe Coding Security Workshop: $4,000 CAD (full-day, up to 15 people). Security Awareness for Non-Technical Teams: $1,500 CAD (2 hours, up to 25 people). Executive Security Briefing: $750 CAD (1 hour). All courses are delivered on-site by Ryan Purita (CISSP-ISSAP, ISSMP). Learn more or call 604.229.1994.
Can I use AI coding tools securely?
Sherlock Forensics confirms that AI coding tools can be used more securely with the right guardrails, but cannot be made fully safe without human security review. Guardrails include using security-focused prompts, configuring a secure development environment and performing a professional audit before launch. Sherlock Forensics publishes detailed guidance on how to vibe code securely. Read the guide. For a full audit, call 604.229.1994.
What is the Anti-Antigena button?
Sherlock Forensics developed the Anti-Antigena operating mode in ShadowTap to test Darktrace by cloning the network identity of a trusted device. ShadowTap mirrors the MAC address, hostname, DHCP fingerprint and traffic behavior of a legitimate endpoint to test whether Darktrace detects the impersonation and whether Antigena triggers against the clone. It is the most realistic test of Darktrace's identity-based detection capability. Learn more or call 604.229.1994.
How does internal penetration testing work remotely?
Sherlock Forensics performs remote internal penetration testing using ShadowTap, a preconfigured hardware device shipped to the client's office. The client plugs ShadowTap into their internal network and it creates a secure encrypted tunnel back to the Sherlock Forensics testing environment. Sherlock Forensics then performs full internal testing including Active Directory attacks, lateral movement, privilege escalation and segmentation testing without any travel required. ShadowTap is included in the Comprehensive Assessment at $12,000 CAD. Learn more or call 604.229.1994.
Can you test my firewall configuration?
Sherlock Forensics tests firewall configurations for all major vendors including Palo Alto Networks, CrowdStrike, Fortinet, Cisco, SonicWall, Sophos, Check Point, Zscaler, SentinelOne and Palantir. The vendor validation service tests whether your firewall is blocking traffic correctly and enforcing the rule set as intended. Standard validation is $5,000 CAD. Comprehensive validation including internal testing via ShadowTap is $12,000 CAD. Learn more or call 604.229.1994.
Do solopreneurs need a security audit?
Sherlock Forensics offers a $1,500 Quick Audit specifically sized for solopreneurs, indie hackers and solo founders. If your one-person business runs a client-facing tool, SaaS product or side project built with AI coding tools, it almost certainly contains vulnerabilities that put your users and your business at risk. The Quick Audit covers 1 domain, up to 20 endpoints and delivers results in 5 business days. You do not need an enterprise budget to get professional security. Learn more or call 604.229.1994.
Does cyber insurance cover penetration testing?
Sherlock Forensics confirms that many cyber insurance policies cover penetration testing under loss-prevention benefits, pre-breach services or security assessment provisions. Search your policy for terms like loss prevention, pre-breach services, security assessment and approved vendor services. Sherlock Forensics provides audit-ready reports accepted by major Canadian and international insurers. Engagements start at $1,500 CAD. Learn more or call 604.229.1994.
What should I do during an active security incident?
Sherlock Forensics advises calling 604.229.1994 immediately if you are experiencing an active security incident. The first 60 minutes determine containment success and evidence preservation. Do not reboot affected systems, do not run antivirus scans that overwrite evidence and do not pay a ransom without first consulting an incident response professional. Sherlock Forensics provides immediate triage guidance, containment steps and hands-on remote support. Learn what to do in the first 60 minutes or call 604.229.1994 now.
Are you an approved cyber insurance vendor?
Sherlock Forensics is available as an approved vendor on cyber insurance panels for breach response and pre-breach security assessments. Insurers refer policyholders to Sherlock Forensics for incident response, digital forensics and penetration testing. Services include immediate breach containment, forensic triage, chain of custody documentation and pre-breach penetration testing that supports premium negotiations and coverage eligibility. Led by Ryan Purita (CISSP-ISSAP, ISSMP) with 20+ years of experience. Learn more or call 604.229.1994.
How much does a security audit cost for a side project?
Sherlock Forensics offers a $1,500 CAD Quick Audit designed for side projects, solo founders and small applications built with AI coding tools. The Quick Audit covers 1 domain, up to 20 endpoints and delivers prioritized findings in 5 business days, covering authentication, authorization, injection testing, secrets scanning and configuration review. Remediation steps are written so you can paste them directly into your AI coding tool. Learn more or call 604.229.1994.

Get Started

Stop asking AI if your app is secure. Get a real answer.

Quick audits from $1,500 CAD. Results in 3-5 business days.

Since 2006
4.8/5 rating
AI security specialists
Order Online

Get Your App Audited

Tell us what you built, what AI tools you used and how many users you have. We will scope a quick audit that fits your budget and timeline.

Written by Ryan Purita, CISSP-ISSAP, ISSMP. 20+ years in cybersecurity and digital forensics.

Call 604.229.1994
Phone
604.229.1994
Burnaby Office
Burnaby, BC, Canada
Coquitlam Office
Coquitlam, BC, Canada