Penetration Testing for Vibe-Coded Apps

You built it with AI. We break it before someone else does.

Sherlock Forensics provides penetration testing for applications built with AI coding tools including Cursor, Bolt, Lovable, Replit, v0, Claude, ChatGPT and Copilot. We test authentication flows, data storage, API endpoints, file uploads, payment integration, admin access, session management and input validation. Quick audits start at $1,500 with results in 3-5 business days. Reports are written in plain language for non-technical founders.

AI coding tools let anyone ship a working product in days. But "working" and "secure" are not the same thing. Every vibe-coded application we have tested has had critical vulnerabilities that would take an attacker minutes to exploit. We find those vulnerabilities first and tell you exactly how to fix them.

What We Test

Eight Areas We Cover in Every Vibe Code Pentest

01 - Authentication Flows

Login, registration, password reset, session management and multi-factor authentication. We test for client-side only auth, predictable tokens, missing rate limiting, session fixation and credential stuffing resistance. AI-generated login systems are almost always vulnerable.

02 - Data Storage

How and where your application stores user data. We check for plaintext passwords in flat files, exposed database files, missing encryption, overly permissive database access and data leakage through API responses. If your data is stored in a .txt file, we will find it.

03 - API Endpoints

Every API endpoint your application exposes. We test for missing authentication, broken authorization (IDOR), injection vulnerabilities, mass assignment, excessive data exposure and rate limiting. AI tools frequently generate API endpoints that return more data than the frontend displays.

04 - File Uploads

If your app accepts file uploads, we test for unrestricted file types, path traversal, web shell upload, oversized files and malicious content. Vibe-coded upload handlers typically accept any file type and store it in a publicly accessible directory.

05 - Payment Integration

Stripe, PayPal, Square and other payment integrations. We verify API keys are not exposed in client-side code, webhook signatures are validated, pricing cannot be manipulated, and subscription logic cannot be bypassed. A leaked Stripe key gives an attacker access to your entire payment infrastructure.

06 - Admin Access

Admin dashboards, management endpoints and privilege escalation. We test whether admin functionality is protected on both the frontend and backend, whether regular users can access admin endpoints and whether admin actions are logged.

07 - Session Management

How your app handles user sessions after login. We test for session tokens in localStorage (readable by any XSS payload), cookies missing the HttpOnly flag, sessions that never expire, sessions that survive password changes and concurrent session handling.

08 - Input Validation

Every form, URL parameter and API input in your application. We test for SQL injection, cross-site scripting (XSS), command injection, path traversal, server-side request forgery (SSRF) and template injection. AI tools generate code that trusts user input by default.

Why Vibe-Coded Apps Are Different

Why AI-Built Apps Need Specialized Pentesting

Nobody Wrote the Code

In a traditional development team, someone wrote every line of code and can explain what it does. In a vibe-coded app, the AI generated the implementation. The founder described what they wanted in plain language. Nobody reviewed the security implications of how the AI chose to implement it. Our testers understand AI code patterns and know exactly where to look.

AI Optimizes for Function, Not Security

AI coding tools are trained to make features work. They are not trained to make features secure. The shortest path to a working login page is client-side auth with plaintext passwords. The shortest path to a working API is no authentication at all. The AI takes the shortest path unless explicitly instructed otherwise, and non-technical founders do not know what to instruct.

Predictable Vulnerability Patterns

After auditing hundreds of vibe-coded apps, we know the exact vulnerability patterns each AI tool produces. Cursor apps have specific Supabase RLS issues. Bolt apps have specific client-side auth patterns. Replit apps have specific configuration problems. Our methodology is calibrated for these patterns, which means faster audits and more thorough coverage.

Reports for Non-Technical Founders

Traditional pentest reports are written for CTOs and security engineers. Our vibe code audit reports are written for the person who built the app with AI. Every finding includes a plain-language explanation, the business impact in dollars and step-by-step remediation instructions that you can paste directly into your AI coding tool to fix.

Platform Coverage

AI Tools We Audit

Tool                | Typical Stack                          | Common Findings
Cursor              | Next.js, Supabase, Vercel              | Auth bypass, RLS gaps, API key exposure in client
Bolt                | React, Node.js, Firebase               | Client-side auth, missing server validation, IDOR
Lovable             | React, Supabase, Netlify               | Exposed Supabase keys, missing RLS, open APIs
Replit              | Python/Flask, SQLite, Replit hosting   | SQL injection, flat file databases, no HTTPS
v0 (Vercel)         | Next.js, React, Tailwind               | Frontend-only validation, unprotected API routes
Claude / Claude Code| Variable                               | Weak randomness, insecure deserialization, verbose errors
ChatGPT             | Variable                               | SQL injection, hardcoded secrets, hallucinated packages
GitHub Copilot      | Variable                               | Weak crypto, string-concatenated queries, insecure deserialization (CWE-502)

Pricing

Engagement Options

Quick Vibe Code Audit - $1,500
Focused security review of a single vibe-coded application. Covers all eight testing areas: authentication, data storage, APIs, file uploads, payments, admin access, sessions and input validation. Delivered in 3-5 business days with prioritized findings and remediation steps written for non-technical founders. Order online.
Full Penetration Test - Custom
Comprehensive penetration test for vibe-coded apps that have grown beyond MVP. Includes source code review, infrastructure assessment, social engineering testing and ongoing remediation support. 1-2 weeks depending on scope. Contact us to scope.

Frequently Asked Questions

Vibe Code Pentest FAQs

Do you pentest apps built with Cursor?
Yes. Cursor is one of the most common tools we see. Cursor-built apps typically run on Next.js with Supabase and deploy to Vercel. We know the exact vulnerability patterns this stack produces and have a calibrated testing methodology for Cursor-generated code.
Can you audit a Bolt or Lovable app?
Yes. Bolt and Lovable generate React frontends with various backend configurations. Common issues include client-side authentication that can be bypassed with browser developer tools, missing server-side validation and exposed API endpoints. We test the full stack regardless of which tool generated it.
What if I built my app with ChatGPT?
ChatGPT-generated code has a well-documented vulnerability profile including SQL injection from string concatenation, weak randomness in security functions and hardcoded credentials from training data. We audit code from any AI tool and our methodology accounts for the specific patterns each model produces.
How long does a vibe code audit take?
Quick audits are delivered in 3-5 business days from engagement start. Full penetration tests take 1-2 weeks depending on application complexity. Both engagement types include a written report with prioritized findings and step-by-step remediation instructions.

Get Started

Ship your vibe-coded app with confidence.

Quick audits from $1,500. Results in 3-5 business days. Reports written for non-technical founders.

Scope Your Vibe Code Pentest

Tell us what you built, what AI tool you used and how many users you have. We will scope an audit that fits your budget and timeline.

Phone: 604.229.1994
Lead Consultant: Ryan Purita, CISSP, ISSAP, ISSMP
Quick Audit Timeline: 3-5 business days from engagement start
Experience: 20+ years digital forensics and security consulting