Vibecoding and AI-Generated Apps

Pentest for Vibecoding Apps

Security audit for products shipped with v0, Lovable, Bolt, Cursor, Claude Code, Replit and Supabase — before hackers do vibehacking.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

You did vibecoding. Hackers do vibehacking. service_role exposed in the client, RLS disabled in Supabase, IDOR in AI-generated routes, secrets in public env vars, weak auth. The code compiles. The app loads. And it's wide open.

Applicable regulation

LGPD
OWASP Top 10 2021
OWASP API Security Top 10
PCI-DSS (if you process card payments)

/attack-surface

Vectors we test in vibecoding and AI-generated apps

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01

Supabase / Firebase / Convex

Disabled RLS, loose policies, service_role in the client, anonymous abuse and RLS bypass via view.

02

Secrets in release

NEXT_PUBLIC with private key, hardcoded JWT secret, .env committed, token in bundle.

03

Edge functions and webhooks

Missing signature validation, webhook replay, prompt injection in LLM handler.

04

Auth and session

Misconfigured provider, reusable magic link, no rate limit on login, poorly validated JWT.

05

IDOR and authorization

AI-generated routes without ownership check, guessable REST endpoints, trusted params.

06

Storage and upload

Public buckets by default, no MIME validation, path traversal, never-expiring signed URLs.

07

LLM integration

Prompt injection, prompt leak, uncapped LLM spend, accessible system prompt, OpenAI key drain.

08

Cost and abuse

No rate limit on paid endpoints, LLM DoS, free-tier quota abuse.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Focus on early/mid-stage startups and no-code/low-code agencies shipping product in days on modern stacks.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.


Douglas Lopes

Founder · CEO · intrus.io

/faq

FAQ — Vibecoding and AI-Generated Apps

Does the report come with a fix prompt?

Yes. Every finding ships with a reproducible PoC + a ready-to-paste Cursor/Claude Code prompt that applies the fix in your stack's patterns.

How long does it take?

1-3 weeks depending on surface. A v0 + Supabase + Stripe app usually takes 7-10 business days with one senior pentester.

/contact

Ready for a serious pentest in vibecoding and AI-generated apps?

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.