83% of vibecoded apps have critical vulnerabilities

Your app is being scanned by hackers.

Scan it yourself first. Pentrust runs real AI pentests against your vibecoded app — in 5 minutes you know exactly what attackers will find, with copy-paste fixes for Cursor, Bolt, and Replit.

Free basic scan included · No credit card · Results in 5 min

Example scan view: yourapp.com — security scan

Security score: 34 (critical risk) — 2 critical, 2 high, 2 medium
Critical

.env exposed to internet

Database password publicly readable

High

IDOR on /api/users/:id

Any user ID accessible without auth

High

No rate limit on /auth/login

Brute-force attack possible

Medium

Missing Content-Security-Policy

XSS injection risk on all pages

Medium

JWT stored in localStorage

Tokens stealable via XSS

Low

Server version header exposed

Reveals exact stack to attackers
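Three of the findings in the example scan above (the exposed server version header, the missing Content-Security-Policy, and a token readable by page scripts) can be checked from a single HTTP response. The audit below is an added example, not Pentrust's own code or scanner logic; the response headers and cookie it inspects are constructed for illustration, and the severity labels simply mirror the ones shown in the mock report.

```python
"""Added example (not Pentrust's code): audit one HTTP response against three of
the findings listed above, and show the hardened header set the fixes aim for."""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (severity, title) as in the mock report


def audit_response(headers: Dict[str, str], set_cookie: Optional[str] = None) -> List[Finding]:
    """Return findings for a response, using the same titles as the report above."""
    findings: List[Finding] = []
    lowered = {k.lower(): v for k, v in headers.items()}

    # Medium: no CSP means injected script runs unrestricted on every page.
    if "content-security-policy" not in lowered:
        findings.append(("Medium", "Missing Content-Security-Policy"))

    # Low: a Server header that carries a version string reveals the exact stack.
    server = lowered.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(("Low", "Server version header exposed"))

    # Medium: a session/token cookie without HttpOnly is readable by page script,
    # which is the same exposure as keeping a JWT in localStorage.
    if set_cookie:
        jar = SimpleCookie()
        jar.load(set_cookie)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append(("Medium", f"Cookie {name} readable by script"))

    return findings


def hardened_headers() -> Dict[str, str]:
    """Header set a fix would add: a restrictive CSP and no version-bearing Server header.
    The CSP value is a conservative starting point, not a drop-in for every app."""
    return {
        "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample response, not output from a real scan.
SAMPLE_HEADERS = {"Server": "nginx/1.18.0", "Content-Type": "text/html"}
SAMPLE_COOKIE = "session=eyJabc; Path=/"

if __name__ == "__main__":
    for severity, title in audit_response(SAMPLE_HEADERS, SAMPLE_COOKIE):
        print(f"{severity}: {title}")
    print("after hardening:", audit_response(hardened_headers(), "session=eyJabc; Path=/; HttpOnly; Secure; SameSite=Strict"))
```

Run it against the constructed sample and the audit reports all three issues; run it against `hardened_headers()` with an `HttpOnly; Secure` cookie and it reports none, which is the shape of check a re-scan after pasting a fix would repeat.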


6 findings · copy-paste fixes ready for each one

Cursor · Bolt · Replit · Lovable · v0 · Windsurf

Pentesting apps built with these tools

  • 0+ vulnerabilities found across all scanned apps
  • 0+ apps secured (vibecoded and AI-assisted)
  • 0 minutes to results (no setup, no SDK, just a URL)

What Pentrust does

Security built for the speed of vibecoding.

Not an enterprise scanner that emails PDFs. An attacker that shows up in minutes.

Core engine

Attacks like a real hacker

Multi-agent AI chains exploits methodically — IDOR, injection, broken auth, config leaks. Not a scanner. An attacker.

Multi-agent AI swarm

Dev-first

Copy-paste fixes for your stack

Every finding ships with a ready-to-paste fix snippet — tuned for Cursor, Bolt, and Replit. Paste, confirm, deploy.

Fix in minutes, not days

Zero friction

Results in 5 minutes

Drop in a URL. No SDK, no config, no agent installs. The scan kicks off instantly.

Zero setup required

Discovery

Full attack surface mapping

Crawls every endpoint, auth flow, and API route — including the ones you forgot about.

12 checks in parallel

Made for you

Built for vibecoded apps

Understands patterns from Cursor, Bolt, Lovable, and v0 — and the vulns they consistently create.

AI-pattern aware

The Pentrust badge

Show visitors you take security seriously.

After a successful scan, display a trust badge on your marketing site or repo. It matches what you can embed in the product — same look, same verification link.

  • Earned, not bought

    Shown only after a real scan on a domain you verify — typically when your score reaches 85+.

  • Embed anywhere

    HTML for your site, Markdown for README, or a shields.io-style badge. Copy once, paste anywhere.

  • Public verification

    Every badge links to a live page that proves the scan happened — visitors can trust what they see.

Live preview

Example score for illustration. Your badge reflects your real scan result after you ship fixes and re-scan.

How it works

URL in. Vulnerabilities out. Fixes included.

From zero to a complete pentest report in under 5 minutes. No meetings, no contracts, no waiting.

“I shipped my SaaS in 3 days with Cursor. Pentrust found 2 critical bugs in 5 minutes that would have exposed all my users’ data.”

— Indie hacker, 400+ users
01

Paste your URL

Drop in your domain. No agent install, no config files, no SDK — just a URL. The scan kicks off immediately from the homepage.

Runs straight from the front page

02

Verify ownership

Create your free account and prove you own the domain — via DNS record, meta tag, or file upload. Takes under 2 minutes.

Prevents scanning sites you don't own

03

Pentrust attacks your app

Our AI agents chain exploits like a real attacker — testing auth flows, injection points, config leaks, and broken access control. Not keyword scanning. Real exploitation.

Free plan: 12 automated checks

04

Get your findings + fixes

Receive a scored report with every finding ranked by severity. Each one includes a copy-paste fix snippet tailored for your stack. Paste straight into Cursor, Bolt, or Replit.

Upgrade to unlock critical & high findings

Pricing

Simple pricing.

Start free during beta. Upgrade when you need the full picture and a trust badge.

Free

$0 forever

Blind attack scan with basic AI. Medium, high, and critical findings stay hidden — upgrade to see the full picture.

Run a free scan
  • 1 free blind scan / month (blackbox)
  • Basic AI models
  • Medium / High / Critical — blurred
  • Trust badge & embed (85+ score)
  • Graybox / whitebox
Best value

Scan & Badge

$30/ month

Four full scans per month with our highest models. Earn a public trust badge when your score hits 85+ on a verified domain.

Subscribe
  • 4 full scans / month (highest models)
  • Badge after 85+ on a verified domain scan
  • All findings visible
  • Cancel anytime
  • Graybox & deep testing
Limited time

Scan only

$15 per scan

Was $49 — limited-time deal. One full scan with highest models; no subscription.

Buy a scan
  • 1 full scan credit
  • Highest AI models
  • All findings visible
  • No trust badge (subscribe for badge)
  • Graybox & deep testing

Enterprise plans with custom SLAs, dedicated support, and on-prem options available. Contact us

Free scan · No setup · No credit card

Find your first vulnerability before a hacker does.

Drop in your URL. In 5 minutes you'll know exactly what an attacker would find — and have the fix code ready to paste.

Free basic scan included · No credit card required · Results in under 5 minutes · Copy-paste fixes for every finding

Enterprise plans with custom SLAs available. Contact us