“Scanned my Cursor-built SaaS and found 14 critical issues the free tools missed. Deep Smart Scan patches were copy-paste ready — shipped the fixes same day.”
32 industrial scanners filtered by Claude Sonnet 4.6 or Claude Opus 4.7 (1M context · MAX extended thinking). Multi-file reasoning takes 20-40 min · run it overnight, on every PR · we email you when it's done. Patches ready to paste into Cursor, Bolt, or Lovable. Pay only for the MB we read · zero noise · SOC 2 audit-prep format.
The same tooling that indie hackers, studios, SaaS founders, and SOC 2 auditors trust. One stack. Thirty-two scanners across 19 languages. Claude AI auditor.
Reports formatted to align with SOC 2 Type II CC7.1 / CC8.1 audit categories · supports your existing auditor workflow (we are not a SOC 2 auditor).
Full coverage of injection, broken auth, SSRF, crypto failures and more.
Every finding mapped to a CWE identifier for ticketing and risk registers.
Aligns with NIST Secure Software Development Framework (SSDF) practices PW.4-PW.8 (secure coding, build configuration, code review, and testing).
Sign in with GitHub or Google in one click — vibe coders, indie hackers, studios, SaaS teams all use the same flow. Your OAuth token grants scoped, read-only access to private repos · we never store credentials in plaintext. Enterprise SSO (SAML) available on request for studios > 10 seats.
OAUTH_SSO
Paste a Git URL (GitHub / GitLab / Bitbucket) or push a compressed archive up to 2 GB via presigned R2 upload. Source is cloned into an ephemeral sandbox and shredded within 10 minutes of scan completion.
ISOLATED_SANDBOX
32 scanners run in parallel across 19 languages (Semgrep, Trivy, Slither for Solidity, Brakeman for Rails, Detekt for Kotlin, +27). Pay-per-MB on the LLM layer · paid Levels share the SAME pipeline · only the model differs · Level 0 free (scanners only, 5 scans/mo) · Level 1 at $1.50/MB (Haiku 4.5 budget triage) · Level 2 at $3.00/MB (Sonnet 4.6 full audit) · Level 3 at $6.00/MB (Sonnet 4.6 high-volume stages + Opus 4.7 · 1M context · 32K thinking remediation · audit-prep tier). 1 MB minimum · price quoted before you commit.
PARALLEL_AUDIT
A–F grade, severity × CWE breakdown, line-accurate patches. Non-editable PDF evidence for auditors · SARIF export for your SIEM · REST API for CI/CD gating. Findings cross-validated: a finding raised by both the scanners and the LLM at the same file, line and category is flagged as agreed and gets a confidence boost.
PDF · SARIF · API
“Smart Scan runs on every client delivery now. Three hardcoded API keys in the last handoff — VibeGuardian caught them all before we shipped.”
“Our junior devs use Bolt and Lovable daily. Basic Free Scan on every PR + Deep Smart Scan before releases is the safety net that lets me sleep at night.”
“The Opus critique pass found a SQL injection pattern Semgrep alone missed. Plain-English explanation + diff-ready patch — exactly what I needed for a client audit.”
One human pass on a noisy scanner output burns a senior engineer for half a day. Claude Opus 4.7 does the same triage in minutes, with a measured false-positive rate under 10% · pay only for the MB of code we actually read.
Semgrep + Trivy + 9 others · noise included
Senior AppSec pass · classify / dismiss / ticket
Fully-loaded US senior engineer
Sonnet 4.6 FP filter · Sonnet parallel scan · Opus 4.7 remediation
End-to-end · scanners + parallel LLM audit
1 MB minimum · Anthropic Sonnet 4.6 80% coverage + Code Map + Cross-Reference
1 MB minimum · Sonnet 4.6 80% + Opus 4.7 1M MAX-thinking
Solo dev shipping a Cursor app: top up $20 and you ride for ~10 Smart Scans on a 10-MB repo. Studio handing off 40 PRs a week: $250 wallet → $290 with the 16% volume bonus. Either way, you pay only for the MB we read · no subscription · no seat math.
No. Every scan runs inside an isolated ephemeral sandbox we control. The Claude audit pipeline only sends the specific file slices its prompts require, never the full repository, and those requests are gated through our service contract with Anthropic (zero data retention, no training use). Source is shredded from our infrastructure within 10 minutes of scan completion — only finding metadata (file paths, line numbers, severity, CWE) is retained for your report.
Those products are signature-based scanners — they match patterns against a rules database. We run thirty-two of them underneath ours across 19 languages (Semgrep itself is one). Our differentiator is the Claude audit layer on top — 4 Levels share the SAME pipeline, only the model differs: Level 0 (free · scanners only · 5/mo), Level 1 (Haiku 4.5 · $1.50/MB · AI triage), Level 2 (Sonnet 4.6 · $3.00/MB · full audit), Level 3 (Sonnet 4.6 high-volume stages + Opus 4.7 deep-thinking remediation · 1M ctx · 32K thinking · $6.00/MB · audit-grade). Claude reads the actual code across files, reasons about business-logic vulnerabilities that no rule file can encode (broken authz, insecure deserialization, LLM-specific hallucinations in AI-generated code), and cross-validates findings against scanner output to drive false positives below 10% at Level 3. Think of it as pairing Snyk with a senior AppSec engineer who actually reads the diff — at indie-hacker prices.
Level 0 is for first-look triage — scanners only, no AI, no charge. Level 1 (Haiku 4.5) is for indie devs / hobby projects who want AI eyeballs cheap — catches ~80% of obvious threats. Level 2 (Sonnet 4.6) is the default paid tier — full multi-file reasoning, fits CI/CD on every PR. Level 3 (Opus 4.7) is the audit-prep / pre-launch tier — every Level 3 scan ships as a non-editable PDF with file:line-level findings mapped to CWE and OWASP Top 10 identifiers, plus a SARIF export for your GRC tooling. The report format aligns with SOC 2 CC7.1 (system monitoring) and CC8.1 (vulnerability management) audit categories · designed to support your auditor’s evidence collection (not a replacement for an independent audit). If your auditor has a specific format requirement we haven’t seen yet, reach out — we iterate within the week.
Level 0 (scanner-only): p95 < 90 seconds. Level 1 (Haiku 4.5): p95 < 15 minutes. Level 2 (Sonnet 4.6): p95 < 40 minutes. Level 3 (Opus 4.7): p95 < 60 minutes for repositories up to 200k LOC (larger repos scale linearly · a typical scan reads 5-10 MB). Platform availability target is 99.9% measured monthly. Need higher SLA / dedicated queue / private deployment? Email founders@vibeguardian.dev — we quote a custom contract within 48h. (No formal Enterprise tier on the pricing page · we keep things lean by default · custom contracts are negotiated 1-on-1.)
Yes. The REST API accepts an arbitrary Git clone URL with an access token, so any self-hosted GitHub Enterprise, GitLab EE, Bitbucket Data Center, or Azure DevOps repo works the same way as the cloud versions. For air-gapped environments, or if the Claude calls must be routed through your own cloud account (Claude on AWS Bedrock or Google Vertex AI), contact us about the dedicated-tenancy add-on (available on the Team plan).
Every finding from both the scanner pipeline and the Claude audit goes through a cross-validation step: if a (file, line, category) match exists on both sides, the finding is flagged `crossValidated: true` and the confidence is boosted. We compute precision weekly against a labeled sample of 2,000 findings reviewed by a third-party AppSec firm. The current running figure sits at 7.4% false positive rate on Level 3 (Opus) output, 11.2% on Level 2 (Sonnet), and ~18% on Level 1 (Haiku · the tradeoff of the budget tier). Our scan findings database schema exposes the `confidence` and `crossValidated` fields on every row — your team can audit the math on your own scans from day one.
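The cross-validation step and the weekly precision check described above, as an added illustration (this is not VibeGuardian's code). The join key (file, line, category), the `confidence` and `crossValidated` output fields, and the idea of measuring false-positive rate against a reviewer-labeled sample come from the FAQ; the boost value, the path normalisation, the function names and all sample findings and labels are assumptions constructed for this example.

```python
# Added illustration of scanner/LLM cross-validation; not VibeGuardian's code.
# Assumptions: a 0.15 confidence boost for agreed findings, simple path
# normalisation before joining, and the constructed findings/labels below.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    cwe: str           # category used as the join key, e.g. "CWE-89"
    source: str        # "scanner" or "llm"
    confidence: float  # the producer's own confidence, 0.0 - 1.0


def norm_path(path: str) -> str:
    """Scanners and LLM prompts rarely spell paths identically; normalise first."""
    path = path.replace("\\", "/")
    return path[2:] if path.startswith("./") else path


def key(f: Finding) -> tuple:
    return (norm_path(f.file), f.line, f.cwe)


def cross_validate(scanner, llm, boost: float = 0.15):
    """Merge both finding sets into one row per (file, line, cwe).

    A key present on both sides is marked crossValidated and its confidence is
    the higher of the two raised by `boost` (capped at 1.0). Keys seen on one
    side only keep their producer's confidence so a reviewer can triage them.
    """
    groups = {}
    for f in list(scanner) + list(llm):
        groups.setdefault(key(f), []).append(f)
    rows = []
    for (path, line, cwe), fs in sorted(groups.items()):
        sources = {f.source for f in fs}
        best = max(f.confidence for f in fs)
        both = {"scanner", "llm"} <= sources
        rows.append({
            "file": path, "line": line, "cwe": cwe,
            "sources": sorted(sources),
            "crossValidated": both,
            "confidence": round(min(1.0, best + boost), 4) if both else round(best, 4),
        })
    return rows


def false_positive_rate(rows, labels, min_confidence=0.0, only_cross_validated=False):
    """FP rate = FP / (TP + FP), i.e. 1 - precision, over the rows a reviewer labeled.

    `labels` maps (file, line, cwe) -> True when the reviewer confirmed a real bug.
    Unlabeled rows are skipped; returns None when no row qualifies.
    """
    tp = fp = 0
    for r in rows:
        k = (r["file"], r["line"], r["cwe"])
        if k not in labels or r["confidence"] < min_confidence:
            continue
        if only_cross_validated and not r["crossValidated"]:
            continue
        if labels[k]:
            tp += 1
        else:
            fp += 1
    return None if tp + fp == 0 else round(fp / (tp + fp), 4)


# Constructed sample: what a scanner pass and an LLM pass might each emit.
SCANNER = [
    Finding("./app/db.py", 42, "CWE-89", "scanner", 0.6),
    Finding("./app/auth.py", 17, "CWE-287", "scanner", 0.5),
    Finding("./app/util.py", 3, "CWE-79", "scanner", 0.4),
]
LLM = [
    Finding("app/db.py", 42, "CWE-89", "llm", 0.8),     # same bug as the scanner hit
    Finding("app/auth.py", 90, "CWE-862", "llm", 0.7),  # missing authz check, LLM-only
]
# Constructed reviewer verdicts standing in for the weekly labeled sample.
LABELS = {
    ("app/db.py", 42, "CWE-89"): True,
    ("app/auth.py", 17, "CWE-287"): False,
    ("app/util.py", 3, "CWE-79"): False,
    ("app/auth.py", 90, "CWE-862"): True,
}

if __name__ == "__main__":
    merged = cross_validate(SCANNER, LLM)
    for row in merged:
        print(row)
    print("FP rate, all rows:", false_positive_rate(merged, LABELS))
    print("FP rate, crossValidated only:", false_positive_rate(merged, LABELS, only_cross_validated=True))
    print("FP rate, confidence >= 0.5:", false_positive_rate(merged, LABELS, min_confidence=0.5))
```

The point a practitioner should take from this: agreement only counts if both sides are keyed on the same normalised path and the same category vocabulary (a scanner rule ID has to be mapped to a CWE before the join), and a reported FP rate is only meaningful alongside the threshold and subset it was computed on, since filtering to cross-validated rows alone makes the rate look far better than the full output.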