Security has been gate-kept for too long behind enterprise sales cycles and six-figure invoices. We exist to put the same caliber of tooling that protects Fortune 500s into the hands of every developer who ships code to the internet.
A real security audit should cost a hundred dollars, not forty thousand. Pay-per-megabyte means a 5 MB MVP gets audited for $20 on Deep, not $40,000. Indie devs deserve the same protection a Series-B SaaS gets.
You ship multiple times a day with Cursor, Bolt, Lovable. Your security review can't take six weeks. Level 1 finishes in eight to fifteen minutes and Level 2 in twenty to forty minutes · both fit comfortably into PR-review cycles · Level 3 (deep, audit-prep grade) takes thirty to fifty minutes for audit-style evidence collection. Pick the Level that matches your urgency.
Every other security tool hides the real cost behind « contact sales ». We show the exact dollar amount of your scan before it starts, debit on completion, and refund the difference if the actual size is smaller than the estimate.
Six hundred findings with a 95% false-positive rate is worse than no scan at all — it teaches you to ignore alerts. Our pre-LLM filter (Haiku 4.5 on Level 1 · Sonnet 4.6 on Level 2 · Opus 4.7 on Level 3) drops the noise before it reaches you. The findings that survive are the ones a human auditor would have flagged.
Cloned to an ephemeral sandbox, scanned, deleted in under ten minutes. We run on Anthropic and Google under zero-data-retention contracts — your code never trains a model. We keep the findings (file, line, severity) so your reports persist. We do not keep the source.
No monthly seat fees, no auto-renewal you forgot to cancel, no minimum contract. Top up your wallet when you need a scan, refill on demand, refund unused balance within thirty days. The relationship is yours to end at any moment.
Spring 2026. A solo dev in Montréal pushes a side project built almost entirely by Cursor & Claude. Three weeks later, his Stripe webhook is hijacked because the AI had written the signature check backwards. The hit was small — less than a thousand dollars — but the question wasn't.
He started asking around. A friend running a Bolt MVP had just shipped a SQL injection straight from a copy-pasted snippet. A studio in Toronto had handed off a client app with three API keys committed to git history. Six engineers in a private Discord said the same sentence, almost word for word: « the AI ships fast, but it doesn't know security ».
He looked at the alternatives. The audit firms quoted forty thousand dollars and six weeks. The enterprise SAST vendors wanted twenty thousand a year for six hundred findings, ninety-five percent of which were false positives. SOC 2 readiness platforms charged six figures and pretended their auto-generated checklists were an audit. Every tool was priced for a CISO — nobody had built one for the person actually shipping code.
VibeGuardian was the answer to a simple question: what would it look like if you took the same engines the auditors run, layered the best LLMs in the world on top, and charged a price an indie dev could actually afford?
No subscriptions. No seat licenses. No enterprise sales call. You scan when you need to, you pay for the megabytes we read, and the next time the AI writes your auth flow backwards, you see it before your customers do.
Thirty-two industrial scanners across 19 languages — Semgrep, Trivy, Slither (Solidity), Brakeman (Rails), Detekt (Kotlin), SpotBugs (Java bytecode), Gitleaks, TruffleHog, OSV-Scanner, Grype, Checkov, KICS, Kubescape, hadolint, shellcheck, ast-grep, +17 — do the boring pattern-matching pass. They're the same engines a SOC 2 auditor runs, just orchestrated cleanly and with the noise stripped out.
Then a pre-LLM false-positive filter triages what the scanners produce — the genuine threats survive; the i18n-string-looks-like-a-secret junk gets dropped. What remains gets read at full file context, in up to sixteen parallel zones — eighty percent code coverage, on the security-relevant slice.
Four Levels — same pipeline architecture (FP filter · Code Map · Discovery · Cross-Reference · Remediation) · only the model differs. Level 0 is scanners only (free · five per month). The three paid Levels run 100% of a single Anthropic model end-to-end — Level 1 uses Haiku 4.5 ($1.50/MB · budget triage), Level 2 uses Sonnet 4.6 ($3.00/MB · full audit), and Level 3 uses Opus 4.7 with one million tokens of context and extended thinking dialed to MAX ($6.00/MB · compliance-grade). The Level 3 patches are minimal, paste-able diffs with plain-English explanation — the model burns up to 32K private reasoning tokens on the hard cases (race conditions, constant-time compare, parameterized SQL edge cases) so what you paste actually fixes the bug instead of just suppressing the warning.
You see the price before the scan starts. You pay per megabyte we actually read. Your wallet is the hard ceiling — we cannot, by design, charge you more than you put in.
You ship Cursor / Bolt / Lovable / Replit code daily. You don't want to read 660 lint findings. You want to know if your app is breachable today.
Your MVP is live, your TAM is small, and the audit firms quote you more than your MRR. You need a real audit at indie-hacker prices.
Every client delivery deserves a security pass. Three hardcoded API keys in one handoff is one too many. Drop a Level 1 or Level 2 scan into the pre-handoff checklist.
You're a 5-15 person team shipping to production daily. Level 2 (Sonnet 4.6) in CI on every PR, Level 3 (Opus 4.7) before each release. Pay only for the MB.
You have 7 days to ship audit evidence. Level 3 (Opus 4.7) PDFs are formatted to align with SOC 2 CC7.1 (system monitoring) and CC8.1 (vulnerability management) audit categories · designed to support your existing auditor workflow (VibeGuardian is not a SOC 2 auditor itself).
Every paid scan touches up to thirty-two open-source engines across 19 languages (Sprint 33+ expansion · 2026-05), the same ones the Fortune 500 audit firms run, then layers the best LLMs in the industry on top. We tell you exactly what we use because trust requires it.
// every component is documented · every cost is logged · every finding is auditable down to the model that produced it
The repo lives in an ephemeral Fly.io VM, gets scanned, and is deleted in under 10 minutes. Anthropic runs us under a zero-data-retention contract — your code never trains a model. We keep only the findings (file:line, severity, CWE) so you can reference your past reports.
Paste a URL → we walk the repo on our side → we tell you exactly how many billable MB it is → you decide. If the actual scannable size ends up smaller than the estimate, the difference goes back to your wallet. If it ends up bigger than your wallet, the scan is refused with a $0 charge. No surprise invoices.
Each top-up is valid for 30 days. We drain the OLDEST batch first (Expiration-First) so you never lose credits you could have used. No subscription, no auto-renewal you forgot to cancel, no minimum monthly. Refill when you need it.
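The quote-then-debit flow and the Expiration-First wallet described above, as an added illustration that is not VibeGuardian's own billing code: days are counted as plain integers, amounts in cents, and it assumes the quoted price is also a cap so a repo that turns out larger than the estimate is never billed above the quote.

```python
from dataclasses import dataclass, field

BATCH_VALIDITY_DAYS = 30                      # each top-up is valid for 30 days (page)
RATE_CENTS_PER_MB = {1: 150, 2: 300, 3: 600}  # Level 1 / 2 / 3 per-MB prices from the page


@dataclass
class Batch:
    cents: int     # unspent credit left in this top-up
    expires: int   # first day (as a day number) on which the batch can no longer be spent


@dataclass
class Wallet:
    batches: list = field(default_factory=list)

    def top_up(self, cents: int, today: int) -> None:
        self.batches.append(Batch(cents, today + BATCH_VALIDITY_DAYS))

    def live(self, today: int) -> list:
        # Expiration-First: the soonest-expiring batch is always spent first
        return sorted((b for b in self.batches if b.expires > today and b.cents > 0),
                      key=lambda b: b.expires)

    def balance(self, today: int) -> int:
        return sum(b.cents for b in self.live(today))

    def debit(self, cents: int, today: int) -> None:
        if cents > self.balance(today):
            raise ValueError("wallet balance is the hard ceiling")
        for b in self.live(today):
            take = min(b.cents, cents)
            b.cents -= take
            cents -= take
            if cents == 0:
                break


def run_scan(wallet: Wallet, level: int, estimated_mb: float, actual_mb: float, today: int) -> dict:
    """Quote up front, refuse if the wallet cannot cover it, debit the actual size on completion."""
    quote = round(estimated_mb * RATE_CENTS_PER_MB[level])
    if quote > wallet.balance(today):
        return {"status": "refused", "quoted": quote, "charged": 0, "refunded": 0}
    # Assumption: the quote is also a cap, so a repo that turns out larger is never billed above it.
    charged = min(round(actual_mb * RATE_CENTS_PER_MB[level]), quote)
    wallet.debit(charged, today)
    return {"status": "completed", "quoted": quote, "charged": charged, "refunded": quote - charged}
```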
Every finding ships with a CWE, an OWASP Top 10 mapping, the exact file:line, and on Level 3 (Opus 4.7 · 1M context · MAX extended thinking) a patch you can paste into Cursor. We measure our false-positive rate weekly against a third-party labeled set: 7.4% on Level 3 (Opus), 11.2% on Level 2 (Sonnet), ~18% on Level 1 (Haiku · the tradeoff of the budget tier).
Free first scan. No credit card. Your code lives in an ephemeral sandbox and gets deleted in under 10 minutes.