Frequently asked questions

Everything you need to know about SecuriSky

How the scanner works, what it detects, how AI fix prompts work, and what each plan includes.

What SecuriSky Is

What is SecuriSky?

SecuriSky is an automated product health scanner for web applications built with AI coding tools (Cursor, Lovable, Bolt, v0, Replit). It analyzes your deployed app across 6 categories — Security, Performance, UX, SEO, Accessibility, and Conversion Rate Optimization — in under 60 seconds, and gives you AI-generated fix prompts ready to paste into Cursor Agent or ChatGPT.

What is 'vibe coding' and why does it need a security tool?

Vibe coding refers to building software primarily with AI assistants. The result is working products shipped fast — but with predictable blind spots: exposed API keys, misconfigured database rules (Supabase RLS disabled, Firebase rules open), missing security headers, and broken conversion funnels. These are deployment-time issues that code review and linting miss. SecuriSky finds them by scanning the live, running application.

What is SecuriSky NOT?

SecuriSky is not a penetration testing service, a code review tool, a compliance certification service (SOC 2, ISO 27001), or a DAST scanner with active exploitation. It performs automated black-box checks — not manual hacking. It also cannot read your source code, GitHub repository, or internal files.

Is SecuriSky the same as Google Lighthouse?

No. Lighthouse covers performance, accessibility, and best practices for a single page in a browser. SecuriSky covers 27 checks across 6 categories including security (Lighthouse has none), Supabase/Firebase database misconfigurations, CORS vulnerabilities, API key exposure, admin route testing, conversion rate issues, and design quality. SecuriSky uses Lighthouse's performance category as one input but has 20+ checks Lighthouse doesn't run.

How the Scanner Works

Does SecuriSky need access to my source code?

No. SecuriSky is entirely black-box. It makes HTTP requests to your deployed public URL — the same way any internet user or attacker would. It does not require repository access, GitHub credentials, API tokens for your hosting platform, or any internal access.

How does SecuriSky detect Supabase RLS being disabled?

SecuriSky extracts your Supabase project URL and anon key from your JavaScript bundle (these are client-visible by Supabase design), then makes unauthenticated REST API requests to common table names (/rest/v1/users, /rest/v1/profiles, /rest/v1/posts, /rest/v1/orders). If the response is 200 with JSON data, RLS is disabled. Evidence shows the endpoint and HTTP status — not your data.

How does SecuriSky detect API key leaks?

SecuriSky downloads every JavaScript bundle file served by your app and applies 20+ regex patterns for known API key formats: Stripe (sk_live_, pk_live_), OpenAI (sk-proj-), Supabase (service role keys), AWS (AKIA...), GitHub (ghp_), Clerk, Twilio, SendGrid, Anthropic, Google, and more. When a match is found, the evidence shows only the token prefix (e.g., sk_live_4xAB...) to confirm the finding without exposing the full secret.
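As an added illustration (not SecuriSky's own code) of the prefix-matching approach described above, the following script scans built JavaScript files for a handful of the named key formats and reports only a redacted prefix, so it can run as a pre-deploy check on your own build output. The exact regexes and the sample bundle are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Regexes for some of the key formats the FAQ names. The patterns are an assumption
# for this example; character classes follow each provider's published token shape.
KEY_PATTERNS = {
    "stripe_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}"),
    "stripe_publishable": re.compile(r"\bpk_live_[0-9A-Za-z]{16,}"),
    "openai_project": re.compile(r"\bsk-proj-[0-9A-Za-z_\-]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
}


def redact(token: str, keep: int = 12) -> str:
    """Keep a short prefix so the evidence confirms the match without re-leaking the secret."""
    return token[:keep] + "..."


def scan_text(text: str, source: str = "<inline>") -> list[dict]:
    """Return one finding per regex match, with file, line number and redacted evidence."""
    findings = []
    for name, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"type": name, "source": source, "line": line,
                             "evidence": redact(m.group(0))})
    return findings


def scan_bundle_dir(root: str) -> list[dict]:
    """Scan every .js/.mjs file under a build directory (e.g. dist/ or .next/static)."""
    out = []
    for path in Path(root).rglob("*"):
        if path.suffix in {".js", ".mjs"}:
            out.extend(scan_text(path.read_text(errors="ignore"), str(path)))
    return out


# Constructed sample bundle: a fake, non-functional Stripe secret and AWS's documented example id.
SAMPLE_BUNDLE = (
    'const cfg={stripe:"sk_live_4xABcdEFghIJklMNopQRstUV"};\n'
    'fetch(u,{headers:{"x-amz-id":"AKIAIOSFODNN7EXAMPLE"}});\n'
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_BUNDLE, "sample.js"):
        print(f"{f['type']:20} {f['source']}:{f['line']}  {f['evidence']}")
```

Publishable keys (pk_live_) are client-visible by design, so in practice you would treat a match on them as informational rather than critical.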

What is a 'deep scan' (Playwright)?

A deep scan uses a headless Chromium browser (Playwright) to fully render your app including client-side JavaScript execution. This detects issues that only appear after JS runs: dynamically injected content, client-side navigation routes, single-page application (SPA) rendering quality, and interactive UX elements. Deep scans are available on Team plan and as a one-time purchase ($39).

How accurate are the findings? What are the false positive rates?

Each finding includes a confidence level: CONFIRMED (evidence directly captured from the live HTTP response — very low false positives), POSSIBLE (indirect signal, ~5% false positive rate), or UNVERIFIED (weak signal, ~15% false positive rate). Confirmed findings like exposed API keys have near-zero false positives — we show you the actual token prefix. You can mark any finding as a false positive (suppress it) with a reason, and it won't appear in future scans.

Scoring & Results

How is the A–F health score calculated?

The composite score (0–100) uses weighted categories: Security 30%, Accessibility 16%, Conversion 15%, Performance 15%, UX 12%, SEO 12%. Security gates apply: if you have 1+ critical finding, your score is capped at 59 (grade C or lower) regardless of how good other categories are. This is intentional — you shouldn't get an 'A-rated app' while having a critical security hole. Grade thresholds: A ≥ 90, B ≥ 75, C ≥ 60, D ≥ 40, F < 40.
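The weighting, critical-finding cap and grade thresholds above, carried through as a small added example (not SecuriSky's code; rounding of the weighted sum to an integer is an assumption):

```python
# Category weights exactly as listed in the FAQ; they sum to 1.0.
WEIGHTS = {
    "security": 0.30,
    "accessibility": 0.16,
    "conversion": 0.15,
    "performance": 0.15,
    "ux": 0.12,
    "seo": 0.12,
}
CRITICAL_CAP = 59  # score ceiling when at least one critical security finding exists
GRADE_THRESHOLDS = [(90, "A"), (75, "B"), (60, "C"), (40, "D")]  # anything lower is F


def weighted_sum(category_scores: dict[str, float]) -> float:
    """Weighted 0-100 composite before any security gate is applied."""
    missing = set(WEIGHTS) - set(category_scores)
    if missing:
        raise ValueError(f"missing category scores: {sorted(missing)}")
    return sum(WEIGHTS[c] * category_scores[c] for c in WEIGHTS)


def composite_score(category_scores: dict[str, float], critical_findings: int) -> int:
    """Round the weighted sum (assumed rounding), then apply the critical-finding cap."""
    score = round(weighted_sum(category_scores))
    if critical_findings >= 1:
        score = min(score, CRITICAL_CAP)
    return score


def grade(score: int) -> str:
    for threshold, letter in GRADE_THRESHOLDS:
        if score >= threshold:
            return letter
    return "F"


def health_report(category_scores: dict[str, float], critical_findings: int) -> dict:
    raw = round(weighted_sum(category_scores))
    score = composite_score(category_scores, critical_findings)
    return {"score": score, "grade": grade(score), "gated": score < raw}


if __name__ == "__main__":
    # Constructed sample: strong everywhere except one critical security finding.
    sample = {"security": 80, "accessibility": 90, "conversion": 70,
              "performance": 85, "ux": 95, "seo": 60}
    print(health_report(sample, critical_findings=0))  # ungated
    print(health_report(sample, critical_findings=1))  # capped at 59
```

With the thresholds as listed, a capped score of 59 sits one point below the C boundary and therefore grades D.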

What does the 'Product DNA' analysis show?

Product DNA is a SecuriSky-specific analysis that identifies your app's design style, brand personality, value proposition clarity, and positioning uniqueness. It tells you whether your app looks like a generic template clone or a distinctive product — and gives specific suggestions to improve brand memorability and trust. This is not available in any other scanning tool.

What are 'WTF Insights'?

WTF Insights are AI-generated observations about non-obvious behaviors in your app — things that don't fit a standard finding category but indicate a real problem. Examples: 'Your error messages expose internal stack traces', 'Your pricing page has a contact form but no pricing', 'Your free tier includes a feature your paid tier doesn't'. Unique to SecuriSky.

How is the financial impact estimate calculated?

For security findings: scaled estimates based on IBM Cost of a Data Breach Report 2024 (global avg $4.88M) and Ponemon Institute 2024 SMB data ($108K–$1.4M for small SaaS). For non-security findings: estimated monthly revenue loss based on SaaS conversion and retention benchmarks (Baremetrics, ChartMogul 2024). These are statistical industry estimates — not guaranteed predictions for your specific app. The typical range for SaaS under $5M ARR is much lower than the IBM average ($50K–$500K for security incidents).

AI Fix Prompts

What are the AI fix prompts?

Every finding includes a ready-to-paste prompt optimized for Cursor Agent mode, Claude Projects, or ChatGPT. The prompt includes: your exact technology stack (detected from the scan), the specific file type and code pattern that caused the issue, the corrected version of the code, and any configuration changes needed. Most critical security fixes require one Cursor Agent turn.

Which AI tools can I use the fix prompts with?

The prompts are optimized for Cursor Agent (the primary workflow), but work well with Claude Projects (paste as context), ChatGPT (paste directly), GitHub Copilot Chat, and Lovable's AI editor. The prompts are plain text — no special formatting required.

How many AI fix prompts do I get per scan?

Free: 1 AI fix prompt per scan (highest severity finding). Starter: 3 AI fix prompts per scan. Pro: unlimited AI fix prompts (all findings). Team: unlimited.

Pricing & Plans

What's the difference between Free and Starter?

Free gives you the full health score (A–F grade across all 6 categories), your top 3 findings with severity labels, and 1 AI fix prompt. Evidence for findings is partially blurred on Free. Starter ($9/mo) gives 20 scans/month, full unblurred evidence for all findings (so you see the exact issue, not a redacted preview), PDF exports, and an embeddable security badge.

What does Pro add that Free and Starter don't have?

Pro ($19/mo) adds: unlimited AI fix prompts (all findings), daily automated monitoring with email alerts (re-scans your app and notifies you of regressions), weekly AI action plan (5 prioritized quick wins generated every Monday), 180-day score trend history, competitor benchmarking (scan 1 competitor URL), and design originality score.

What is the Team plan for?

Team ($49/mo) is for agencies, engineering teams, and founders with multiple products. It adds: 10 team seats with role-based access, CI/CD quality gates (block GitHub Actions merges if security grade drops), Playwright deep scanning (JS-rendered SPA analysis), realtime monitoring (every 13 minutes), 10 competitor URLs, outgoing webhooks (Slack/HTTP), and an audit log.

Is there a one-time scan option without a subscription?

Yes. A one-time Full Scan credit is $39. It includes all 26 static scanner modules, 5 AI fix prompts for your top findings, and a PDF report. Never expires — use it when you need it. No subscription required.

Can I cancel my subscription anytime?

Yes. Cancel anytime from your billing dashboard. You keep access until the end of your billing period. No cancellation fees.

Monitoring & Alerts

What does monitoring do?

Monitoring (Pro: daily, Team: 13-minute intervals) automatically re-scans your app on a schedule. If your health score drops or a new critical finding appears (e.g., a new deployment accidentally introduces a security regression), you receive an email alert. Team plan also supports Slack and HTTP webhook notifications.

What is the CI/CD quality gate?

Team plan includes a GitHub Actions integration that triggers a scan on every pull request or deployment. If the scan returns a security grade below your configured threshold (e.g., below B), the CI check fails and the merge is blocked. This prevents security regressions from shipping to production.

Privacy & Data

Does SecuriSky store my app's data or screenshots?

No. SecuriSky is a black-box scanner — it makes HTTP requests and analyzes responses. Scan results (findings, scores, evidence snippets) are stored in your account for your scan history. No page screenshots, no DOM snapshots, no persistent copies of your app's content are stored beyond the scan lifecycle.

Does SecuriSky share my scan results with anyone?

No. Scan results are private to your account. The only exception: if you explicitly generate a shareable public report link (feature on Starter+), that link contains your scan results and can be accessed by anyone with the link — you control whether to generate it.

Is SecuriSky GDPR compliant?

Yes. We use PostHog for anonymous usage analytics with IP anonymization and opt-in cookie consent. Payments are handled by Stripe or Paddle (PCI compliant). Authentication is handled via Firebase (Google). Data is stored in EU-compliant infrastructure. See our Privacy Policy for full details.

Still have questions?

Use the AI Product Copilot (Pro+) to ask anything about your specific scan results, or reach out to support.