Field test
A no-account AI app security scan, tested on our own fixture
Published 2026-07-11
This is a controlled demonstration against VibeAudit's own inert public fixture, not a customer result and not a scan of a sourced prospect. The AI operator entered only the VibeAudit-owned scanner-liability URL and ran the same no-account flow available to any authorized visitor.
The recording is deliberately unglamorous: paste an origin, confirm you are authorized to assess it, run the passive public-surface check, and read what was actually observed. No VibeAudit account, source upload, card, checkout, or payment appears in the demo.
Watch the 67-second owned-fixture run
The video has no audio. The walkthrough below repeats the important result and scope details in text.
What the recorded free result showed
Those are observations from this recorded fixture run, not benchmark claims about other apps. The fixture is controlled by VibeAudit and exists to exercise the scanner's public-surface reporting.
- A completed passive public-URL scan of the exact VibeAudit-owned origin.
- A scoped B/86 result, severity counts, five issue categories, and explicit claim limits.
- A five-finding locked preview showing that detailed evidence remains a paid artifact.
- The no-account path from the scan form to pricing and the independent badge-verifier surface.
What this demo does not prove
This is a passive, browser-observed URL scan. It does not test active probes, authenticated user boundaries, private routes, source code, private dependencies, or business logic. It is not a penetration test and it does not establish that an app is secure.
A clean VibeAudit result is labeled Clear in Verified Scope. Unsupported surfaces remain Security Unverified. That smaller claim is intentional: the report should never outrun the evidence collected.
What the current paid handoff adds
The live production flow preserves the normalized exact origin through Stripe Checkout, the signed browser entitlement, the success handoff, and the paid rerun. A paid entitlement for one origin cannot be used to scan another.
Reveal unlocks exact finding locations. Launch Pass adds remediation, copy-paste AI-fix prompts, Markdown and HTML export, plus the separate browser-local Launch File and verifiable badge workflow. The demo did not purchase or generate any of these artifacts.
Run the same no-account check on an app you own
Enter your own public app origin and run the free scan yourself. VibeAudit's marketing operator does not submit prospect URLs, and the site requires you to confirm that you are authorized to assess the origin.
Questions people ask
- Did VibeAudit scan a prospect or customer app for this demo?
- No. The only target is VibeAudit's own inert scanner-liability fixture. No prospect URL, customer data, or customer result appears in the recording.
- Does the public URL scan upload my source code?
- No. The public Thorough Scan observes the authorized deployed origin. Source-backed workflows are separate and process the project locally before exporting redacted facts rather than raw source.
- Does a B/86 or clean result mean an app is secure?
- No. A score describes only the checks and evidence in the observed scope. VibeAudit never turns it into a blanket security guarantee; clean results are labeled Clear in Verified Scope.
Check your launch, not your luck.
The free Thorough Scan runs against your live URL - severity counts and categories in about a minute, no code upload, no card.
