We started by analyzing over 5,600 publicly available vibe-coded applications across multiple platforms. Using a layered discovery approach, we identified all exposed assets, including hosts, web apps, APIs, and schemas. This allowed us to map out the full attack surface of each application.
Lovable front-ends integrate with Supabase backends via API, and certain high-value signals (for example, exposed keys such as anonymous JWTs for the APIs linking to Supabase backends, client-side routes, and embedded endpoints) only appear in frontend bundles or source output. We therefore introduced a lightweight, read-only scan to harvest these artifacts and feed them back into the ASM inventory.
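A check of this kind can be run against your own build output before deployment. The following is an added example, not the scanner described in this post: it inventories Supabase hosts and JWTs in bundle text and flags any key whose role is `service_role`. The claim layout (`role`, `ref`), the function names, and the sample bundle are assumptions constructed for the demonstration.

```python
import base64, json, re

# A JWT is three base64url segments; JSON objects always encode to a string starting "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
SUPABASE_URL_RE = re.compile(r"https://[a-z0-9]+\.supabase\.co")

def decode_segment(segment):
    """Decode one base64url JWT segment to JSON (no signature verification)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def audit_bundle(text):
    """Inventory Supabase hosts and JWTs found in built frontend output."""
    report = {"hosts": sorted(set(SUPABASE_URL_RE.findall(text))), "tokens": []}
    for token in sorted(set(JWT_RE.findall(text))):
        try:
            claims = decode_segment(token.split(".")[1])
        except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
            continue
        if not isinstance(claims, dict):
            continue
        role = claims.get("role")
        # Assumed claim layout: Supabase API keys carry "role" and "ref".
        if role == "service_role":
            verdict = "critical: key bypasses row-level security, rotate it"
        elif role == "anon":
            verdict = "expected in client: confirm RLS policies on every table"
        else:
            verdict = "unrecognized token: review manually"
        report["tokens"].append({"role": role, "ref": claims.get("ref"), "verdict": verdict})
    return report

def make_sample_token(role):
    """Build a constructed token with a placeholder signature for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"iss": "supabase", "ref": "exampleprojectref", "role": role}
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "constructedsignature"])

# Constructed sample: a minified bundle fragment that leaks both key types.
SAMPLE_BUNDLE = (
    'const u="https://exampleprojectref.supabase.co",k="%s";'
    'fetch(u+"/rest/v1/profiles",{headers:{apikey:"%s"}})'
    % (make_sample_token("anon"), make_sample_token("service_role"))
)

if __name__ == "__main__":
    print(json.dumps(audit_bundle(SAMPLE_BUNDLE), indent=2))
```

An `anon` key in the bundle is normal for this architecture; what the finding tells you is which project's row-level security policies now carry the whole access-control burden.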
Once the attack surface was extracted and modeled, we applied targeted security testing using in-house dynamic application security testing (DAST) techniques (see more info on the web app scanner here and the API scanner here). The objective was not to exhaustively exploit weaknesses, but to identify recurring classes of misconfigurations and vulnerabilities in a safe manner.
