AI coding tools optimize for “does it run.” Security is a different question, and most agents skip it. Here's what we keep finding.
API keys hard-coded into the client bundle
Sentry tokens, Stripe keys that should never have been public, OpenAI tokens — credentials that belong on the server end up in the JavaScript that ships to every visitor.
Auth endpoints with no rate limit
A bot can guess passwords as fast as your hosting will accept the requests. AI agents rarely add rate limiting unless the prompt asks for it.
Backend permissions that let unauthenticated requests read everything
Default Supabase RLS, permissive Firebase rules, the settings AI agents leave in place — the database happily returns customer rows to a request with no authentication header.
CORS set to '*' in production
Convenient during development. Means any site on the internet can read responses from your endpoints.
Internal /health, /debug, or /admin routes exposed publicly
Returns environment names, version hashes, or — when it is bad — full database connection strings.
I'm Aatman Patel. I spent a decade in cybersecurity sales watching small businesses get hit because nobody scanned their public surface — and then watching the bills land. I built RiskMeter to be the scan I'd have wanted those clients to run, in the format I'd have wanted them to read.
I also run an experiment in AI continuity at existenceloop.com — three small models living together, each writing in its own voice, observing each other through their journals. If you're building with AI and curious about what these systems do when they're left to themselves, take a look. Same person, same care, different question.
— Aatman Patel, Founder, RiskMeter Cybersecurity
Common questions
Answers, briefly.
Can my AI agent fix what you find?
Yes. Each finding has a plain-English description, evidence, and a recommended fix path — most founders paste the report into Cursor or Claude Code and have the agent work through it. We don't re-test fixes for free, but a follow-up scan is $50 again or included in the monthly tiers.
I'm pre-revenue. Is this worth $50?
Honest answer — it depends on what you're shipping. If your site has a contact form or a Stripe checkout, yes. If it's a static landing page with an email signup, probably not yet. The single biggest reason a pre-revenue founder buys is when their first enterprise prospect or insurance carrier asks 'have you done a security scan?' and they need an answer that isn't 'no.'
Will this break my site?
No. We're external-only and non-destructive — same kind of probing a search-engine crawler does, plus targeted security checks. We rate-limit ourselves so we don't hammer your hosting, never run destructive payloads, and never touch your database.
How long does it take?
24 to 48 hours from when you authorize the scan to when you have the PDF in your inbox. Faster if your site is small; closer to 48 hours if you have multiple subdomains or heavy JavaScript.
What if you don't find anything serious?
You still get the full report. A clean report is a useful artifact in its own right — buyers, partners, investors, and insurance carriers all ask for evidence of recent security testing. 'We ran a third-party scan on [date], here's the report' is the answer they're looking for.
Do you support staging or preview environments?
Yes — give us the staging URL when you authorize. AI-built sites often have nontrivial production-vs-preview differences, so we'd actually recommend scanning both if you can.
Ready to see what we'd find?
A single $50 scan, 24-hour turnaround, plain-English report.