The security OS for AI-generated code

You write prompts. We write patches.

Your AI is a brilliant pattern-matcher and a terrible security engineer. Hardenator catches what it misses — at generation time, not six weeks after you ship to production.

$ npx hardenator scan

The state of vibe coding security, Q1 2026

The numbers nobody wants to print on the pitch deck.

  • 91.5% of vibe-coded apps have at least one AI-hallucination vulnerability (Q1 2026 study, 200+ apps)
  • 2.74× vulnerability rate of AI-written code vs human-written (arXiv, 470 GitHub PRs)
  • 8M Lovable users affected across three breaches in thirteen months (Public disclosures, Jan–Apr 2026)
  • 60% of all new code expected to be AI-generated by end of 2026 (Gartner forecast, 2026)

How it works

Three layers of defense. One install.

01 / PREVENTION

Intercept at generation time

Plugin hooks into Claude Code and Cursor. When the AI tries to write a service_role key to a frontend file, we block it before the file hits disk.

  • Claude Code plugin
  • Cursor .mdc rules
  • VS Code extension (Bolt, Replit, Windsurf)
  • Claude Managed Agents skill

02 / DETECTION

Scan what already shipped

Semgrep-based CLI runs in your editor, pre-commit hook, and CI. 100+ rules tuned specifically for AI failure modes. False-positive rate under 8%.

  • @hardenator/cli (npm)
  • hardenator-rules (OSS, MIT)
  • GitHub Action for CI
  • Per-project baseline mode

03 / REMEDIATION

Auto-fix as a pull request

Every fixable finding becomes a PR with a patch you can merge in one click. You review, not triage. Never auto-merged — you stay in control.

  • GitHub App auto-PR
  • Claude Sonnet 4.7 for complex fixes
  • Plain-language breach explanations
  • One-click rollback

The rule library

100+ rules. Open source. Forever free.

Every pattern Hardenator catches is published as a public Semgrep rule under MIT license. Security researchers contribute. Community audits. Competitors can fork it — we'd prefer they did.

Your auto-fix + continuous protection is the paid layer. The knowledge is for everyone.

supabase, lovable, bolt, cursor, next.js, stripe, clerk, auth

  • Supabase & RLS (23)
  • Auth & Session (18)
  • Secrets & API keys (14)
  • Stripe & payments (9)
  • CSRF / XSS / Headers (16)
  • BOLA / IDOR (11)
  • SQL injection (7)
  • Agent coding gates (8)

Pricing

For the solo builder. And the autonomous agent army.

14-day free trial on all paid tiers. Annual billing saves 20%. First 50 paying customers lock in founding pricing forever.

Solo: Free (Individual vibe-coders)
  • 1 repo
  • 100 scans/month
  • Community rules
  • Community support

Team: $99/mo (2–10 person startups)
  • 10 repos
  • SOC 2 evidence export
  • Slack / Linear / Jira
  • Priority support
  • Custom rules

Fort: $999/mo (Autonomous agent teams)
  • Unlimited repos & agents
  • Devin / Codex PR gate
  • Per-agent scorecard
  • Dedicated Slack with founder
  • SLA

The Hardenator Manifesto

“We build at the edge of two truths. The AI writes code now. Consequences are still human.”

Read the full manifesto at hardenator.com/manifesto

Get early access.

First 100 waitlist signups get lifetime 30% off. First 50 paying customers lock in $19/mo forever. There is no second launch.
