Security that keeps pacewith your ideas.

Adversarial AI agents that attack from the outside in, through structured recon, profiling, and distributed attack chains, finding what's exposed before real attackers do.

Get early access

What we've found in YC startups, Decacorns, and NASDAQ companies.

Real vulnerabilities from real companies — including a platform acquired by a NASDAQ-listed company for $80M.

NASDAQ-acquired platform$80M ACQUISITION

3.5M+

apps exposed

"One API call returned every customer's source code."

Critical: Multi-tenant breach

YC-backed "vibe coding"CLAIMED $5M ARR

321

Stripe keys leaked

"Full database access via public API. Still works today."

Critical: Full database access

Popular AI app builderSERIES A+ STARTUP

100%

apps vulnerable

"Every app tested had broken access control. Scanners passed them all."

Critical: Systemic access control failure

Real attacks. Real findings.
Real fixes.

Auth bypasses, injection, privilege escalation, business logic, tested automatically. Report generated. Fixes included.

All audits

Security audit — jobbee.com#47

Scanning

Initializing agent...

Ask anything

jobbee.com

Waiting for connection...

API Probe — jobbee.com

$ curl -s "/rest/v1/admin_actions?select=*" \

-H "apikey: $ANON_KEY"

profile-links.tsx

index.tsx

14export function ProfileLinks({ profile }: Props) {

15 return (

16 <div className="flex gap-2">

17 <a href={profile.linkedin_url}>

18 LinkedIn

19 </a>

20 <a href={profile.github_url}>

21 GitHub

22 </a>

23 </div>

24 )

25}

2 vulnerabilities: href accepts javascript: URLs

Security Audit Report — jobbee.com

Jan 28, 2026•Comprehensive

Executive Summary

Critical Risk

Findings

3,015

Users Exposed

4/4

Fixes Ready

Vulnerability Summary

Severity

Count

Description

critical

Admin PII exposure, Role manipulation, JS URL injection

high

Business logic bypass, User role enumeration (3,015 users)

medium

Stored XSS payloads in 10 database fields

low

Storage bucket file listing exposed

Critical & High Findings

critical

Admin Audit Log ExposureCVSS 8.1

55 admin records readable by any authenticated user — admin emails, names, activity trail exposed

admin_actions

critical

User Metadata Role ManipulationCVSS 7.8

Any user can set user_metadata.role to "admin" via Auth API — embedded in signed JWT

auth.users

critical

JavaScript URL Injection (XSS)CVSS 8.6

javascript: protocol accepted in linkedin_url, github_url — executes in employer browser session

profiles

high

Self-Accepting Job ApplicationsCVSS 7.5

Talents can PATCH own application status to "accepted" — bypasses employer approval workflow

job_applications

Attack Surface Tested

4 exploitable / 6 blocked

user_metadata role escalationexploitable

admin_actions table readexploitable

INSERT into user_rolesblocked

UPDATE user_roles to adminblocked

javascript: URL in profileexploitable

Self-modify application statusexploitable

SQL injection via PostgRESTblocked

JWT algorithm confusionblocked

Access other users' profilesblocked

Service role impersonationblocked

Remediation Prompts

Copy to your coding agent

critical

Fix admin_actions RLS policy

ALTER TABLE admin_actions ENABLE ROW LEVEL SECURITY; CREATE POLICY "Only admins can read admin_actions" ON admin_actions FOR SELECT USING (EXISTS (SELECT 1 FROM user_roles WHERE user_id = auth.uid() AND role = 'admin'));

critical

Block role field in user_metadata

Create a Supabase Edge Function hook on auth.users update that rejects any request containing data.role. Return 403 "Cannot modify role via user_metadata". Store roles in app_metadata instead.

critical

Validate URL protocols on all link fields

Add URL validation to linkedin_url, github_url, video_url in profiles table. Only allow http:// and https:// protocols. Add CHECK constraint: ALTER TABLE profiles ADD CONSTRAINT valid_linkedin_url CHECK (linkedin_url IS NULL OR linkedin_url ~* '^https?://');

high

Prevent self-accepting job applications

CREATE POLICY "Talents cannot modify application status" ON job_applications FOR UPDATE USING (auth.uid() = (SELECT employer_id FROM jobs WHERE id = job_id)); Only the employer who created the job can update application status.

Copy prompt

→

Paste in Cursor / Claude Code

→

Fixed

Generated by Contramachine • Comprehensive security audit with interactive browser testing

Reconnaissance

Crawls your app like an attacker. Enumerates APIs, maps routes, fingerprints your stack.

Exploitation

Tests real attack vectors including auth bypasses, injection, privilege escalation, and business logic.

Remediation

Generates fix-ready SQL and code. Copy into Cursor or Claude Code and ship.

How it works.

Connect your app. Get a list of vulnerabilities. Each one comes with a fix prompt ready to paste into Cursor, Claude Code, and others.

1. Adversarial agents attack your app like a real threat actor would

Adversarial AI that fingerprints and attacks your app the way a real threat actor would. Finds what scanners miss.

Traditional scanners check for known CVEs and outdated packages. Contramachine goes further. it maps your attack surface, tests business logic, chains vulnerabilities together, and demonstrates real-world impact. The same techniques a threat actor would use, but on your side.

Multi-phase attacks

Recon → Probe → Exploit

Logic testing

Auth, IDOR, XSS, privilege escalation

Exploit chains

Not isolated findings, real impact

Continuous testing

Runs on every deploy, not just once

Attack Simulation#12

Ready

jobbee.com

https://jobbee.com

Audit

Initializing attack simulation...

Remediation Prompts

Copy to your coding agent

Generating fix prompts...

2. Then we give you fixes that work with your AI coding tools

Actionable fix prompts ready to paste into your code editor. Not just findings, solutions.

Every vulnerability comes with a ready-to-use remediation prompt designed for AI coding agents. Copy it into Cursor, Claude Code, or Windsurf, and the fix gets applied to your codebase in seconds. Includes exact file paths, code changes, and database migrations. No context-switching. No Googling. No guessing.

AI-native prompts

Designed for Cursor, Claude Code, Windsurf

Exact file paths

Points to the vulnerable code directly

Full-stack fixes

RLS policies, middleware, validation

Preview before apply

See the diff before committing

Integrations

Works with your stack

Connect via URL or infrastructure access. Audits any modern deployment platform.

GitHub

Vercel

Netlify

Cloudflare

AWS

Supabase

Railway

Lovable

URL-based

Point Contramachine at any deployed URL. No code access, no API keys, no setup.

https://your-app.com

Audit

Infra-based

Connect your repo, database, or cloud account for online infrastructure analysis.

RLS policiesSecretsSchemasEdge functions

Your users' data might be
exposed right now.

Get early access

Security that keeps pacewith your ideas.

What we've found in YC startups, Decacorns, and NASDAQ companies.

Real attacks. Real findings.Real fixes.

Executive Summary

Vulnerability Summary

Critical & High Findings

Attack Surface Tested

Remediation Prompts

Reconnaissance

Exploitation

Remediation

How it works.

1. Adversarial agents attack your app like a real threat actor would

2. Then we give you fixes that work with your AI coding tools

Works with your stack

Your users' data might beexposed right now.

Real attacks. Real findings.
Real fixes.

Your users' data might be
exposed right now.