Find and fix what's exposed before someone else does.

Adversarial AI agents that audit your code, infrastructure, and live endpoints, surfacing leaked PII, broken access controls, and vulnerabilities before attackers find them.

From our first audits

Exposed private data
320 private letters exposed
Future Letters / future-letters.com
320 private letters accessible via a single API call. Suicide notes. Abuse disclosures. Therapy reflections.

RLS was enabled. Scanners passed it. We tested what the RLS actually allowed.

Broken access control
Broken workflow logic
3,015 users at risk
Jobtayo / jobtayo.com
Applicants could accept their own job applications. No employer approval needed.

Also found: admin emails exposed, stored XSS in profile fields, complete activity logs harvestable.

Business logic bypass
Unguarded privilege escalation
1 signup to become admin
Concept Test Pulse / concept-test-pulse.lovable.app
We injected role: admin during signup. It's now in their JWT. Waiting for one bad if-statement.

No scanner tests what happens when you abuse the signup flow.

Privilege escalation

Real attacks. Real findings. Real fixes.

Auth bypasses, injection, privilege escalation, business logic, tested automatically. Report generated. Fixes included.

Security audit — jobbee.com #47
API Probe — jobbee.com
```shell
$ curl -s "/rest/v1/admin_actions?select=*" \
  -H "apikey: $ANON_KEY"
```
profile-links.tsx

```tsx
// Props shape implied by the snippet (the original file's type declaration is not shown)
type Props = { profile: { linkedin_url: string; github_url: string } }

export function ProfileLinks({ profile }: Props) {
  return (
    <div className="flex gap-2">
      {/* Both hrefs come straight from user-editable profile columns with no scheme check */}
      <a href={profile.linkedin_url}>
        LinkedIn
      </a>
      <a href={profile.github_url}>
        GitHub
      </a>
    </div>
  )
}
```

2 vulnerabilities: both href attributes accept javascript: URLs
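The hardened counterpart of the component above, written as an added example (this is not Contramachine's or jobbee.com's code; the function names, the `LinkProfile` type and the sample inputs are assumptions). It allowlists the URL scheme the way a browser's URL parser would read it, and contrasts that with a naive prefix check that misses whitespace-padded or tab-split `javascript:` values:

```typescript
// Added example: scheme allowlisting for user-supplied link fields such as
// profiles.linkedin_url and profiles.github_url. Not code from the original page.

export type LinkProfile = { linkedin_url?: string | null; github_url?: string | null };
export type SafeLink = { label: string; href: string };

const ALLOWED_SCHEMES = ["http", "https"];

// Mirror the WHATWG URL parser's pre-processing: strip leading/trailing
// control-or-space characters (U+0000..U+0020), then delete ASCII tab, CR and LF
// anywhere in the string. Browsers do this before they look at the scheme.
function normalize(raw: string): string {
  return raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Read the scheme ([a-z][a-z0-9+.-]* up to the first ':'), lower-cased.
// Returns null for relative URLs or values with no scheme at all.
export function extractScheme(raw: string): string | null {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalize(raw));
  return m ? m[1].toLowerCase() : null;
}

// The check the page warns against: a prefix test that a browser will not agree with.
export function naiveIsSafe(raw: string): boolean {
  return raw.toLowerCase().indexOf("javascript:") !== 0;
}

// Return the normalized URL when its scheme is http or https and it has an
// authority part; otherwise null, meaning "do not render this as an href".
export function safeHttpUrl(raw: string | null | undefined): string | null {
  if (typeof raw !== "string") return null;
  const value = normalize(raw);
  const scheme = extractScheme(value);
  if (scheme === null || ALLOWED_SCHEMES.indexOf(scheme) === -1) return null;
  if (!/^[a-zA-Z]+:\/\/[^/?#]+/.test(value)) return null; // reject a bare "https:"
  return value;
}

// Hardened counterpart of ProfileLinks: only links that passed the check are emitted,
// so a rejected value is dropped rather than rendered.
export function renderProfileLinks(profile: LinkProfile): SafeLink[] {
  const links: SafeLink[] = [];
  const linkedin = safeHttpUrl(profile.linkedin_url);
  if (linkedin !== null) links.push({ label: "LinkedIn", href: linkedin });
  const github = safeHttpUrl(profile.github_url);
  if (github !== null) links.push({ label: "GitHub", href: github });
  return links;
}

// Constructed sample profile: one poisoned field, one legitimate field.
export const SAMPLE_PROFILE: LinkProfile = {
  linkedin_url: "java\tscript:alert(1)",
  github_url: "https://github.com/sample-user",
};
```

The same allowlist belongs in the database as well (the CHECK constraint in the remediation prompts); the application-side check is what stops a value that was written before the constraint existed from reaching an `href`. Note that bare domains such as `linkedin.com/in/alice` are rejected rather than auto-prefixed, which is the conservative choice for a field an attacker can edit.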
Security Audit Report — jobbee.com
Jan 28, 2026 · Comprehensive

Executive Summary

Grade: F (Critical Risk)
Findings: 7
Users exposed: 3,015
Fixes ready: 4/4

Vulnerability Summary

Severity   Count   Description
critical   3       Admin PII exposure, Role manipulation, JS URL injection
high       2       Business logic bypass, User role enumeration (3,015 users)
medium     1       Stored XSS payloads in 10 database fields
low        1       Storage bucket file listing exposed

Critical & High Findings

critical: Admin Audit Log Exposure (CVSS 8.1)
55 admin records readable by any authenticated user — admin emails, names, activity trail exposed
Table: admin_actions

critical: User Metadata Role Manipulation (CVSS 7.8)
Any user can set user_metadata.role to "admin" via Auth API — embedded in signed JWT
Table: auth.users

critical: JavaScript URL Injection (XSS) (CVSS 8.6)
javascript: protocol accepted in linkedin_url, github_url — executes in employer browser session
Table: profiles

high: Self-Accepting Job Applications (CVSS 7.5)
Talents can PATCH own application status to "accepted" — bypasses employer approval workflow
Table: job_applications

Attack Surface Tested

4 exploitable / 6 blocked

user_metadata role escalation: exploitable
admin_actions table read: exploitable
INSERT into user_roles: blocked
UPDATE user_roles to admin: blocked
javascript: URL in profile: exploitable
Self-modify application status: exploitable
SQL injection via PostgREST: blocked
JWT algorithm confusion: blocked
Access other users' profiles: blocked
Service role impersonation: blocked

Remediation Prompts

Copy to your coding agent
critical: Fix admin_actions RLS policy

```sql
ALTER TABLE admin_actions ENABLE ROW LEVEL SECURITY;
CREATE POLICY "Only admins can read admin_actions" ON admin_actions
  FOR SELECT USING (
    EXISTS (SELECT 1 FROM user_roles WHERE user_id = auth.uid() AND role = 'admin')
  );
```

critical: Block role field in user_metadata
Create a Supabase Edge Function hook on auth.users update that rejects any request containing data.role. Return 403 "Cannot modify role via user_metadata". Store roles in app_metadata instead.

critical: Validate URL protocols on all link fields
Add URL validation to linkedin_url, github_url, video_url in profiles table. Only allow http:// and https:// protocols. Add CHECK constraint:

```sql
ALTER TABLE profiles ADD CONSTRAINT valid_linkedin_url
  CHECK (linkedin_url IS NULL OR linkedin_url ~* '^https?://');
```

high: Prevent self-accepting job applications

```sql
CREATE POLICY "Talents cannot modify application status" ON job_applications
  FOR UPDATE USING (auth.uid() = (SELECT employer_id FROM jobs WHERE id = job_id));
```

Only the employer who created the job can update application status.
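The application-side half of the "Block role field in user_metadata" prompt, as an added example rather than Contramachine's or jobbee.com's code. It relies on one fact about Supabase access tokens: the `user_metadata` claim can be changed by the user through the Auth API, while `app_metadata` can only be written with the service role key. The function names, the `Claims` type, the role names (taken from the page's "talent" and "employer" vocabulary) and the sample claims are assumptions; signature verification is assumed to have happened upstream and is not shown:

```typescript
// Added example: derive the application role from server-controlled claims only,
// and refuse metadata updates that try to smuggle a role in. Not code from the page.

type Json = string | number | boolean | null | Json[] | { [k: string]: Json };

// Claims of an already-verified Supabase-style access token (verification is assumed upstream).
export interface Claims {
  sub: string;
  role?: string;                          // PostgREST database role, e.g. "authenticated"
  app_metadata?: { [k: string]: Json };   // server-controlled: only the service role can write it
  user_metadata?: { [k: string]: Json };  // user-controlled: editable through the Auth API
}

export type AppRole = "admin" | "employer" | "talent";
const KNOWN_ROLES: AppRole[] = ["admin", "employer", "talent"];

// Only app_metadata.role is consulted. Whatever user_metadata.role says is ignored,
// and an unknown or missing value falls back to the least-privileged role.
export function resolveRole(claims: Claims): AppRole {
  const candidate = claims.app_metadata?.role;
  return typeof candidate === "string" && (KNOWN_ROLES as string[]).indexOf(candidate) !== -1
    ? (candidate as AppRole)
    : "talent";
}

// Example authorization decision built on resolveRole: admin_actions is admin-only.
export function canReadAdminActions(claims: Claims): boolean {
  return resolveRole(claims) === "admin";
}

// Guard for a user-initiated metadata update (the `data` object of a profile update
// request). Returns the error message to send with a 403, or null if the update is acceptable.
export function checkMetadataUpdate(body: { data?: { [k: string]: Json } }): string | null {
  const data = body.data;
  if (data && Object.prototype.hasOwnProperty.call(data, "role")) {
    return "Cannot modify role via user_metadata";
  }
  return null;
}

// Constructed sample claims (placeholder subject ids, not real users).
// A token whose user_metadata was set to admin at signup, with no app_metadata role:
export const SAMPLE_TAMPERED: Claims = {
  sub: "00000000-0000-4000-8000-000000000001",
  role: "authenticated",
  user_metadata: { role: "admin", full_name: "Sample Talent" },
};
// A genuine admin: the role lives in app_metadata, and user_metadata cannot override it.
export const SAMPLE_REAL_ADMIN: Claims = {
  sub: "00000000-0000-4000-8000-000000000002",
  role: "authenticated",
  app_metadata: { role: "admin" },
  user_metadata: { role: "talent" },
};
```

Because the role is read from `app_metadata`, the RLS policies above (which consult `user_roles` via `auth.uid()`) and the application code agree on a single source of truth that the token holder cannot edit; `checkMetadataUpdate` then closes the write path so a stray `role` key never lands in `user_metadata` in the first place.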
Generated by Contramachine • Comprehensive security audit with interactive browser testing

Reconnaissance

Crawls your app like an attacker. Enumerates APIs, maps routes, fingerprints your stack.

Exploitation

Tests real attack vectors including auth bypasses, injection, privilege escalation, and business logic.

Remediation

Generates fix-ready SQL and code. Copy into Cursor or Claude Code and ship.

Deploy Adversarial Agents

Adversarial AI that fingerprints and attacks your app the way a real threat actor would. Finds what scanners miss.

Traditional scanners check for known CVEs and outdated packages. Contramachine goes further: it maps your attack surface, tests business logic, chains vulnerabilities together, and demonstrates real-world impact. The same techniques a threat actor would use, but on your side.

Multi-phase attacks
Recon → Probe → Exploit
Logic testing
Auth, IDOR, XSS, privilege escalation
Exploit chains
Not isolated findings, real impact
Continuous testing
Runs on every deploy, not just once

Copy. Paste. Fixed.

Actionable fix prompts ready to paste into your code editor. Not just findings, solutions.

Every vulnerability comes with a ready-to-use remediation prompt designed for AI coding agents. Copy it into Cursor, Claude Code, or Windsurf, and the fix gets applied to your codebase in seconds. Includes exact file paths, code changes, and database migrations. No context-switching. No Googling. No guessing.

AI-native prompts
Designed for Cursor, Claude Code, Windsurf
Exact file paths
Points to the vulnerable code directly
Full-stack fixes
RLS policies, middleware, validation
Preview before apply
See the diff before committing

Integrations

Works with your stack

Connect via URL or infrastructure access. Audits any modern deployment platform.

GitHub
Vercel
Netlify
Cloudflare
AWS
Supabase
Railway
Lovable
URL-based

Point us at any deployed URL. No code access, no API keys, no setup.

Infra-based

Connect your repo, database, or cloud account for deep infrastructure analysis.

RLS policies
Secrets
Schemas
Edge functions

Your users' data might be exposed right now.