Aikido Security and Lovable announced a partnership this week. Lovable users now get AI-powered pentesting built directly into their workflow.
An agent swarm attacks your live app. OWASP Top 10. Privilege escalation. Data exposure. Auth flow testing. All automated, all inside Lovable.
This is significant. Not because of what it gives Lovable users, but because of what it reveals about everyone else.
What the partnership actually does
Aikido deploys specialized security agents against your running Lovable application. They probe endpoints, attempt to access other users' data, chain small weaknesses into exploit paths, and test APIs.
Traditional penetration testing costs $5,000-$30,000 and takes weeks. Aikido inside Lovable makes it one click.
For Lovable's 200K daily new projects, this is a real improvement. The platform already had 4 automated scanners (RLS analysis, schema checks, code review, dependency audits). Now it has offensive testing too.
The gap this creates
Here's the problem: Lovable is one platform.
Cursor, Bolt, Windsurf, Replit, Google AI Studio, Claude Code. Millions of developers across these tools have zero built-in security.
The data tells the story:
- 5,600 vibe-coded apps scanned by Escape.tech: 2,000+ vulnerabilities, 400 exposed secrets
- 69 vulnerabilities in 15 apps across 5 AI coding tools (Tenzai research)
- 67% of 100 AI-built repos had critical vulnerabilities (ShipSafe study)
- 0 out of 15 tested vibe-coded apps had security headers (Tenzai)
None of those stats are Lovable-only. Most are from Cursor, Bolt, and mixed-tool projects.
Lovable users now have a safety net. Everyone else is still free-soloing.
What this means for the market
The Aikido x Lovable deal validates something we've been tracking for weeks: vibe coding security is a real, monetizable market.
When a $400M ARR platform partners with a VC-backed security company specifically for this problem, the "is this a thing?" question is answered.
But it also creates a two-tier system:
Tier 1: Lovable users get built-in pentesting, automated scanners, and a security-first deployment pipeline.
Tier 2: Everyone else gets... whatever they find on their own.
17+ independent vibe coding security scanners have launched in the past two weeks. Free tools, paid tools, CLI tools, browser extensions, web scanners. The market is trying to fill this gap, but there's no unified solution for non-Lovable builders.
The litellm attack makes this worse
The same week as the Aikido x Lovable announcement, litellm (97M monthly PyPI downloads) was compromised via a Trivy CI/CD supply chain attack. Credential-stealing malware. AWS keys, SSH keys, Kubernetes configs, database passwords, crypto wallets -- all exfiltrated.
The attack was discovered inside Cursor when an MCP plugin pulled litellm as a transitive dependency. The developer never chose litellm. Never installed it directly. It came in through a dependency chain they couldn't see.
Lovable users with Aikido pentesting might catch the effects of a compromised dependency. Cursor users with nothing? They find out when their AWS bill hits $50,000.
What to do if you're not on Lovable
Scan your source code. Tools like VibeCheck (free, no signup), Snyk, or Aikido's standalone platform can catch hardcoded secrets, missing auth, and common vulnerabilities.
Scan your live site. Source code scanning misses runtime issues. Check security headers, exposed endpoints, CORS configuration, cookie settings.
Check your dependencies. Run pip-audit, npm audit, or yarn audit. Look for known vulnerabilities. If you use litellm, check version 1.82.7 or 1.82.8 specifically.
Add security headers. CSP, HSTS, X-Frame-Options, X-Content-Type-Options. Most vibe-coded apps ship with zero security headers.
Review auth flows. AI-generated auth code often has subtle flaws: missing token validation, client-side only checks, exposed admin routes.
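The checklist above is actionable without any platform integration. As an added example (not code from the article, Aikido, or Lovable), the script below implements three of the steps in plain Python: it audits a response's headers for the four security headers the article lists plus permissive CORS and weak cookie flags, it produces a hardened copy of those headers, and it scans pinned dependency output for the litellm versions the article says to check. The response headers and requirements text are constructed samples; the header values in REQUIRED_HEADERS are assumed conservative defaults, not values from the article.

```python
"""Added example: header/cookie audit and dependency check for builders
without built-in scanning. All inputs are constructed samples; the only
network call (fetch_headers) is optional and unused by the demo."""
from __future__ import annotations

import re
import urllib.request
from http.cookies import SimpleCookie

# The four headers the article lists, with assumed baseline values
# (tune CSP to your own app; these are not values from the article).
REQUIRED_HEADERS = {
    "content-security-policy": "default-src 'self'",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
}

# Constructed sample: what a freshly generated app commonly returns --
# no security headers, a wildcard CORS origin, and a session cookie
# without Secure, HttpOnly or SameSite.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Access-Control-Allow-Origin", "*"),
    ("Set-Cookie", "session=abc123; Path=/"),
]

# Versions the article names for litellm; constructed requirements text.
AFFECTED_VERSIONS = {"litellm": {"1.82.7", "1.82.8"}}
SAMPLE_REQUIREMENTS = """\
fastapi==0.110.0
litellm==1.82.8
requests==2.31.0
"""


def audit_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return findings for a response's headers; an empty list means clean."""
    present = {name.lower(): value for name, value in headers}
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in present]
    if present.get("access-control-allow-origin") == "*":
        findings.append("CORS: Access-Control-Allow-Origin is '*'")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)
        for key, morsel in cookie.items():
            # Morsel flags read as "" when the attribute is absent.
            for flag in ("secure", "httponly", "samesite"):
                if not morsel[flag]:
                    findings.append(f"cookie {key}: missing {flag}")
    return findings


def add_security_headers(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return a copy of the headers with the baseline headers added where
    absent; headers the app already sets are left untouched."""
    present = {name.lower() for name, _ in headers}
    added = [(h.title(), v) for h, v in REQUIRED_HEADERS.items() if h not in present]
    return list(headers) + added


def find_affected(requirements_text: str) -> list[str]:
    """Scan 'name==version' lines (requirements.txt or `pip freeze` output,
    which includes transitive dependencies) for the versions to check."""
    hits = []
    for line in requirements_text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;#]*)", line)
        if not m:
            continue
        name, version = m.group(1).lower().replace("_", "-"), m.group(2)
        if version in AFFECTED_VERSIONS.get(name, ()):
            hits.append(f"{name}=={version}")
    return hits


def fetch_headers(url: str) -> list[tuple[str, str]]:
    """Fetch a live site's response headers (only network call; not run by the demo)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.getheaders()


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE_HEADERS):
        print("FINDING:", finding)
    print("after hardening:", audit_headers(add_security_headers(SAMPLE_RESPONSE_HEADERS)))
    print("dependencies to check:", find_affected(SAMPLE_REQUIREMENTS))
```

To run it against your own deployment, replace the sample headers with `fetch_headers("https://your-app.example")` and feed `find_affected` the output of `pip freeze`, which lists transitive dependencies such as the one the article describes arriving through an MCP plugin. Note that hardening the headers clears the "missing header" findings but not the CORS or cookie findings, which have to be fixed in the app's own response logic.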
The market is splitting
Lovable made a bet: security as a platform feature, not an afterthought. With Aikido as a partner, they now offer more security tooling than most enterprise development teams had five years ago.
For every other vibe coding tool, the question is whether they follow or leave it to the ecosystem. Cursor has Claude Code Security (reasoning-based). Bolt has nothing native. Windsurf has nothing native. Google AI Studio has nothing.
The independent scanner market exists because the platforms haven't solved this. The Aikido x Lovable deal is the first platform to try. It won't be the last.
We track every vibe coding security scanner, breach, and development at notelon.ai/report. 17+ scanners, 2 documented breaches, 23 timeline events. Updated daily.