pricing
one plan.
every fix included.
free scan to look. €59/month to fix. no enterprise tier, no demo call, no "contact sales". leave the welfare-state vibe for another subscription.
no signup. no card.
see what's bleeding.
- 60 seconds on any public repo
- top 2 findings with severity and pattern id
- 124 patterns · owasp top 10 (10/10) · owasp llm top 10 (10/10)
- no line, no file, no fix
- scan as much as you want. no limit.
or €182/year. save €46.
one repo, line and proof. no auto-fix.
- 1 repo with continuous monitoring
- unlimited scans. file, line, and pattern id.
- 124 patterns · owasp top 10 + llm top 10
- see the fix as a diff (no auto-pr)
- every commit reviewed via push webhook
- ai concierge — 100 messages/month
- leave whenever. no contract.
or €566/year. save €142.
the bug that takes your business down, caught before you do.
- up to 3 repos watched without lifting a finger.
- unlimited audits. file, line, and the proof.
- claude writes the fix. you just read.
- the fix lands as a pr. one click, in.
- every commit reviewed. you sleep, it scans.
- every pr commented before anyone opens it.
- your last 100 commits, gone through one by one.
- the library about to blow up, flagged today.
- user data, traced to where it ends up.
- questions at 3am, ai answers right away.
- leave whenever. no contract, no drama.
The free options scan code.
This one scans how you got hacked.
Side-by-side feature snapshot — based on each tool's documented capabilities at the time of writing. We didn't list prices because they change; we listed what's in the box.
| feature | vceye plan | snyk code (free) | semgrep oss |
|---|---|---|---|
OWASP Top 10 2025 — every category Semgrep OSS covers most via community rules; coverage depends on the rule pack you load. | |||
OWASP LLM Top 10 — built-in patterns Prompt injection, context leakage, MCP tool poisoning, AI output rendered as HTML, AI cost/DoS. | |||
Supabase RLS — policies & service-role audit | |||
Generator-aware patterns (Lovable, v0, Bolt, Cursor, Claude Code) Patterns specific to the broken defaults each agent leaves behind. | |||
Auto-fix delivered as a Pull Request — one click Snyk has fix PRs on dependency upgrades; PR-based code fixes are paid tier. Semgrep prints diffs locally. | |||
AI Concierge for product questions | |||
Free scan from a URL — no signup, no card Snyk free needs a GitHub account. Semgrep needs a CLI install on your machine. | |||
EU DPA (SCCs Module 2) ready |
Snapshot: 2026-04. We re-check this table each quarter. If a row gets stale, mail hello@vibecodingeye.com and we'll fix it. Logos are trademarks of their respective owners.
questions
what founders
ask first.
Claude Code wrote it and I never read it. Do you really know what breaks in these agents?+−
Yes. We've looked inside 100+ apps. Claude Code, Codex, Cursor agent mode, Aider. Every agent has its default patterns and its default footguns. How do you know? By looking. One by one. The scanner knows them one by one. There you go.
Will you judge my code?+−
No. Look. Vibe-coded apps ship fast and fix later. That's the deal. The kind that looks down on you because "you should've known" — not our crowd. Our job is to tell you what's dangerous now. Plain language. No theatre.
Can't I just run Snyk or GitHub Dependabot?+−
Look. In a public benchmark against Semgrep OSS, on vercel/ai-chatbot, we found 21. They found zero. Zero, seriously. You can reproduce it yourself. Why does that happen? Well, snyk and dependabot catch dependency cves, and not much more. The open rls, the api key in the client, the unsigned webhook, the prompt injection — they don't see it. That's where we live. Are we agreed? We are.
What if I don't have a real engineering team?+−
Then you're our exact customer. Every finding comes with file, line, snippet and a diff written by claude. Click apply as pr and review the change. What's cwe-79? Ask the concierge and it answers the way a friend would, not the way an rfc would. You don't need a security background to act. You need a repo and the will to sleep at night.
Is this pentesting?+−
No. Pentesting is a red-team engagement with explicit authorization and deep exploitation. This is production-readiness. The 20-30 patterns that break 70-80% of vibe-coded apps. Backed by 120 real patterns covering 10/10 OWASP Top 10 + 10/10 OWASP LLM Top 10 2025.
Will you sign an NDA?+−
Yes. Standard mutual NDA, we send it. Also we don't store your code. Scans run in memory. Logs are purged in 24h. We never train on your code. Ever.
I fix things and new ones appear. What now?+−
Nothing. Every commit you push gets re-scanned by itself. Every PR you open gets a comment before merge. New findings show up there, before they break anything. Drift is detected on its own as long as your subscription is alive.
How do I cancel?+−
From billing. One click. Stays active until the end of the current period. No questions. No "before you go, look at this". The yearly plan can be refunded pro-rata in the first 14 days.
I need a human to actually fix something. Do you?+−
Not as a standard tier. We kept the product simple on purpose. If you have a specific incident or want a senior to walk you through the report, write us. We figure it out case by case. Sometimes we say no — that with the plan you already have what you need. We're weird like that. A bit illiterate at upselling extras.
Do you actually catch the AI-specific attacks? Prompt injection and that.+−
Yes. 20 patterns dedicated to the llm era. Direct prompt injection. Indirect, via scraped content. System prompt leakage. LangChain CVE-2025-68664 (CVSS 9.3, RCE). MCP tool poisoning from Invariant Labs. RAG poisoning. Slopsquatting of hallucinated packages. Sensitive info disclosure via unscoped agent tools. Misinformation when LLM output flows to DB or payments without verification. Denial of wallet on llm endpoints without rate-limit. And as of today: agent instruction file poisoning. If someone slips <IMPORTANT> into your .cursorrules or invisible characters into your CLAUDE.md, we see it. Nobody else covers that category. We invented it while we wait for owasp to add it. We cover 10 out of 10 in OWASP LLM Top 10 2025. The whole house.
you saw what it does.
now show us yours.
where Semgrep finds 0, we find 21. vercel/ai-chatbot. reproducible.
60 seconds. no card. no signup. 124 patterns. owasp top 10 + llm top 10 covered. €59/month the day you want the fixes. or not. you'll keep vibe-coding either way, but you'll know what's breathing in there.