Vibehacker is an autonomous AI red team that continuously probes your website the way a real attacker would. Dozens of AI agents map your application, look for weak spots, and attempt to exploit them, then verify every finding to eliminate false positives.

How is it different from a traditional vulnerability scanner?

Traditional scanners match known CVE signatures and produce noisy reports full of false positives. Vibehacker's agents reason about your specific application, reproduce each finding, and only report verified, exploitable issues.

Do I need security expertise to use it?

No. Vibehacker is designed for product teams without a dedicated security team. You get a plain-English report of what's actually broken, with reproduction steps.

How much does it cost?

The first scan is free (Proof of Value tier). Continuous always-on protection starts at $50/user/month billed annually, 10-user minimum. Enterprise self-hosted pricing is custom.

Can I try it on my own website?

Yes. The first scan is free. Book a demo and we will run it on your site during the 30-minute call.

What types of applications does Vibehacker work on?

Any web application reachable over HTTP or HTTPS. Single-page apps, REST APIs, GraphQL endpoints, server-rendered sites, dashboards, and internal tools all work. Both public and authenticated apps.

Does it work on sites that require login?

Yes. Provide a test account and the swarm uses it like a real user, including stateful session testing that signature-based scanners cannot do. IDOR and privilege-escalation checks require this.

How long does a scan take?

A typical mid-complexity web app finishes in 15 minutes to 2 hours. Findings stream in as they are verified, so you do not have to wait for the whole scan to see the first results.

What kinds of vulnerabilities does it find?

OWASP Top 10 categories at minimum: SQL injection, command injection, broken access control (IDOR, privilege escalation), authentication flaws, SSRF, XSS, insecure deserialization, and path traversal. Plus chained attacks across multiple endpoints that scanners almost always miss.

Am I allowed to scan my own site?

Yes. You can authorize security testing against systems you own or manage. Vibehacker requires you to confirm authorization before every scan and only runs against targets you have explicitly designated.

How does it compare to a manual penetration test?

Manual pentests dig deeper into high-value targets but cost $10k to $50k and happen once or twice a year. Vibehacker runs continuously, catches most of what a mid-level pentester would find, and costs a fraction. The two work well together: Vibehacker for coverage, human pentesters for strategic engagements.

Is there a false positive problem?

Every finding is independently reproduced by a verification agent before it reaches your report. Findings that cannot be reproduced are discarded. In practice, near-zero false positives. What you see is real and exploitable.

What happens to my scan data?

Scan outputs and findings are stored encrypted on our EU-region infrastructure and are only accessible to your account. You can delete everything at any time from the dashboard, and nothing is retained after account deletion.

Can Vibehacker be self-hosted?

Yes, on the Enterprise tier. Self-hosted deployments run entirely on your own infrastructure with no scan data leaving your environment. Useful for regulated industries and air-gapped setups.

23 April 2026 · 3 min read · 593 words

We placed 2nd on BountyBench running fully blackbox

Vibehacker scored $1,830 on BountyBench and landed 2nd place. We ran without hints, narrowed scope, or guided walkthroughs. Here's why the constraint matters.

by Sten Henriksson

TL;DR

Vibehacker placed 2nd on BountyBench, a benchmark that grades AI agents on real bug-bounty scenarios.

Score: $1,830. We ran fully blackbox. No hints, no narrowed scope, no guided walkthroughs.

Most entries on the leaderboard use the benchmark's hint tiers. Second place without them is a different result than second place with them.

Most security benchmarks for AI agents let you peek at some version of the answer key. Generic bug category. Specific technique. Sometimes a full walkthrough. The scores people post are usually scores with training wheels.

I wanted to know what Vibehacker could do without any. So we ran BountyBench on hard mode and hit 2nd place with $1,830.

One thing before anyone gets the wrong idea: $1,830 is a benchmark score, not money we collected. Those bounties were paid to the original researchers who disclosed each bug. The benchmark mirrors the same dollar values so an agent's performance can be compared against what a human got paid for equivalent work.

How BountyBench grades you

BountyBench puts AI agents into real bug-bounty scenarios: real vulnerable applications, graded on whether the agent finds the planted bug and writes a working exploit. Each target has a bounty value attached. Your total is the sum of what you actually pull off.

It also offers optional hint tiers per target. Generic category of bug. Specific technique needed. Step-by-step walkthrough. Hints are how most entries on the leaderboard get the scores they post.

We did not use any of them.

Vibehacker ran the same way it runs against a real target. No hints, no narrowed scope, no handholding. Just the endpoint and a test account.

That's the mode that matches what a real attacker has. It's also the mode that tells you whether an agent can find bugs on its own, or whether it's pattern-matching on hint text.

Run mode	What the agent gets	Where most entries sit
Maximum hints	Category + technique + walkthrough	Most of the leaderboard
Partial hints	Category only	Some
Blackbox	Endpoint + test account, nothing else	Vibehacker, $1,830, 2nd place

Why the blackbox number is the one that matters

If you are evaluating an automated security tool for your production app, "scored 85% with maximum hints" is close to useless information. Your app does not ship with hints. The benchmark number only transfers to reality if the agent got its result under the same constraints a real attacker has.

Second place with the hint system stripped feels better to me than first place with it turned on.

So we ran blackbox. I would rather post the honest number.

How we got there — coming next week

2nd place on a benchmark designed to grade AI agents on real bug hunting is not something you get with a good prompt and a fast model. The swarm had to be taught. Or more precisely, it had to teach itself.

Next week I'll walk through how. The self-healing, self-improving loop behind Vibehacker. How the agents flag their own failures, rewrite their own playbooks, and quietly get better at attack classes they've never seen, all without a human writing the fix each time. Going under the hood, with the lab results that made me trust the thing enough to push it onto a public benchmark.

If you want to see what Vibehacker finds on your own site in the meantime, book a demo. First scan is free.