We Red-Teamed AI-Built MVPs. Here's What Broke.

We set out to answer one question: how bad is it, really?

Everyone agrees AI-built products "have security issues." Vague. So we ran a focused red-team exercise against a set of real AI-built MVPs — products shipped fast, mostly by autopilot, the kind of thing raising a seed round today. We attacked them the way an actual adversary would.

We're not naming names, and we're generalizing the details. But the patterns are worth your time, because if you shipped with AI, you almost certainly have at least one of these.

The Method

Nothing exotic. We did what an attacker with a free afternoon and a browser does:

• Made an account, then poked at every ID, every endpoint, every parameter.
• Read the client bundle and the network tab.
• Pointed the AI features at inputs they weren't expecting.
• Then turned up the concurrency and watched what fell over.

No zero-days. No nation-state budget. Just curiosity and the willingness to send a request the app didn't anticipate.

That's the threat. Not movie hackers — a bored person with the dev tools open.

What Broke

1. Auth bypass / IDOR — found it almost everywhere

The headline finding. Change /api/invoice/1041 to /api/invoice/1040 and you're reading someone else's invoice. The app checked that you were logged in; it never checked that the record was yours. On one product we walked the entire user table this way. This is the most common serious bug in AI-built software, full stop.

2. Secrets sitting in the open

Live API keys in the JavaScript bundle. A cloud storage key with write access shipped to the browser. A .env with production database credentials committed in the first week and never rotated. Anyone who opened the network tab had the keys to the kingdom.

3. SSRF — the server fetching whatever you tell it to

A "fetch preview from URL" feature that would happily request any URL you gave it — including internal cloud metadata endpoints. That's a straight line to stealing the server's cloud credentials. The AI built the feature exactly as asked. Nobody told it the URL was hostile.

4. Prompt injection straight into tool-calling agents

The most modern, most underestimated finding. An AI support agent that could look up orders and issue refunds — and would take instructions from the content of a support ticket. Paste the right text into the message field and the agent issues itself a refund, or dumps another customer's order history. The user input was untrusted; the agent treated it as a command.

5. Money bugs under concurrency

Fire the "redeem credit" endpoint a hundred times in parallel and the balance goes negative. Two requests read the same value, both pass the check, both write. In a demo you'd never see it. With real users — or anyone who knows how to hold the button — it's a direct loss. High-performance code that wasn't designed for concurrency is a vulnerability, not just a bug.

6. No rate limits — cost and downtime as an attack

Unmetered endpoints calling paid APIs (including LLMs). A single script could run up a four-figure bill overnight or simply take the service down. The endpoints worked beautifully one request at a time, which is the only way they were ever tested.

The Common Thread

Every one of these has the same root cause: AI optimizes for the path you showed it.

You asked for "let users see their invoices," so it built the read. You didn't say "and stop them from seeing everyone else's," so it didn't. The happy path is flawless. The adversarial path was never considered, because considering the adversary is a different job — and it's the job autopilot skips.

This isn't an argument against building with AI. We build with AI every day. It's an argument for a human who thinks like an attacker reading the result before your users do.

The Fix Playbook

If you do nothing else, do these, roughly in order:

1. Authorization on every object. Every read and write checks "does this user own this?" — not just "is this user logged in?" This kills the IDOR class.
2. Get secrets out of the client and rotate them. Nothing sensitive in the bundle. Anything that has ever been committed is burned — rotate it.
3. Treat all user input as hostile — including input to your AI. Validate, sanitize, and never let untrusted text become an instruction or an action without a guardrail.
4. Allowlist outbound requests. If the server fetches a URL, constrain where it can go. Block internal ranges and metadata endpoints.
5. Make concurrent operations atomic. Anything touching money or counters needs proper locking or atomic database operations — designed for the hot path, not bolted on.
6. Rate-limit everything, especially anything that costs money. Per-user and global. This is your circuit breaker against both abuse and runaway bills.
7. Re-test under adversarial load. Fixing it in code isn't done. Done is proving it holds when someone attacks it.

This Is the Work We Do

Reading the happy path is what AI is great at. Reading the adversarial path — the IDOR, the injected agent, the race under load — is what we're great at, and it's getting more valuable by the day as more code ships on autopilot.

We red-team and harden high-performance and AI-built systems: we find what an attacker would find, prove it, fix it, and verify the fix holds.

Book 20 minutes with us. Tell us what you shipped. We'll tell you, honestly, where we'd start.

Better us than them.

---

Previously: The Autopilot Trap — why AI-generated code fails security review.