Kosuke for Pentesting

Free pentest. Pay only to unlock the report.

8 out of 10 startups have critical or high vulnerabilities exposed. We run a real authorized pentest against your web app at no cost and share how many critical, high, and medium issues we found. If you want the full details and fix instructions, unlock the report at the price set upfront in the authorization you sign. Price depends on your company size and industry. No surprise invoice.

Four steps. No procurement. No quarterly waits.

From the moment you join the waitlist to a written report in your inbox: roughly 7 to 14 days, end to end.

Step 01 · 30 seconds

Join the waitlist

Name, work email, company URL, role. Takes 30 seconds.

Step 02 · 15-min call
Verified: acme.com
In scope: app.acme.com
Out of scope: billing/*
Test window: 14 days

Scope on a call

Confirm domain ownership, agree on scope, pick a 14-day window.

Step 03 · ~5 min
Authorization v1.0
Unlock price: € agreed
Signed: J. Doe

Sign the authorization

One page, DocuSign, Delaware-governed. Your unlock price is in it, set before we run.

Step 04 · Free + unlock
Severity counts (free): Critical 0 · High 2 · Medium 3
Full report: unlock · price in contract

Free counts. Optional unlock.

You see the severity counts for free. Unlock the report only if you want the details.

Free pentest. Paid report. Price set upfront.

The pentest is free. You always see how many critical, high, and medium issues we found. The full report, with what they are, where they are, and how to fix them, is paid. Your unlock price depends on your company size and industry, and is written into the authorization before we run anything. No surprise invoice, no renegotiation after we find vulnerabilities.

What you see (free)

Severity counts: Critical 0 · High 2 · Medium 3

Total findings by severity. Always free. No catch, no upsell pressure.

What you unlock (paid)

Full report:

  • Vulnerability name & location
  • Proof of concept + reproduction steps
  • CVSS 4.0 score and CWE tagging
  • Concrete fix instructions
  • SOC 2 CC7.x evidence

Price depends on your company size and industry. Written into your authorization before we run anything.

When you unlock, a report your team can act on.

Not a 60-page consulting deliverable. Every row is scored, reproducible, and ships with a concrete fix. Audit-ready for SOC 2 CC7.x. Routes into Linear, Jira, or GitHub Issues without rewriting. If you want to check the full report, download a sample (PDF).

High · Stored XSS in user profile bio · CVSS 8.1
Endpoint: PATCH /api/users/me
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L
CWE: CWE-79
Description

The bio field on /api/users/me persists user-supplied HTML without sanitisation. The markup renders raw on the public profile route at /u/:handle.

Impact

Any authenticated attacker can plant a payload in their own bio that fires on every visit, including unauthenticated visitors. With a shareable profile URL, this enables one-click session theft and account takeover.

Evidence · proof of concept

```shell
# reproduce
$ curl -X PATCH https://app.acme.com/api/users/me \
    -H "Authorization: Bearer $TOKEN" \
    -d '{"bio": "<img src=x onerror=fetch(/leak?c=${document.cookie})>"}'
→ HTTP 200 · bio updated
→ payload fires on /u/jane · verified 14:08 UTC
```
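The finding above is a profile bio stored and then rendered as raw HTML. The following is an added illustration, not Kosuke's code and not the report's remediation: it places the vulnerable render next to a hardened one that entity-encodes on output, which is the simplest fix when bios need no markup (the report's own remediation instead sanitizes against a tag allowlist on write). The function names, the `looksLikeActiveMarkup` test helper and the sample bio are assumptions constructed for the example.

```javascript
// Added example (not Kosuke's code): vulnerable vs. hardened rendering of a user-supplied bio.
// Names (renderProfileBio*, looksLikeActiveMarkup) and the sample bio are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of text or attribute context in HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable render: whatever was stored via PATCH /api/users/me lands in the page unchanged,
// so a bio containing markup is executed by every visitor's browser (stored XSS, CWE-79).
function renderProfileBioUnsafe(bio) {
  return `<p class="bio">${bio}</p>`;
}

// Hardened render: the same bio is encoded first, so markup is displayed as text, not parsed.
function renderProfileBioEscaped(bio) {
  return `<p class="bio">${escapeHtml(bio)}</p>`;
}

// Coarse oracle used only to show the difference between the two renders: does the output
// contain a tag type that can execute script, or any tag carrying an on* event-handler
// attribute? It is a test helper, not a sanitizer; a regex like this is not a defence.
const ACTIVE_MARKUP = /<\s*(script|img|svg|iframe|object|embed)\b|<\s*\w+[^>]*\bon\w+\s*=/i;
function looksLikeActiveMarkup(html) {
  return ACTIVE_MARKUP.test(html);
}

// Constructed sample bio: a textbook event-handler payload of the kind the PoC above uses.
const SAMPLE_BIO = "Hi, I'm Jane <img src=x onerror=alert(1)>";

console.log('unsafe :', renderProfileBioUnsafe(SAMPLE_BIO));
console.log('escaped:', renderProfileBioEscaped(SAMPLE_BIO));
```

Encoding at the render site also covers bios that were stored before a fix shipped, which a write-time sanitizer alone does not; where profiles must keep limited markup (the `b`, `i`, `a` tags in the remediation), a maintained allowlist sanitizer is the right tool and the output-encoding path should remain for every other field.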
Remediation
app/api/users/route.ts
- bio: body.bio,
+ bio: sanitizeHtml(body.bio, {
+  allowedTags: ['b', 'i', 'a'],
+ }),
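Review bot: the hunk sanitizes the bio at write time in the PATCH handler, so bios stored before this change still render raw on /u/:handle; the remediation should also cover existing rows (a one-off re-sanitization) or encode at the render site. Second, `allowedTags: ['b', 'i', 'a']` appears with no attribute policy in the visible lines; since `a` is kept, state which attributes and URL schemes remain permitted on it, otherwise a reader of the report cannot confirm the fix closes link-based variants of CWE-79.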

We can be your SOC 2 pentest auditor.

Auditors don't accept “we ran a scanner” as evidence. The Kosuke deliverable drops straight into your SOC 2 Type II workpapers. Mapped to CC4.1, CC7.1, and CC7.4, scored under CVSS 4.0, framework-anchored to OWASP WSTG v4.2, and re-tested by us after you patch. Want to see the exact format your auditor will receive? Download the SOC 2 sample report (PDF).

Section 7
Finding F-04 · CVSS 6.4
Medium · Stored XSS in support comments
Endpoint: POST /api/tickets/:id/comments
Tags: CC4.1 · CC7.1 · CC7.4 · CWE-79 · WSTG-INPV-02

Mapped to SOC 2 controls

Every finding tagged with the control it supports: CC4.1, CC7.1, CC7.4. Your auditor reads across the row, not back and forth.

Section 4
OWASP WSTG v4.2 · coverage 82 / 96

  INPV  15/18   83%
  ATHN   9/11   82%
  ATHZ   5/5   100%
  CONF   8/10   80%
  SESS   6/8    75%

OWASP WSTG v4.2, anchored

Per-category coverage matrix plus a per-test-case appendix listing the pipeline step that satisfied each WSTG ID.

Re-test workflow
Finding F-01 · lifecycle · SQLi · /api/orders
Open: customer ships patch · May 23
Fixed?: Kosuke re-runs PoC · May 28
✓ Verified: PoC no longer reproduces · Jun 01

Re-tested by us, not by you

We re-run the original PoC after you patch. The verified-date is written only when the exploit no longer reproduces.

Section 9
Attestation · § 9 · Confidential
Report ID: KOS-2026-0523-001
SHA-256: 8f3a2b1c·d4e5f6a7·9b0c1d2e·3f4a5b6c
Signed: Kosuke · v1.0 · 2026-05-23
Verify: kosuke.ai/verify/KOS-2026-0523-001

Signed, hashed, retained

Unique report ID, Statement of Independence, SHA-256 hash, and a public verify URL. Raw evidence retained for 12 months, available to your auditor on written request.

You own the asset. You authorize the testing.

Same legal posture every pentest firm uses, from Bishop Fox to Cobalt. Well-precedented for 20+ years. We run as your authorized agent, against assets you control, under a written agreement that names exactly what is in scope.

Domain ownership, verified first

Before any active testing, you publish a DNS TXT record or a /.well-known token. We do not run the agent against domains you cannot prove control of.

```shell
$ dig TXT acme.com
acme.com.  IN  TXT  "kosuke-auth=ok"
```
Status: verified
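As an added illustration, not Kosuke's tooling, this is the check a verifier would run over the answer to that lookup, for both proofs the page names (a DNS TXT record or a /.well-known token). The TXT key `kosuke-auth` is taken from the page; the per-engagement token value, the `/.well-known/kosuke-auth.txt` path and every function name are assumptions, and the sample TXT answer is constructed.

```javascript
// Added example (not Kosuke's code): domain-ownership check that gates active testing.
// TXT key "kosuke-auth" is from the page; token value, well-known path and names are assumed.

const TXT_KEY = 'kosuke-auth';
const WELL_KNOWN_PATH = '/.well-known/kosuke-auth.txt'; // assumed path

// Node's dns.promises.resolveTxt() answers with string[][]: one array of chunks per TXT record
// (a record longer than 255 bytes arrives split), so chunks are joined before parsing.
function extractTokens(txtRecords, key = TXT_KEY) {
  return txtRecords
    .map((chunks) => chunks.join('').trim())
    .filter((record) => record.startsWith(`${key}=`))
    .map((record) => record.slice(key.length + 1));
}

// Valid only if some record carries exactly the token issued for this engagement. Unrelated
// TXT records (SPF, other site verifications) and stale tokens from earlier engagements do
// not count, and a value that is merely a prefix of the expected token is rejected.
function dnsProofIsValid(txtRecords, expectedToken) {
  return extractTokens(txtRecords).includes(expectedToken);
}

// /.well-known variant: the fetched body must be the token and nothing else (whitespace aside),
// so an HTML page that happens to echo the token does not pass.
function wellKnownProofIsValid(body, expectedToken) {
  return typeof body === 'string' && body.trim() === expectedToken;
}

function wellKnownUrl(domain) {
  return `https://${domain}${WELL_KNOWN_PATH}`;
}

// Live lookup (needs network; not exercised offline): resolve, then apply the same rule.
async function verifyDomainViaDns(domain, expectedToken) {
  const { promises: dns } = await import('node:dns');
  const records = await dns.resolveTxt(domain);
  return dnsProofIsValid(records, expectedToken);
}

// Constructed sample answer in resolveTxt() shape: an SPF record, a stale token from an
// earlier engagement, and the current token split across two chunks.
const SAMPLE_TOKEN = '7c1f9e2a4b6d8f03';
const SAMPLE_TXT = [
  ['v=spf1 include:_spf.example.net ~all'],
  ['kosuke-auth=0a0a0a0a0a0a0a0a'],
  ['kosuke-auth=7c1f9e', '2a4b6d8f03'],
];

console.log('dns proof valid:', dnsProofIsValid(SAMPLE_TXT, SAMPLE_TOKEN));
```

The per-engagement token matters: a fixed value such as the `kosuke-auth=ok` shown in the sample output proves only that someone once published the record, not that the party signing this authorization controls the domain today.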
Rate-limited and non-destructive (≤10 rps)

≤10 requests per second per host unless you authorize higher in writing. No mass account creation, no payment-flow exploitation, no data deletion, no DoS.

Encrypted, then deleted

PoCs use synthetic payloads wherever possible. Engagement artifacts are encrypted at rest (AES-256) and deleted within 30 days of report delivery.

Request a free pentest.

We will reply within 24h with a proposal that includes your exact unlock price for the full report. Then a 15-minute scoping call. No procurement. No NDA before the call. No pricing pressure.

  • Pentest is free. Severity counts are free. Report is paid. Price set upfront in the authorization.
  • Domain ownership verification before any active testing.
  • Report ready for SOC 2 CC7.x evidence.

Common Questions

  1. How long does the engagement take?
  2. What if you don't find anything?
  3. What if you do find something?
  4. How is the unlock price set?
  5. Is this actually legal?
  6. Do you store our data?

Sister project

Strike. The startup security posture directory.

A public, searchable, neutral directory of startup security posture. Browse by industry, country, stage, investor, or tech stack.