LaunchGuard docs

Everything you need to know about how LaunchGuard works, what it catches, and how to get the most out of it. We scan from the outside, nothing to install, no code access required.

What LaunchGuard does

The one-sentence version, then the details

We attack your live app from the outside the way a real hacker would, find what is actually reachable, and hand you the exact fix. You type a URL. We do the rest.

AI-assisted tools (Cursor, Lovable, Claude Code) are excellent at shipping working apps fast. They are less reliable at verifying security from the outside. An RLS policy might look correct in the code but fail when an anonymous user hits the endpoint directly. The only way to know is to test from the outside. That is what LaunchGuard does.

Three scanning engines run together: the endpoint scanner maps every externally-reachable API route, the Supabase scanner probes every surface behind your anon key, and the Firebase scanner does the same for Firebase projects. Results stream live while the scan runs.

No code access, ever. We work entirely from the outside, with nothing but what is already public. Same tools a real attacker has. No key, no account, no integration required.

How a scan works

Three phases, about 60 seconds

01

Exploring

We crawl your app, parse JS bundles for API routes, enumerate subdomains, probe for OpenAPI specs, and detect your tech stack. No guessing; we build a real map of what is reachable.

02

Analysis

We probe each surface with the credentials that are already public (your Supabase anon key, for example). Tables are tested for SELECT, INSERT, UPDATE, and DELETE. Write probes use rollback so nothing persists. The endpoint scanner uses LLM analysis to estimate cost-per-request and identify unprotected expensive operations.

03

Findings

Tests come back as Protected (locked) or Exploitable (a stranger can do it right now). Every exploitable result has evidence: the exact request, the response, the row count, the method. Pro adds AI-written fix prompts ready to paste into Cursor or Claude Code.

For a deeper look at scan depth and the authenticated testing tier, read the how scanning works page.

The free tools

Standalone scanners, no account required

Four interactive tools you can run right now on any URL. Each one focuses on a specific slice of your app surface.

Supabase Scanner

Finds your Supabase project from client JS, extracts the anon key, and probes every table, RPC, edge function, and storage bucket. Live re-probing with custom payloads included.

Open Supabase Scanner

Firebase Scanner

Tests Firestore, Realtime Database, Storage, and Cloud Functions for unauthenticated read/write access. Enumerates auth providers and checks hosting configuration.

Open Firebase Scanner

Leak Radar

Scans your JS bundles and HTML with Trufflehog-style patterns for API keys, service role JWTs, Stripe secrets, and other credentials that should never reach the browser.

Open Leak Radar
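A minimal version of the service-role check Leak Radar describes, added here as an example (not LaunchGuard's own code): it decodes every JWT found in a JS bundle, flags the ones whose role claim is service_role while leaving the expected anon key alone, and also catches a Stripe live secret prefix. The sample bundle and its tokens are constructed, and the regexes are mine, not Leak Radar's pattern set.

```python
"""Pre-deploy check for credentials that must never reach the browser.

Added example, not LaunchGuard's Leak Radar. Covers the two cases the docs
name: a Supabase service_role JWT and a Stripe live secret key shipped in a
JS bundle. The anon key is expected in client JS and is deliberately kept.
"""
import base64
import json
import re
from typing import List, Tuple

# A JWT is three base64url segments; Supabase keys are ordinary HS256 JWTs,
# and base64url of '{"' is always 'eyJ'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
STRIPE_SECRET_RE = re.compile(r"\bsk_live_[A-Za-z0-9]{16,}\b")

def jwt_role(token: str) -> str:
    """Decode the (unverified) payload and return its 'role' claim, '' if absent."""
    parts = token.split(".")
    if len(parts) != 3:
        return ""
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return ""
    return str(claims.get("role", "")) if isinstance(claims, dict) else ""

def scan_bundle(js: str) -> List[Tuple[str, str]]:
    """Return (kind, redacted_value) for each secret that should not be client-side."""
    findings = []
    for m in JWT_RE.finditer(js):
        if jwt_role(m.group()) == "service_role":
            findings.append(("supabase_service_role_jwt", m.group()[:12] + "..."))
    for m in STRIPE_SECRET_RE.finditer(js):
        findings.append(("stripe_live_secret", m.group()[:12] + "..."))
    return findings

def _fake_supabase_jwt(role: str) -> str:
    """Constructed token with a dummy signature, for the sample bundle only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "HS256", "typ": "JWT"}),
                     seg({"iss": "supabase", "ref": "constructedref", "role": role}),
                     "c2lnbmF0dXJl"])

SAMPLE_BUNDLE = (  # constructed: what a bundler emits after inlining env vars
    'const supabase = createClient("https://constructedref.supabase.co","'
    + _fake_supabase_jwt("anon") + '");\n'
    'const admin = createClient("https://constructedref.supabase.co","'
    + _fake_supabase_jwt("service_role") + '");\n'
    'const stripe = Stripe("sk_live_CONSTRUCTEDexample0000001");\n'
)

if __name__ == "__main__":
    for kind, value in scan_bundle(SAMPLE_BUNDLE):
        print(kind, value)
```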

Ship Score

A single security-readiness score across all surfaces. Good for a quick pre-launch check: run it, see the posture, then drill into any flagged areas with the specific scanners.

Open Ship Score

What we catch

Six categories of risk, all testable from the outside

Exposed databases

Tables readable or writable with no auth. Supabase and Firebase, every surface.

Leaked secrets

Service role keys, Stripe secrets, or any credential that landed in client JS.

Paywall bypass

API endpoints that trigger Pro features or paid resources without a valid subscription check.

Cross-user leaks

One user reading another user's rows. Broken RLS policies, IDOR. Pro-tier deep scan.

Cost abuse

Unprotected endpoints that trigger LLM calls, email sends, or other expensive operations at will.

Broken access

Routes that respond without authentication. Open RPCs, callable edge functions, public storage.

Monitoring

Free with any account

Every time you deploy, Guard re-runs the scan and emails you the second something new becomes exploitable. It works by fingerprinting your app and re-checking when the fingerprint changes. No schedule to set up, no agent to run, no integration required.

Monitoring is free with any account. Make a free account and it turns on. You will never ship a fresh hole without hearing about it.

Pro users get deeper AI verification on each re-scan: full evidence, fix prompts, and attack chain analysis on any new findings that appear.

Custom tests

Pro only

Your app has bugs no generic scanner can guess: a race condition in your checkout, a weird auth flow in your invite system. With Pro, your Claude Code writes tests for exactly those, and Guard re-runs them on every deploy.

The workflow: describe the edge case in plain English, Claude Code generates a test definition, you paste it in. Guard runs it from the outside on every scan, the same as any built-in test. Results show up in your Tests list alongside everything else.

Custom tests require a Pro subscription (29€/mo). Start with a free account to get monitoring, then upgrade when you are ready to write your own tests.

Plans

Free forever vs Pro at 29€/mo. No free trial.

Free

$0

Full scan, full results, no credit card.

  • Full external scan (endpoint + Supabase + Firebase)
  • All tests + evidence (summary)
  • Shareable security report
  • Monitoring (requires free account)
  • Leaked-secret detection

Pro

29€/mo

For when you want us behind the login, chaining attacks, and writing the fixes.

  • Everything in Free
  • AI-written fix prompts (paste into Cursor or Claude Code)
  • Full evidence (response bodies, data samples, full keys)
  • Authenticated / deep scan (testing behind login)
  • IDOR / cross-user testing
  • Attack chain analysis
  • Custom tests (your Claude Code writes them)
  • Unlimited scans

No free trial. Free is a permanent tier. Pro is 29€/mo, cancel any time. See the pricing page for full details.

Privacy and how we work

We only touch what is already public

We work entirely from the outside, with nothing but what is already public. Same tools a real attacker has. No key, no account, no access to your codebase, no integration required.

The Supabase scanner extracts your anon key from your own public JS bundle. That key is already visible to any browser loading your app. We use it to probe the same way an unauthenticated visitor would. Write probes send PostgREST's Prefer: tx=rollback header, so the transaction is rolled back and nothing is persisted.
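The anon-key probing and rollback described above, as an added example that is not LaunchGuard's code: a small Python helper that builds the request an anonymous visitor could send against your own project for one operation and turns PostgREST's response into a Protected/Exploitable verdict. It assumes PostgREST under /rest/v1/ (the Supabase default) and that the project's PostgREST is configured to honour the tx=rollback override (db-tx-end set to allow it); the hostname, table, filter and placeholder row body are constructed, and the request is built but never sent here, so the logic runs offline.

```python
"""Check a Supabase project's RLS from the outside, as an anonymous visitor sees it.

Added example, not LaunchGuard's code. Relies only on what the docs state:
PostgREST under /rest/v1/, the public anon key, and Prefer: tx=rollback so no
write probe persists. The HTTP call is left to the caller (requests, curl).
"""
import json
from typing import Dict, Optional

VERBS = {"SELECT": "GET", "INSERT": "POST", "UPDATE": "PATCH", "DELETE": "DELETE"}

def build_probe(project_url: str, anon_key: str, table: str, op: str,
                row_filter: Optional[str] = None) -> Dict:
    """Return the request an unauthenticated visitor could send for one operation.

    row_filter is a PostgREST filter such as "id=eq.<uuid>" and is mandatory for
    UPDATE/DELETE: tx=rollback is only honoured when PostgREST allows the
    override (db-tx-end), so an unfiltered write probe is never built.
    """
    op = op.upper()
    if op in ("UPDATE", "DELETE") and not row_filter:
        raise ValueError(f"{op} probe requires a row_filter")
    url = f"{project_url.rstrip('/')}/rest/v1/{table}"
    headers = {"apikey": anon_key, "Authorization": f"Bearer {anon_key}"}
    body = None
    if op == "SELECT":
        url += "?select=*&limit=1"
    else:
        # Roll the transaction back and echo affected rows so the verdict rests on evidence.
        headers["Prefer"] = "tx=rollback, return=representation"
        headers["Content-Type"] = "application/json"
        if row_filter:
            url += "?" + row_filter
        if op in ("INSERT", "UPDATE"):
            body = json.dumps({"probe": "constructed"})  # placeholder column and value
    return {"method": VERBS[op], "url": url, "headers": headers, "body": body}

def verdict(op: str, status: int, body: str, known_row: bool = False) -> str:
    """Map one PostgREST response to Protected / Exploitable / Inconclusive.

    known_row: the filter targeted a row the SELECT probe had already returned,
    so an empty write result means RLS refused it rather than "nothing matched".
    """
    if status in (401, 403):
        return "Protected"        # grants or RLS (SQLSTATE 42501) refused it outright
    if not 200 <= status < 300:
        return "Inconclusive"     # 404 not exposed, 400 unknown column, 5xx, ...
    try:
        rows = json.loads(body) if body else []
    except ValueError:
        rows = []
    if op.upper() == "INSERT":
        return "Exploitable"      # 201: the row was accepted (then rolled back)
    if rows:
        return "Exploitable"      # data came back: readable, or the write hit rows
    # RLS filters rows silently: empty proves a block only if the row is known to exist.
    return "Protected" if known_row else "Inconclusive"
```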

We do not store raw scan data beyond what is needed to show you your results and power monitoring. We do not sell or share scan data. Read the privacy policy for the full details.

Getting started

First scan in under 60 seconds

01

Paste your URL

Go to launchguard.dev, type or paste your app URL, check the consent box, and hit Scan. No signup.

02

Watch it think

Results stream live as the scan runs. You see the scanner mapping endpoints, probing surfaces, and surfacing findings in real time.

03

Read the report

Tests show as Protected or Exploitable. Each exploitable result has evidence: the exact request, the response, what was reachable. Free users see summary evidence; Pro users see full evidence plus AI fix prompts.

04

Turn on monitoring (free)

Make a free account. Guard starts watching your app for deploys and re-scans automatically. You hear about new findings before your users do.

Developer API

Integrate LaunchGuard into your workflow

The LaunchGuard API lets you trigger scans, register Ongoing Guard monitoring, and ingest attack chains from your own tooling. Use it to wire Guard into your CI/CD pipeline so every deploy is verified automatically, without touching the dashboard.

All /api/v1/* routes require a per-user bearer token starting with lg_. The scan endpoint at /api/scan is public and requires no auth.

Browse the API reference for full endpoint docs, request schemas, and live response examples.

FAQ

Does this test my actual database?

Yes, from the outside. We send real HTTP requests to your PostgREST or Firestore endpoint using the credentials that are already in your public JS. Write probes use rollback so nothing is saved. Read probes are identical to what any visitor could do.

Do I need to install anything?

Nothing. Type a URL on the homepage. The scan runs on our side and results appear in your browser. No SDK, no npm package, no config file.

What is the difference between Free and Pro?

Free shows you what is exposed (all tests, summary evidence, the shareable report, monitoring). Pro adds the tools to fix it: AI-written fix prompts, full evidence, authenticated/IDOR testing, attack chains, and custom tests. No free trial; Free is a permanent tier.

Is monitoring really free?

Yes. Make a free account and monitoring turns on. Guard detects your deploys and re-runs the scan automatically. You get email alerts when something new becomes exploitable. No credit card needed.

Can I test an app I do not own?

No. You need permission to test the app. The consent checkbox on the scan form is there for a reason. Only test apps you own or have written authorization to test.

What does "Exploitable" mean?

A stranger with no account and no credentials can perform the action right now. We do not flag theoretical risks; every Exploitable result has working evidence. Protected means the check ran and the door is locked.

Does the scan catch SQL injection or XSS?

Not currently. LaunchGuard focuses on access control and secret leakage: open databases, misconfigured RLS, leaked credentials, unprotected expensive endpoints. It is not a full vulnerability scanner and does not run SQLi or XSS payloads.

How long does a scan take?

The Supabase and Firebase scanners run in about 30 seconds. The full endpoint scan (with JS parsing, crawling, and LLM analysis) takes 60 to 90 seconds depending on app size. You watch results stream in as they arrive.