Paste a URL. Get a security grade.
Free public scanner for AI-built web apps. Built for projects deployed from Lovable, Bolt, v0, Cursor, Replit, or Claude Code — but works on anything public. Takes about 30 seconds.
Here's what a scorecard looks like.
Below is the live scan of lictorai.com itself. We scan ourselves first, publicly. Our findings are public. That's the contract.
How it works.
You paste a URL.
Any public web app. No login, no GitHub install, no signup.
A Cloudflare Worker scans it.
Our 7-check Rust engine, compiled to WebAssembly, runs against your URL in about 30 seconds. It's the same engine that runs in /lictor-security-check and the Shield browser extension.
You get a letter grade.
A through F. Plus the 5 worst findings in plain English, with a 5-minute fix for each. Shareable. Re-runnable as you fix.
What we do with your scan.
- We never store your URL or scorecard publicly without your consent. Your scan is yours.
- We store one anonymous fingerprint per scan — a hash of (check + severity + platform) with no URL, no app name, no PII. This builds the public dataset on how AI assistants get security wrong.
- Patrol — our continuous scanner — respects a 30-day private-disclosure window for individual founders and 90 days for companies. Methodology →
- One-click opt-out at lictorai.com/scan/<hash>/remove — Meerkat processes within 24 hours.
- Zero telemetry, ever. The CLI version is also free and runs entirely offline.
It's free. Forever.
Lictor's core is open source under Apache 2.0. The scanner runs on Cloudflare Workers ($30/month at our projected volumes) and a domain (one-time). The audit corpus, the public scorecards, the leaderboard — all free.
If Lictor helps you ship a safer app, the world treats you back the same:
For commercial use with continuous monitoring + Slack alerts + audit log export, Lictor for Teams is $19/month flat, unlimited seats. No per-seat pricing, ever. (Learn more on the home page.)