The State of Vibe-Coded Web Security
What 827 production websites reveal about AI-built code
UNPWNED continuously scans production websites and classifies each one as AI-built, modern stack, or traditional. This page aggregates the results: one row per domain, latest scan only, continuously updated. No individual site is ever identified.
The Average Hides the Damage
On average security scores, AI-built sites look almost identical to traditional ones (71.3 vs 71.6). The difference is in the tail: AI-built sites fail catastrophically far more often. Same average, very different worst case.
| Stack | Sites | Avg Score | Exposing Secrets | With Critical | No CSP |
|---|---|---|---|---|---|
| AI-Built (Lovable, Base44, Bolt, V0) | 100 | 71.3 | 18% | 15% | 87% |
| Modern Stack (Next.js, React, Vercel, Netlify) | 190 | 77.2 | 12.1% | 12.6% | 61.6% |
| Traditional (WordPress, PHP, Magento) | 208 | 71.6 | 4.8% | 5.3% | 67.3% |
Which Platforms We Detect in the Wild
Detected via deterministic fingerprints (hostname patterns and HTML/header markers), never self-reported. Platforms with fewer than 5 detected sites are not shown.
Security Score Distribution
All 827 sites in the research population, scored 0 (worst) to 100 (best).
The Gaps Are Everywhere
Methodology
Population: One row per domain: only the most recent completed scan of each site counts, so rescans never inflate a statistic. Demo and internal test scans are excluded. Current population: 827 distinct production websites across 1,710 scans.
Classification: AI-Built means a specific builder was detected by deterministic fingerprints: hostname patterns (highest confidence) or HTML and response-header markers that survive custom domains. Modern Stack covers JS-era frameworks and hosting (Next.js, React, Vite, Vercel, Netlify) that could be either AI-assisted or hand-built. Traditional covers established platforms (WordPress, PHP, Magento, classic web servers). Sites with no reliable signal are excluded from comparisons rather than guessed.
Privacy: Aggregates only. No domain names, scores, or findings of individual sites are ever published. Comparison groups under 30 sites and platforms under 5 detections are hidden. Site owners can opt out of aggregate telemetry entirely.
Freshness: Numbers are recomputed from the live dataset and cached for one hour. Last generated: 2026-07-04. As the dataset grows, the numbers on this page update automatically.
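The population and privacy rules above, written out as an added example (this is not UNPWNED's code). The record fields (`domain`, `stack`, `score`, `finished`, `status`, `demo`, `secrets`, `critical`, `no_csp`) and all sample data are assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime
MIN_GROUP = 30  # comparison groups under 30 sites are hidden

def latest_per_domain(scans):
    """Most recent completed, non-demo scan of each domain."""
    latest = {}
    for s in scans:
        if s["status"] != "completed" or s["demo"]:
            continue
        cur = latest.get(s["domain"])
        if cur is None or s["finished"] > cur["finished"]:
            latest[s["domain"]] = s
    return latest

def aggregate(scans, min_group=MIN_GROUP):
    """Per-stack aggregates; small groups and unclassified sites are left out."""
    groups = defaultdict(list)
    for s in latest_per_domain(scans).values():
        if s["stack"] is not None:  # no reliable signal: excluded, not guessed
            groups[s["stack"]].append(s)
    out = {}
    for stack, rows in groups.items():
        n = len(rows)
        if n < min_group:
            continue  # suppressed rather than published
        def pct(key):
            return round(100 * sum(1 for r in rows if r[key]) / n, 1)
        out[stack] = {"sites": n,
                      "avg_score": round(sum(r["score"] for r in rows) / n, 1),
                      "exposing_secrets_pct": pct("secrets"),
                      "with_critical_pct": pct("critical"),
                      "no_csp_pct": pct("no_csp")}
    return out

def make_scan(domain, stack, score, day, **flags):
    """Constructed sample record; every field name here is an assumption."""
    rec = {"domain": domain, "stack": stack, "score": score, "status": "completed",
           "finished": datetime(2026, 1, day), "demo": False,
           "secrets": False, "critical": False, "no_csp": False}
    rec.update(flags)
    return rec

# Constructed data: 30 AI-built sites scanned twice, 5 traditional, a demo scan, an unfinished rescan.
SAMPLE = [make_scan(f"ai{i}.example", "ai-built", 40, 1, secrets=True) for i in range(30)]
SAMPLE += [make_scan(f"ai{i}.example", "ai-built", 80, 2, secrets=i < 6, no_csp=i < 27) for i in range(30)]
SAMPLE += [make_scan(f"trad{i}.example", "traditional", 70, 2) for i in range(5)]
SAMPLE += [make_scan("demo.example", "ai-built", 0, 3, demo=True),
           make_scan("ai0.example", "ai-built", 0, 3, status="running")]
```

Calling `aggregate(SAMPLE)` returns a single `ai-built` row: the earlier scans, the demo scan and the unfinished rescan do not affect it, and the five-site traditional group is withheld.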
Where Does Your Site Land?
Scan your site and see your score against this dataset. No signup, 60 seconds.
Building With AI?
The security checklist for vibe coders: ship fast without shipping your API keys.