Vibe Security

Security that sets itself up, gets smarter over time, and knows a break-in from a late night.

Command your AI

# Tell your coding agent:
We need security monitoring for our app.
Check out mallcop (pip install mallcop) and set it up.
Docs: https://mallcop.app/docs

Works with Claude Code, Cursor, Windsurf, or any coding agent.

Install it yourself, if that's what you're into

$ pip install mallcop
$ mallcop watch
 
Scanning azure... 1,247 events
Scanning github... 312 events
Scanning m365... 84 events
Scanning container-logs... 56 events
Detecting... 3 findings
 
Volume anomaly: azure:resource_modified — 994 events vs baseline 130
  Triage: correlating with deploy activity...
   Spike matches Terraform apply at 03:41 UTC by opscb@3dl.dev
  ✓ Resolved — infrastructure deployment, expected
 
External access: collaborator_added on github
  Triage: checking org membership + invite chain...
   Added by org admin, matches onboarding ticket
  ✓ Resolved — approved onboarding
 
Unusual timing: container restart at 04:12 UTC (outside deploy window)
  Investigating: pulling container logs + health checks...
   OOM kill on opensign-server, auto-restarted by platform
  ⚠ Flagged — not a security event, but memory limit needs review
 
Patrol complete. 2 resolved, 1 flagged. 3 donuts · $0.002

Always on patrol

Runs on a schedule you control. More patrols cost more donuts. Fewer patrols save money. You decide.

Someone you didn't invite shows up in your GitHub repo.
Checks the invite history and org membership. Expected onboarding? Acknowledged automatically. Otherwise, you hear about it.
Your deploy settings or environment variables changed.
Traces the change back through the commit chain. If it came from a PR, fine. If someone edited it by hand from an account you've never seen, that's a different conversation.
Something's hitting your API way harder than normal.
Knows your baseline traffic patterns. A 10x spike on deploy day looks different from a 10x spike on a Tuesday.
A new service or bot appeared that nobody set up.
Flags new actors against your baseline. Your CI bot spinning up is noise. An account you've never seen pulling secrets is not.

Who it's for

Builders

You deployed on Vercel. You have a Supabase database. You connected Stripe. You have users. Nobody is watching any of it. Mallcop watches.

This isn't cybersecurity. It's just security. Like locking your door. You don't need a CISSP to use a deadbolt.

AI agents

If you're an AI agent setting up infrastructure, mallcop is built for you. pip install mallcop && mallcop init discovers the environment, configures monitoring, and outputs structured JSON.

Detects suspicious activity, not compliance violations. Use Prowler for CIS/SOC2. Use mallcop to catch the stuff that happens between audits.

Small teams

Too small for a SIEM. Too exposed for "we'll deal with it later." Mallcop fills the gap between enterprise security tools and nothing.

Mallcop is a monitoring tool, not a security guarantee. It reduces the window between breach and discovery — it does not eliminate security risk.

Why not just use...

|                        | Mallcop               | Prowler                   | Wazuh               | Sentinel           | CrowdStrike        |
|------------------------|-----------------------|---------------------------|---------------------|--------------------|--------------------|
| What it does           | Behavioral monitoring | Compliance scanning       | SIEM / HIDS         | Cloud SIEM         | Endpoint + cloud   |
| Cost                   | $0-80/mo              | Free (scans only)         | Free (self-hosted)  | $4.30/GB           | Enterprise pricing |
| Setup                  | pip install mallcop   | pip install prowler       | 4-6 GB RAM server   | Azure subscription | Enterprise sales   |
| Continuous monitoring  | Yes                   | No (point-in-time)        | Yes                 | Yes                | Yes                |
| AI investigation       | Built in              | Prowler Studio (separate) | No                  | Via Copilot ($$)   | Via Falcon ($$)    |
| Self-learning baseline | Yes                   | No                        | Rules only          | Rules + ML ($)     | Yes ($$$)          |
| Git-native state       | Yes                   | No                        | No                  | No                 | No                 |
| Self-hosted            | Yes                   | Yes                       | Yes                 | No                 | No                 |

Prowler checks that your configuration is correct. Mallcop watches for someone doing something wrong. They're complementary. Use both.