Last year, I built a full production app using Claude Code. I have a security background — I know what a DevSecOps pipeline looks like, I know how to harden a configuration, I know what a supply chain attack means. And even I found it painful.
The architecture decisions, the dependency choices, the configuration layers — all of it had to be engineered manually, on top of everything else. It was friction I knew how to push through. Most people don't.
The problem has changed layers
For a long time, software security was about the code itself. SQL injections. Buffer overflows. Insecure functions. That threat is shrinking — not because developers got smarter, but because AI is genuinely good at catching those flaws in real time. They get flagged in pipelines and patched in seconds.
The new threat is architectural. It lives in the decisions that get made at scaffolding time — before any pipeline runs, before any scanner sees anything. The wrong database permissions set at initialization. A compromised package pulled in as a default dependency. An insecure API exposure pattern chosen because the model defaulted to it.
In March 2025, the liteLLM PyPi package was compromised — a supply chain attack baked in at project initialization. A professional engineer knows what that means. Most people building with AI today never will. And every existing security tool — SAST scanners, linters, pipeline checks — operates after that layer. They're all right of the problem.
The scale of what's already in the wild
In May 2026, Israeli cybersecurity firm RedAccess mapped 380,000 publicly accessible assets built with AI coding tools — Lovable, Base44, Replit. Roughly 5,000 of those were actively leaking sensitive corporate data. These weren't consumer hobby projects. They were internal enterprise tools built by employees without IT oversight, deployed on public URLs, indexed by Google.
The CEO of RedAccess described finding them while researching shadow AI for enterprise customers. That sentence tells you everything: the apps were invisible to the security teams at the companies that owned them. No scanner was pointed at a customer intake form a product manager vibe-coded on Lovable over a weekend, connected to a live database, and deployed on a public URL.
Gartner projects that 60% of all new software code will be AI-generated by the end of 2026. The problem isn't going to get smaller.
What we're building
SentryStack is a governance layer that sits between security policies — yours, or the best-practice defaults we've codified — and the AI tools being used to build software.
At project initialization, before code exists, we enforce:
- Approved architecture patterns
- Approved dependency sources
- Infrastructure guardrails
- Identity and access constraints
For individual builders, that means shipping the app you vibe-coded without the security holes — no security expertise required, invisible, automatic.
For enterprises, it means a control plane for AI-native internal development. Ops managers, analysts, and PMs are already shipping internal tools on company infrastructure. Security teams have governance for engineers. They have no governance model for these builders. SentryStack is that model.
This isn't a scanner. Scanners live to the right of the problem. We live at the moment risk is introduced.
Two audiences, one thesis
We're launching with early access for individual builders at $0–$10/month — connect Claude Code and GitHub, and your next project starts on a secure foundation.
We're also working directly with enterprise design partners on initialization-time policy enforcement across Claude Code, GitHub Copilot, Replit, and internal AI tools — with audit artifacts mapped to SOC 2, ISO 27001, and NIST AI RMF. If you're a CISO, head of platform engineering, or running a security team that's watching shadow AI turn into institutional AI without a governance model, we want to talk.
The window to build this before the first major enterprise breach gets traced back to a vibe-coded internal tool is open right now. We want to be the answer before the incident — not after.
What's next
We're three people on a 12-week build sprint. We're heads-down, we're building in the open, and we're onboarding early users now. If you're a builder who wants to ship something safe, or an enterprise team that needs governance before an incident forces the issue — reach out.
Build fast. Ship safe.