Lictor monitoring watches your live site for exposed API keys, reachable config files, and open databases. It re-checks around the clock and emails you when something new is exposed. From $49/mo.
See plans → Run the free scan firstYou probably monitor plenty already. An uptime service pings your site and pages you when it goes down. An error tracker catches crashes. Analytics tells you who showed up. Every one of those watches whether the app works.
None of them watch whether the app is leaking.
Those are different questions. A site can pass every uptime check while its .env file sits one URL away from anyone who asks for it. Nothing is down. Nothing crashed. The dashboard is green. And your database password is public.
If you ship with AI tools, there is a second problem: the site you checked last month is not the site you have now. Every prompt that rewrites your code can move a config file, add a route that skips the auth check, or print a key somewhere public. Not because you got careless. Because you ship weekly, and each deploy is a fresh chance for something to slip out.
That is why a one-time scan and monitoring are different products. A scan is a photo. It is an honest picture of one moment. Monitoring is a smoke alarm. It sits there quietly, keeps checking, and only speaks up when something changes. You would not photograph your kitchen once and call it fire safety.
In plain terms: the exposures most likely to bite a small company first. It watches the surface you authorize, and it only looks at what is already public.
Live API keys, cloud credentials, and tokens sitting in public files, pages, or a repo push. The kind of leak that ends with someone else's compute usage on your card.
Reachable .env files, public .git directories, and backup archives sitting in the web root. The git history buried inside usually holds old secrets too.
Databases and cloud buckets that answer without a password. Anyone can list your files, read your records, or pull your backups.
Admin consoles, debug pages, and dev or staging environments that a deploy left reachable from the open internet with no password.
The full taxonomy is on the coverage page. In numbers: 20 detectors across 24 exposure types, plus 83 recognized secret formats.
And it is not theoretical. The same detection engine has found 3,700+ critical and high-severity exposures in the wild (leaked keys, exposed databases, open admin, claimable subdomains). None ever exploited.
There is no dashboard you have to remember to check. The service re-checks your live site around the clock. While nothing has changed, it stays quiet. When something new is exposed, you get an email.
The email is written for the person who has to fix it, not for a security team. It tells you three things: what was found, where it lives, and how to close it. Findings are plain English and severity-ranked, so you know whether this is a drop-everything problem or a fix-it-this-week problem.
One detail that matters: every alert masks the real secret. If a key leaks, the alert shows you enough to identify it, never the full value, so the secret is not stored or emailed in the clear.
And the whole thing is permission-based and observe-only. It watches only the assets you authorize, looks only at what is already public, and never touches or changes your systems. In other words: it sees what an attacker poking around would see. It just gets there first, and tells you instead.
Monitoring earns its keep for one specific kind of team: founders who ship with AI every week and do not have a security person.
If you build in Lovable, Bolt, or Claude Code, your app changes faster than any manual review can keep up with. That speed is the whole appeal, and it is exactly the situation where a smoke alarm beats a photo. Security monitoring for vibe-coded apps is not a luxury tier of DevOps; it is the missing counterpart to the uptime check you already have. If you want the do-it-yourself layer first, we keep a security checklist for Lovable apps and a guide to Claude Code security.
Start with the free layer either way. The free scanner checks your live site passively, with no signup. For your codebase, the free open-source Claude Code plugin runs a 48-check audit catalog covering leaked keys, exposed configs, broken auth, and the rest of what gets apps breached. Install it with:
/plugin marketplace add Raffa-jarrl/Lictor-AI
/plugin install lictor-security-suite@lictor-ai
And because "trust us" is not evidence: the audit behind that plugin has a published benchmark. In a blind run on a 30-case stratified sample of OWASP Benchmark 1.2, it scored an F1 of 93.8%. That is a sample, not the full benchmark, and the write-up says so.
Monitoring is the part you pay for, because it is the part that runs while you are asleep. It is built by a security engineer with 20 years in the field who does real responsible-disclosure work.
Plans are simple and per-month, with no long-term contract. Every plan runs the full detection sweep; the tiers differ by how much surface you watch and how fast we can reach you.
For a single site or a founder getting started.
For a growing company with a few properties.
For agencies, multi-brand, and regulated-data teams.
Monitoring is for the next incident. If you are in the middle of one right now, these runbooks are free and need nothing from you:
sk-ant-... keys specifically.Whichever page you land on, the first move is the same: kill the key at the provider before you clean up git history. GitHub's own documentation on removing sensitive data says revoking or rotating the secret comes first, and that rewritten history can still be read in clones, forks, and cached views.
Software that repeatedly checks your public surface (your live site, and optionally your repos) for credentials, config files, and other sensitive material that should not be reachable, and alerts you when something new appears. The point is to shrink the time between "the key became public" and "you found out." Without monitoring, that gap is however long it takes you to notice, which is often a strange bill.
A scan describes one moment. Monitoring covers all the moments after it. A scan is the right first step, and ours is free, passive, and needs no signup. But a scan from last month says nothing about the deploy you pushed yesterday. Monitoring re-checks around the clock and only contacts you when something new shows up.
Sometimes, honestly. If you run a static brochure site that never changes and holds no customer data, a scan now and then is probably fine, and you should not pay us $49 a month for it. If you run an app you keep shipping, especially with AI tools writing the code, then no. Every deploy can change what is exposed, and the one-time result goes stale the moment you push.
From $49/mo. Silver ($49/mo) watches one asset with email alerts. Gold ($149/mo) watches up to 5 assets and adds SMS. Diamond ($399/mo) watches unlimited assets and adds phone escalation and priority support. Details on the plans page, signup at app.lictor-ai.com/billing.
No. It is observe-only and permission-based. It watches only the assets you authorize, looks only at what is already public, and never modifies your systems. And every alert masks the real secret, so nothing sensitive is stored or emailed in the clear.
You will keep shipping. The app will keep changing. The only question is whether anyone is watching what each deploy leaves open, and whether you hear about it from a calm email or from an invoice.