Replit, Lovable, Bolt, v0 — non-developers are building and deploying functional applications in minutes. These apps handle real data, connect to production APIs, and serve customers. They bypass security review, change management, and compliance entirely. Behavry discovers, risk-scores, and governs them.
// the citizen coder problem
The old shadow IT problem was employees installing unauthorized SaaS tools. The new problem is employees building unauthorized production applications — and deploying them to the public internet in minutes, without writing a line of code themselves.
Vibe-coded apps ship directly from the platform to production. No PR review. No SAST/DAST scan. No change management ticket. The app is live before security knows it exists.
These aren't prototypes. They connect to production databases, process customer PII, call payment APIs, and authenticate against your SSO. They handle real data with none of your controls.
The builders don't know about input validation, auth token handling, or OWASP Top 10. They're marketing, ops, and finance teams solving real business problems — without the security training to do it safely.
Your SIEM doesn't see them. Your EDR doesn't scan them. Your vulnerability scanner doesn't know the deploy domain. These apps exist outside every tool in your security stack — by default.
// 7 platforms covered
Deploy domain glob patterns, IDE domain matching, and DOM-based browser extension detection. Not a keyword list — real platform fingerprinting.
// 7-signal risk scoring
Not a binary "approved / not approved." A score built from 7 signals that tells leadership exactly why this Lovable app is high-risk — and what policy tier it maps to.
// discover → score → enforce → govern
Browser extension detects build/deploy activity on vibe-coding platforms via DOM fingerprinting. Platform API connectors (Vercel REST, Replit GraphQL) pull deployment data. Agent fingerprint DB matches deploy domain patterns across all 7 platforms. Discovery is continuous — not a one-time scan.
Real-time · DOM fingerprinting · API connectors
Each discovered app gets a CitizenApp record with platform, builder identity, deploy URL, and creation timestamp. The 7-signal risk scorer evaluates the app and assigns a tier (Low / Medium / High / Critical). The score drives what happens next.
CitizenApp model · 7 signals · 4 risk tiers
OPA Rego policies enforce governance based on approval status and risk tier. Unapproved apps are denied by default. Critical-risk apps trigger immediate escalation. High-risk apps are restricted to read-only until reviewed. The policy engine loads citizen app context before every evaluation — this runs on the actual execution path.
OPA Rego · deny unapproved · escalate critical · restrict high
A background loop checks every 6 hours for apps that remain ungoverned after 30 days, firing CITIZEN_APP_UNGOVERNED_30D alerts. The dashboard shows live stats, filter bar, risk breakdown, and an enroll CTA. The nav badge shows ungoverned count on 30-second polling. This isn't a one-time audit — it's continuous governance with a time-based SLA.
30-day SLA · 6-hour check loop · live dashboard
// enforcement scenarios
No auth, handles payment data, public URL. Risk score: 6/7 (High). App restricted to read-only. Alert sent to governance team. Builder notified of enrollment requirement.
Database connection, PII in query results, no authentication layer. Risk score: 7/7 (Critical). Immediate escalation. App blocked until security review completes.
Auth present, no PII beyond name/email, internal use only. Risk score: 2/7 (Low). Auto-enrolled with standard monitoring. No friction for the builder.
Discovered on day 1. Builder notified on day 7. Still ungoverned at day 30. CITIZEN_APP_UNGOVERNED_30D alert fires. Leadership escalation. Governance SLA enforced.
// frequently asked questions
Low-risk apps auto-enroll with zero friction. The builder never sees a gate. Medium-risk apps get a review flag but continue running. Only high-risk and critical-risk apps get restricted or blocked — and those are the ones that should get a security review before they're serving production data. Governance enables citizen development by making it safe enough to allow.
Shadow IT discovery finds unauthorized SaaS subscriptions. Citizen coder governance finds unauthorized applications your employees built. The risk profile is completely different — a SaaS tool has vendor security built in. A Lovable app deployed by your marketing team has no security review, no code review, no change management, and potentially handles your customer data. Discovery is step one. Risk scoring and policy enforcement are what make it governance.
If the employee accesses the vibe-coding platform from a managed device or network where the Behavry browser extension is installed, the DOM fingerprinter detects the build/deploy activity regardless of whether it's a personal or corporate account. The discovery is device-based, not account-based. If it touches your network, Behavry sees it.
Yes. The OPA Rego policy engine supports per-platform, per-risk-tier, and per-team policies. You could allow all Replit apps from engineering at any risk tier, but require approval for all Lovable apps from non-technical teams above medium risk. Policies are code — they're version-controlled, auditable, and composable.
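As an added illustration (not Behavry's own policy code), this is how the tiered rules described in the governance step above and the per-platform, per-team override from this answer could be written in OPA Rego; the package name, the input fields (platform, team, approved, risk_tier) and the action names are assumptions.

```rego
package behavry.citizen_apps

import rego.v1

# Assumed input shape (constructed; not Behavry's schema). risk_tier is Low/Medium/High/Critical:
#   input.app = {"platform": "lovable", "team": "marketing", "approved": false, "risk_tier": "High"}

# Deny by default: an app nobody has approved gets no other decision.
default decision := {"action": "deny", "reason": "unapproved: denied by default"}

# Per-platform / per-team override: engineering's Replit apps run at any tier.
exempt if {
	input.app.platform == "replit"
	input.app.team == "engineering"
}

decision := {"action": "allow", "reason": "exempt: engineering replit"} if exempt

# Critical-risk apps escalate and stay blocked until security review completes.
decision := {"action": "escalate", "reason": "critical risk: blocked pending review"} if {
	not exempt
	input.app.risk_tier == "Critical"
}

# High-risk apps are restricted to read-only until a reviewer approves them.
decision := {"action": "restrict_read_only", "reason": "high risk: read-only until reviewed"} if {
	not exempt
	not input.app.approved
	input.app.risk_tier == "High"
}

# Approved apps below Critical run normally (Medium keeps its review flag elsewhere).
decision := {"action": "allow", "reason": "approved"} if {
	not exempt
	input.app.approved
	input.app.risk_tier != "Critical"
}

# Unit tests, run with `opa test .` in the policy directory.
test_unapproved_lovable_low_denied if {
	decision.action == "deny" with input as {"app": {"platform": "lovable", "team": "marketing", "approved": false, "risk_tier": "Low"}}
}

test_critical_escalates if {
	decision.action == "escalate" with input as {"app": {"platform": "bolt", "team": "finance", "approved": false, "risk_tier": "Critical"}}
}

test_engineering_replit_exempt if {
	decision.action == "allow" with input as {"app": {"platform": "replit", "team": "engineering", "approved": false, "risk_tier": "High"}}
}
```

Each `decision` rule body is mutually exclusive with the others, so OPA never sees two conflicting values for one app; the `exempt` rule is the composable hook where additional platform or team policies would be added.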