Y Combinator Just Celebrated Building a Generation of Insecure Startups. Nobody Noticed.
Y Combinator's W26 Demo Day is this week. 196 companies. The batch is 60% AI, up from 40% just two years ago.
That's impressive. YC has always been a signal, and right now the signal is clear: AI-generated code isn't the future. It's the present. It's already in production, it already has users, and in many cases it already has paying customers.
Here's the part nobody at the after-party is talking about.
A quarter of the W25 batch shipped with codebases that were 95% AI-generated. YC managing partner Jared Friedman said so himself, proudly, in a video titled "Vibe Coding Is the Future." YC CEO Garry Tan echoed it on CNBC: "This isn't a fad. This is the dominant way to code."
He's right. It's not a fad.
But when 95% of your codebase is AI-generated, and 45% of AI-generated code fails security tests, and your traditional scanner has an 87% false positive rate that trains everyone to ignore the alerts - you don't have a product. You have a ticking time bomb.
We've been scanning AI-generated codebases for the past year. The pattern is consistent enough that it's no longer surprising. It's just expensive.
The Numbers They Didn't Put on the Pitch Deck
Let's start with what the research actually says.
Veracode tested more than 100 LLMs across 80 coding tasks:
45% of AI-generated code samples failed security tests
86% XSS defenses failed
88% log injection succeeded
0% meaningful improvement with larger models - bigger isn't safer
Escape analyzed 5,600 vibe-coded applications across Lovable, Base44, Create.xyz, and Bolt.new. They found over 2,000 vulnerabilities, 400+ exposed secrets, and 175 instances of PII - medical records, IBANs, phone numbers. Most accessible without any authentication.
GitGuardian's State of Secrets Sprawl 2026: in 2025 alone, 28.65 million new hardcoded secrets were added to public GitHub, a 34% year-over-year jump. AI service secret leaks surged 81% year-over-year. Eight of the ten fastest-growing categories of leaked secrets were tied to AI services.
These are not hypothetical risks. They are documented, ongoing, measured incidents happening right now at the exact scale that YC is celebrating.
The Breach Roster Is Already Long
This is the part where someone usually says "okay but those are edge cases." So let's go through the edge cases.
Moltbook
"I didn't write a single line of code for Moltbook. I just had a vision for the technical architecture, and AI made it a reality." - Moltbook founder
Wiz researchers found the product had exposed 1.5 million API authentication tokens, 35,000+ email addresses, and 4,060 private messages, including third-party API credentials shared between agents. Root cause: Supabase's Row Level Security was disabled. One configuration omission. A pattern-matching scanner would never catch it because the code itself was syntactically correct.
CVE-2025-48757: Lovable's Platform-Wide Failure
Security researcher Matt Palmer crawled 1,645 Lovable-powered projects and found 303 insecure Supabase endpoints across 170 sites. No row-level security. Anyone, unauthenticated, could read or write to any table: emails, payment information, API keys, password reset tokens. CVSS score: 8.26. This wasn't one bad developer. This was the platform's default output.
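The Moltbook and Lovable root cause above is a single omission: the table exists, the API exposes it, and row-level security was never switched on. The following is an added example, not code from the article, from Supabase or from any of the products named; it assumes a hypothetical Supabase (Postgres) table `messages` with an `owner_id` column holding the signed-in user's id, and shows the weak state, the corrected policies, and a catalog query that flags any exposed table still missing RLS.

```sql
-- Added example (not the article's or Supabase's code). Hypothetical table.
-- Supabase serves every table in `public` over PostgREST to the `anon` and
-- `authenticated` roles. The anon key ships in the client, so without RLS
-- anyone holding it can read or write every row.

-- THE WEAK STATE: table created, RLS never enabled.
create table public.messages (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid(),  -- auth.uid() is Supabase's JWT subject helper
  body       text not null,
  created_at timestamptz not null default now()
);
-- (no `alter table ... enable row level security` anywhere)

-- THE FIX: turn RLS on, force it even for the table owner, then write one
-- explicit policy per operation. A role that matches no policy gets no rows,
-- so unauthenticated `anon` callers are locked out without a separate rule.
alter table public.messages enable row level security;
alter table public.messages force row level security;

create policy "owner can read own messages"
  on public.messages for select
  to authenticated
  using (auth.uid() = owner_id);

create policy "owner can insert own messages"
  on public.messages for insert
  to authenticated
  with check (auth.uid() = owner_id);

create policy "owner can update own messages"
  on public.messages for update
  to authenticated
  using (auth.uid() = owner_id)
  with check (auth.uid() = owner_id);

create policy "owner can delete own messages"
  on public.messages for delete
  to authenticated
  using (auth.uid() = owner_id);

-- THE CHECK: run this in CI or a migration test against the live catalog.
-- Every ordinary table in `public` must have RLS enabled; any row returned
-- here is the Moltbook-style omission waiting to ship.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Enabling RLS with no policies is itself a safe default (the table simply returns nothing), which is why the check only needs to test `relrowsecurity` and not the policy list.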
EnrichLead
Built 100% with Cursor. The founder bragged about it publicly. Within days: API keys hardcoded on the client side, no authentication on backend endpoints, no rate limiting. Someone ran up a $14,000 OpenAI bill through the exposed keys. The founder shut the whole thing down.
Tea App
A women's dating app where safety was the core value proposition. 72,000 photos, including 13,000 government IDs, over a million private messages, and GPS location data leaked from an unsecured Firebase database. 59.3 GB. It ended up on 4chan. Ten lawsuits followed.
Why YC Founders Are Especially Exposed
YC founders are not bad engineers. Friedman was careful to say that these are "highly technical" founders who "could have built from scratch" but chose AI for velocity. That's not the problem. The problem is structural.
When you use AI to write 95% of your code, you get a codebase you didn't write. You don't have the intuitive map of where the sharp edges are. You haven't read every function. The code is foreign to you in the same way an inherited acquisition codebase is, except you got it from an LLM, and LLMs have known failure patterns.
Those patterns are predictable. Invicti tested 20,000 web apps generated by popular LLMs and found 1,182 of them used "supersecretkey" as their JWT secret. Different models have different favorite defaults. Attackers don't need to brute-force your JWT secret if they know what model you used. That's not a vulnerability. That's a lookup table.
The Stanford study (Perry et al., 2022) found that developers who used AI assistance introduced MORE security flaws than those who didn't, and were MORE likely to believe their code was secure. The false confidence compounds the exposure.
YC adds another layer: these startups grow fast. The W25 batch was growing at 10% weekly in aggregate, with companies hitting $10M revenue with teams under 10 people. A codebase with 45% potentially insecure AI-generated code serving 10 users is a risk. The same codebase serving 100,000 users is a liability. The same codebase during a Series A due diligence process is a problem that kills deals.
Why Your Scanner Isn't Going to Save You
When we scanned NocoDB, a mature, actively maintained open-source project, with Semgrep, it returned 222 findings. 208 were false positives. And it missed the SQL injection entirely. Not because Semgrep is a bad tool. It missed it because the vulnerability wasn't in a place that pattern matching looks. It lived in the Oracle client's data-flow logic, and finding it required understanding the full execution path across multiple files.
And we saw the same pattern across 40+ public repos, where 4 out of 5 projects had critical vulnerabilities.
AI-generated code doesn't fail the way hand-written code fails. It fails at the semantic level: authorization logic that looks correct but doesn't protect what it should, race conditions in async flows, type confusion across service boundaries, IDOR vulnerabilities. These aren't patterns. They're behaviors. They require a different kind of analysis to find.
Garry Tan said it himself: "The first versions of reasoning models are not good at debugging. So you have to go in-depth of what's happening with the product." He was talking about product debugging. The same principle applies to security.
What 90% Looks Like in Practice
We submitted security fixes to 45 open-source projects. Weaviate, vLLM, Qdrant, Phase, Langfuse, NocoDB.
90% acceptance rate by maintainers vs. 15-20% for traditional automated scanners
A 90% acceptance rate from skeptical open-source maintainers, people who routinely reject automated security tools, is a meaningful signal. It means the findings were real, the fixes were architecturally sound, and the context was sufficient to act on. That's the bar that matters for AI-generated codebases: not detection volume, but signal quality.
"These aren't the typical automated security reports we ignore. You understood our architecture." - Open-source maintainer
The Uncomfortable Arithmetic
If you're a YC W26 founder reading this, here is the math that matters.
You have a codebase that is mostly AI-generated. Research says roughly 45% of that code has security issues. Your traditional scanner will generate hundreds of findings with an 87% false positive rate, training your team to ignore the noise. The real vulnerabilities are in the logic layer, where pattern matching doesn't reach.
You're about to raise, or you already have. In 12 months, if things go well, you'll be doing a Series A. Security audits are now standard in Series A due diligence. The breaches that have already happened (Lovable, Moltbook, EnrichLead, Tea) all hit products that were growing. Security debt doesn't go away with growth. It compounds with it.
We're not saying don't ship fast. Shipping fast is the whole point. We're saying that shipping fast with AI code in 2026 requires a different security layer than shipping fast with hand-written code in 2019.
The W25 batch is a year old now. The clock is ticking on some of those 95%-AI codebases. We'll see how many of them are still running clean when the Series A audits come in.
Run a free scan on your codebase.
We don't generate noise. We find what pattern matching misses and hand you a merge-ready PR with tests that prove it works. Free tier. No sales call.