TAKO://GUARDIAN :: THREAT CATALOG
what we catch
every threat below was pulled out of a real app like yours. each tank holds one: what it is, what it costs you, and how tako fixes it. plain english, because you shouldn't need a security degree to protect your app.

broken access control
“the apex” :: change one number in a web address and read someone else's account. this is the most common hole in AI-built apps: every user can see every other user's data, and the owner never knows.
HOW TAKO FIXES IT :: tako signs up as two fake users and tries to read one's data with the other. if it works, it fixes the access rules and proves the door is shut.
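the two-user check above, as an added example (this is illustrative code, not tako's own): a lookup that trusts the record id alone sits beside one that also checks ownership, and a constructed two-user test reports every cross-account read a handler lets through. the invoice data, handler names and user ids are assumptions made for the example.

```python
"""Two-user ownership check for an object lookup (added example, not Tako's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: float


# Constructed sample data: two users, one invoice each.
INVOICES = {
    101: Invoice(id=101, owner_id=1, total=49.0),
    102: Invoice(id=102, owner_id=2, total=120.0),
}


class Forbidden(Exception):
    """Raised when the caller does not own the requested record."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    # Looks the record up by id alone: any logged-in user can read any invoice.
    return INVOICES[invoice_id]


def get_invoice_fixed(current_user_id: int, invoice_id: int) -> Invoice:
    # Looks the record up by (id, owner). A missing record and someone else's
    # record get the same refusal, so the response does not reveal which it was.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise Forbidden(f"user {current_user_id} may not read invoice {invoice_id}")
    return invoice


def cross_account_leaks(handler) -> list[tuple[int, int]]:
    """Two-user test: each user asks for every record that belongs to the other.
    Returns the (user, invoice) pairs the handler served when it should have refused."""
    leaks = []
    for reader in (1, 2):
        for inv in INVOICES.values():
            if inv.owner_id == reader:
                continue  # own record; reading it is expected to work
            try:
                handler(reader, inv.id)
            except Forbidden:
                continue  # correctly refused
            leaks.append((reader, inv.id))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_account_leaks(get_invoice_vulnerable))
    print("fixed handler leaks:", cross_account_leaks(get_invoice_fixed))
```

an empty leak list from the fixed handler is the "proves the door is shut" step; the same harness re-run after every change keeps it shut.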

leaked keys & passwords
“the blabber” :: your API keys, sitting in your public code for anyone to copy. around 38% of live vibe-coded apps leak at least one, and attackers run scripts that find them in minutes.
HOW TAKO FIXES IT :: tako reads your public code, logs, and history the way an attacker would, then replaces the exposed keys and moves them somewhere safe.

your AI agent turned against you (prompt injection)
“the lure” :: your app has an AI wired to email, code, and money. an attacker sends it a poisoned message that convinces it to hand over your data or spend your budget. it's the newest kind of attack, and for teams without a security engineer, nobody else defends against it.
HOW TAKO FIXES IT :: tako audits every tool your agent can touch, cuts its permissions to the minimum, and screens everything it reads for planted instructions.

hostile input (SQL & command injection)
“the tunneler” :: a form field that lets a stranger run commands on your database or server. one crafted input and they're inside: reading tables, deleting rows, reaching your internal services.
HOW TAKO FIXES IT :: tako feeds your forms hostile input against a safe copy of your app. whatever gets through is sanitized and re-tested.

code injected into your pages (XSS)
“the defacer” :: user content that runs as code in your visitors' browsers: stolen sessions, fake login boxes on your own pages, malware served under your name.
HOW TAKO FIXES IT :: tako cleans what users can post, locks your pages down with security headers, and verifies the attacks stop working.

accidental data exposure
“the oversharer” :: your app spills its insides when poked: raw error messages shown to users, passwords written to logs, file storage left public. a free map of your app for anyone curious.
HOW TAKO FIXES IT :: tako silences the oversharing errors, locks the storage, and scrubs secrets out of your logs. then it pokes again to make sure.

password guessing & runaway AI bills
“the swarm” :: bots guessing your users' passwords all night, and an unmetered AI endpoint hammered into a $3,000 bill by morning. no alarm goes off until the invoice arrives.
HOW TAKO FIXES IT :: tako adds rate limits and lockouts where they're missing, meters your AI endpoints, and arms an automatic cost cut-off.

compromised packages (supply chain)
“the drifter” :: a hacked or lookalike code package your AI installed without asking. your app becomes unsafe overnight with zero changes on your side.
HOW TAKO FIXES IT :: tako audits every package your app depends on, and when a new vulnerability is announced anywhere, re-checks your app before you've heard the news.