TAKO://GUARDIAN :: THREAT CATALOG

what we catch

every threat below was pulled out of a real app like yours. each tank holds one: what it is, what it costs you, and how tako fixes it. plain english, because you shouldn't need a security degree to protect your app.

SPEC-01 :: CONTAINED :: CRITICAL

broken access control

the apex

change one number in a web address and read someone else's account. this is the most common hole in AI-built apps: every user can see every other user's data, and the owner never knows.

HOW TAKO FIXES IT :: tako signs up as two fake users and tries to read one's data with the other. if it works, it fixes the access rules and proves the door is shut.
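what that two-user check looks like in code, as an added example (not tako's own code): a record lookup that trusts the number in the web address, the same lookup scoped to the signed-in user, and a test that asks for one user's rows with the other user's session. the store and both users are constructed sample data.

```javascript
// Added example, not tako's code. Store, users and invoices are constructed.
const invoices = new Map([
  [101, { id: 101, ownerId: "alice", total: 42.0 }],
  [102, { id: 102, ownerId: "bob", total: 9.5 }],
]);

// Vulnerable handler: looks the row up by the number in the URL and returns
// it to whoever asked. Authentication happened; authorization never did.
function getInvoiceVulnerable(sessionUserId, invoiceId) {
  const row = invoices.get(invoiceId);
  return row ? { status: 200, body: row } : { status: 404, body: null };
}

// Hardened handler: the lookup is scoped to the caller. A row that belongs to
// someone else gets the same 404 as a row that does not exist, so the endpoint
// cannot be used to work out which ids are taken.
function getInvoiceHardened(sessionUserId, invoiceId) {
  const row = invoices.get(invoiceId);
  if (!row || row.ownerId !== sessionUserId) return { status: 404, body: null };
  return { status: 200, body: row };
}

// The two-user check: every record user B owns is requested with user A's
// session. Any 200 is a cross-user leak. Returns the ids that leaked.
function crossUserLeaks(handler, userA, userB) {
  const leaked = [];
  for (const row of invoices.values()) {
    if (row.ownerId !== userB) continue;
    if (handler(userA, row.id).status === 200) leaked.push(row.id);
  }
  return leaked;
}

// Usage: the same check against both handlers.
console.log("vulnerable leaks:", crossUserLeaks(getInvoiceVulnerable, "alice", "bob")); // [102]
console.log("hardened leaks:", crossUserLeaks(getInvoiceHardened, "alice", "bob")); // []
```

the check is cheap to keep running: sign up two throwaway accounts in a staging copy and fail the build whenever the leaked list is not empty.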

SPEC-02 :: CONTAINED :: CRITICAL

leaked keys & passwords

the blabber

your API keys, sitting in your public code for anyone to copy. around 38% of live vibe-coded apps leak at least one, and attackers run scripts that find them in minutes.

HOW TAKO FIXES IT :: tako reads your public code, logs, and history the way an attacker would, then replaces the exposed keys and moves them somewhere safe.

OUR SPECIALTY :: THE THREAT NOBODY ELSE COVERS

SPEC-04 :: CONTAINED :: CRITICAL

your AI agent turned against you (prompt injection)

the lure

your app has an AI wired to email, code, and money. an attacker sends it a poisoned message that convinces it to hand over your data or spend your budget. it's the newest kind of attack, and nobody else defends against it for teams without a security engineer.

HOW TAKO FIXES IT :: tako audits every tool your agent can touch, cuts its permissions to the minimum, and screens everything it reads for planted instructions.

SPEC-03 :: CONTAINED :: CRITICAL

hostile input (SQL & command injection)

the tunneler

a form field that lets a stranger run commands on your database or server. one crafted input and they're inside: reading tables, deleting rows, reaching your internal services.

HOW TAKO FIXES IT :: tako feeds your forms hostile input against a safe copy of your app. whatever gets through is sanitized and re-tested.
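the difference between a form field that gets into the statement and one that stays data, as an added example (not tako's own code): a login query built by pasting the field in, the same query with a parameter, and a small literal counter that shows whether the input changed the shape of the statement. the hostile input is constructed, and bindParams only imitates what a database driver does with parameters so the result can be inspected offline; real drivers send the text and the values to the server separately.

```javascript
// Added example, not tako's code. HOSTILE_NAME is a constructed test input:
// it closes the string literal early and appends a condition that is always true.
const HOSTILE_NAME = "' OR '1'='1";

// Vulnerable: the field becomes part of the SQL grammar.
function loginQueryVulnerable(username) {
  return `SELECT id FROM users WHERE username = '${username}'`;
}

// Hardened: one placeholder per value; text and values travel apart.
function loginQueryHardened(username) {
  return { text: "SELECT id FROM users WHERE username = $1", values: [username] };
}

// What binding guarantees, spelled out: each value becomes exactly one string
// literal with embedded quotes doubled, so no input can end the literal early.
// (Imitation of driver behaviour for illustration only.)
function bindParams(text, values) {
  return text.replace(/\$(\d+)/g, (_, n) => {
    const v = values[Number(n) - 1];
    if (v === null || v === undefined) return "NULL";
    if (typeof v === "number") return String(v);
    return "'" + String(v).replace(/'/g, "''") + "'";
  });
}

// Pulls the string literals out of a statement ('' inside a literal is an
// escaped quote). One form field should yield one literal; more than one means
// the input has rewritten the statement.
function stringLiterals(sql) {
  const out = [];
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { i += 1; continue; }
    let j = i + 1;
    let buf = "";
    while (j < sql.length) {
      if (sql[j] === "'") {
        if (sql[j + 1] === "'") { buf += "'"; j += 2; continue; }
        break;
      }
      buf += sql[j];
      j += 1;
    }
    out.push(buf);
    i = j + 1;
  }
  return out;
}

// Same rule for the server: never build a command line from user text. Pass the
// program and its arguments as an array (the shape child_process.execFile takes)
// so the filename stays one argument however many ; or | it contains.
function thumbnailCommandVulnerable(filename) {
  return `convert ${filename} -resize 200x200 thumb.png`; // would be handed to a shell
}
function thumbnailCommandHardened(filename) {
  return { file: "convert", args: [filename, "-resize", "200x200", "thumb.png"] };
}
```

the re-test after the fix is the same literal count: feed the hostile string through the hardened path and confirm it comes back as exactly one literal equal to what was typed.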

SPEC-05 :: CONTAINED :: HIGH

code injected into your pages (XSS)

the defacer

user content that runs as code in your visitors' browsers: stolen sessions, fake login boxes on your own pages, malware served under your name.

HOW TAKO FIXES IT :: tako cleans what users can post, locks your pages down with security headers, and verifies the attacks stop working.
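the three parts of that fix side by side, as an added example (not tako's own code): a comment template that pastes user text straight into the page, the same template encoding the text at the point of output, the response headers that limit what any stray script could do, and a re-test that looks for active content in the rendered fragment. the comment text is a constructed test input.

```javascript
// Added example, not tako's code. HOSTILE_COMMENT is a constructed test input.
const HOSTILE_COMMENT = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable: user text is dropped into the HTML body unchanged.
function renderCommentVulnerable(text) {
  return `<li class="comment">${text}</li>`;
}

// HTML body encoding: the five characters that can start markup. This is the
// right encoding for element content; attribute values, URLs and inline script
// each need their own encoding, so keep user text out of those contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened: the same template with the text encoded as it is written out.
function renderCommentHardened(text) {
  return `<li class="comment">${escapeHtml(text)}</li>`;
}

// Defence in depth: with these headers a script that did slip through cannot
// load from a third-party host, run inline, or put the page in a frame.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
  };
}

// Re-test after the fix: does the fragment contain a script element, or a tag
// carrying an inline event handler? Encoded text has no '<', so it cannot match.
function containsActiveContent(html) {
  return /<\s*script\b|<[a-z][^>]*\son\w+\s*=/i.test(html);
}
```

the headers are the safety net, not the fix: the policy above has no 'unsafe-inline', which is what makes the onerror handler in the sample inert even if encoding were missed somewhere.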

SPEC-06 :: CONTAINED :: HIGH

accidental data exposure

the oversharer

your app spills its insides when poked: raw error messages shown to users, passwords written to logs, file storage left public. a free map of your app for anyone curious.

HOW TAKO FIXES IT :: tako silences the oversharing errors, locks the storage, and scrubs secrets out of your logs. then it pokes again to make sure.
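one set of secret patterns put to two uses, as an added example (not tako's own code): finding keys committed in source, which is the leak described under SPEC-02, and scrubbing them out of log lines before they are written, which is the fix described here. the source and log lines are constructed; the AWS value is the example key from AWS's own documentation, the GitHub one is a made-up string of the right shape, and the patterns are the author's choice of common formats, not a complete list.

```javascript
// Added example, not tako's code. Patterns are a starter set, not exhaustive.
const SECRET_PATTERNS = [
  { kind: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g, keepPrefix: false },
  { kind: "github-token", re: /\bghp_[A-Za-z0-9]{36}\b/g, keepPrefix: false },
  { kind: "bearer-token", re: /\b(Bearer\s+)([A-Za-z0-9._~+/=-]{20,})/g, keepPrefix: true },
  // key = value pairs under a telling name: the name is kept, the value goes.
  {
    kind: "generic-credential",
    re: /\b((?:api[_-]?key|secret|password|passwd|token)\s*[:=]\s*["']?)([^\s"',;]{8,})/gi,
    keepPrefix: true,
  },
];

// Scan source or config lines the way a leaked-key hunter would; one finding
// per match, with the line it sits on.
function findSecrets(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    for (const { kind, re } of SECRET_PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ line: idx + 1, kind, match: m[0] });
      }
    }
  });
  return findings;
}

// Run on every log line on its way out, so credentials never reach storage.
function redactLine(line) {
  let out = line;
  for (const { kind, re, keepPrefix } of SECRET_PATTERNS) {
    out = out.replace(re, (m, prefix) => (keepPrefix ? prefix : "") + `[REDACTED:${kind}]`);
  }
  return out;
}

// Constructed sample input.
const SAMPLE_SOURCE = [
  'const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";', // AWS documentation example key
  'const api_key = "constructed-example-key-1234";',
  'const gh = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";', // made-up, right shape
  "const port = 3000;",
];
const SAMPLE_LOGS = [
  "2024-05-01T10:00:00Z login failed user=alice password=Tr0ub4dor&3 ip=203.0.113.5",
  "2024-05-01T10:00:01Z GET /api/me Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.signature",
  "2024-05-01T10:00:02Z GET /health 200",
];

console.log(findSecrets(SAMPLE_SOURCE)); // three findings: lines 1, 2 and 3
console.log(SAMPLE_LOGS.map(redactLine));
```

the same list drives both jobs on purpose: a pattern good enough to catch a key in source is good enough to catch it in a log, and keeping one list means a new key format only has to be added once.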

SPEC-07 :: CONTAINED :: HIGH

password guessing & runaway AI bills

the swarm

bots guessing your users' passwords all night, and an unmetered AI endpoint hammered into a $3,000 bill by morning. no alarm goes off until the invoice arrives.

HOW TAKO FIXES IT :: tako adds rate limits and lockouts where they're missing, meters your AI endpoints, and arms an automatic cost cut-off.
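the rate limit, the lockout and the cost cut-off built from one counter, as an added example (not tako's own code): a sliding-window limiter, a login guard that locks an account after too many failures, and a meter in front of a paid model call that refuses once the day's budget is spent. counters live in process memory here; a real deployment keeps them in shared storage so every app instance sees the same counts. the thresholds are illustrative, and time is passed in explicitly so the behaviour is deterministic.

```javascript
// Added example, not tako's code. Thresholds are illustrative defaults.

// Counts events per key inside a moving window.
class SlidingWindowLimiter {
  constructor(maxEvents, windowMs) {
    this.maxEvents = maxEvents;
    this.windowMs = windowMs;
    this.events = new Map(); // key -> timestamps still inside the window
  }
  // Records one event for key and reports whether it stayed within allowance.
  hit(key, nowMs) {
    const since = nowMs - this.windowMs;
    const recent = (this.events.get(key) || []).filter((t) => t > since);
    recent.push(nowMs);
    this.events.set(key, recent);
    return recent.length <= this.maxEvents;
  }
  reset(key) {
    this.events.delete(key);
  }
}

// Lockout after too many failed logins. Keyed by account here; a second guard
// keyed by client address catches a bot spraying guesses across many accounts.
class LoginGuard {
  constructor({ maxFailures = 5, windowMs = 15 * 60_000, lockoutMs = 30 * 60_000 } = {}) {
    this.failures = new SlidingWindowLimiter(maxFailures, windowMs);
    this.lockoutMs = lockoutMs;
    this.lockedUntil = new Map();
  }
  // Check before verifying the password: a locked account never reaches the store.
  isLocked(account, nowMs) {
    const until = this.lockedUntil.get(account);
    if (until === undefined) return false;
    if (nowMs >= until) {
      this.lockedUntil.delete(account);
      return false;
    }
    return true;
  }
  recordFailure(account, nowMs) {
    if (!this.failures.hit(account, nowMs)) this.lockedUntil.set(account, nowMs + this.lockoutMs);
  }
  recordSuccess(account) {
    this.failures.reset(account);
    this.lockedUntil.delete(account);
  }
}

// Meter in front of a paid model call: a per-user request limit plus a daily
// spend cap. Cost is reserved before the call goes out, so a burst of parallel
// requests cannot overrun the cap while responses are still in flight.
class SpendMeter {
  constructor({ dailyCapUsd, perUserPerHour }) {
    this.dailyCapUsd = dailyCapUsd;
    this.perUser = new SlidingWindowLimiter(perUserPerHour, 60 * 60_000);
    this.day = null;
    this.spentUsd = 0;
  }
  reserve(userId, estimatedUsd, nowMs) {
    const day = Math.floor(nowMs / 86_400_000);
    if (day !== this.day) {
      this.day = day;
      this.spentUsd = 0;
    }
    if (!this.perUser.hit(userId, nowMs)) return { ok: false, reason: "user-rate-limit" };
    if (this.spentUsd + estimatedUsd > this.dailyCapUsd) return { ok: false, reason: "budget-cutoff" };
    this.spentUsd += estimatedUsd;
    return { ok: true, spentUsd: this.spentUsd };
  }
}
```

the cut-off is deliberately hard: once the cap is reached the meter answers "budget-cutoff" for everyone until the day rolls over, which is the alarm that would otherwise only arrive with the invoice.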

SPEC-08 :: CONTAINED :: HIGH

compromised packages (supply chain)

the drifter

a hacked or lookalike code package your AI installed without asking. your app becomes unsafe overnight with zero changes on your side.

HOW TAKO FIXES IT :: tako audits every package your app depends on, and when a new vulnerability is announced anywhere, re-checks your app before you've heard the news.