Verified purchaser
Just buy it!
I run a small systems shop and I've tried every security tool out there. Most of them either slow me down, flood me with noise, or require a whole security team to operate. Rafter is different — it fits into the tools I already use and just works.
What I love:
It catches things before they ship. Secrets, risky commands, bad dependencies — my coding agent surfaces them while I'm actually building, not three days later during a post-merge review that everyone ignores.
Setup takes minutes, not days. One CLI command and it's wired into OpenClaw. No infrastructure to manage, no agents to deploy.
The lifetime deal is real. This isn't some "early access" that turns expensive after launch — I paid once and it's mine.
Cloud backend for the heavy lifting. Local scanning is fast, but when I need deep SAST/SCA passes on a complex repo, the cloud engine handles it without tying up my machine.
If you're serious about shipping secure code — especially with AI coding agents — this is the layer you need between the agent and your repo. Worth every penny.
Founder Team
Rome_Rafter
May 28, 2026
Thanks so much for taking the time to leave a review, Zymm! Don't hesitate to reach out to me personally ([email protected]) with feedback, feature requests, or anything at all.
Verified purchaser
Yeah I bet you didn't have Rafter on your AI Bingo Card, but you should...
I want to make this comment as short as possible. I am handing out fewer and fewer 5 tacos these days. Rafter is the real deal. The tool just feels grown up. It doesn't feel sloppy and duct-taped together. It does exactly what it says it does. It looks for vulnerable holes in your vibe code, or any code for that matter. I am starting to deploy some small vibe coding projects, so I picked this tool up to see if it would find things the software could not find. Guess what? It found quite a few things I should check, but no serious security holes. That was just from the website pulls from my landing page domains and not really going into the backend. Just to be able to have another set of eyes on my newfound journey to becoming the Vibe Coding King, it's worth at least 1 tier. Why? You have never seen this tool on AppSumo before, that's why. I did a very, and I mean very, short walkthrough to show you what I found on one of my deployed websites, just to give you a quick view.
Here: https://youtu.be/unWOz1AOnlg
I will be digging into this some more and I wish them well. Something tells me that this company will get snatched up by a major Software firm though. It's so mature looking and feeling and the need is so much there. Do yourself a favor and get at least a tier one. You are welcome...
Founder Team
Rome_Rafter
May 28, 2026
Thanks Jenny! Love the video, appreciate you sharing your take. You're spot on—we're building this to be the effortless security layer for vibe coded apps. Please don't hesitate to reach out with feedback or feature requests.
Based on your video, one tip if you're using Codex or Claude Code, is drop the prompt on rafter.so directly into your agents. Then they'll use Rafter directly on your code,...
Verified purchaser
Caught real, live credentials in our first scan
Picked up the lowest tier to test it. Inside the first hour, Rafter flagged multiple live production API credentials sitting in committed files in a codebase I'd been working in for months... credentials my existing security workflow had completely missed. After remediating, I rotated and revoked all of them.
I planted a fake AWS key in a test file to verify the pre-commit hook actually fires. It blocked the commit cleanly with line number, severity, and a redacted preview. I also intentionally tried to edit a file with a literal secret in the search string, and Rafter's pre-tool-use hook caught that mid-edit before it landed. That's real prevention, not theater, and honestly, a no-brainer.
What stood out:
- One command installed three skills, a sub-agent, hooks, and a pre-commit gate into Claude Code. Zero fragile setup. Dead simple.
- The local CLI is genuinely free, fast, and produces clean JSON output designed for AI agent consumption. I'm always looking for AS deals where I can augment our paid agentic tool stack. If you do most of your work in Claude Code or Codex, this is not even worth debating over.
- Skill auditing for third-party AI agent skills is a category nothing else in my stack does. As more shared skills proliferate, this matters more.
A couple of honest edges so you know it's a real review: the local secrets scanner doesn't yet respect .gitignore by default (easy to filter post-hoc); the skill audit currently recognizes one naming convention but not all common ones. I fixed these in my local skills, no problem.
Upgrading immediately. One missed credential in production would pay for the top tier ten times over. So extremely cheap insurance and high value.
Glad to see you guys on AS and look forward to where you take the app.
Founder Team
Rome_Rafter
Edited May 27, 2026
Love to hear it, and thanks for the detailed review! I'm on the .gitignore issue, will get it shipped by end-of-day. Feel free to reach out at [email protected] for the naming conventions (or even just tell your agent to raise an issue on git)—or any other feature requests.
Update: .gitignore shipped (in about 4 hours, v0.8.2)
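The two behaviours discussed in the review and reply above, a commit-time secret check that reports line number, severity and a redacted preview, and a scan that skips paths matched by .gitignore, are easy to see in working code. The block below is an added example written for this page; it is not Rafter's code and does not describe how Rafter implements either feature. The detection rules, the sample files and the ignore list are all constructed here (the AWS key is the placeholder from AWS's own documentation), and the .gitignore handling is deliberately a subset: directory entries, basename globs and full-path globs, with no negation or anchoring.

```python
"""Added example for this page (not Rafter's code): a minimal secret gate that
reports path, line number, severity and a redacted preview, and skips files
matched by a .gitignore-style list. Rules and sample input are constructed here."""
from __future__ import annotations

import fnmatch
import re
import sys
from dataclasses import dataclass

# Constructed rule set: (rule id, severity, regex). A capture group, when
# present, isolates the secret value so only it is redacted in the report.
RULES = [
    ("aws-access-key-id", "high",
     re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")),
    ("private-key-block", "critical",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic-api-key", "medium",
     re.compile(r"(?i)\b(?:api[_-]?key|secret)\s*[:=]\s*[\"']([A-Za-z0-9_\-]{16,})[\"']")),
]


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    preview: str  # redacted, safe to print or hand to an agent


def redact(secret: str) -> str:
    """Keep the first 4 and last 2 characters so the report never repeats the secret."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def is_ignored(path: str, ignore_patterns: list[str]) -> bool:
    """Subset of .gitignore semantics: 'dir/' matches any directory segment,
    other entries are globbed against the full path and the basename.
    Negation ('!') and leading-slash anchoring are not implemented."""
    parts = path.split("/")
    for pat in ignore_patterns:
        pat = pat.strip()
        if not pat or pat.startswith("#"):
            continue
        if pat.endswith("/"):
            if pat.rstrip("/") in parts[:-1]:
                return True
        elif fnmatch.fnmatch(path, pat) or fnmatch.fnmatch(parts[-1], pat):
            return True
    return False


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over every line; one Finding per match."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, severity, rx in RULES:
            for m in rx.finditer(line):
                secret = m.group(m.lastindex or 0)
                findings.append(Finding(path, lineno, rule, severity, redact(secret)))
    return findings


def gate(files: dict[str, str], ignore_patterns: list[str]) -> tuple[bool, list[Finding]]:
    """files maps path -> content. Returns (blocked, findings); blocked is True
    when any non-ignored file contains a match, which is the pre-commit decision."""
    findings: list[Finding] = []
    for path, text in files.items():
        if is_ignored(path, ignore_patterns):
            continue
        findings.extend(scan_text(path, text))
    return bool(findings), findings


def format_report(findings: list[Finding]) -> str:
    """One line per finding: path:line [severity] rule: redacted preview."""
    return "\n".join(f"{f.path}:{f.line} [{f.severity}] {f.rule}: {f.preview}" for f in findings)


# Constructed sample input. AKIAIOSFODNN7EXAMPLE is the placeholder key from
# AWS's own documentation, not a live credential.
SAMPLE_FILES = {
    "src/config.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\nREGION = "us-east-1"\n',
    "node_modules/pkg/index.js": 'const k = "AKIAIOSFODNN7EXAMPLE";\n',
    ".env": 'SECRET="0123456789abcdef0123"\n',
    "README.md": "Nothing here.\n",
}
SAMPLE_IGNORE = ["# build output and local config", "node_modules/", "*.log", ".env"]

if __name__ == "__main__":
    blocked, found = gate(SAMPLE_FILES, SAMPLE_IGNORE)
    print(format_report(found) or "no secrets found")
    # A non-zero exit is what makes a git pre-commit hook refuse the commit.
    sys.exit(1 if blocked else 0)
```

Run as a script it prints only the finding in src/config.py (the copies under node_modules/ and in .env are skipped by the ignore list) and exits non-zero, which is the contract a git pre-commit hook needs. The same gate() can sit behind an agent pre-tool-use hook by passing it the proposed file content before the edit is written, and the redacted preview is what should be returned to the agent rather than the matched line itself.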