17 Penetration & Performance Testing Prompts for Vibe Coders
A complete set of prompts to reverse-engineer your app, uncover attack vectors, identify critical issues, boost performance, and guide future improvements.
Hey, Paweł here. Welcome to the premium edition of The Product Compass!
Every week, I share actionable insights and resources for AI PMs.
Consider joining the community of 121K+ and upgrading your account for the full experience.
The recent posts were published without a paywall or with huge free sections. This time, we’re prioritizing a premium experience.
In today’s post:
Accredia: Status, Security Challenge, and the $4,500 Winners
🔒 17 Penetration & Performance Testing Prompts for Vibe Coders
Group 1: Six Prompts to Reverse-Engineer and Document Your App
Group 2: Custom Instructions / Project Knowledge
Group 3: Seven Powerful Prompts to Stress-Test Security
Group 4: Three Prompts To Boost Performance
Vibe Coding Security & Performance: More Tools And Resources
Conclusions
Let's dive in.
1. Accredia: Status, Security Challenge, and the $4,500 Winners
Product Status
I’m back from vacation and continuing work on my no-code B2B2C SaaS PoC.
Accredia is live. I’ve migrated certificates for all three video courses: Product Discovery, Strategy, and Innovation.
My public profile: https://www.accredia.io/users/pawel-huryn
Next:
If you earned a certificate, you should have received a notification.
I’ve started onboarding the first two organizations. I hope to learn a lot! 🙂
This is just a PoC, but I’m going to try to win the first beachhead segment.
I’m also creating a simple, ready-to-use template to help anyone vibe-code a production-ready side project. I realized this will require covering the basics like Supabase or Clerk, and we’ll get into that too.
In the next few posts, we’ll focus more on Strategy, Discovery, and AI PM topics.
Security Challenge and the $4,500 Winners
Before importing real student data, I used AI to audit security and permissions. Then I organized a public security challenge on LinkedIn and Reddit and promised $1,500 each to the first three people who hacked the platform.
Over 80 developers created student accounts to hack the app. I received more than 12 detailed reports and rewarded three people:
William LE POMMELET: XSS vulnerability in three fields (a real issue I had missed; it would allow attackers to target visitors of a specific public profile).
u/wrighte0: CSP issues (impossible to leverage right now, but essential to cover).
Vinicius Lage: A theoretical attack vector using a Clerk token from another instance (impossible to leverage right now, but too important to ignore).
Thanks to those and other reports, including reverse-engineering failed attack attempts documented by participants, the framework and prompts have become stronger than ever 🙏
2. 17 Penetration & Performance Testing Prompts for Vibe Coders
Based on all recent experience, I’ve refined a set of prompts that will help you:
Understand your system, its architecture, and components.
Identify common mistakes, best practices, and areas for improvement.
Detect possible attack vectors, critical vulnerabilities, and future improvements.
Boost the performance of your product as it scales by addressing typical issues.
Notes:
The prompts are not Lovable-specific. They will work with Cursor, Replit, etc., too.
If you work with Lovable, make sure you’re using the Agent Mode.
Group 1: Six Prompts to Reverse-Engineer and Document Your App
First, we need to document the system. This will help us detect the first critical issues and create the foundation for future work.
Prompts available in the Notion collection:
After major changes, adjust the prompts and run them again to update the existing documentation by starting with:
“Think step-by-step. Reverse-engineer the codebase to update [the rest of the prompt].”
Example result 1: System Architecture Documentation
Note that I didn't address all suggestions in the first iteration. Instead, I talked through the consequences and mitigations with an agent to learn fast and responsibly. The final reusable template will include additional suggestions.
Example 2: Roles and Permissions Documentation
Example 3: Scheduled Work Documentation
Group 2: Custom Instructions
Documenting your system was the first step. Next, we need to make sure the coding agent can easily find that information.
The best way is to reference these documents in the custom instructions attached to each user prompt. In Lovable, they're called “project knowledge.”
A ready-to-use template from the Notion collection:
Group 3: Seven Powerful Prompts to Stress-Test Security and Permissions
These are the prompts that will challenge your app the most. Surprisingly, I get much better results when persuading the AI that someone has already hacked the app.
Prompts available in the Notion collection:
Group 4: Three Prompts To Boost Performance
The last three prompts cover the most common performance issues:
The Premium Notion Collection Also Contains
Our Notion collection is growing fast and also contains:
Get Access By Clicking The Link Below
The prompts are way too long for this post.
Please use the link below: