The Vezraa Framework
The Vezraa framework combines three specialized frameworks — VPRF, VAPF, and VAASF — into a unified methodology for evaluating whether software is production ready. Each framework serves a distinct purpose, and together they provide complete coverage from passive scanning to active exploitation to AI-specific security.
Framework Overview
The Vezraa framework is built on the principle that production readiness cannot be evaluated through a single lens. A comprehensive assessment requires three distinct perspectives: a broad passive scan that checks every category of production readiness, an active testing methodology that probes for exploitable vulnerabilities, and a specialized framework that addresses the unique security challenges of AI-powered development. Together, these three frameworks provide the most complete assessment of production readiness available in a single platform.
The Three Frameworks
VPRF — Vezraa Production Readiness Framework
The VPRF is the baseline assessment. It defines 150 checks across 16 categories with P0/P1/P2 severity levels. The VPRF is executed on every scan and provides the production readiness score. It covers security headers, TLS configuration, exposed secrets, Core Web Vitals, accessibility compliance, email authentication (SPF/DKIM/DMARC), legal compliance signals, SEO fundamentals, infrastructure hardening, breach history, supply chain security, authentication configuration, API design, mobile readiness, and documentation completeness. The VPRF is the entry point for every assessment and provides the broadest coverage of any single framework.
VAPF — Vezraa Autonomous Pentesting Framework
The VAPF extends the VPRF by adding active security testing. Where the VPRF passively detects configuration gaps and exposed secrets, the VAPF dispatches an AI agent that actively probes the application for exploitable vulnerabilities. The VAPF follows a 6-phase methodology: Discovery (mapping the attack surface), Enumeration (systematic vulnerability probing), Attack Chains (constructing multi-step exploits), Exploitation (executing real payloads), Verification (confirming each finding with proof-of-concept evidence), and Human Review (flagging complex findings for expert analysis). The VAPF is optional and requires explicit user consent because it involves active testing that goes beyond passive observation.
VAASF — Vezraa AI Application Security Framework
The VAASF addresses the unique security challenges of applications built with AI-powered development tools. Each AI tool — Cursor, Claude, Lovable, Bolt, Replit, and Supabase — creates distinct vulnerability patterns that traditional security assessments miss. Cursor applications may contain exposed secrets from agentic code generation. Lovable apps frequently have misconfigured Supabase RLS policies. Bolt applications often ship with permissive CORS and debug endpoints. Claude-generated code tends to include verbose error messages with stack traces. Replit projects commonly embed inline secrets viewable in public forks. Supabase applications frequently expose anon keys with overly permissive access. The VAASF systematically checks for each tool's specific risk patterns and provides tool-specific remediation guidance.
How They Work Together
The three frameworks are designed to be used together in a layered assessment approach. A typical workflow starts with the VPRF, which runs automatically on every scan to establish the baseline production readiness score and identify all gaps across the 16 categories. If the VPRF identifies potential security vulnerabilities — particularly in authentication, authorization, or input handling — the user can enable the VAPF to dispatch an AI agent for deeper validation. The VAPF takes the VPRF findings as input and prioritizes its testing based on the most promising attack vectors identified during the passive scan. Separately, if the scanned application shows signs of being built with AI tools — such as telltale code patterns, specific framework configurations, or known AI tool artifacts — the VAASF applies its additional check sets to catch AI-specific vulnerabilities that neither the VPRF nor VAPF would detect on their own. The results from all three frameworks are consolidated into a single report with unified severity classification and remediation guidance.
Implementation Guide
Implementing the Vezraa framework in your organization follows a phased approach. Phase 1 starts with the VPRF baseline — scan all production applications to establish current scores and identify critical gaps. Phase 2 enables continuous monitoring with weekly re-scans to track improvement and detect regressions. Phase 3 introduces VAPF autonomous pentesting for critical applications, running active tests before major releases or after significant infrastructure changes. Phase 4 applies the VAASF for applications built with AI tools, ensuring AI-specific vulnerabilities are addressed. Phase 5 establishes organizational standards based on the VPRF, defining minimum acceptable scores for different application tiers and integrating automated scanning into CI/CD pipelines to block deployments that fall below thresholds. Throughout the process, the unified reporting and severity classification ensure consistent communication between security teams, engineering teams, and leadership.
Why Three Frameworks
A single framework cannot adequately assess production readiness because the question itself has multiple dimensions. Passive scanning (VPRF) catches configuration issues and exposed secrets but cannot determine whether a vulnerability is actually exploitable. Active pentesting (VAPF) validates exploitability but is too resource-intensive to run on every scan and requires user consent. AI-specific security (VAASF) addresses a rapidly evolving threat landscape that traditional frameworks don't cover. By separating these concerns into three specialized frameworks that share a common severity language and reporting structure, Vezraa provides the right depth of assessment for every situation — fast baseline scans for everyday use, deep active testing when needed, and AI-specific coverage for modern development patterns.
All three frameworks run on every scan. Start with a free assessment.
Scan Your App →