The Opviva blog
How the security agent finds, proves, and fixes the gaps AI builders leave behind.
AI agent forensics: how to prove what your AI actually did
Scanners can't tell you what your AI agent actually did. Why forensics is the missing layer in AI app security — and how to prove an agent's actions.
Vibe-coding security scanners compared (2026): an honest look — including ours
An honest, side-by-side look at the vibe-coding security scanners in 2026 — what each catches, what it misses, and which to use for your AI-built app.
MCP security: how to secure Model Context Protocol servers and AI agents
MCP connects AI agents to tools — and to a new attack surface. The complete picture: the risks, how MCP gets exploited, and how to secure it.
EU AI Act Article 12: a practical guide to AI logging and record-keeping
EU AI Act Article 12 requires high-risk AI systems to keep logs automatically. What it actually asks for — and a practical way to meet it.
Tamper-evident logging explained: how to make a log you can actually trust
An ordinary log can be edited — and proves nothing. What tamper-evident logging is, how hash chaining works, and why it turns logs into evidence.
MCP tool poisoning explained: how a tool description can hijack your AI agent
Tool-spec injection is the headline MCP risk. How a poisoned tool description hijacks an AI agent, a concrete example, and how to defend against it.
Scan vs fix: why a security report isn't enough for a vibe-coded app
A list of vulnerabilities only helps if you can act on it. Why scan-only tools leave non-developers stuck — and what post-deploy auto-fix really means.
AI now finds decades-old security bugs overnight — what it means for your app
Frontier AI now finds bugs that survived 20+ years of human review — overnight. What changed, why it matters for your AI-built app, and how to stay ahead.
The 7 security holes in AI-generated apps (and how to fix them)
AI builders ship apps in minutes — and the same security gaps every time. The seven most common holes in vibe-coded apps, and how to close each one.
Exposed Supabase service_role key: why it's critical and how to find it
The Supabase service_role key bypasses all security. If it reaches the browser, your whole database is exposed. Here's how to detect and fix a leak.
