What investor-ready infrastructure looks like
Vauntico's Phantom Maintainer evaluates every codebase across six weighted security vectors. Below are pre-calculated posture profiles for world-class open-source projects — and one representative example of what unresolved posture debt looks like before a due-diligence review.
Exemplary Posture — Sovereign Tier
vercel/next.js · Next.js · EXEMPLARY
The React framework powering millions of production web applications globally.
6-Vector Posture Matrix
Scan Findings (4)
Zero secrets detected in 12,400+ commits
Automated secret-scanning workflow active on all branches.
Dependabot enabled — 0 critical CVEs
Lockfile audited: all direct dependencies patched within 48 h of disclosure.
Security policy (SECURITY.md) present and linked
Responsible disclosure channel documented with SLA commitments.
IaC drift — 2 staging env vars unmanaged
Minor: staging-only variables not tracked in Terraform config.
Phantom scan · simulated · v2 schema
supabase/supabase · Supabase · EXEMPLARY
Open-source Firebase alternative — Postgres, Auth, Storage, Edge Functions.
6-Vector Posture Matrix
Scan Findings (4)
RLS enforced across all core database schemas
Row-level security validated on 47 Supabase platform tables.
Branch protection rules active on main
Required status checks: lint, type-check, unit tests, security audit.
SOC 2-type policy documentation present
Trust centre policies linked from public repository.
3 transitive peer-dep mismatches (non-critical)
Flagged by Phantom: eslint peer dependency version range mismatch in dev graph.
Phantom scan · simulated · v2 schema
tailwindlabs/tailwindcss · Tailwind CSS · EXEMPLARY
A utility-first CSS framework with a world-class developer experience.
6-Vector Posture Matrix
Scan Findings (4)
Lockfile integrity verified — npm provenance enabled
Package provenance attestations published for all releases ≥ v3.4.
MIT licence — no IP encumbrance for enterprise use
Licence classification: permissive. Zero GPL / AGPL transitive risk.
Signed releases via GitHub Attestation
All NPM publish workflows use OIDC token-based signing.
IaC coverage partial — no Terraform for CDN config
jsDelivr and Cloudflare CDN rules managed manually, not in version control.
Phantom scan · simulated · v2 schema
Vulnerable Posture — Pre-Series A Red Flags
hypothetical-startup/api-backend · Vulnerable Startup API · VULNERABLE EXAMPLE
A representative example of a pre-Series A startup codebase with unaddressed posture debt.
6-Vector Posture Matrix
Scan Findings (4)
AWS_SECRET_ACCESS_KEY leaked in commit b4f92a1
Credential found in plaintext. Phantom flagged immediate rotation requirement.
47% of packages outdated — 3 contain critical CVEs
CVE-2023-44270 (lodash), CVE-2024-21538 (cross-spawn), CVE-2024-4067 (micromatch).
No SECURITY.md — zero responsible-disclosure channel
Investors and enterprise clients cannot report vulnerabilities privately.
CI pipeline has no security scanning step
No SAST, no dependency audit, no secret detection gate in GitHub Actions.
Phantom scan · simulated · v2 schema
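The four red flags in the vulnerable profile above (a leaked AWS credential, an unpinned dependency tree, no SECURITY.md, and a CI pipeline with no security gate) are all things a team can check for itself before any due-diligence review. The script below is an added illustration, not Vauntico's or Phantom Maintainer's code, and makes no claim about how Phantom scores its six vectors. The regexes, the list of expected SECURITY.md locations and lockfile names, and the keyword list used to detect a security step in a workflow are all assumptions chosen for the example; the sample repository it scans is constructed inline, and the credential values in it are the placeholder keys from AWS's public documentation, not real secrets.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Regexes for the credential class named in the finding above (AWS access key id
# and secret access key). Conventional patterns used for illustration, not
# Phantom Maintainer's own rules (assumption).
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
AWS_SECRET_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# File types scanned as text; '' covers dotfiles such as .env (assumption).
TEXT_SUFFIXES = {"", ".py", ".js", ".ts", ".json", ".yml", ".yaml", ".md", ".txt", ".cfg", ".ini", ".toml"}

# Where a disclosure policy and a lockfile are normally expected, and keywords
# that indicate a security step in a GitHub Actions workflow (all assumptions).
SECURITY_MD_LOCATIONS = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")
LOCKFILES = ("package-lock.json", "pnpm-lock.yaml", "yarn.lock")
CI_SECURITY_KEYWORDS = re.compile(r"npm audit|codeql|gitleaks|trufflehog|semgrep|snyk", re.I)


def scan_secrets(root: Path) -> list[dict]:
    """Walk the tree and report lines that look like AWS credentials."""
    findings: list[dict] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts or path.suffix not in TEXT_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(text.splitlines(), start=1):
            if AWS_KEY_ID_RE.search(line):
                findings.append({"file": rel, "line": lineno, "kind": "aws_access_key_id"})
            if AWS_SECRET_RE.search(line):
                findings.append({"file": rel, "line": lineno, "kind": "aws_secret_access_key"})
    return findings


def check_posture(root: Path) -> dict:
    """Run the four checks that correspond to the findings listed above."""
    root = Path(root)
    secrets = scan_secrets(root)
    security_md = any((root / name).is_file() for name in SECURITY_MD_LOCATIONS)
    lockfile = any((root / name).is_file() for name in LOCKFILES)

    # Concatenate every workflow file and look for a known security tool/step.
    workflow_dir = root / ".github" / "workflows"
    workflow_text = ""
    if workflow_dir.is_dir():
        workflow_text = "\n".join(
            p.read_text(encoding="utf-8", errors="ignore")
            for p in sorted(workflow_dir.iterdir())
            if p.suffix in (".yml", ".yaml")
        )
    ci_security_step = bool(CI_SECURITY_KEYWORDS.search(workflow_text))

    report = {
        "secrets": secrets,
        "security_md_present": security_md,
        "lockfile_present": lockfile,
        "ci_security_step_present": ci_security_step,
    }
    # One red flag per failed check, matching the four-finding layout above.
    report["red_flags"] = sum([bool(secrets), not security_md, not lockfile, not ci_security_step])
    return report


def build_sample_repo(root: Path) -> None:
    """Constructed sample tree mirroring the vulnerable profile above.
    The credential values are the placeholder keys from AWS's own documentation,
    not real secrets."""
    (root / "src").mkdir(parents=True)
    (root / ".github" / "workflows").mkdir(parents=True)
    (root / ".env").write_text("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
    (root / "src" / "config.js").write_text(
        'const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";\n'
    )
    (root / "package.json").write_text('{"name": "api-backend", "version": "0.1.0"}\n')
    # A CI workflow that runs tests only: no SAST, audit or secret-detection gate.
    (root / ".github" / "workflows" / "ci.yml").write_text(
        "on: push\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - run: npm test\n"
    )
    # Deliberately no SECURITY.md and no lockfile.


def demo() -> dict:
    """Build the sample repo in a temporary directory and return its report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return check_posture(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real checkout by calling `check_posture(Path("path/to/repo"))`; on the constructed sample it reports two credential hits and four red flags. The keyword test for the CI step is intentionally crude: it confirms a security tool is referenced in a workflow, not that the step is required to pass before merge, which a branch-protection rule (as in the Supabase profile above) would enforce.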
Why investors and enterprise clients run TrustScore checks
Due-diligence passports
A TrustScore passport gives VCs and angels a one-click view of your infrastructure risk profile — no custom audit, no 40-slide security deck.
SOC 2 readiness evidence
Phantom Maintainer generates continuous compliance artefacts that map directly to SOC 2 Type II trust service criteria, cutting audit prep by weeks.
Enterprise vendor qualification
Fortune-500 procurement teams require security posture attestation. A verified Vauntico badge replaces lengthy vendor questionnaires.
Real-time posture monitoring
TrustScores update nightly. New vulnerabilities surface within 24 h — so you fix before an auditor, attacker, or client discovers the gap.
Ready to see where your infrastructure stands?
Free 60-second scan. No credit card. Instant six-vector posture report.