Engagement · 1 week · From $2,500

A security-first read of your AI-built app — before customers, payments, or PII touch it.

AI tools generate code that looks secure. Auth-shaped functions, words like "RLS" in the comments, helpfully named variables. Then a real attacker types /api/users/2 and walks out with everyone's data. We find that class of issue.

Who this is for

Teams that handle anything worth stealing.

If your app touches one of these, the security audit is the right starting point.

Payments

Stripe, billing, subscriptions

Webhook signatures, idempotency, plan downgrades, refund flows. Where money flows, attackers follow.

PII / health / financial

You store sensitive data

Names, addresses, medical notes, KYC documents, bank metadata. We test the perimeter and the inside.

B2B with security review

A customer is asking for a SOC 2 letter

You don't have SOC 2 yet. We'll give you a redacted security report you can put in a vendor questionnaire while you work on it.

What we check

Eight surface areas, threat-model first.

We start by drawing the threat model with you, then work the surfaces in priority order.

S-01 · Always

Authentication

Session handling, password reset, magic links, OAuth flows, social login pitfalls, account-takeover paths.

S-02 · Always

Authorization & RLS

Per-row, per-tenant, per-resource. We try to read someone else's data. If the database supports RLS and you don't use it, we say so loudly.

S-03 · Always

Secrets & key management

What's in the bundle, what's in env, what's in source control. Rotation plan if anything was leaked.

S-04 · High

Input validation & SSRF

Server-side validation, file uploads, URL fetchers, redirects, prototype pollution, SQL injection in raw queries.

S-05 · High

Webhooks & payment handlers

Signature verification, replay protection, idempotency, retry semantics. Stripe, Lemon Squeezy, Paddle, Polar.

S-06 · High

LLM features & prompt injection

If your app calls an LLM with user input in the prompt — and you have access to user data — we test it as an injection vector.

S-07 · As needed

Dependency & supply chain

Known CVEs, abandoned packages, install scripts, lockfile drift, typosquats. AI tools often pull in obscure packages.

S-08 · As needed

Abuse, rate-limiting, cost

Sign-up floods, scraping, OTP abuse, LLM bill bombs. Not classic security, but lethal in practice.

Red flags

If you see these, fast-track the security audit.

Five signs the security floor is lower than you think.

R-01 · Critical

You can't list every database table that has user data

If you don't know which tables hold what, you can't know which are protected.

R-02 · Critical

Your "API key" lives in client code

If a curl from an attacker's laptop can hit your backend with full powers, that's not an API key — that's a giveaway.

R-03 · High

Auth is "handled by Supabase" / "by Firebase"

The platform handles login. You still have to write the rules. We see RLS missing on Supabase weekly.

R-04 · High

You have an LLM endpoint with no rate limit

One angry teenager and a free weekend will end your runway.

R-05 · High

Stripe webhooks "just work"

If you didn't write the signature verification yourself, it probably isn't there.

R-06 · Worth checking

You shipped a feature in one prompt last week

Big features in one shot tend to skip auth checks on new endpoints. We re-walk auth after every audit-grade prompt.

Deliverables

What lands on Friday.

Two reports. One for you. One you can share.

Internal security report

Threat model diagram, findings list with code references, severity (Critical / High / Medium / Low), exploit notes, fix recipes. For your team.

External / redacted summary

A 2-page version with no code references and no exploit details. For customer security questionnaires, investors, partners.

Hot-fix advisories (if needed)

If we find anything Critical, you hear about it within 24 hours, with a fix you can ship that day. We don't sit on findings.

90-minute walkthrough

Live call. We walk every Critical and High finding with you and your developer. Recording optional.

Pricing

From $2,500 · Fixed price · 1 week · Hardening sprint available as follow-on

FAQ

Security audit, asked & answered.

01 How is this different from the general code audit?

The security audit is narrower in scope and goes deeper: auth, authorization, secrets, data exposure, dependencies, abuse paths. We don't grade architecture or performance — only what an attacker could exploit. If you want both, the general audit includes security at lighter depth.

02 Is this a penetration test?

No. We read the source. A pen test is black-box, externally probing a running system. Source-available review finds different (and usually more) issues for less money. We can refer pen testers we trust if a customer requires one.

03 Do you check for OWASP Top 10?

Yes, plus the classes we see most in AI-generated code: missing RLS, leaked service-role keys, unverified webhooks, prompt injection in LLM features, unbounded LLM spend, weak input validation. OWASP is a floor, not a ceiling.

04 What if you find a critical issue?

We surface it within 24 hours of finding it, not at the end of the engagement, with a recommended hot-fix you can ship the same day if needed.

05 Can the report go to investors or customers?

We produce two versions: an internal report with code references, and a redacted summary you can hand to a customer's security team or investor. Both are yours.

06 How do you handle access?

NDA-first. Read-only repository access. Read-only database role for query-pattern review. All credentials in 1Password vaults with hardware MFA. Wiped within 5 working days of close.