Engagement · 1 week · Fixed price from $1,500

A senior read on whether your AI‑built app is safe to launch.

Two senior engineers walk your codebase, deployment, and data layer. You get a prioritized risk report, a practical remediation plan, and a 60-minute walkthrough. We don't run an automated tool and call it a report.

What we cover

Eighteen surface areas. We grade every one.

If something we look at isn't relevant to your app, we say so and move on. We don't pad findings.

  • Authentication & sessions
  • Authorization & row-level security
  • Secrets & key management
  • Data exposure & PII handling
  • Database backups & restore
  • Deployment pipeline & rollback
  • Environment parity
  • Logging & error tracking
  • Monitoring & alerting
  • Rate limiting & abuse
  • Input validation & SSRF
  • Dependency & supply chain
  • Type safety & tests
  • Architecture & extendability
  • Performance & cost ceilings
  • Background jobs & queues
  • LLM/API spend safeguards
  • Compliance posture (light)

The week

What actually happens in those five days.

A typical timeline. We compress for urgent pre-launch work.

  1. DAY 0

    Intake call (30 min)

    What you built, what scares you, who the users are. NDA signed, read-only access provisioned.

  2. DAYS 1–2

    Walk the codebase

    Two seniors read the code. We open every file we suspect. We test auth, RLS, secrets, deploy paths from the outside.

  3. DAY 3

    Synthesize findings

    We grade every surface area, attach severity and effort, and rough out a remediation plan.

  4. DAY 4

    Write the report

    Founder summary, risk register, remediation plan, engineering appendix. Each finding has a concrete fix.

  5. DAY 5

    Walkthrough call

    60-minute call. We answer "what should I do first," "what can wait," and "is this safe to launch."

Deliverables

What lands in your inbox on Friday.

A tight, useful document — not a 60-page PDF nobody reads.

risk-register.md

R-01 · High · Service-role key in client bundle
      Effort: 1d · Owner: dev · Fix: rotate, move server-side
R-02 · High · No RLS on user_documents
      Effort: 2d · Owner: dev · Fix: enable RLS, add policies
R-03 · Medium · No backups on primary DB
      Effort: 0.5d · Owner: ops · Fix: nightly + PITR
R-04 · Medium · Manual deploys from laptop
      Effort: 1d · Owner: ops · Fix: GitHub Actions w/ rollback
R-05 · High · Stripe webhook not verified
      Effort: 0.5d · Owner: dev · Fix: signature check

Founder summary (1 page)

A page you can share with your cofounder, your investor, or your board. Plain English. What's safe. What isn't. What we'd do.

Risk register (8–18 findings)

Each finding: severity, effort estimate, suggested owner, exact code reference, recommended fix. Sorted so you know where to start.

Remediation plan

Three horizons: ship-this-week, ship-next-month, strategic-quarter. Effort totals, sequencing, and what we'd do ourselves vs. give to your team.

Engineering appendix

For whoever does the work. Snippets, file paths, before/after sketches, and the reasoning behind every recommendation.

If you're hesitating

Two questions we get from every founder before they book.

Q · "Will this slow us down?"

No. Most teams keep building during the audit week: we work read-only and async. The walkthrough call leaves you with a sequenced remediation plan; you decide what to do with it.

Q · "What if you find something terrible?"

Better than your customers finding it. We won't be melodramatic about it. We'll tell you what to fix today, what can wait, and what to communicate to whom — including, occasionally, "delay the launch by two weeks."

Book an audit slot →

Or see the hardening sprint →