For founders shipping AI-built software

Turn your AI‑built app into production‑grade software.

AI made the prototype. We make it shippable. We audit AI‑generated codebases, harden them for real users, and stay on as a fractional engineering owner if you need one.

  • Security review
  • Deployment hardening
  • Codebase triage
  • Founder-friendly reports

01 — Prototype vs production

Working in a demo is not the same as safe for users.

AI tools are excellent at the first 80%. The remaining 20% — auth, data, deploys, failure modes — is where companies get hurt. Most "vibe-coded" apps look fine until the first real customer.

prototype

What AI tools give you

  • UI that looks complete in a single happy-path demo
  • Authentication wired up from whatever auth pattern the model happened to know, not the one your stack needs
  • Permissions enforced in the UI, not on the server or in the database
  • Secrets pasted into source files and commit history
  • No tests, no backups, no observability, no rollback path
  • Architecture that gets harder to extend with every prompt

production

What real users require

  • Real auth, server-enforced permissions, audit trails
  • Secrets in a vault, not the repo. Keys you can rotate
  • Deploys from CI, with rollback & environment parity
  • Backups you've actually restored from
  • Logs, error tracking, and an on-call story
  • A codebase your next engineer can extend without rewriting it

02 — What we usually find

The eight failure modes we see in almost every AI‑built codebase.

These aren't theoretical. This is what comes back after a two-day audit on a typical Cursor / Lovable / v0 / Replit Agent project that's about to ship.

R-01 High

Exposed API keys

Stripe, OpenAI, and database service-role keys committed in code or shipped to the browser bundle. Deleting the line in a later commit doesn't fix it: the key is still in git history for anyone with clone access, so it has to be rotated, not just removed.
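What the history check in that finding looks like in practice. This is an added example, not code from the page or its authors: a small scanner meant to be run over the text of `git log -p --all`, so a key that was "fixed" in HEAD but still sits in an old commit is reported alongside the live ones. The regexes are the public prefixes of the key types named above; the service-role check assumes a Supabase key, which is a JWT whose payload carries role=service_role. SAMPLE_DIFF is constructed and contains only fake values.

```javascript
// Added example (not code from the page or its authors): a minimal secret scanner
// for `git log -p --all` output. Regexes use the public key prefixes; the
// service-role check assumes a Supabase key (a JWT with role=service_role).
// SAMPLE_DIFF below is constructed and contains only fake values.
const PATTERNS = [
  { name: "Stripe secret key", re: /sk_(?:live|test)_[0-9A-Za-z]{16,}/g },
  { name: "OpenAI API key", re: /sk-[A-Za-z0-9_-]{20,}/g },
  { name: "JWT", re: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g },
];

// Read the payload only (no verification is needed to read a claim) to tell a
// harmless anon/user token from the service-role key that bypasses RLS.
function classifyJwt(token) {
  try {
    const payload = JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
    return payload.role === "service_role" ? "Supabase service-role JWT" : "JWT";
  } catch {
    return "JWT (payload not decodable)";
  }
}

// Never copy the secret itself into a report; prefix plus length is enough.
function redact(secret) {
  return `${secret.slice(0, 8)}...(${secret.length} chars)`;
}

// Walk a unified diff, tracking the current file and whether each hit is on an
// added, removed or context line. Removed lines matter: the key is gone from
// HEAD but still readable from history.
function scanDiff(diffText) {
  const findings = [];
  let file = "(unknown)";
  for (const raw of diffText.split("\n")) {
    const header = raw.match(/^diff --git a\/(\S+) b\/(\S+)/);
    if (header) { file = header[2]; continue; }
    if (/^(\+\+\+ |--- |@@|index )/.test(raw)) continue; // file and hunk headers
    const where = raw[0] === "+" ? "added" : raw[0] === "-" ? "removed" : "context";
    const line = raw.slice(1);
    for (const { name, re } of PATTERNS) {
      for (const hit of line.matchAll(re)) {
        const secret = hit[0];
        findings.push({ file, where, type: name === "JWT" ? classifyJwt(secret) : name, redacted: redact(secret) });
      }
    }
  }
  return findings;
}

// Constructed sample: a Stripe key "removed" in a fix commit, and a
// service-role key handed to a client that ships in the browser bundle.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const FAKE_SERVICE_JWT = `${b64url({ alg: "HS256", typ: "JWT" })}.${b64url({ iss: "supabase", role: "service_role" })}.FAKEsignatureFAKEsignature`;

const SAMPLE_DIFF = `diff --git a/lib/stripe.js b/lib/stripe.js
--- a/lib/stripe.js
+++ b/lib/stripe.js
@@ -1 +1 @@
-const stripe = require("stripe")("sk_live_FAKE0000000000000000EXAMPLE");
+const stripe = require("stripe")(process.env.STRIPE_SECRET_KEY);
diff --git a/src/supabaseClient.ts b/src/supabaseClient.ts
--- /dev/null
+++ b/src/supabaseClient.ts
@@ -0,0 +1,2 @@
+// NEXT_PUBLIC_* values are inlined into the browser bundle
+export const admin = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL, "${FAKE_SERVICE_JWT}");
`;

console.log(scanDiff(SAMPLE_DIFF));
```

To run it over a real repository, replace SAMPLE_DIFF with the output of `git log -p --all` (for example, read from process.stdin). A Supabase anon key will also match the JWT pattern; it is designed to be public and classifyJwt reports it as a plain JWT, while a service-role hit on an added line in client code is the finding that matters.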

R-02 High

Broken authentication

Sessions that never expire, JWTs decoded on the client and trusted by the server without checking the signature, password resets that reveal whether an account exists. Account takeover is a one-line request away.

R-03 High

UI‑only permissions

"If admin, show button" — but nothing enforces it on the server and there is no row-level security on the database. Any authenticated user can read or modify any other user's data with curl by changing an id in the request.

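The same endpoint written both ways, as an added example that is not code from the page or its authors. `session` is assumed to be already verified by the server, and `invoices` is a constructed in-memory stand-in for a database table. The point is that ownership belongs inside the lookup itself, for reads and writes alike, and that the database policy quoted in the comments (Supabase/Postgres syntax, assumed here) is a second layer so a forgotten WHERE clause in a future prompt still can't leak rows.

```javascript
// Added example (not code from the page or its authors). `session` is assumed
// server-verified; `invoices` is a constructed stand-in for a database table.
const invoices = [
  { id: 101, ownerId: "alice", total: 4200 },
  { id: 102, ownerId: "bob", total: 980 },
];

// The UI-only pattern seen from the server: the button is hidden when the row
// isn't yours, but the API looks rows up by id alone, so
// `curl -b "session=<alice>" /api/invoices/102` returns bob's invoice.
function getInvoiceUiOnly(session, id) {
  const row = invoices.find((r) => r.id === id);
  return row ? { status: 200, body: row } : { status: 404 };
}

// Hardened: the caller's identity is part of the lookup, so no code path can
// return a row the caller doesn't own. 404 rather than 403 so the response
// doesn't confirm that someone else's id exists.
function getInvoiceScoped(session, id) {
  const row = invoices.find((r) => r.id === id && r.ownerId === session.userId);
  return row ? { status: 200, body: row } : { status: 404 };
}

// Writes need the same scoping plus a field allowlist; otherwise a client can
// PATCH ownerId and hand the row to themselves (mass assignment).
const WRITABLE_FIELDS = ["total"];
function updateInvoiceScoped(session, id, patch) {
  const row = invoices.find((r) => r.id === id && r.ownerId === session.userId);
  if (!row) return { status: 404 };
  for (const key of Object.keys(patch)) {
    if (!WRITABLE_FIELDS.includes(key)) return { status: 400, body: { error: `field not writable: ${key}` } };
  }
  Object.assign(row, patch);
  return { status: 200, body: row };
}

// Admin-only listing: the role comes from the server-verified session, never
// from a query parameter or a flag the client sends.
function listAllInvoices(session) {
  if (session.role !== "admin") return { status: 404 };
  return { status: 200, body: invoices };
}

// Second layer in the database (Supabase/Postgres syntax, assumed here, not
// something the page shows), so the data layer refuses cross-user rows even
// when application code forgets the owner check:
//   alter table invoices enable row level security;
//   create policy owner_only on invoices
//     using (owner_id = auth.uid()) with check (owner_id = auth.uid());
// The service-role key bypasses RLS, which is why it must never reach the browser.

console.log(getInvoiceUiOnly({ userId: "alice", role: "user" }, 102).status); // 200: bob's row leaks
console.log(getInvoiceScoped({ userId: "alice", role: "user" }, 102).status);  // 404
```

The two-line difference between getInvoiceUiOnly and getInvoiceScoped is exactly what a curl-based check during the audit exercises: log in as one user, request another user's id, and see which status comes back.
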
R-04 Medium

No database backups

No automated snapshots, no restore drill, no point-in-time recovery. One bad migration or one rm -rf and the company is over.

R-05 Medium

Unclear deployment state

Code on the laptop differs from staging differs from production. No one is sure what's running. Rollbacks involve guesswork.

R-06 Medium

No logs or error tracking

First sign of a problem is a customer email. Errors swallowed in try/catch, console.log on the server, no Sentry, no alerting.

R-07 Medium

Fragile architecture

Files that grew by accretion, prompt by prompt. Three slightly-different ways of doing the same thing. Each new feature breaks two old ones.

R-08 Strategic

Not safely extendable

The honest answer is sometimes: don't keep building on this. We'll tell you when that's true, and what a tactical rewrite looks like.

03 — How we work with you

Three engagements. Pick the one that matches where you are.

Fixed scope, fixed price, no retainers you can't escape. Every engagement starts with a conversation about whether you actually need it.

Most popular · 1 week

AI App Audit

From $1,500, fixed

Best for founders with an AI‑built MVP about to put real users or paying customers on it.

  • Full read-only review of code, deploys, secrets
  • Prioritized risk report (red / amber / green)
  • Practical remediation plan, written for founders
  • 60-min walkthrough with your team
See what's in the report

Ongoing · Cancel any month

Maintenance & CTO‑Lite

From $2,000 / month

Best for teams running production software without a senior technical owner — yet.

  • Monthly health check & quarterly re-audit
  • On-call support for incidents and outages
  • Architecture & hiring decisions, vendor selection
  • Async + 1 weekly call with the founder
Talk to us

Also available: Technical due diligence for investors and acquirers reviewing AI-built codebases.

04 — Method

A method that respects your time and your codebase.

We are calm, we don't gatekeep, and we don't rewrite things that work. If your codebase shouldn't be maintained, we'll say so on day three — not three months in.

  1. Intake & access

     30-min call. Read-only access to repo, hosting, database, and analytics. We sign your NDA before you send anything.

  2. Codebase & deployment audit

     Two senior engineers walk the codebase, deploy path, and data layer. We don't run tools and call it a report.

  3. Risk report & plan

     Prioritized findings with severity, effort, and concrete fixes. Written for a founder, with a deeper appendix for engineers.

  4. Hardening or handoff

     You either green-light the sprint, hand it to your team, or — if appropriate — we tell you to stop and rebuild a slice.

  5. Maintain & iterate

     Optional monthly engagement: re-audits, on-call, architecture calls. Predictable cost. Cancellable any month.

05 — Pricing at a glance

Fixed prices. Quoted in writing. No surprises.

We scope tightly so you can budget honestly. If a project is going to cost more, we tell you before we start it.

AI App Audit

Up to 25k LOC, one repo, one product surface. Larger scopes priced after intake.
From $1,500
Details

Production Hardening Sprint

2–3 weeks of senior engineering on prioritized fixes from the audit.
From $6,000
Details

Maintenance & CTO‑Lite

Monthly retainer. Fractional senior engineer + technical owner.
From $2,000 / mo
Details

Technical due diligence

Investor or acquirer review of an AI-built codebase. Delivered in 5 working days.
From $4,500
Inquire

06 — Who we work with

Three kinds of teams hire us, often at the same moment.

You don't need to be technical to work with us. You do need a codebase you can give us read access to.

Solo founder

You shipped an MVP with Cursor or Lovable

You can't tell whether the app is dangerous to put real customers on. You want a clear answer in a week.

  • Audit before launch
  • Before you take payments
  • Before you store anything regulated

Small agency

You build for clients with AI tools

You want a senior pair of eyes on the code before delivery, and a written report that protects your relationship.

  • Pre-handoff audit
  • Co-branded remediation plan
  • Optional ongoing safety net

Investor / acquirer

You're evaluating an AI‑built company

You need an honest read on the engineering risk before a term sheet or before close. We don't pull punches.

  • 5-day technical DD
  • Acquisition-grade report
  • Founder interview included

07 — Frequently asked

Questions founders ask before they hire us.

Q·01 Do I need to be technical to hire you?
No. Most of our clients are non-technical founders or product people. Our reports are written for you first, with a deeper appendix for whoever is going to do the work. If you don't have anyone to do the work, we can do it.
Q·02 What if my codebase is a mess?
That's the normal case. We've seen worse than yours. The audit's first job is to give you a clear, calm picture of where you are — not to make you feel bad about it.
Q·03 Will you tell me to throw it out?
Sometimes. About 1 in 8 codebases we look at shouldn't be maintained as-is. When that's true, we say so, and we describe a tactical slice you can rebuild without losing momentum. Telling you to stop paying for sunk-cost code is part of the job.
Q·04 Which AI tools do you cover?
Cursor, Claude Code, Lovable, v0, Bolt, Replit Agent, Windsurf, GitHub Copilot Workspace, and the long tail of "AI builder" platforms. We care about the resulting code, not the tool that produced it. Same applies to whatever model wrote it.
Q·05 How fast can you start?
Usually within a week. We hold two audit slots open per month for urgent pre-launch work. If you're already on fire, tell us in the intake form and we'll prioritize.
Q·06 What about NDAs and IP?
Standard mutual NDA before access. We sign yours; if you don't have one, we'll send ours. Read-only access throughout. Everything we touch is logged. We never train models on your code.

Ready when you are

Before you ship an AI‑built app, know what can break.

We'll write you a short, honest assessment in a week. If we don't think you need an audit, we'll tell you that for free.

Book an audit, or get the free checklist.
  • NDA signed before access
  • Read-only credentials throughout
  • Written report, not a slide deck

Intake form

We reply within one business day. No autoresponders.