packages
Fixed prices. No surprises.
Start with a free scan to see what's exposed. When you're ready for a human to dig in and close the holes, the price is fixed and known up front.
Vibe Check
A free, instant look at what's exposed on your live app.
Instant · Anyone who just shipped and wants to know if they left a door open.
- Checks your public URL in under a minute
- Security headers, HTTPS, and exposed keys in your front-end
- Open-database probe (the #1 vibe-coding mistake)
- A plain-English report emailed to you
- No account, no credit card
Deep Audit
A human-verified review of your whole codebase, not just the surface.
3–5 days · Founders with real users who need to know exactly what's wrong.
- Everything in Vibe Check, plus your source code
- Auth, access-control, and database-rule review by a human
- Business-logic and API checks a scanner can't do
- A prioritized report: what's critical, what can wait
- Copy-paste fixes and a 30-minute walkthrough call
Audit + Fix
We find the problems and we fix them, then prove they're closed.
1–2 weeks · Teams who want it handled, not just a list of homework.
- Everything in Deep Audit
- We implement the fixes in your codebase
- A re-test pass that proves every issue is closed
- Locked-down database rules, secrets, and auth
- Before/after report you can show investors or clients
Continuous Shield
Stay safe as you keep shipping with AI.
Ongoing · Apps that change every week and can't re-break every deploy.
- Monthly scan + human review
- A security check on every AI-generated change (CI gate)
- Priority fixes when something serious appears
- A living security scorecard for your app
- Direct line to the team
Questions people actually ask
Do you need access to my code?
For the free scan, no, just your live URL. For a Deep Audit or a fix, yes: we look at the actual source, always under a signed agreement, and only after you authorize it in writing.
Is this a certified penetration test?
No, and we won't pretend otherwise. This is a security audit and hardening service tuned for AI-built apps. It catches the issues that actually sink these apps, without the enterprise price tag of a formal pentest.
My app is on Lovable or Bolt, don't they already scan it?
Partly. Their built-in scanners only check their own platform and only whether a rule exists, not whether it works. We verify it for real, cover the parts they ignore, and fix what we find.
I'm pre-revenue. Should I bother?
The free scan is always worth it. Paid audits make the most sense once you have real users or a client depending on the app, because that's when a leak actually costs you something.
Still not sure? Start free.
The scan costs nothing and tells you exactly where you stand. Everything else is your call.