A fixed-scope security audit for apps built with Claude Code, Cursor, Lovable, Bolt, or Replit — reviewed by hand before you take on real users, payments, or personal data.
Fixed scope, fixed price. Read-only repo access, revoked when the audit closes.
The tools that let a founder ship in a weekend generate working features fast — but access control, secrets handling, and payment logic are exactly the parts these tools leave unreviewed. The data on shipped AI-built code is consistent, and it isn't reassuring.
Figures reflect aggregated 2026 industry research on AI-generated code — OWASP Top 10 failure rates, exposed-secret scanning studies, and slopsquatting research.
Automated scanners already exist for this. They're inexpensive, widely available in the $0–39/month range, and genuinely useful for catching known-bad patterns. But they share one hard limit: they read code, they don't reason about your app. They can't tell whether a check is actually enforced, only whether it appears to be present.
A scanner can tell you the code has a permission check.
Only a person can tell you the permission check works.
That's the entire reason PreFlightSec exists. Every audit runs the automated tooling too — but the automated pass is the floor, not the finding. The judgment is the product.
Focused on where AI-generated code fails most often, and where a missed flaw does real damage to a founder taking their first paying users.
Whether sessions are verified server-side, tokens are stored safely, and logging out actually ends the session.
The high-impact one: can a logged-in user reach data, files, or admin actions that aren't theirs?
Keys and credentials in your source and full git history — not just the latest commit.
Where user input reaches a query, a command, or the page unescaped — SQL/NoSQL injection and XSS.
Every package cross-checked against the real registry, to catch hallucinated or slopsquatted names. (Full Audit)
Whether entitlement is decided server-side from a trusted record, or by something the client can simply change.
A short questionnaire captures your stack and grants read-only repo access. It routes you straight to the right tier.
Static analysis and secrets scanning run across your code and full git history — the floor, done fast.
A person reviews the auth, authorization, and payment logic by hand — the part automation can't judge.
A plain-English report ranked by severity, with a specific fix for every finding, plus a short walkthrough call.
Priced against what a breach, a leaked key, or a bypassed paywall would actually cost you — not against a monthly tool subscription.
Real, named engagement results will appear here as audits complete. No invented testimonials, no borrowed logos — this space stays empty until there's something true to put in it.
Start the intake questionnaire. It takes a few minutes, tells you which tier fits, and there's no charge to complete it.
Start your intakeRead-only repo access · revoked at engagement close · no code retained after the audit.