Independent security review · before you launch

A person reviews the parts of your AI-built app a scanner can't judge.

A fixed-scope security audit for apps built with Claude Code, Cursor, Lovable, Bolt, or Replit — reviewed by hand before you take on real users, payments, or personal data.

Fixed scope, fixed price. Read-only repo access, revoked when the audit closes.

audit summary
Automated scan: no issues found
SAST + secrets pattern-match · clean
Manual review found
Any user can read another user's data
GET /allocations/:userId — no ownership check
Admin function reachable by any logged-in user
role check never enforced server-side
Session cookie stealable via injected script
not HttpOnly/Secure · autoescaping off
Why this matters now

AI writes the happy path. It rarely writes the security.

The tools that let a founder ship in a weekend generate working features fast — but access control, secrets handling, and payment logic are exactly the parts these tools leave unreviewed. The data on shipped AI-built code is consistent, and it isn't reassuring.

~1 in 3
live vibe-coded apps scanned had a serious vulnerability or an exposed secret.
45%
of AI-generated code fails basic OWASP Top 10 checks — over 70% in some languages.
Rising
CVEs attributed to AI-generated code are climbing month over month through 2026.

Figures reflect aggregated 2026 industry research on AI-generated code — OWASP Top 10 failure rates, exposed-secret scanning studies, and slopsquatting research.

The difference

The tool that built your app can't grade its own homework — and neither can a bot that only pattern-matches code.

Automated scanners already exist for this. They're inexpensive, widely available in the $0–39/month range, and genuinely useful for catching known-bad patterns. But they share one hard limit: they read code, they don't reason about your app. They can't tell whether a check is actually enforced, only whether it appears to be present.

What an automated scanner can do
  • Match code against a library of known-bad patterns
  • Flag a hardcoded key that fits a known format
  • Point at a line and say "this looks risky"
What a human reviewer checks
  • Whether an auth check is actually enforced server-side — not just hidden in the UI
  • Whether a paywall can be bypassed by editing a request the client controls
  • Whether one user can read or change another user's data by changing an ID

A scanner can tell you the code has a permission check.
Only a person can tell you the permission check works.

That's the entire reason PreFlightSec exists. Every audit runs the automated tooling too — but the automated pass is the floor, not the finding. The judgment is the product.

What we review

The classes that actually get people breached.

Focused on where AI-generated code fails most often, and where a missed flaw does real damage to a founder taking their first paying users.

Authentication & sessions

Whether sessions are verified server-side, tokens are stored safely, and logging out actually ends the session.

Authorization & access control

The high-impact one: can a logged-in user reach data, files, or admin actions that aren't theirs?

Secrets & credentials

Keys and credentials in your source and full git history — not just the latest commit.

Injection & input handling

Where user input reaches a query, a command, or the page unescaped — SQL/NoSQL injection and XSS.

Dependencies & hallucinated packages

Every package cross-checked against the real registry, to catch hallucinated or slopsquatted names. (Full Audit)

Payment & paywall logic

Whether entitlement is decided server-side from a trusted record, or by something the client can simply change.

How it works

Fixed scope, no scoping calls, a report you can act on.

1

Intake

A short questionnaire captures your stack and grants read-only repo access. It routes you straight to the right tier.

2

Automated pass

Static analysis and secrets scanning run across your code and full git history — the floor, done fast.

3

Manual review

A person reviews the auth, authorization, and payment logic by hand — the part automation can't judge.

4

Report & handover

A plain-English report ranked by severity, with a specific fix for every finding, plus a short walkthrough call.

Pricing

Two fixed-price tiers. You know the scope and the cost before you start.

Priced against what a breach, a leaked key, or a bypassed paywall would actually cost you — not against a monthly tool subscription.

Essentials
$750–1,200
Written report within 48 hours of repo access.
  • Automated static analysis & secrets scan
  • Manual review of auth, payments & secrets handling
  • Severity-ranked report in plain English, with fixes
  • 20-minute handover walkthrough
Choose Essentials at intake
What this is not: an audit is not a full penetration test, a load/performance test, a code rewrite, or a compliance certification (SOC 2 / ISO). It reviews the security of your existing code within a fixed scope. The exact in-scope and out-of-scope boundaries are set out in the engagement agreement before any work begins.
Placeholder

[ Client results coming soon ]

Real, named engagement results will appear here as audits complete. No invented testimonials, no borrowed logos — this space stays empty until there's something true to put in it.

Find out before your users do.

Start the intake questionnaire. It takes a few minutes, tells you which tier fits, and there's no charge to complete it.

Start your intake

Read-only repo access · revoked at engagement close · no code retained after the audit.