The process

Simple.
Thorough.
Fast.

No enterprise sales process. No month-long engagement. You submit your repo, we get to work, you get a report — and you know exactly what to fix and in what order.

Step 01

You fill in the booking form

Tell us your app URL, your stack, your tier, and what's keeping you up at night. Takes 3 minutes. No call required upfront.

  • Name, email, app URL
  • Stack (Node / Python / etc.)
  • Repo access (private link or zip)
  • Audit tier selection

Step 02

We confirm scope and start the audit

Within 12 hours we reply with a scope confirmation and payment link. Once payment clears, the audit begins immediately — no queue, no waiting weeks.

  • Scope confirmed via email
  • Payment via Payoneer / Wise
  • Audit starts same day

Step 03

Manual review + automated scanning

We run automated tooling and then go through your code manually — the parts that matter most: auth, API routes, data handling, secrets, dependencies. We look for what scanners miss.

  • Dependency CVE scan
  • Secrets & credentials check
  • Manual auth + API review
  • OWASP Top 10 coverage

Step 04

You receive your report

A structured PDF with every finding categorised by severity, a plain-English description of what's wrong, the impact, and exact remediation steps — not vague recommendations.

  • Severity: Critical / High / Medium / Low
  • File + line number for every issue
  • Remediation steps you can act on
  • Passed checks included

What we check

Every audit covers these areas

Authentication & Sessions
  • JWT signing and expiry
  • Session token entropy
  • Login brute-force protection
  • Refresh token rotation
  • OAuth flow security

API Security
  • IDOR / broken object-level auth
  • Rate limiting on key endpoints
  • Input validation & sanitisation
  • Verbose error responses
  • CORS misconfiguration

Secrets & Config
  • Hardcoded API keys in source
  • Secrets committed to git history
  • .env files in repository
  • Insecure default configs
  • Exposed debug endpoints

Dependencies
  • Known CVEs (npm / pip audit)
  • Outdated packages with patches
  • Supply chain risk
  • Unnecessary permissions

Data Handling
  • PII exposure in logs
  • Unencrypted sensitive fields
  • SQL / NoSQL injection
  • Mass assignment vulnerabilities
  • File upload risks

Infrastructure & Headers
  • HTTPS enforcement
  • Security headers (CSP, HSTS)
  • Admin route exposure
  • Directory listing / path traversal

Turnaround times

Per tier

Quick Scan (48 hours)
  • Automated scans + checklist review
  • 1-page PDF findings report
  • Email delivery

Full Review (7 business days)
  • Everything in MVP Audit
  • 1-hour walkthrough call
  • Re-scan after you apply fixes
  • Security sign-off letter
  • 30-day follow-up email support

Common questions

Do I need to give you full access to my codebase?

You can share a private GitHub/GitLab repo link, a zip of your source, or a read-only collaborator invite. We never need write access, deploy keys, or production credentials — and we sign an NDA on request.

What languages and frameworks do you support?

Node.js, Python (FastAPI, Django, Flask), and React/Next.js are our primary stack. If you're using something else, reach out first — if we can't cover it well, we'll tell you upfront.

Is this a penetration test?

No. This is a code-level security audit — we review your source code and configuration, not your live production environment. A pentest involves active exploitation of a running system and is a different (and more expensive) engagement. For most vibe-coded MVPs, a code audit catches 80% of real risk at a fraction of the cost.

How do I pay? Do you accept international payments?

We accept payment via Payoneer, Wise, and direct bank transfer in USD. Payment is required before the audit begins. We'll send an invoice on scope confirmation.

What if I don't understand the report?

The report is written to be readable by a solo founder who built with AI assistance — not a security professional. Every finding has a plain-English description, a concrete impact statement, and numbered fix steps. If anything is unclear, reply to the delivery email and we'll clarify at no extra charge.

Ready to know for sure?

Fill in the form. We'll confirm scope within 12 hours and start immediately after.
