AUDITS 2 per month · solo · hand-driven

The vibe-coded SaaS
security audit.

A one-week, hand-driven security review of your AI-generated SaaS, built for the bugs LLMs actually ship to production. Find your critical vulnerabilities before a customer does — or you don't pay.

See pricing Email me your URL
  1. 1Send URL
  2. 2Scope call
  3. 3Quote + 50% deposit
  4. 4Day 1–3: hunt
  5. 5Day 3: finding or refund
  6. 6Week end: full report

Who

Who this is for

You shipped a SaaS in the last 18 months. You used an LLM to scaffold most of the code. You have paying users. You have not had a security review.

You're moving fast on purpose. You're not slowing down to read OWASP. You're also aware, on some level, that the same models that wrote your auth middleware wrote everyone else's, and that something in your codebase is probably broken in a way that will only surface when it surfaces badly.

If you have a security team, you don't need me. If you're pre-revenue, neither of us benefits — come back when you've shipped.

What's included

What you actually get

The full engagement, itemized:

Methodology

How I actually test

Operator-level questions, answered up front. If anything below doesn't fit your setup, we adjust on the scope call — this is the default.

Testing model
Grey-box by default: I work from a test account, your public docs, and a 30-minute architecture walkthrough. Black-box (no walkthrough) and white-box (source access) are both available; white-box typically surfaces 30–50% more on the same time budget.
Source access
Not required, but welcome. Read-only GitHub collaborator on a private repo, or a zipped snapshot. Source is reviewed manually plus a targeted Semgrep pass for the twelve classes in the checklist.
Environment
Staging strongly preferred. I will test production with written authorization if no staging exists, with destructive payloads explicitly excluded and a pre-agreed abort signal.
Authenticated testing
Two test accounts in separate tenants/orgs are the minimum — cross-tenant IDOR, RLS, and JWT-audience bugs need a second identity to prove.
Scope size
Starter: one web app, one main domain, up to ~40 endpoints. Standard: web app plus up to 3 connector flows (Notion, Slack, GitHub, Stripe, etc.). Deep: add a desktop/mobile client, multiple OAuth flows, or sensitive scopes — quoted after scoping.
Stacks I'm fluent in
Next.js / Node / TypeScript, Python (FastAPI, Django, Flask), Supabase / Postgres + RLS, Hono / Cloudflare Workers, Clerk & Auth.js, OpenAI / Anthropic agent code, Stripe webhooks. Other stacks on request — I'll tell you honestly if it's outside my fluency.
Intensity
Starter is ~25–30 focused hours over 5 business days. Standard is ~50–60 hours over 10 business days. Deep is quoted per engagement.
Re-test SLA
One re-test on the original scope is included. Scheduled within 5 business days of your "ready to verify" email, completed within 3 business days of starting.
Reporting format
PDF + a markdown bundle (one file per finding) you can paste directly into Linear / Jira / GitHub issues. CVSS 3.1 vector strings on every finding. Sample report on request.
Legal safe harbor
You provide written authorization (template supplied) before any testing touches your infrastructure. Mutual NDA optional. I carry professional indemnity cover; certificate of insurance on request.
What I don't touch
Denial-of-service, social engineering of your employees, physical access, and anything that would exfiltrate real customer data. Destructive payloads on production are off by default.

Guarantee

If I don't find a High or Critical, you don't pay.

Concretely: I quote the engagement, you pay 50% upfront. If I haven't surfaced at least one finding I'd score High or Critical under CVSS 3.1 within 3 days, I refund the deposit in full and you keep the clean-bill-of-health report as a due-diligence asset. The full deliverable stack — report, threat model, remediation Q&A, re-test — lands by end of the engagement window (one week for Starter, two for Standard).

This is a real risk reversal. I take it because I've yet to run this audit on a vibe-coded product and not find at least one issue at that severity — but if your codebase is the first, the risk is on me, not on you.

Pricing

Three tiers

Fixed price, no hourly. Quoted per engagement.

Starter

$1,500

Solo founders and very early teams. One web app, one main domain.

  • ~25–30 focused hours over 5 business days
  • Up to ~40 endpoints, grey-box, two tenants
  • Full deliverable stack, single re-test included

Standard

$3,500

Seed-stage products with real integrations.

  • ~50–60 hours over 10 business days
  • Web app + up to 3 connector flows
  • Extended threat model, source-assisted on request
  • Full deliverable stack, single re-test included

Deep

$6,000FROM

More surface — desktop/mobile, multiple OAuth flows, sensitive scopes. Clicky-class work.

  • Network capture + binary review where applicable
  • Privacy-practice review & third-party processor analysis
  • Attack-chain narrative + remediation roadmap
  • Quoted per engagement after a free scoping call

Capacity: I take two audits per month. This is real — I'm solo and the work is hand-driven. Booking is first-come; if the current month is full, the next slot is whichever month opens next.

Process

How it works

  1. Free 20-minute look. Send your URL and one sentence on what you do. I tell you whether I see something worth a closer look. Public surfaces only, no NDA needed at this stage.
  2. Fixed-price quote. If we're a fit, I send a scope and a quote. Sign and pay 50% to book the slot.
  3. One week of work. NDA in place, test account provisioned, you don't need to do anything while I work. No standups, no Slack interrupts, no calls.
  4. Report delivered. Full deliverable stack lands in your inbox. Balance due on delivery.
  5. Patch and re-test. Your team fixes; I verify within the included 30-day window.

Boundaries

What I don't do

Questions

FAQ

How does the public-writeup policy work for paid clients?

Paid engagements follow coordinated disclosure. We agree the public-disclosure timeline together (90 days from the fix is the default, longer is fine). You choose whether the eventual writeup names you, anonymises you, or stays private indefinitely. The site shows existence of paid engagements only with your approval — see the ParakeetAI card for what an approved-but-embargoed listing looks like.

And for the public writeups I see on this site?

The writeups currently published (Clicky, Outrank) were not paid engagements. They were independent research on products I use, disclosed privately to the vendor first. When a vendor does not engage with a disclosure after good-faith attempts, the finding is published under the same responsible-disclosure timeline that Project Zero, Trail of Bits, and most security researchers operate under. If either vendor responds now, I'll happily add a "fixed in version X" note to the post.

What if you don't find anything?

You don't pay. The guarantee covers this. You also keep the clean-bill-of-health report, which has real value for due diligence, customer trust, and investor questions.

Why is this cheaper than US security firms?

A traditional pentest engagement starts at $10k–$25k and is scoped for a different buyer. I'm a solo researcher running a focused methodology against a narrow target class. Less overhead, less scope, less time — lower price. The work itself is not cheaper.

Payment?

Card via Stripe Payment Link, sent with the quote. 50% on accept, 50% on delivery. USDC, USDT, or wire on request — reply to the quote and I'll swap the link.

NDA?

Yours or mine. I sign yours unredacted; mine is a one-page mutual NDA on request.

Get started

Send me your URL.

One sentence on what your app does. I'll reply with whether I see something worth a closer look.

[email protected]