Frequently Asked Questions
Everything you need to know about our security audit service.
General
What is a vibe code audit?
A vibe code audit is a security review specifically designed for codebases built with AI coding tools like Cursor, v0, Bolt, Lovable, Replit, and GitHub Copilot. These tools generate functional code quickly, but they consistently produce the same categories of security vulnerabilities. Our audits focus on finding and fixing these issues before they reach production.
Why do AI-generated codebases need a security audit?
AI coding tools are optimised to produce code that works, not code that is secure. They routinely produce code with hard-coded API keys, missing authentication checks, overly permissive database policies, and insecure data handling. These issues are not obvious from the outside -- the app looks and feels complete -- but they can lead to data breaches, unauthorised access, and other serious problems.
Which AI coding tools do you support?
We audit codebases built with any AI coding tool, including Cursor, v0, Bolt, Lovable, Replit, and GitHub Copilot. We also review code from ChatGPT, Claude, and other LLMs used for code generation. If you have used an AI tool not listed here, get in touch and we will confirm whether we can help.
Do I need to know how to code to use your service?
No. Many of our clients are non-technical founders, designers, and product managers who have built apps using AI tools without a traditional programming background. Our reports are written in plain language with clear prioritisation, so you know what needs fixing and how urgent each issue is.
How is this different from automated security scanning tools?
Automated scanners match known vulnerability patterns in source code, but they miss the architectural and logic issues that AI tools introduce most often. A query can be perfectly parameterised and still hand one user another user's record if the ownership check is missing, and no syntax pattern flags that. Issues like incorrect RLS policies, broken authorisation flows, and insecure data exposure require a human understanding of what the application is supposed to do. Our audits combine manual review with automated tooling for thorough coverage.
Pricing
What does each package include?
The Security Scan (£297) covers authentication, API routes, secrets, and database basics for codebases up to 50 files. The Full Audit (£997) is a comprehensive review with no file limit, covering infrastructure, third-party integrations, OWASP Top 10, plus a video walkthrough. The Production Ready package (£2,997) includes everything in the Full Audit plus hands-on implementation of fixes, security hardening, and 30 days of follow-up support.
Can I upgrade from a Security Scan to a Full Audit later?
Yes. If you start with a Security Scan and decide you need deeper coverage, we can upgrade you to a Full Audit. We will credit the cost of your Security Scan towards the Full Audit price, so you only pay the difference.
Do you offer refunds?
If we begin the audit and find no security issues at all, we will refund you in full. In practice, this has never happened -- every AI-generated codebase we have reviewed has had several issues worth addressing. If you are unhappy with the quality of the audit for any reason, get in touch and we will make it right.
Are there any hidden costs?
No. The price you see is the price you pay. There are no setup fees, no per-issue charges, and no surprise add-ons. The only additional cost would be if you choose to upgrade to a higher tier after starting.
Do you offer discounts for multiple projects?
Yes. If you have more than one codebase that needs auditing, or if you want to set up a recurring audit schedule, get in touch and we can put together a custom quote.
Process
How does the audit process work?
After you purchase an audit, we will send you a short intake form asking about your application, tech stack, and any specific concerns. You then share access to your codebase (usually via a private GitHub repository). We conduct the review within the stated turnaround time and deliver a detailed report. For Full Audit and Production Ready packages, we also schedule a video walkthrough.
How do I share my codebase with you?
The easiest way is to add us as a collaborator on your private GitHub or GitLab repository. If your code is not in a repository, you can share it as a zip archive via a private, access-controlled link. We do not retain your code after the audit is complete, and we are happy to sign an NDA before you share access.
How long does the audit take?
The Security Scan is delivered within 3 business days. The Full Audit takes up to 7 business days. The Production Ready package takes 10-12 business days, as it includes implementing fixes. Turnaround times start from when we receive full access to your codebase.
What does the report look like?
You receive a PDF report listing every issue found, categorised by severity (critical, high, medium, low). Each issue includes a description of the problem, where it is in your code, why it matters, and step-by-step guidance on how to fix it. Full Audit and Production Ready packages also include a recorded video walkthrough.
Will you sign an NDA?
Yes. We are happy to sign a mutual NDA before you share access to your codebase. Just let us know when you purchase and we will get that sorted before the audit begins.
What happens after I get the report?
For the Security Scan, you get 1 follow-up question via email. For the Full Audit, you get up to 5 follow-up questions. For the Production Ready package, you get 30 days of email support after delivery. If you need additional help implementing fixes beyond your package, we can arrange that separately.
Technical
What tech stacks do you support?
We specialise in the stacks most commonly generated by AI coding tools: Next.js, React, Node.js, Supabase, Firebase, Prisma, and Tailwind CSS. We also review Python (Flask, Django, FastAPI) and standard REST or GraphQL APIs. If your stack is not listed, get in touch -- we can likely still help.
What types of vulnerabilities do you look for?
We check for authentication and authorisation flaws, exposed secrets and API keys, insecure database configurations (RLS policies, query injection), cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references (IDOR), missing rate limiting, improper error handling, and insecure third-party integrations. We cover the full OWASP Top 10 in the Full Audit and Production Ready packages.
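The authorisation flaw mentioned in the two answers above (the "broken authorisation flow" that scanners miss, and the IDOR in the list of vulnerability types) is easiest to see in code. The following is an added example written for this FAQ; it is not code from the original page or from the audit service. It uses a constructed in-memory `invoices` table in place of a database, and the handler names `getInvoiceInsecure`, `getInvoiceSecure`, `parseId`, and the `session` shape are assumptions for the illustration. The insecure handler has no syntactic smell (the lookup is parameterised, the session is checked), which is exactly why a pattern-matching scanner passes it, yet it returns any user's invoice to any logged-in user.

```javascript
// Added example: a minimal IDOR (insecure direct object reference) in the
// style of an AI-generated Node.js API handler, beside the hardened form.
// Not from the original page; data, names and session shape are constructed.

// Constructed sample table, standing in for `SELECT * FROM invoices`.
const invoices = [
  { id: 1, ownerId: 'user-a', amount: 120 },
  { id: 2, ownerId: 'user-b', amount: 9800 },
];

// Stand-in for a parameterised query (`WHERE id = $1`). It is safe from
// injection, so a pattern scanner has nothing to flag here.
function findById(table, id) {
  return table.find((row) => row.id === id) ?? null;
}

// Parse the id the way a route handler should: only a positive integer
// string is accepted, so "2.5", "-1" and non-string payloads are rejected.
function parseId(raw) {
  const n = typeof raw === 'string' && /^\d+$/.test(raw) ? Number(raw) : NaN;
  return Number.isSafeInteger(n) && n > 0 ? n : null;
}

// Insecure: authenticates (a session is required) but never checks that the
// caller owns the row it returns. Any user can read any invoice by id.
function getInvoiceInsecure(session, rawId) {
  if (!session) return { status: 401, body: null };
  const id = parseId(rawId);
  if (id === null) return { status: 400, body: null };
  const row = findById(invoices, id);
  if (!row) return { status: 404, body: null };
  return { status: 200, body: row }; // leaks user-b's invoice to user-a
}

// Secure: scope the result to the caller's identity, and return the same
// 404 for "not found" and "not yours" so ids cannot be enumerated.
// With Supabase the equivalent fix lives in the RLS policy
// (USING (auth.uid() = owner_id)); the client query alone is not the boundary.
function getInvoiceSecure(session, rawId) {
  if (!session) return { status: 401, body: null };
  const id = parseId(rawId);
  if (id === null) return { status: 400, body: null };
  const row = findById(invoices, id);
  if (!row || row.ownerId !== session.userId) return { status: 404, body: null };
  return { status: 200, body: row };
}

// Demonstration: user-a asks for invoice 2, which belongs to user-b.
const userA = { userId: 'user-a' };
console.log('insecure:', getInvoiceInsecure(userA, '2').status); // 200: leak
console.log('secure:  ', getInvoiceSecure(userA, '2').status);   // 404
```

The fix is a single predicate, which is the point: nothing about the insecure version looks wrong in isolation, and the defect only exists relative to the rule "a user may read their own invoices", which the scanner does not know.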
Do you do penetration testing?
Our audits focus on code-level security review rather than black-box penetration testing. We examine the source code, configuration files, and infrastructure setup to find vulnerabilities. This approach catches issues that black-box testing can miss, such as secrets committed to the repository, latent logic flaws, and database policies that are misconfigured but not yet reachable through the current UI. If you need penetration testing, we can recommend trusted partners.
Can you help with compliance requirements like SOC 2 or GDPR?
Our audits are not compliance certifications, but they help you address many of the technical controls required for SOC 2, GDPR, and similar frameworks. The security improvements from a Full Audit or Production Ready package will put you in a much stronger position when you pursue formal certification.
Do you review mobile apps?
We currently focus on web applications and their APIs. If your mobile app uses a web-based backend (which most AI-generated apps do), we can review the backend, API layer, and database configuration. We do not review native iOS or Android code at this time.
What if I have already launched and have users?
That is fine, and actually common. Many of our clients come to us after launching because they have started getting traction and want to make sure their app is secure before scaling further. We will prioritise the most critical issues in our report so you can address the biggest risks first without taking your app offline.
Still Have Questions?
We are happy to help. Reach out and we will get back to you within 24 hours.