Simple Pricing. No Surprises.

Choose your audit depth. Pay online. Get your report.

Security Scan

£297 /one-time
Delivered in 3 business days

Scope

Up to 10 endpoints
1 integration
1 repo

Best for:

  • Early MVPs and hackathon projects
  • Pre-launch side projects
  • Apps with fewer than 10 API routes

What's included:

  • Authentication flow review (login, signup, password reset, session handling)
  • Authorisation checks on all routes within scope (RLS policies, middleware guards)
  • API route security assessment (input validation, error handling, data exposure)
  • Environment variables and secrets audit (hardcoded keys, client-side leaks)
  • Database security basics (RLS enabled, no open access, injection vectors)
  • Security headers and CORS check
  • Summary report with prioritised findings (Critical / High / Medium / Low)
  • 1 follow-up email question

Out of scope:

  • Infrastructure / deployment configuration review
  • Third-party integration deep-dives
  • Performance or scalability review
  • Hands-on fixes or code changes
  • Multi-tenancy / data isolation review
  • OWASP Top 10 formal assessment
Most Popular

Full Audit

£997 /one-time
Delivered in 7 business days

Scope

Up to 25 endpoints
Up to 3 integrations
1 repo (monorepo fine)

Best for:

  • Apps approaching launch or already live with real users
  • Multi-tenant SaaS with auth, payments, and integrations
  • Teams who need a comprehensive picture before going live or raising funding

What's included:

  • Everything in Security Scan, plus:
  • Full codebase review (all files — shared utilities, middleware, data models, not just routes)
  • Multi-tenancy and data isolation review (can User A access User B's data?)
  • OWASP Top 10 assessment mapped to findings
  • Third-party integration security (webhook verification, OAuth flows, file storage permissions)
  • Data flow analysis (user input → API → database → response)
  • Infrastructure and deployment config review (Vercel / Railway / Fly env setup, build settings)
  • Dependency vulnerability scan (outdated packages, known CVEs)
  • Detailed report with code examples and fix suggestions
  • Up to 5 follow-up email questions

Out of scope:

  • Implementing fixes or code changes
  • Performance optimisation or load testing
  • Compliance certification (SOC 2, GDPR audit, etc.)
  • Ongoing monitoring or retainer support
  • Penetration testing

Production Ready

£2,997 /one-time
Delivered in 10–12 business days

Scope

Up to 50 endpoints
Up to 5 integrations
Up to 2 repos

Best for:

  • Apps handling payments or sensitive user data
  • Apps preparing for enterprise customers
  • Teams who want fixes done, not just a list of problems

What's included:

  • Everything in Full Audit, plus:
  • Hands-on implementation of all Critical and High severity fixes (delivered as PRs or applied directly)
  • Authentication and authorisation hardening (JWT configuration, session management, RBAC)
  • Database security hardening (RLS policies written/fixed, query parameterisation)
  • Rate limiting and abuse prevention setup
  • Security headers and CORS properly configured
  • Input validation and sanitisation on all endpoints in scope
  • Logging and error handling review (no secrets in logs, proper error boundaries)
  • Full report + Git diff / PR of all fixes applied
  • 30 days of follow-up support (email, up to 2 short calls)

Out of scope:

  • Ongoing maintenance or feature development
  • Performance optimisation beyond security-related fixes
  • SOC 2 / compliance certification
  • Penetration testing
  • CI/CD pipeline setup
  • Redesign or refactoring beyond security fixes

Need more endpoints or integrations? We offer flexible add-ons — get in touch.

Add-Ons & Extras

Extend any package with additional services tailored to your needs.

Add-ons

Customise your audit with optional extras.

Add-on                      Description                                                Price
Additional Endpoints        For apps that exceed the tier's endpoint limit.            £30/endpoint
Additional Integration      Deep-dive review of each extra third-party service.        £75/integration
Additional Repository       Extend scope to cover extra repos beyond the tier limit.   £150/repo
Re-audit (within 90 days)   Full re-review after you've implemented fixes.             50% of tier price

Well over the limits? Get in touch and we'll put together a custom quote.

Pricing Questions

Common questions about our pricing, payment, and what's included.

What does each package include?

The Security Scan (£297) covers authentication, API routes, secrets, and database basics for up to 10 endpoints. The Full Audit (£997) is a comprehensive review covering up to 25 endpoints with infrastructure, third-party integrations, and OWASP Top 10. The Production Ready package (£2,997) includes everything in the Full Audit plus hands-on implementation of fixes, security hardening, and 30 days of follow-up support for up to 50 endpoints.

What counts as an "API route" or "endpoint"?

Any server-side route that handles requests — e.g. /api/users, /api/payments/webhook, /api/auth/login. Each unique route counts as one endpoint regardless of HTTP method. If you're unsure how many you have, drop us a message and we'll help you figure it out before you buy.

What counts as a "third-party integration"?

Any external service your app connects to — Stripe, OpenAI, Resend, Cloudinary, AWS S3, etc. Your database provider (Supabase, Firebase, PlanetScale) counts as one integration. Auth providers bundled with your database (e.g. Supabase Auth) don't count separately.

What if my app exceeds the endpoint or integration limits?

No problem — we offer add-ons for additional endpoints (£30 each), integrations (£75 each), and repos (£150 each). Or if you're well over the limits, just get in touch and we'll put together a custom quote.

Do you only review apps built with AI tools?

We specialise in AI-built apps (Cursor, v0, Bolt, Lovable, Replit, Copilot) because we know the specific patterns and vulnerabilities these tools produce. But our audits work for any codebase — the security principles are the same.

What tech stacks do you support?

We primarily work with Next.js, React, Node.js, Python, and common SaaS stacks (Supabase, Firebase, Vercel, Railway, Fly.io). If your stack is different, get in touch — we can likely still help.

Can I upgrade from a Security Scan to a Full Audit later?

Yes. If you start with a Security Scan and decide you need deeper coverage, we can upgrade you to a Full Audit. We will credit the cost of your Security Scan towards the Full Audit price, so you only pay the difference.

Do you offer refunds?

If we begin the audit and find no security issues at all, we will refund you in full. In practice, this has never happened — every AI-generated codebase we have reviewed has had at least several issues worth addressing. If you are unhappy with the quality of the audit for any reason, get in touch and we will make it right.

Are there any hidden costs?

No. The price you see is the price you pay. All prices are in GBP and exclude VAT. There are no setup fees, no per-issue charges, and no surprise add-ons. The only additional cost would be if you choose optional add-ons or upgrade to a higher tier.

Do you offer discounts for multiple projects?

Yes. If you have more than one codebase that needs auditing, or if you want to set up a recurring audit schedule, get in touch and we can put together a custom quote.

Not sure which package is right?

Get in touch and we'll help you choose the right level of audit for your project.

Ready to ship with confidence?

Get your AI-generated app audited by UK security experts.

Or email us at hello@vibecodeaudits.co.uk