Free · 30 minutes · No obligation
The free audit runs the same probes an attacker would.
We spend thirty minutes on a call working out what matters for your app, then you give us read-only access and we read the code and curl your endpoints ourselves. Within two days you get a one-page list back, ranked by severity, with a recommended fix next to each finding. There's no sales call attached.
The access lasts only as long as the audit, and we don't come back to you afterwards unless you want us to.
§ I. What we run during the audit
The checks, in order.
- 01 We probe your auth endpoints for missing checks
- 02 We curl your API routes from a logged-out session
- 03 We inspect the client bundle for leaked secrets
- 04 We test webhook handlers for missing signature verification
- 05 We check the database for missing row-level security
- 06 We read error responses for leaked stack traces
- 07 We probe input validation on user-controlled fields
A free audit won't surface every issue. That's what the Express audit covers. But the probes find enough to tell you whether your app has the patterns that cause breaches, and whether the deeper audit is worth your money.
§ II. What you get
What we promise.
- No pitch
- We tell you what we found and leave the next move to you.
- 48-hour turnaround
- Written list of findings in your inbox within two business days of the call.
- Read-only access
- Read-only repo invite for the audit window. No commits, no deploys, no changes to your code.