Services & pricing
Three tiers. Each one stands alone.
Start free. Pay only for the work you ask us to do. Flat fees per engagement, with nothing recurring after it ships.
Free audit call
$0 30 minutes
- Thirty-minute scoping call
- Read-only repo invite for the audit window
- We probe auth, API endpoints, secrets, webhook handlers
- One-page list of findings in your inbox within 48 hours
- No sales pitch, no follow-up unless you ask
Most start here
Express audit
$750 2 days
- Ten-to-twenty page written report
- Severity ratings: critical / high / medium / low
- Code excerpts, screenshots, recommended fixes for each finding
- Coverage: security, production-readiness, scale, observability
Audit + fix sprint
$3,500 1-2 weeks
- Everything in the Express audit
- Pull requests against your repo fixing the top 5-10 issues
- Negative tests for each fix, the ones AI didn't write
- Handoff document covering what changed and why
- One post-merge call to walk through the fixes
§ I. Questions worth asking
Frequently asked.
- How do I know I need this?
- Open a private browser window (no cookies, so no session). Copy any API URL your app calls and load it directly. If rows come back, you have the pattern we exist to fix: an endpoint that serves data without checking who is asking. A 401, a redirect to your login page, or an empty array is fine; another user's data is not. Endpoints that take POST or need a header want curl instead of the address bar, but the check is the same. The free audit runs that check against the rest of your endpoints.
- Which stacks do you cover?
- Whatever Lovable, Bolt, Cursor, v0, and Replit Agent generate, which in practice is Next.js, React, Supabase, Postgres, Stripe, Vercel. Different stack? Ask. We'll tell you honestly if it's outside what we read for.
- Do you sign NDAs?
- Yes, before the audit starts. The free 30-minute call usually doesn't warrant one (there's no obligation attached either way), but we'll sign one if you'd prefer.
- Can you fix things without breaking them?
- Yes. Every fix in the sprint ships with tests for the bug we just fixed, plus the negative tests AI skipped: "unauthenticated request returns 401," "forged signature returns 400," "user A can't read user B's rows." You review the pull requests before merge.
- What's outside the audit?
- The audit tiers stop at the findings and the fix sprint. Engineering work beyond that (hardening, feature builds, greenfield, fractional help) lives on a separate page. We don't compete with your in-house developers; we hand work off to them when you have them.
Need work outside the audit? We also take on engineering engagements: post-audit hardening, feature builds on AI-generated apps, greenfield, fractional.