Security and Architecture Audit
A pre-launch security and architecture audit of an AI-assisted codebase holding regulated personal data. Surfaced launch-blocking risk the team could not see from the inside, then mapped a remediation sprint and a target architecture.
The challenge
The product was nearing launch on a codebase that had grown out of a no-code export and been hand-extended with AI assistance, with no independent verification that it was safe to ship a platform holding personal data, salaries, and decision-bearing AI scores. The documentation had drifted so far from reality that AI agents and new engineers were building against false assumptions and reintroducing the same classes of defect.
The solution
Ran a full architecture evaluation plus a two-pass adversarial security audit using a self-built multi-agent methodology: a fan-out across vulnerability classes with refute-first verification of every high-severity finding, then a re-audit to confirm and hunt for misses. Each finding was reproduced, severity-ranked, and explained in plain terms for the founder and in technical detail for the dev. Extended the review into data-protection posture and the unbuilt monetization layer, and verified the genuinely strong parts so it was a targeted audit, not a teardown.
Results
- Independent ship-readiness verdict backed by reproducible, severity-ranked evidence
- Critical authentication and access-control issues identified, including an account-takeover and a privilege-escalation path
- One or two changes shown to neutralize whole clusters of findings (a rate-limit layer, a data-seam lockdown)
- Surfaced two business-critical gaps outside the brief: data-protection compliance and an unimplemented paywall
- Delivered a prioritized remediation sprint and a three-layer target architecture (app validation, least-privilege DB role, row-level isolation)
- Left an agentic ruleset in the repo so AI-assisted development keeps enforcing the audited standards
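As an added illustration of the second and third layers of that target architecture (the least-privilege DB role and row-level isolation), here is a PostgreSQL sketch. It is example code written for this page, not code from the audited codebase; the table, column, role and session-variable names are assumptions.

```sql
-- Added example (not from the audited codebase). Table, column, role and
-- session-variable names are assumptions chosen for illustration.
CREATE TABLE employee_records (
    id        bigserial PRIMARY KEY,
    owner_id  uuid NOT NULL,        -- the user this row belongs to
    salary    numeric(12,2),        -- regulated personal data
    ai_score  numeric(5,2)          -- decision-bearing score; must not leak across users
);

-- Layer 2: a dedicated role the application connects as. It is not the table
-- owner, not a superuser, cannot bypass RLS, and gets only what the app needs.
CREATE ROLE app_user LOGIN PASSWORD '<from-secret-store>'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;
REVOKE ALL ON employee_records FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE ON employee_records TO app_user;   -- no DELETE, no DDL
GRANT USAGE, SELECT ON SEQUENCE employee_records_id_seq TO app_user;

-- Layer 3: row-level isolation enforced by the database itself.
-- FORCE applies the policy even to the table owner, so an application bug
-- (or a query running under the wrong role) cannot widen access.
ALTER TABLE employee_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE employee_records FORCE ROW LEVEL SECURITY;

-- The app sets the authenticated caller's id per transaction (layer 1,
-- app validation, happens before this). current_setting(..., true) yields
-- NULL when the variable is unset and NULLIF maps an empty placeholder to
-- NULL, so a missing id matches zero rows instead of every row.
CREATE POLICY owner_isolation ON employee_records
    FOR ALL TO app_user
    USING (owner_id = NULLIF(current_setting('app.current_user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.current_user_id', true), '')::uuid);

-- Per-request usage from the application, inside a single transaction.
-- SET LOCAL scopes the id to this transaction, so a pooled connection
-- cannot carry one user's identity into the next request.
BEGIN;
SET LOCAL app.current_user_id = '11111111-1111-1111-1111-111111111111';  -- constructed sample id
SELECT id, salary, ai_score FROM employee_records;   -- only this user's rows are visible
COMMIT;
```

Because the policy carries a WITH CHECK clause, an INSERT or UPDATE that tries to write a row with another user's owner_id is rejected by the database even if the application layer forgot to validate it.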
Want similar results?
Let's talk about your project and how I can help.