Scan free. Watch your apps for $19/mo. Or put a senior dev on retainer. Pick the level that fits where you are.
Scan
Free 60-second security scan
Watch
Self-serve monitoring + drift alerts
Care
+ $349 one-time setup
Production team on retainer
Quick Fix
For when the scan turned up 2–3 critical findings.
Full Audit
For pre-fundraise, post-incident, or “I want everything checked.”
Both start with a free scan so we know exactly what to fix. Zero critical findings on Full Audit = full refund.
Concierge
Named senior dev embedded in your stack · 4h SLA · custom scope, feature work included. From $2,500/mo, inbound only.
Critical = data exposure, payment fraud, app down. Anything else is next-day at the latest.
Watch ($19/mo) is the self-serve monitoring tier — daily re-scans of up to 3 URLs, drift alerts, AI-explained findings, no human in the loop. You see what broke; you decide what to do about it. Care ($349/mo) is the human-in-the-loop tier — everything Watch does, plus 2 fix tickets a month (a senior dev diagnoses, fixes, and ships a PR) and a 24-hour response SLA on anything you submit. Start on Watch; upgrade the day you'd rather pay $330 more than spend a Saturday debugging.
Then the audit is free. If we turn up zero critical-severity issues on your $1,499 audit, we refund the full payment. We define critical strictly: live API keys exposed in your client bundle, public read or write access to private database tables (broken Row-Level Security), authenticated APIs returning data to unauthenticated requests, or test-mode Stripe keys deployed in production. In every vibe-coded app we've audited so far, this guarantee has not been triggered — about 70% of Lovable apps have a critical RLS issue alone — but it's there so you don't have to bet.
The Free Scan runs 15+ probes against your live URL — RLS, exposed secrets in the bundle, source-map source recovery, exposed paths (.env / .git / .aws), CORS misconfiguration, unauthenticated APIs. It finds what your users could find. The $1,499 Audit adds GitHub or Lovable share-link access and runs Semgrep static analysis on your actual source, scans your full git history for rotated-but-still-committed secrets, and reviews your Supabase RLS policies in SQL. It finds what an attacker with repo access would find. The escalation is what becomes visible — not how hard we work.
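The two paragraphs above list what the scan and the audit look for without showing how a finding is classified. The block below is an added example, not the service's own scanner, showing the classification logic behind three of those probe families: key-shaped strings in a client bundle, a CORS check, and a review of Supabase RLS state. It assumes Supabase-issued JWTs carry `iss: "supabase"` and a `role` claim (`anon` or `service_role`), that Stripe keys use the `sk_`/`rk_`/`pk_` and `live`/`test` prefixes, and that the RLS review is fed rows shaped like `pg_tables` and `pg_policies`. Every function takes already-fetched data so it runs offline; the sample bundle, headers and catalog rows are constructed, not captured from any real app, and the severity labels mirror the critical definition given above.

```python
import base64
import json
import re

# Stripe prefixes: sk_ secret, rk_ restricted, pk_ publishable; live or test mode.
STRIPE_KEY = re.compile(r"\b(sk|rk|pk)_(live|test)_[0-9A-Za-z]{8,}\b")
# Three-part base64url token starting with the encoding of '{"' (a JWT header).
JWT = re.compile(r"\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\b")


def _jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it; the scanner only reads the claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims if isinstance(claims, dict) else {}


def find_bundle_secrets(js_text, is_production):
    """Classify key-shaped strings in a client bundle as (severity, kind, prefix).

    A Supabase anon key and a Stripe publishable key are meant to reach the browser.
    A service_role JWT or an sk_/rk_ key is not, and a test-mode Stripe key on a
    production deployment is critical by the definition above.
    """
    findings = []
    for m in STRIPE_KEY.finditer(js_text):
        kind, mode = m.group(1), m.group(2)
        if kind in ("sk", "rk"):
            sev = "critical"            # secret or restricted key in client code
        elif mode == "test" and is_production:
            sev = "critical"            # test-mode key deployed to production
        else:
            sev = "info"                # publishable key where it belongs
        findings.append((sev, f"stripe_{kind}_{mode}", m.group(0)[:12]))
    for m in JWT.finditer(js_text):
        try:
            claims = _jwt_claims(m.group(0))
        except ValueError:              # not base64url / not JSON: some other token
            continue
        if claims.get("iss") != "supabase":
            continue
        role = claims.get("role", "unknown")
        sev = "critical" if role == "service_role" else "info"
        findings.append((sev, f"supabase_{role}", m.group(0)[:12]))
    return findings


def cors_verdict(probe_origin, headers):
    """Classify the response to a request sent with a foreign Origin header."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == probe_origin and creds:
        return "critical"   # any site can read this API as the cookie-authenticated user
    if acao == probe_origin:
        return "low"        # origin reflected, but no credentials ride along
    return "info"           # '*' (credential-less public read) or no CORS at all


def review_rls(tables, policies):
    """Flag RLS states an anon PostgREST request can exploit.

    tables:   rows of pg_tables (tablename, rowsecurity) for the public schema
    policies: rows of pg_policies (tablename, policyname, cmd, roles, qual, with_check)
    Policies are PERMISSIVE by default, so one unconditional policy opens the table
    no matter how strict the others are.
    """
    findings, by_table = [], {}
    for p in policies:
        by_table.setdefault(p["tablename"], []).append(p)
    for t in tables:
        name = t["tablename"]
        if not t["rowsecurity"]:
            findings.append(("critical", name, "RLS disabled: anon key reads and writes every row"))
            continue
        for p in by_table.get(name, []):
            # 'public' means every role, anon included; INSERT is governed by WITH CHECK
            exposed = bool({"anon", "public"} & set(p["roles"]))
            expr = p["with_check"] if p["cmd"] == "INSERT" else p["qual"]
            if exposed and (expr or "").strip().lower() == "true":
                sev = "high" if p["cmd"] == "SELECT" else "critical"   # public read needs a human to confirm the table is private
                findings.append((sev, name, f"{p['policyname']}: unconditional {p['cmd']} for anon"))
    return findings


def _fake_supabase_jwt(role):
    """Constructed Supabase-shaped JWT with a dummy signature, for the sample only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}),
                     enc({"iss": "supabase", "ref": "abcdefghijkl", "role": role}), "c2lnbmF0dXJl"])


# Constructed sample inputs (not from a real app).
SAMPLE_BUNDLE = ('const sb = createClient("https://abcdefghijkl.supabase.co", "'
                 + _fake_supabase_jwt("service_role") + '");\n'
                 'const stripe = Stripe("pk_test_ABCDEFGHIJKLMNOP1234");\n'
                 'const admin = "sk_live_ABCDEFGHIJKLMNOP1234";\n')
SAMPLE_HEADERS = {"Access-Control-Allow-Origin": "https://evil.example",
                  "Access-Control-Allow-Credentials": "true"}
SAMPLE_TABLES = [{"tablename": "profiles", "rowsecurity": True},
                 {"tablename": "orders", "rowsecurity": False},
                 {"tablename": "posts", "rowsecurity": True}]
SAMPLE_POLICIES = [
    {"tablename": "profiles", "policyname": "owner_only", "cmd": "ALL", "roles": ["authenticated"],
     "qual": "(auth.uid() = user_id)", "with_check": "(auth.uid() = user_id)"},
    {"tablename": "posts", "policyname": "anyone_can_read", "cmd": "SELECT", "roles": ["public"],
     "qual": "true", "with_check": None},
    {"tablename": "posts", "policyname": "anyone_can_insert", "cmd": "INSERT",
     "roles": ["anon", "authenticated"], "qual": None, "with_check": "true"},
]

if __name__ == "__main__":
    for f in find_bundle_secrets(SAMPLE_BUNDLE, is_production=True):
        print("bundle", *f)
    print("cors", cors_verdict("https://evil.example", SAMPLE_HEADERS))
    for f in review_rls(SAMPLE_TABLES, SAMPLE_POLICIES):
        print("rls", *f)
```

On the sample data this reports the service_role JWT, the test-mode Stripe key and the live secret key as critical, the credentialed origin reflection as critical, the `orders` table (RLS off) and the anonymous INSERT on `posts` as critical, and the public SELECT on `posts` as high, since a scanner cannot know whether a table is meant to be public. Note that `find_bundle_secrets` deliberately never verifies the JWT signature; the scan is looking for what a browser user can see, not for a valid token.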
One issue we diagnose and ship a fix for — a broken Stripe webhook, a misconfigured RLS policy, an exposed key. Care includes 2 per month at $349/mo. Need more in a given month? Extra tickets are $200 each. We picked a fair-use model over an 'unlimited' tier on purpose — unlimited creates an adverse-selection trap where the customers most likely to subscribe are the ones whose apps will overwhelm the SLA.
If we can't ship a fix within tier SLA, we escalate to Concierge for the duration at no extra charge, refund the month, or both. We'd rather lose money than have you down.
No. We support Lovable, Bolt, v0, Cursor, Replit, Bubble, and Base44 out of the box. We're platform-neutral — that's the point.
After you've been a Care customer for six months we'll offer annual prepay (2 months free) on renewal. We don't push annual at signup — early-stage founders shouldn't commit to a year of anything before they've seen us deliver.
Yes. We make read-only requests to your live URL and a small number of harmless probe requests against discovered API routes. We do not write data, store your code, or use service-role credentials.