Vibe Security · AI App Audit
Is your vibe-coded app safe to launch?
Claude Code, Codex, Cursor, Lovable and Bolt are fast. That's the point. Secure defaults aren't. Our Vibe Security Check finds what the AI left behind before someone else does.
A fixed-scope review covering the issues that come up most often in AI-built apps — hardcoded secrets, broken access control, dependency risk, and Australian Privacy Act exposure. You get a written brief you can hand straight to a developer.
The problem
The AI built it. Nobody reviewed it.
Claude Code, Codex, and Cursor are fast. One person can build in days what used to take a team weeks. But they were trained to produce code that runs, not code that's secure.
The model doesn't know whether your app will handle customer payment data, and it has no idea about your Privacy Act obligations. It definitely won't flag the auth check it just wrote that's trivially bypassed.
Secrets & credentials
Claude Code, Codex, and Cursor regularly write API keys, database passwords, and OAuth tokens directly into source. We find them before a push to a public repo does.
Broken access control
OWASP's number one vulnerability, every year. AI tools build features that work — they don't check whether the person calling an endpoint is supposed to.
Dependency risk
Vibe-coded apps pull in npm and pip packages based on what the model has seen before — including packages that are abandoned, renamed, or typosquatted.
Authentication gaps
Login logic, session handling, and token validation are the controls AI tools get wrong most often. We check every auth surface against current standards.
Scope
What's included
in every Vibe Security Check.
One fixed-scope engagement. Every check listed below is included — no per-item upsell.
OWASP Top 10 review
Your codebase mapped against the ten most critical web application security risks.
Secrets & credential scan
We find API keys, database passwords, OAuth tokens, and private keys before they reach production.
Authentication audit
We check login flows, session handling, and password storage against current standards.
Access control review
Every endpoint checked to confirm only the right people can reach it.
Dependency risk review
Third-party packages assessed for known CVEs, abandonment, and supply chain exposure.
API & endpoint mapping
Every exposed endpoint documented and checked for unintended public access.
Privacy Act alignment
We flag where your app collects or stores personal information in ways that may not meet Australian Privacy Act obligations.
Findings brief
A plain-English report with every issue ranked by severity, plus a recommended remediation order.
Which tools does it cover?
Any app built with an AI coding tool — or a combination of them.
- Claude Code (Anthropic)
- Codex / ChatGPT (OpenAI)
- Cursor
- GitHub Copilot
- Lovable
- Bolt / StackBlitz
- Replit Agent
- v0 (Vercel)
The issues we find don't change much based on which tool wrote the code. Mixed-tool codebases are common — we assess the output, not the source.
Read: AI-assisted development & web app security→How it works
Share your code
Secure transfer via our encrypted channel. We sign an NDA before we touch anything.
We review
Our team works through your codebase against the OWASP framework, scanning for secrets, and reviewing Privacy Act exposure. Usually two to five business days.
Findings delivered
A written brief: every issue, its severity, and what to do about it. In plain English, not consultant-speak.
Optional fix support
We can guide your developer through remediation, review pull requests, or handle it directly. Your call.
Common questions
Questions founders ask first.
Not in this list? Email hello@ironsights.com.au or book a quick call. No obligation.
Which AI coding tools does this cover?
Any of them — Claude Code, Codex, Cursor, Lovable, Bolt, GitHub Copilot, Replit Agent, v0, or a combination. The issues we find don't change much based on which tool wrote the code.
Do you need access to our production environment?
No. We work from your codebase only. No database access, no production credentials, no live system access required to complete the review.
How long does the review take?
Most reviews are delivered within two to five Australian business days from when we receive your code. Larger codebases take a little longer — we confirm timing when we scope it.
What does the report look like?
A written document with every finding, its OWASP category, a severity rating (critical, high, medium, low), a plain-English description of the risk, and a recommended fix. No jargon, no filler.
Is this useful if we haven't launched yet?
Before launch is the best time. Fixing things now costs less than a breach notification, or a customer finding it first.
Can you help fix the issues you find?
Yes. Remediation support is available as an optional add-on. We can work through the fixes with your developer, review pull requests, or handle remediation directly.
We used several AI tools. Does that complicate things?
Not at all. Mixed-tool codebases are common. We assess the output, not the tool that generated it.
How much does it cost?
The Vibe Security Check is fixed-scope — the price doesn't move once we've agreed it. We scope it based on your codebase size during an initial consultation. Get in touch and we'll give you a number quickly.
Related services
Other IronSights capabilities.
Audit & Assurance
Independent posture assessment against , , , or . Board-ready report, fixed price.
Learn more→Penetration Testing
Manual pen testing to confirm the fixes your team made actually hold up against a real attacker.
Learn more→Fortify – Managed Security
Continuous monitoring, incident response, and uplift for Australian businesses. 24/7 Australian-staffed SOC.
Learn more→Get started
Know what you're launching before you launch it.
Fixed scope and a plain-English report from an Australian security team. We'll reply within one business day.