I'm a senior full-stack engineer (14+ years). I find the security holes in your vibe-coded app and fix them for you — before launch, without you hiring a developer.
The 15-min scan is free — or skip it and buy the Sweep directly. No call required to work with me.
The security holes AI tools quietly leave behind — in almost every app
Veracode tested 100+ models and found 45% of AI-generated code introduces an OWASP Top 10 vulnerability. Across published vibe-code audits, a typical AI-built app ships with 8–14 security findings — disabled row-level security, leaked secrets and unverified webhooks among the most common.2
→ The code looks like it works. That's exactly why the holes go unnoticed until someone finds them for you — or against you.
Here's exactly what happens — however you start, with or without a call
Buy the Sweep and go straight to the review — or book a free 15-min scan first if you'd rather see your risks before you pay. No call required either way.
I review your whole codebase and live app for the security holes AI tools leave behind — the ones automated scanners read right past.
Sweep ($349): a plain-English report with every issue and ready-to-paste fixes you apply yourself. Done-For-You (from $1,500, scoped): I make the fixes myself, with before/after proof — no developer needed.
You launch on a report you can trust — or a fixed app with proof each hole is closed. For fixes I work on a copy, never your live site, and nothing ships without your OK.
Shipping new features after launch? Once we've worked together, I can keep watch on new releases for you — that's the Ongoing Security Guard (from $300/mo).
Know what you want? Buy the Sweep below — no call needed. Not sure, or want the fixes done for you? Start with a free scan.
The full inside review — every issue, not a 15-min glance
Scoped to your app — you don't touch the code, I do
Your $349 Sweep credits toward the Fix. Architecture & scalability review available as an add-on.
Shipping new features after launch? Once we've worked together, I can keep watch on new releases — Ongoing Security Guard, from $300/mo (capped to a set number of releases). Ask me on the call.
Not sure which you need? Book a free 15-min scan and I'll tell you straight.
I'm a senior full-stack engineer based in Barcelona, with 14+ years shipping production software — React, TypeScript, Node.js and PostgreSQL. Today I build enterprise PaaS infrastructure used by 1,000+ companies and 14,000+ active users.
Here's why that matters for you: I build with the same AI tools you do — I've shipped AI-powered apps to the App Store and to production using OpenAI and Anthropic. So I know exactly where AI code looks perfect but quietly breaks: auth, data access, exposed keys, and messy API integrations. That's what I find and fix.
"AI is incredible at writing code that works. My job is making sure it works safely — before your users, or an attacker, find out it doesn't."
Component Expert
Type Safety Pro
Backend Master
CSS Architect
The most common holes I check for — and exactly how I close them
I had an AI agent conceive, spec, and code a full multi-tenant SaaS end-to-end — I only checked that features worked and never reviewed the code, exactly like a vibecoder. It had login, auth, and database isolation switched on in the config. It still leaked: any signed-in account could reach another account's data, because three correct-looking pieces never added up to one real boundary.
→ I proved it with a failing test, closed it with two independent layers, and locked it in CI so a regeneration can't bring it back.
before → 4 failed · after → 10 passed
Read the full breakdown →Common holes I check for in every app:
Row-level security left off — any logged-in user can read every other user's records.
→ I turn on RLS and add policies so users only see their own data.
Stripe or API secret keys hardcoded in client-side JavaScript, visible to anyone.
→ I rotate the key and move it server-side, out of the browser.
IDOR + no rate limiting — IDs can be swapped to hit any account, with no abuse limits.
→ I add ownership checks and rate limits across your endpoints.
You book a time and paste your app's link. Before we talk, I take a real look at your app — so the call isn't generic. On the call (15 minutes) I show you the top security risks I found and how serious each one is. It's genuinely free: you walk away with a clear list even if you never buy anything. Prefer to skip the call? You can buy the Sweep directly.
The free call is a quick outside look — in 15 minutes I show you the top risks I can spot from your live app, and how serious they are. The Sweep is the full inside review: I go through your whole codebase, database rules, secrets and dependencies — where the most dangerous issues actually hide and a 15-minute glance can't reach. You get every issue found (not just the top few), each with exact fix steps and ready-to-paste prompts, in a written report you can act on or hand to anyone — backed by a money-back guarantee. Free tells you a problem exists. The Sweep gives you the complete map and how to close every hole.
Automated scanners (like the built-in one in Lovable, or Aikido) are genuinely useful — run them, they're cheap. But they hand you a list; I hand you a fixed app and a person accountable for the result. Three real differences: I close the holes and prove it (before/after, not just flags); I give you a straight go / no-go verdict on launching, not a report to decode; and a scan is a snapshot — the next prompt in Lovable can quietly reintroduce a hole the test already passed. I'm not a rival to the scanner — I'm the human layer on top of it.
Apps built with AI tools — Lovable, Bolt, Cursor, Replit, GitHub Copilot — usually on a JS/TS + Supabase/Node stack. If you described what you wanted and the AI wrote the code, you're exactly who I help.
Both — you choose. The Sweep gives you a plain-English report plus ready-to-paste fix prompts, so you (or your AI tool) can apply them yourself. With Done-For-You Fix, I implement the critical fixes myself and prove each hole is closed — no developer needed on your side.
Yes — that's the point. Findings are written for founders, ranked by how badly they can hurt you, with clear next steps. And if you'd rather not touch it at all, that's what the Done-For-You tier is for.
You share a live URL plus a GitHub repo (or a ZIP, or invite me to your Lovable/Bolt project). For Done-For-You fixes I always work on a copy or a separate branch — never your live site. You get the fixed code back with before/after proof, and nothing goes live until you approve it. Your code stays 100% confidential, is deleted after the job, and an NDA is available on request.
The Sweep is delivered in 48 hours. It comes with a 7-day money-back guarantee — if the audit isn't worth it, I'll refund you, no questions asked. Rush delivery available on request.
Don't wait for a breach or a crashed launch to find out what's wrong. Get the full Sweep now — or start with a free 15-minute scan if you'd rather look first. Your call.
No commitment. No hidden fees. Just an honest look at your app.