Case study · SaaS / professional services tool
From weekend build to production-ready in three weeks.
A founder's AI-built client portal: 14 security findings, a hardened codebase, and a production database — without rebuilding a line of the working UI.
A solo founder built a client portal over six weeks using Cursor and Claude. The app handled client onboarding, document sharing, and billing status — working features, clean UI, real value delivered. He had five clients using it and a sixth ready to sign if the app could pass basic IT security review at a mid-size company.
The company's IT team sent a questionnaire: How is data encrypted at rest? What's the authentication model? Where are credentials stored? How are backups handled?
He knew he couldn't answer those questions confidently. He booked a Vibe Code Audit.
The Audit identified 14 findings across 6 categories. Four were Critical, five were High, four were Medium, one was Low.
Critical findings included: Supabase service role key hardcoded in the frontend bundle (visible to any user via browser devtools), no server-side route protection (any logged-in user could access any client's data by modifying API request parameters), and the production database URL committed to the git repository.
High findings included: no rate limiting on authentication endpoints, user-supplied input passed unsanitized to database queries, and CORS configured to accept requests from any origin.
“I knew some of this was probably not right. I didn't know the service key was in the bundle. That one would have been bad.”
The Hardening Sprint resolved all four Critical and all five High findings within eight business days. Key implementations: service role key moved server-side with a proper API proxy layer, row-level security implemented on all database tables, all routes protected with server-side session validation, input validation added across all user-facing endpoints, CORS locked to the production domain.
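One way to implement the row-level security fix described above, written here as an added example in Supabase's Postgres dialect (not the engagement's own schema; the `documents` and `client_members` tables and their columns are assumed):

```sql
-- Added example, not the engagement's own code. Assumes a Supabase project
-- with a "documents" table keyed by client_id and a "client_members" table
-- mapping auth users to the clients they belong to (both hypothetical).
create table if not exists client_members (
  user_id   uuid not null references auth.users (id),
  client_id uuid not null,
  primary key (user_id, client_id)
);

create table if not exists documents (
  id           uuid primary key default gen_random_uuid(),
  client_id    uuid not null,
  title        text not null,
  storage_path text not null
);

-- Without RLS, every row is readable by any caller holding the anon key plus
-- a valid user JWT: exactly the "change client_id in the request" finding.
alter table documents enable row level security;
alter table client_members enable row level security;

-- A user may read only their own membership rows. This policy is also what
-- lets the subquery in the documents policy below see those rows.
create policy "members see own memberships"
  on client_members for select
  to authenticated
  using (user_id = auth.uid());

-- A user may read documents only for clients they are a member of.
create policy "clients read own documents"
  on documents for select
  to authenticated
  using (
    client_id in (
      select client_id from client_members
      where user_id = auth.uid()
    )
  );

-- Same scoping for inserts; WITH CHECK validates the row being written.
create policy "clients write own documents"
  on documents for insert
  to authenticated
  with check (
    client_id in (
      select client_id from client_members
      where user_id = auth.uid()
    )
  );

-- Caveat: the service role key bypasses RLS entirely, which is why it has to
-- stay server-side; the browser should only ever hold the anon key + user JWT.
```

To verify the fix, query `documents` from a browser session (anon key plus the user's JWT) with another client's `client_id`: the expected result is zero rows, not an error.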
The Medium findings were documented with remediation guidance and handed back to the founder to implement with his next feature sprint — they were real issues but none were exploitable without first bypassing the now-hardened authentication layer.
The Audit also identified that the app was using Supabase's free tier as its only data layer with no backup configuration. We scoped a Backend Build to implement automated daily backups with 30-day retention, a staging environment properly isolated from production, and monitoring with Sentry for error tracking and uptime alerting. Total time from Audit booking to production-ready sign-off: 19 business days.
The sixth client signed. The IT security questionnaire was answered from the Audit report and the post-Sprint verification document.
The founder now has a codebase he can develop on with confidence and a security posture he can describe accurately.
“The Audit report was the most useful technical document I'd received since I started building. It told me exactly what was wrong, exactly what to prioritize, and exactly what it would cost. That's what I needed.” — Founder, B2B SaaS, 6 clients
Want to see the actual report from this engagement?
The Audit report referenced in this case study is available to download. This is the document the founder used to answer the IT security questionnaire — the full findings, severity ratings, remediation roadmap, and sprint scope.
Start with the Vibe Code Audit.
Find out exactly what your app needs. Written report within 5 business days.