NZ Expertise

Vibe Coding Audits

You vibe-coded an app. Brilliant. Now let's make sure it doesn't quietly leak your customers' data on launch day.

You had an idea on Sunday night, opened Claude or Cursor, and by Wednesday you had a Next.js app on Vercel, a Supabase project holding your users, Resend firing off emails, and a Stripe key in there somewhere. Genuinely impressive – a few years ago that took a team and six months. But now you're staring at the signup form with a creeping suspicion that something in there is going to bite you the moment a real user shows up.

That suspicion is healthy. AI is brilliant at producing code that runs. It's much less brilliant at producing code that's secure, scalable, observable, and safe to leave running unattended at 3am while you're asleep. The gap between 'it works on my laptop' and 'it survives contact with the public internet' is where we come in.

We audit AI-generated apps for solo founders and small teams. We tell you what's solid, what's terrifying, and exactly what to fix before you flip the switch.

We know where the AI cuts corners, because we use the same tools every day.

We use Claude Code every day ourselves, so we know exactly where it cuts corners. AI assistants are great at writing code that looks right. They're a lot less fussy about whether it's safe, sensible, or going to hold up once real people start poking at it.

Every audit looks a bit different, because every app is. We tailor it to what you've built and what you're worried about – but broadly we're checking that your users' data is safe, your app won't fall over under load, your costs won't spiral, and that whoever picks this up next (you, us, or future-you with a fresh AI session) can actually make sense of it.

A report you can actually act on. Or hand it back to us and we'll patch it ourselves.

You get a written report sorted by severity, not by 'things we noticed'. Critical issues at the top, with a clear explanation of what's wrong, why it matters, and exactly how to fix it – usually with a prompt or patch you can drop straight back into Claude or Cursor.

We're not trying to make you feel dumb, and we're definitely not trying to sell you a six-month rebuild. Most vibe-coded apps are 80% of the way there. We help you find the 20% that matters before your users do.

If you'd rather we just fixed the critical stuff for you, we can do that too. Same team, same care, and you go back to building features instead of reading OWASP Top 10 lists.

Built for the founder who codes their own stuff and wants a grown-up to check the homework.

If you're a solo founder, indie hacker, or non-technical operator who's shipped something with Claude Code, Codex, Cursor, Lovable, Bolt, v0, Replit Agent, or any combination of the above – this is for you. You don't need to know what a CSRF token is, or what that "middleware" error means. You just need someone in your corner who does.

We also work with funded startups whose technical co-founder is moving fast with AI and wants a sanity check before a launch, an investor demo, or a compliance conversation.

We don't judge the stack. Next.js, Laravel, Supabase, Convex, Firebase, raw Cloudflare Workers, a Postgres database held together with hope – whatever you've got, we can read it.

Frequently asked questions.

Claude (and Cursor, and the rest) are confident in a way that doesn't always match reality. They'll cheerfully tell you something is secure because the code pattern looks correct, while quietly missing that your API keys are in the wrong file, your database lets any logged-in user read every other user's data, or your auth check is one typo away from letting strangers in. We've seen it. A lot. A human pair of eyes catches the gaps the AI is too polite to mention.

Almost certainly, yes. Nine times out of ten you'll have ended up with some combination of Next.js, Supabase, Vercel and Resend – and it's the default AI-built-app stack for good reason. It's fast to ship on, scales well, and the free tiers are generous enough to get you to real traction. We work with it constantly. The stack isn't usually the problem. It's how the bits are wired together, what's exposed, what's missing, and what'll cost you a small fortune the first time something goes viral.

Usually a week or two from kickoff to a written report, depending on how big the app is. We quote a fixed price up front once we've had a quick look and a chat, so there are no surprises – it scales with size and complexity, with smaller MVPs at the affordable end. Get in touch and we'll give you a real number, not a 'starting from' fudge.

Absolutely. A lot of the founders we work with built their app inside a tool like Lovable, Bolt, or Replit and have never touched a terminal. That's fine. Give us a call, tell us what you've built, and we'll walk you through getting us access in plain English. No homework required.

Got an AI-built app?

Let us give it the all clear for launch.

Drop us a line with a sentence or two about what you've built and what's worrying you. We'll jump on a quick call, walk you through how we'd get access to your code (no jargon, promise), and come back with a fixed-price quote and a sensible timeline.

Call us, or use the form – we promise not to be smug about your code.

Phone: 09 929 1216