
Revitt Vibe Check

You shipped it fast.

Now find out if it's safe.

A 50-point production-readiness and security audit for apps built with AI coding tools — plus a 6-point AI-Native Readiness review. We read your code, score every point Pass / Warning / Fail, and hand you a plain-English report with a prioritised fix list.

From £249 + VAT · three tiers · 3 business days

The problem

AI built it to work, not to be safe.

AI tools optimise for the happy path; they do not ask what happens when a real user — or an attacker — shows up. The code ships, the demo looks great, and every critical assumption about auth, trust boundaries, and data isolation goes untested until something breaks in production.

vibe-check --scan ./your-app
[FAIL] GET /api/orders/:id returns any user’s order — no ownership check (IDOR)
[FAIL] Supabase service-role key shipped in the client JavaScript bundle
[FAIL] Checkout trusts the price sent by the browser — £0.01 orders accepted
[WARN] No rate limit on /login — open to credential-stuffing
[WARN] Backups enabled but never restore-tested
[PASS] HTTPS enforced with HSTS
[FAIL] Real customer rows sitting in /fixtures — unsafe to open in an AI tool
— In our experience, almost every vibe-coded app we audit has at least one Critical finding.

The audit

50 points, every one scored Pass / Warning / Fail.

Every check is reviewed by hand by a senior engineer rather than left to an automated scanner, and each point maps to a real failure mode we've seen sink a launch or a funding round.

17 Critical checks
26 High checks
7 Medium checks
See the full 50-point list →

Security

01

6 points

Authentication & Access Control

Offloaded auth (you should not be storing passwords), session expiry, IDOR, function-level authorisation, multi-tenant isolation, privilege escalation.

02

5 points

Injection & Input Handling

SQL injection, XSS, file-upload validation, SSRF, and command injection — every place user input reaches something dangerous.

03

3 points

Secrets & Configuration

Secrets in git history, secrets in the client bundle, and dev/prod credential separation with debug off in production.

04

3 points

API & Business-Logic Abuse

Rate limiting and brute-force protection, mass assignment, and business-logic tampering — price manipulation, sequence skipping, replay.

05

3 points

Web & Cloud Hardening

HTTPS with HSTS and security headers, CORS tightening, and cloud basics — least-privilege IAM, no public buckets, blocked metadata endpoint.

Engineering & Ops

06

5 points

Automated Testing & QA

Critical-path unit/integration tests, end-to-end browser tests, CI gates that block on failure, meaningful coverage, a pre-production check.

07

4 points

Containerisation & Reproducibility

A Dockerfile or reproducible setup, pinned base images and lockfiles, dev/prod parity, one-command local setup from the README.

08

4 points

CI/CD & Deployment

Pipeline-only deploys, a tested sub-ten-minute rollback, a promotion-gated staging environment, infrastructure as code.

09

3 points

Vendor Lock-in & Portability

Can you leave the AI builder platform, export your full database and files, and does the business own every cloud and domain account?

10

2 points

Dependencies & Supply Chain

No known-vulnerable packages with the lockfile enforced in CI; no abandoned or integrity-unchecked third-party scripts or CI actions.

11

3 points

Observability & Incident Readiness

Structured logs to a persistent store, no secrets or PII in logs, uptime and error-rate alerting with a named responder.

12

3 points

Data, Migrations & Backups

Schema constraints and versioned migrations, transactions on money and critical writes, and backups tested with an actual restore.

13

2 points

Code Quality & Maintainability

Explicit error handling with no stack traces leaking to users, and business logic separated from transport with runnable docs.

14

2 points

Performance, Scale & Cost

N+1 queries, missing indexes, and unbounded list endpoints — plus cloud spend controls and runaway-cost traps on LLM and SMS APIs.

Compliance

15

2 points

Privacy & Compliance (UK)

UK GDPR / DPA 2018 basics — privacy policy, lawful basis, processor agreements, a deletion mechanism — plus PECR cookie consent.

AI-Native Readiness · included

Built to work with AI.

We look at whether your app is built to make good use of AI, and whether it is safe to bring AI near your code and data even if there is no AI in it yet. That judgement comes from running our own AI products in production rather than working off a generic checklist.

Why this matters

We built and operate Intervals Pro and MCPlexer — two live products where AI and human judgement are inseparable. The question that matters isn’t simply whether the AI made something work; it’s whether AI is paired with experienced product engineering judgement, and that is what every Vibe Check brings to your app.

Live review
6-point review

01

Operable by agents — a scoped, audited management surface (MCP)

Medium

02

AI-assisted support and operations designed in, not bolted on

Medium

03

Captures the AI opportunity where it genuinely adds value

Medium

04

AI and agent access to production is scoped, audited, and human-gated

High

05

AI features controlled for cost, reliability, and prompt injection

High

06

Safe to work on this codebase and data with AI — secrets, PII, scoped access

High

These six points are included in every Vibe Check at no extra charge, because AI readiness is now a real part of whether an app is fit for production.

Process

How it works

Three steps from booking to a prioritised fix list, without the lengthy onboarding or procurement that a bigger engagement usually involves.

01

Onboarding call

Book online, then a short onboarding call gets us read-only access to your codebase and the context we need — what the app does, where sensitive data lives, what is worrying you.

02

We run the audit

Our engineers work through every point against your actual code and running app: an automated first pass built from our experience, followed by hands-on review by senior engineers, rather than a generic scanner that mostly flags noise.

03

Report + findings call

You get the full written report — every point scored Pass / Warning / Fail with severity and a prioritised fix list — then a findings call to walk you through it.

Access & scope
  • Read-only repo access + a URL for your running app
  • No production credentials required
  • We never modify your code or infrastructure

Pricing

Three tiers. Pick your depth.

All prices + VAT, fixed — no hourly overruns. Most teams start with Think Harder. A senior engineer is in the loop on every tier; you’ll never receive raw scanner output.

01/03
SCAN

Think

The launch-risk scan

£249 + VAT
  • The ~15 highest-severity checks: access control, secrets, data exposure, injection
  • An automated scan, then reviewed by a senior engineer
  • A 15-minute onboarding call and a 15-minute findings call
  • A written risk report within 48 hours
02/03
FULL · most popular

Think Harder

The full Vibe Check

£999 + VAT
  • All 50 production-readiness points
  • Plus the 6-point AI-Native Readiness review
  • A full report, scorecard and prioritised fix list
  • A 30-minute onboarding call and a 30-minute findings walkthrough
  • Delivered in 3 business days
03/03
DEEP

Ultrathink

A deeper dig, plus a re-test

£1,999 + VAT
  • Everything in Think Harder
  • A deeper dig into your data, RLS and business logic
  • A free re-test once you have fixed the findings
  • Priority, 2-business-day turnaround
  • A 60-minute onboarding call and a 60-minute strategy call

Not sure which tier fits? Book a free 15-min scoping call and we’ll help you decide.

Deliverables

What you get

Every Vibe Check ends with the same set of outputs, written and structured so you can act on them immediately, in plain language rather than buried in a slide deck.

01

The written report

Every point scored Pass / Warning / Fail with a severity and a plain-English explanation of what we found and why it matters to your specific app.

02

The scorecard

A one-page summary you can show a co-founder, an investor, or a customer who asks whether it has been audited.

03

A prioritised fix list

What to fix first, what can wait, and roughly what each item involves — ordered by real-world risk, not checklist order.

04

Onboarding + findings calls

Every tier is topped and tailed by a call — onboarding to get access and context, findings to walk you through it. 15 minutes each on Think, up to an hour each on Ultrathink.

Pricing

Fixed price from £999 + VAT

The flagship audit — returned in three business days.

Three business days
Diagnostic, not a fix engagement
Fixed scope, agreed up front

What comes next

After the audit, you have clear options

The Vibe Check is a diagnostic, so you come away with a clear picture of where your app stands. What happens next is entirely your call, and we are happy to help if you would like us involved.

01

Fix engagement

We fix the Critical and High findings, harden the app, and get it to a state we would put our name to. Fixed scope, agreed up front.

02

System Care

Ongoing monitoring, dependency updates, security patching, and a human who picks up the phone when production breaks.

Questions

Common questions

Everything you need to know before booking. If something's not covered, drop us a line at hi@revitt.co.

My app was built with Cursor / Lovable / Bolt / v0 — is that a problem?

It is exactly what the Vibe Check is for. These tools ship real software, but many patterns they reach for by default are insecure or fragile under real-world load. We know how each one tends to slip.

Do you need the source code?

Yes — read-only access to the repository and a URL for the running app. We do not need deployment credentials, and we never modify anything during the audit.

Will you fix what you find?

Not as part of the Vibe Check — it is a diagnostic. You get a clear picture and a prioritised fix list. If you want us to fix it, that is a separate engagement we scope after the report.

Is this just an automated scanner?

No. Even the £249 Think tier is our experience productised, with a senior engineer in the loop. The £999 and £1,999 tiers are hands-on human review. You never get raw scanner output.

What is the AI-Native Readiness review?

Six extra checks on whether your app is built to take advantage of AI, and whether it is safe to bring AI near your code and data — even if the product has no AI in it. It is the part most auditors cannot do; we built Intervals Pro and MCPlexer.

Is the price the total cost?

Yes — fixed price, no scope creep. Think £249, Think Harder £999, Ultrathink £1,999, all + VAT.

Still unsure?

Not every project needs the full Ultrathink tier. If you’re not sure which level is right for you, send a brief and we’ll help you choose the right one.

Vibe Check — Fixed Price Audit

Know where you stand.

Before your users find out for you.

Think £249
Think Harder £999
Ultrathink £1,999

All prices + VAT, with fixed scope and no surprises.

Revitt Ltd · Company no. 13210870 · VAT GB-371727093 · hi@revitt.co