Code audit pricing: real numbers, published
If you've tried to find out what a code security audit costs, you've probably hit the same wall everywhere: “book a call,” “request a quote,” “pricing available on consultation.” Here are actual numbers instead. My audits cost $299, $999, or $1,900: fixed, published, and purchasable tonight without talking to anyone.
The rest of this page explains what each price buys, why the market usually hides its numbers, and how to decide which tier fits where you are.
- Fixed price
- No sales call
- Report in days
- Written for founders, not engineers
Why audit pricing is usually hidden
Most security work is genuinely custom: an agency auditing an unknown enterprise codebase can't quote until it scopes, and scoping means a sales call. Traditional audits and penetration tests are typically priced per engagement, and for firms serving enterprises that routinely lands in the thousands to tens of thousands of dollars. None of that is dishonest; it's just built for a different buyer than a founder who shipped an app with Lovable last month.
Fixed pricing becomes possible when the scope is known in advance. AI-built apps converge on the same stack (Next.js or React, Supabase or Firebase, Stripe or RevenueCat, deployed on Vercel) and the same failure patterns. I audit that stack specifically, so I know what the work takes, and the price can sit on the page.
What each tier buys
Launch Scan: $299, 48 hours.
The 'is anything on fire?' check. Automated scanning (secrets in code and git history, dependency vulnerabilities, security headers, error leakage) plus a human hour reviewing the results. You get a scorecard and your top five risks.
Launch Audit: $999, 5 business days.
The full manual security review. Everything in the Scan, plus row-level security and multi-tenant isolation testing with two live test accounts, server-side auth review, and a full API pass: ID manipulation, over-exposure, input validation, rate limiting. Every finding ships with a fix prompt for your AI tool, plus a 15-minute video walkthrough and 7 days of follow-up.
Launch + Revenue Audit: $1,900, 5 to 7 business days.
Everything above plus the audit almost nobody offers: billing correctness. Stripe webhook verification, the canceled-user test, failed-payment handling, price tampering, trial and refund logic, plus error tracking and uptime monitoring set up before you launch.
Ship Monitor: $149/month, ongoing.
For after launch: automated re-scans on every release and a monthly drift report, because every AI edit can quietly undo a fix. Cancel anytime.
Why the price doesn't change mid-engagement
The quote you see is the invoice you get. Three things make that work: the scope is fixed (a defined checklist per tier, not open-ended exploration), the stack is known (I only audit the modern AI-builder stack, and if your app isn't a fit I'll say so before you pay), and the deliverable is standard (severity-ranked findings, plain-English impact, fix prompts, verify steps, every time).
If your app turns out to be bigger or stranger than the tier fits, I tell you before starting, not after. No surprise invoices is a feature of the product, not a marketing line.
How to choose
Pre-revenue and just want confidence nothing is obviously exposed: Launch Scan. About to put real users and their data into the app: Launch Audit. Charging money, or about to: Launch + Revenue Audit, because a single unhandled cancellation webhook can cost more than the audit in one quarter. Still building weekly after launch: add Ship Monitor.
And if you're not sure the app needs anything yet, the free scan exists precisely for that: a graded scorecard within 24 hours, no charge.
What it costs
The full table, in one place:
| Package | Price | Turnaround | Best for |
|---|---|---|---|
| Launch Scan | $299 | 48-hour turnaround | “I just want to know if anything is on fire.” |
| Launch Audit | $999 | 5 business days | “Real users are about to trust me with their data.” |
| Launch + Revenue AuditMost popular | $1,900 | 5-7 business days | “This app is supposed to make money. Prove the pipes are connected.” |
| Ship Monitor | $149/month | Ongoing | everyone who just passed an audit and plans to keep building. |
Frequently asked questions
Why are your audits cheaper than agencies?
Narrower scope, zero overhead, and no sales process. An agency quote covers account managers, scoping calls, and the flexibility to audit anything. I audit one stack, the one AI builders generate, with a fixed checklist refined on every engagement. You're not getting less audit; you're not paying for the machinery around it.
Are there any costs beyond the listed price?
No. The price includes the audit, the report, the video walkthrough (audit tiers), and seven days of follow-up questions. The only way to spend more with me is to choose to: a re-audit later, Ship Monitor, or the advisory tier.
What if my app is really big?
The tiers assume the typical AI-built app: one product, one database, one billing integration. If yours is substantially bigger, I'll tell you what it actually needs before you pay. Sometimes that's two engagements, sometimes it's 'you've outgrown me, here's the kind of firm to call.'
Do you offer refunds?
If I haven't started, yes, in full. Once the audit is underway you're paying for expert time that's already being spent. But if the report doesn't deliver what this site promises, tell me and I'll make it right.