The product was live and moving real money. A fintech app, with wallets, payments, and withdrawals, built fast and already in the hands of paying users. By every visible measure it was secure: there was a password, there was two-factor authentication, there was a transaction PIN. The founder had done the responsible things. That's exactly why what we found was dangerous. The security was there, but it didn't actually hold.
The two-factor authentication was switched on, but it protected nothing.
Here's what was supposed to happen: you enter your password, the app texts you a one-time code, and you're only let in after you enter that code. Standard 2FA. The app sent the code. The user saw it arrive. Everything looked correct.
Here's what actually happened: the moment you submitted a correct password, the system already handed back a fully valid access token, before the one-time code was ever checked. The code was theater. Anyone with nothing but a stolen password had complete access to the account, money included. The second factor never stood between an attacker and the funds.
This is the kind of gap AI coding tools produce constantly. The code reads as finished. The 2FA function is there, it gets called, it sends the message. A founder reviewing it, or the AI that wrote it, sees a complete feature. What neither catches is that the door opened one step too early. It takes an adversarial read, someone looking for the gap on purpose, to see it.
The fix was small once identified: the password step hands back only a short-lived, single-use challenge identifier that grants no access on its own, and the real access token is minted only after the one-time code is verified against that challenge. A few lines. The exposure it closed was total account takeover. One caveat worth stating: the code check itself needs an attempt cap and an expiry, or the one-time code is just another short PIN to brute-force.
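To make the ordering concrete, here is an added illustration, not the app's own code (its framework, token format and SMS provider are not part of this write-up): the vulnerable login beside the gated one, with hypothetical in-memory stores standing in for the user table, the pending-challenge store and the SMS gateway.

```python
# Added example, not the audited app's code. The user store, challenge store and
# SMS gateway are hypothetical in-memory stand-ins; the real framework, token
# format and SMS provider are not described in the write-up.
import hashlib
import hmac
import secrets
import time

USERS = {  # constructed sample user; a real app stores a salted, slow password hash
    "alice": {"password_sha256": hashlib.sha256(b"correct horse").hexdigest(),
              "phone": "+15550100"},
}
SENT_CODES = []            # stand-in for the SMS gateway: list of (phone, code)
PENDING = {}               # challenge_id -> {"user", "code", "expires", "attempts"}
CHALLENGE_TTL = 300        # seconds a pending challenge stays valid
MAX_OTP_ATTEMPTS = 3       # wrong codes allowed before the challenge is burned


def password_ok(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, user["password_sha256"])


def mint_access_token(username):
    # Placeholder for whatever the app really issues (JWT, opaque session id).
    return f"access.{username}.{secrets.token_urlsafe(16)}"


def send_otp(username):
    code = f"{secrets.randbelow(10**6):06d}"
    SENT_CODES.append((USERS[username]["phone"], code))
    return code


def login_vulnerable(username, password):
    """The pattern found in the audit: the access token is issued the moment the
    password matches. The code is sent, but nothing downstream ever requires it."""
    if not password_ok(username, password):
        return None
    send_otp(username)
    return {"access_token": mint_access_token(username)}   # door already open


def login_hardened(username, password):
    """A correct password yields only a challenge id. It grants nothing on its
    own; no access token exists until verify_otp succeeds for this challenge."""
    if not password_ok(username, password):
        return None
    challenge_id = secrets.token_urlsafe(24)
    PENDING[challenge_id] = {"user": username, "code": send_otp(username),
                             "expires": time.time() + CHALLENGE_TTL, "attempts": 0}
    return {"challenge_id": challenge_id}


def verify_otp(challenge_id, code):
    """Second step: tied to the challenge from step one, time-limited, capped in
    attempts, compared in constant time, single use. Only here is a token minted."""
    ch = PENDING.get(challenge_id)
    if ch is None:
        return None
    if time.time() > ch["expires"]:
        del PENDING[challenge_id]
        return None
    if not hmac.compare_digest(str(code).encode(), ch["code"].encode()):
        ch["attempts"] += 1
        if ch["attempts"] >= MAX_OTP_ATTEMPTS:
            del PENDING[challenge_id]       # burn it; the user starts over at the password
        return None
    del PENDING[challenge_id]               # single use
    return {"access_token": mint_access_token(ch["user"])}
```

The difference is only in what the password step returns. In the hardened flow a stolen password gets an attacker as far as a challenge id that is useless without the code on the victim's phone, expires in minutes, and is discarded after a few wrong guesses.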
A real review is never one finding. Once we were in the codebase, the same pattern, things that looked done but weren't safe, showed up across the money-handling core.
The transaction PIN was four digits, 10,000 possible combinations, and there was no lockout after repeated wrong guesses. An automated script could simply walk through every one. We added per-account attempt limits and rate limiting so a wrong-guess spree gets shut down after a handful of tries instead of running to completion.
Payment and withdrawal requests, the most sensitive actions in the entire app, had no per-user limit, only a loose global ceiling shared by every user, which caps aggregate traffic but says nothing about how fast a single compromised account can be drained. Money-moving endpoints are exactly where you want strict, per-user ceilings. They had none.
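Here is what per-account enforcement looks like for both findings above, as an added example rather than the app's code. The thresholds and storage are assumptions: the counters live in process memory here so the block runs stand-alone, and a production version would keep them in Redis or the database so every app instance sees the same state.

```python
# Added example, not the audited app's code: per-account lockout for the PIN and
# a per-user rate limit for money-moving endpoints. Thresholds are assumptions;
# the counters live in memory here and would live in shared storage in production.
import hashlib
import hmac
import time
from collections import defaultdict, deque


class FakeClock:
    """Controllable time source so the lockout and window logic can be exercised."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def hash_pin(pin):
    # Demonstration only: a real deployment uses a keyed or slow hash for PINs,
    # since a 4-digit space is trivially reversible from a plain SHA-256.
    return hashlib.sha256(pin.encode()).hexdigest()


class PinGuard:
    """Transaction-PIN check with a per-account failure counter and lockout.
    A 4-digit PIN has 10,000 values; with max_failures=5 an attacker gets five
    guesses per lockout window instead of the whole keyspace."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> unlock timestamp

    def is_locked(self, account):
        until = self.locked_until.get(account)
        return until is not None and self.clock() < until

    def verify(self, account, stored_pin_hash, submitted_pin):
        """Returns 'ok', 'wrong' or 'locked'. Lockout is checked before the PIN,
        so a locked account reveals nothing about whether a guess was right."""
        if self.is_locked(account):
            return "locked"
        if hmac.compare_digest(hash_pin(submitted_pin), stored_pin_hash):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
            self.failures[account] = 0
        return "wrong"


class PerUserRateLimiter:
    """Sliding-window limit keyed by user id: at most max_requests per
    window_seconds for each user, independent of what other users do."""

    def __init__(self, max_requests, window_seconds, clock=time.time):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.clock = clock
        self.events = defaultdict(deque)   # user_id -> timestamps of recent requests

    def allow(self, user_id):
        now = self.clock()
        recent = self.events[user_id]
        while recent and recent[0] <= now - self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return False
        recent.append(now)
        return True


def withdraw(user_id, amount_cents, limiter, balances):
    """Endpoint-shaped helper. The per-user limit is applied before any balance
    logic, so a rejected request costs nothing and changes nothing."""
    if not limiter.allow(user_id):
        return "rate_limited", balances[user_id]
    if amount_cents > balances[user_id]:
        return "insufficient_funds", balances[user_id]
    balances[user_id] -= amount_cents
    return "ok", balances[user_id]
```

Two design points carry over regardless of storage: the lockout check runs before the PIN comparison, so a locked account gives the same answer to right and wrong guesses, and the limiter is keyed on the authenticated user rather than the source address, which is the dimension a global limit cannot see. A second limiter keyed on source address or device is a sensible addition, not a replacement.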
The database connection was configured to accept any server certificate as valid, including a forged one, on the live production system. The traffic was encrypted, but the check that ties that encryption to the right server was switched off, so anyone positioned between the app and the database could impersonate the database and read or alter everything passing through.
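This is a setting worth checking mechanically across every environment, because it hides in one connection-string parameter. The following is an added example, not the app's code, and it assumes libpq-style PostgreSQL URLs (`sslmode=` and `sslrootcert=`); other drivers spell the same knobs differently, and the sample URLs are constructed.

```python
# Added example, not the audited app's code: a check for the finding above.
# Assumes libpq-style connection URLs (postgresql://...?sslmode=...); other
# drivers spell the same knobs differently. The sample URLs are constructed.
from urllib.parse import parse_qs, urlparse

# Weakest to strongest. Only the last one checks both the CA chain and that the
# certificate names the host actually dialled, which is what stops impersonation.
LEVELS = ["plaintext", "downgradable", "encrypted_unverified", "verify_ca", "verify_full"]


def classify_db_tls(url):
    """Return (level, reason) describing how much the server's identity is checked."""
    params = {k: v[-1] for k, v in parse_qs(urlparse(url).query).items()}
    sslmode = params.get("sslmode", "prefer")   # libpq's default when unset
    # A root.crt in libpq's default location has the same effect as sslrootcert,
    # which a URL-only check cannot see; treat a clean result as necessary, not sufficient.
    has_root_cert = "sslrootcert" in params
    if sslmode == "disable":
        return "plaintext", "sslmode=disable: no TLS at all"
    if sslmode in ("allow", "prefer"):
        return "downgradable", f"sslmode={sslmode}: TLS is optional, so an attacker on the path can strip it"
    if sslmode == "require":
        if has_root_cert:
            return "verify_ca", "sslmode=require with sslrootcert: libpq validates the chain, but the docs discourage relying on this"
        return "encrypted_unverified", "sslmode=require: encrypted, but any certificate is accepted"
    if sslmode == "verify-ca":
        return "verify_ca", "sslmode=verify-ca: chain checked, hostname not"
    if sslmode == "verify-full":
        return "verify_full", "sslmode=verify-full: chain and hostname checked"
    return "unknown", f"unrecognised sslmode={sslmode!r}"


def audit_connection_urls(named_urls, required="verify_full"):
    """Return [(name, level, reason)] for every URL weaker than `required`.
    Credentials in the URL are never echoed; only the name and the verdict are."""
    findings = []
    for name, url in named_urls.items():
        level, reason = classify_db_tls(url)
        if level not in LEVELS or LEVELS.index(level) < LEVELS.index(required):
            findings.append((name, level, reason))
    return findings


SAMPLE_URLS = {  # constructed; the production one is the shape of the finding
    "prod": "postgresql://app:s3cret@db.internal:5432/wallets?sslmode=require",
    "staging": "postgresql://app@db-staging.internal/wallets?sslmode=verify-full&sslrootcert=/etc/ssl/ca.pem",
}
```

`sslmode=require` is the one that fools people: the connection is encrypted, the driver does not complain, and no certificate is ever validated. `verify-full` is the setting that makes the encryption mean something, and it requires the server certificate to name the host in the URL, so the certificate's subject alternative names and the connection string have to agree.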
Wallet creation wasn't atomic: it was several writes with no transaction around them, so a failure partway through could silently leave a user with a half-built account and no error raised. The database connection pool was sitting on its out-of-the-box default of five, so enough simultaneous traffic would queue up and freeze the app. Key tables had no indexes, fine now and catastrophic past a few hundred thousand rows. None of these are visible in a demo. All of them surface at exactly the wrong moment: under load, at scale, in front of customers.
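For the atomicity finding, here is an added example, not the app's code, that puts the non-atomic pattern beside a transactional one and adds the query we'd run against the live database to find accounts that were already half-built. It uses SQLite so it runs offline (the app's real database and ORM aren't named in this write-up), and the crash between writes is simulated by a flag.

```python
# Added example, not the audited app's code: wallet creation as a single
# transaction, with the non-atomic version beside it. SQLite is used so it runs
# offline; the real database and ORM are not known. The failure between writes
# is simulated by the fail_between flag.
import sqlite3

SCHEMA = """
CREATE TABLE users   (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE);
CREATE TABLE wallets (id INTEGER PRIMARY KEY,
                      user_id INTEGER NOT NULL UNIQUE REFERENCES users(id),
                      balance_cents INTEGER NOT NULL DEFAULT 0);
CREATE TABLE ledger  (id INTEGER PRIMARY KEY,
                      wallet_id INTEGER NOT NULL REFERENCES wallets(id),
                      amount_cents INTEGER NOT NULL);
-- the lookup every money path does; without it, ledger reads become table scans
CREATE INDEX ledger_wallet_idx ON ledger(wallet_id);
"""


def new_db():
    # isolation_level=None: sqlite3 will not open transactions implicitly, so the
    # BEGIN/COMMIT/ROLLBACK below are the only transaction boundaries in play.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def create_account_nonatomic(conn, email, fail_between=False):
    """The pattern from the audit: separate writes, each committed on its own.
    By the time anything fails between them, the user row is already durable,
    so the account exists with no wallet behind it."""
    conn.execute("INSERT INTO users(email) VALUES (?)", (email,))
    user_id = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()[0]
    if fail_between:
        raise RuntimeError("simulated crash before wallet insert")
    conn.execute("INSERT INTO wallets(user_id) VALUES (?)", (user_id,))
    return user_id


def create_account_atomic(conn, email, fail_between=False):
    """Both rows or neither: one transaction, rolled back on any error, so a
    failed sign-up is a clean retry rather than a half-built account."""
    conn.execute("BEGIN")
    try:
        user_id = conn.execute("INSERT INTO users(email) VALUES (?)", (email,)).lastrowid
        if fail_between:
            raise RuntimeError("simulated crash before wallet insert")
        conn.execute("INSERT INTO wallets(user_id) VALUES (?)", (user_id,))
        conn.execute("COMMIT")
        return user_id
    except Exception:
        conn.execute("ROLLBACK")
        raise


def orphaned_users(conn):
    """Detection query: users with no wallet. Worth running on the live database
    after the fix, to find accounts the old code had already broken."""
    rows = conn.execute(
        "SELECT u.email FROM users u LEFT JOIN wallets w ON w.user_id = u.id "
        "WHERE w.id IS NULL ORDER BY u.id"
    ).fetchall()
    return [r[0] for r in rows]
```

The fix is the transaction boundary, not the error handling: the non-atomic version does raise, but by then the damage is committed. The detection query matters because a fix only stops new breakage; accounts created under the old code stay broken until someone looks for them.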
Every critical finding above has been fixed. The 2FA now gates access the way the founder always believed it did. The money-moving endpoints are throttled, the PIN is protected, the production certificate check is enforced. The structural issues are on a prioritized list, sequenced by what would hurt first.
What the founder got wasn't a 200-page report. It was a clear, ordered account of what was actually exposed, what it would have cost, and what to do about it first: the difference between "it works" and "it's safe" made concrete.
AI coding tools let you ship in days what used to take months. They do not review their own work, and the things they miss, a door that opens one step too early, a limit that was never set, a check quietly switched off, are precisely the things that cause incidents in production. They don't show up in a demo. They show up when an attacker, an outage, or an investor's technical diligence goes looking.
That's what the audit is for: two senior engineers reading the code the way an attacker or a future hire would, finding the gaps before they find you.
Book a 20-minute fit call. No prep, no pitch. We'll tell you honestly whether an audit is the right move, and if it isn't, we'll say so.