Audit Your AI-Built Product in 30 Minutes.

The Invisible 20%

AI coding tools like Cursor, Bolt, and Lovable are incredible at getting you to a working prototype. You describe what you want, and minutes later you have a running app. It feels like magic.

But here's what we've learned from auditing 50+ AI-built products: AI handles about 80% of what a production app needs. The other 20% — the parts you can't see — is where startups get burned.

That invisible 20% includes:

• Authentication holes — users can access other users' data by changing a URL parameter
• Exposed secrets — API keys and database credentials hardcoded in your source code
• Missing rate limiting — your API can be hammered with unlimited requests
• No input validation — SQL injection and XSS vulnerabilities in every form
• Silent failures — errors get swallowed, and you never know something broke

Why This Matters Now

If you're preparing to raise, investors will do technical due diligence. A codebase full of security holes and architectural shortcuts signals risk.

If you're scaling to your first 500+ users, the problems that didn't matter at 10 users will start breaking things — and you won't know why because there's no logging or monitoring.

What This Guide Gives You

In the next 30 minutes, you'll use Claude Code — an AI-powered terminal tool — to scan your codebase for the most common and dangerous issues. No coding experience required. You'll copy-paste prompts, read the output, and know exactly where you stand.

Let's start by getting set up.

What You'll Need

• A computer with a terminal (Mac: Terminal app, Windows: PowerShell)
• Access to your codebase (if it's on GitHub, you'll clone it locally)
• 5 minutes for setup, then 25 minutes for the audit

Step 1: Install Claude Code

Open your terminal and run:

npm install -g @anthropic-ai/claude-code

If you don't have npm installed, install Node.js first from nodejs.org — download the LTS version and run the installer.

Step 2: Navigate to Your Project

In the terminal, navigate to where your code lives:

cd /path/to/your/project

If your code is on GitHub and you don't have it locally:

git clone https://github.com/your-org/your-repo.git
cd your-repo

Step 3: Launch Claude Code

From inside your project directory, run:

claude

Claude Code will start an interactive session. It can read your files, understand your codebase, and answer questions about your code. Think of it as a senior engineer you can ask anything.

Quick Test

Try asking it something simple first to make sure it's working:

What is this project? Give me a one-paragraph summary.

You should get a clear description of your application. If that works, you're ready to start the audit.

Tip: Claude Code runs locally and reads your files directly. Your code is sent to Anthropic's API for processing but is not stored or used for training. Check Anthropic's privacy policy for details.

The Security Scan

Security is where AI-generated code fails most consistently. In our audits, every single AI-built product had at least one critical security issue. Let's find yours.

Check 1: Authentication & Authorization

This is the most common vulnerability we see. Copy and paste this into Claude Code:

Review my authentication and authorization implementation. Specifically check:
1. Can users access other users' data by changing IDs in URLs or API requests?
2. Are there any API endpoints that don't verify the user is authenticated?
3. Are there admin-only actions that regular users could trigger?
4. Is session management secure (token expiry, refresh logic)?

Show me specific files and line numbers for any issues found.

What good looks like: Every API route checks that the requesting user has permission to access the specific resource. You'll see middleware or guards that verify both authentication (who are you?) and authorization (are you allowed to do this?).

Red flags:

• Routes that fetch data by ID without checking ownership (/api/users/123/data returns data for any user)
• Missing authentication middleware on API routes
• Role checks done only on the frontend (easily bypassed)
• No server-side session validation

Check 2: Exposed Secrets

Scan the entire codebase for hardcoded secrets, API keys, passwords, or credentials. Check:
1. Hardcoded API keys or tokens in source files
2. Database connection strings with passwords
3. Private keys or certificates committed to the repo
4. .env files that might be committed (check .gitignore)
5. Secrets in client-side / browser-accessible code

List every instance found with file path and line number.

What good looks like: All secrets are in .env files (which are in .gitignore), and the code references them via process.env.VARIABLE_NAME. Nothing sensitive appears in files that get committed to git.

Red flags:

• API keys directly in source files (const API_KEY = "sk-...")
• .env files committed to git history (even if now gitignored, they're in the history)
• Secrets in frontend/client-side code (visible to anyone using your app)
• Database URLs with passwords in config files

Check 3: Injection Vulnerabilities

Check for SQL injection, XSS (cross-site scripting), and other injection vulnerabilities:
1. Are database queries using parameterized queries or raw string concatenation?
2. Is user input sanitized before being rendered in HTML?
3. Are file uploads validated for type and size?
4. Is user input validated on the server side (not just client-side)?

Show me the most dangerous instances first.

What good looks like: The app uses an ORM (like Prisma, SQLAlchemy, or ActiveRecord) that parameterizes queries automatically. User input is never directly concatenated into queries or HTML output.

Red flags:

• Raw SQL queries built with string concatenation or template literals
• innerHTML or dangerouslySetInnerHTML with user-provided content
• No server-side input validation (only client-side form checks)
• File uploads accepted without type/size restrictions

Check 4: Rate Limiting & Abuse Protection

Check if this application has rate limiting and abuse protection:
1. Are API endpoints rate-limited?
2. Is there protection against brute-force login attempts?
3. Are expensive operations (AI calls, email sending, file uploads) throttled?
4. Is there any DDoS protection configured?

If any of these are missing, explain the risk.

What good looks like: API routes have rate limiting middleware (e.g., express-rate-limit, Next.js middleware, or API gateway rules). Login attempts are throttled after failures.

Red flags:

• No rate limiting on any endpoint (anyone can make unlimited requests)
• Login endpoints accept unlimited password attempts
• AI/LLM API calls triggered by user input without throttling (expensive!)
• No abuse protection at infrastructure level (no WAF, no Cloudflare)

What Did You Find?

If Claude Code found issues in any of these four areas, you're not alone — nearly every AI-built product we audit has them. The question is how critical they are and what to fix first.

The next four sections of this guide cover architecture, performance, scalability, and compliance — plus a prioritization framework for deciding what to fix now versus later.