Human Audit

The eight checks no scanner can actually do.

Real engineers running real flows against your app. Fixed-scope sprints from $300. The fix ships as a pull request you approve — no agency retainer, no offshore team, no ghosting.

The split

The scanner ends where business logic begins.

A URL scanner sees what an attacker sees from outside — exposed keys, missing headers, world-readable databases. It can't see what an attacker does next: stack free trials, jump between users' orders, replay a webhook. That's this side of the line.

Automated scanner · ~6s

What runs on every URL.

Free or $19. No signup. Read-only. Catches the technical misconfigurations that AI tools ship by default.

  • Security headers (CSP, HSTS, XFO, ...)
  • Cookie flags (Secure, HttpOnly, SameSite)
  • Secrets in JS bundles (Stripe sk_live, OpenAI, AWS)
  • Platform fingerprint
  • Supabase RLS probing (CVE-2025-48757)
  • Firebase Realtime / Firestore rules
  • Exposed files (.env, .git, backup.sql, source maps)
  • Open-redirect via discovered params

Human checker · 2–3 weeks

What only a human can confirm.

From $300, fixed scope. Real engineers running real flows. Fix shipped as a pull request you approve.

  • Trial / promo abuse (Stripe fingerprint dedup)
  • IDOR / BOLA (multi-account testing)
  • Business-logic flaws (race conditions, step-skipping)
  • Payment-webhook signature integrity
  • Stored XSS + second-order injection
  • BOPLA — field-level authorization
  • LLM excessive agency / agent blast-radius
  • Compliance signals (GDPR / PCI / HIPAA)

What we check

What a scanner physically cannot do.

Each of these requires multiple test accounts, real payment flows, knowledge of your intended access model, or code review. A URL-only scanner can flag candidates — only a human can confirm and fix them.

Featured

Trial / promo abuse

OWASP API6:2023 · A04:2025

Every SaaS needs this and almost none have it dialed in. We sign up multiple times with new emails and the same payment method, attempt plus-addressing (foo+1@gmail.com), gmail dot-stripping, fresh devices, and VPN'd IPs — and document exactly what your dedup catches.

A founder we know watched their friend stack six free trials on a $39/mo SaaS by changing the email and reusing the same card. The fix was a 30-minute change to dedupe on Stripe's card.fingerprint. Most teams never check that field.
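An added example (not the page's or the service's own code) of the dedup described above: it normalizes plus-addressed and dotted Gmail addresses and links a new signup to prior trials by card fingerprint (standing in for Stripe's `card.fingerprint`), normalized email, and a hypothetical `deviceId`; the trial records are constructed.

```javascript
// Added example (not the page's own code): the signup-dedup checks the audit exercises,
// run against one table of past trials. `cardFingerprint` stands for Stripe's
// card.fingerprint (stable per physical card across customers); `deviceId` and the
// record shape are assumptions constructed for this example.
function normalizeEmail(email) {
  let [local, domain] = email.trim().toLowerCase().split("@");
  if (!domain) return email.trim().toLowerCase();
  local = local.split("+")[0];                                   // foo+1@ -> foo@
  if (domain === "googlemail.com") domain = "gmail.com";
  if (domain === "gmail.com") local = local.replace(/\./g, "");  // gmail ignores dots
  return `${local}@${domain}`;
}

// Each rule is named so the audit report can state which evasion each signal catches.
const RULES = [
  ["card_fingerprint", (t, s) => Boolean(s.cardFingerprint) && t.cardFingerprint === s.cardFingerprint],
  ["normalized_email", (t, s) => normalizeEmail(t.email) === normalizeEmail(s.email)],
  ["device_id", (t, s) => Boolean(s.deviceId) && t.deviceId === s.deviceId],
];

// Returns the names of the rules that link the new signup to any prior trial.
function trialMatches(priorTrials, signup) {
  const hits = new Set();
  for (const t of priorTrials) {
    for (const [name, pred] of RULES) if (pred(t, signup)) hits.add(name);
  }
  return [...hits];
}

function trialAllowed(priorTrials, signup) {
  return trialMatches(priorTrials, signup).length === 0;
}

// Constructed sample data: one prior trial on this account.
const PRIOR_TRIALS = [
  { email: "foo@gmail.com", cardFingerprint: "fp_constructed_A", deviceId: "dev_1" },
];
```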

IDOR / BOLA confirmation

OWASP API1:2023 · CWE-639

OWASP WSTG mandates ≥ 2 authenticated accounts to reliably test for insecure direct object references. We log in as User A, change /orders/123 to /orders/124, and document whether User B's data leaks back.

Business-logic flaws

OWASP A04:2025 · API6:2023

Race conditions on concurrent state changes, multi-step workflows that accept POSTs skipping earlier steps, coupon stacking, negative-quantity carts. Code that does the happy path correctly but breaks under adversarial use.

Payment-webhook integrity

OWASP API8:2023 · CWE-345

Stripe / PayPal webhooks must verify HMAC signatures and reject replays. We attempt forged webhooks against your endpoint and audit the verification path. Missing signature checks have leaked > $200K in our case-study research.

Stored XSS + second-order injection

OWASP A05:2025 · CWE-79

Payloads that only fire after persisted data is rendered by a second user. We submit canary content as User A and audit how the app renders it for User B in admin views, exports, notifications, and emails.

BOPLA — field-level authorization

OWASP API3:2023

Whether role A should see field X but not Y on the same resource. Requires understanding your intended access model — a scanner can't guess what each field is supposed to permit.

LLM excessive agency / agent blast-radius

OWASP LLM06:2025

For apps with agentic tool-calling — Cursor or Devin-built backends, Claude Code agents — what tools the agent can invoke, with what permissions, and whether the autonomy boundary is appropriate. This is review work, not endpoint probing.

Compliance signals

GDPR · PCI · HIPAA

Whether your data handling meets the laws you're subject to. Cookie consent, data residency, retention policies, DPAs with sub-processors, BAAs if you touch health data. Legal posture, not technical — needs a human eye.

Who runs the audit

Named engineers. Direct line.

No outsourcing. No project-manager middle layer. The same engineer who scopes the audit reviews and signs the PR.


Ali Saeed

Founder & lead engineer

Production engineer fluent in the vibe-coding stack — React, Node, PostgreSQL, Supabase, Vercel — and the AI builders (Claude Code, Cursor, Lovable, Bolt). Runs every scoping call. Reviews every PR before it ships.

  • 10+ years production engineering
  • Vibe-coding native (Lovable / Bolt / Cursor)
  • Built bleek's own scanner from scratch

Senior reviewer

Security review

Second pair of eyes on every audit. Background in application security and secure code review. (Profile coming soon.)

  • Application security background
  • OWASP WSTG-driven methodology

How it works

Four steps. Two to three weeks.

Step 1

Scoping call (30 min)

We walk through your app together, agree on the audit scope, and write down a fixed-price quote. No retainer, no surprises.

Step 2

Read-only access

Add us as read-only collaborators on your repo + provide two test accounts. NDA on request. Access revocable any time.

Step 3

Audit + report

We run every applicable check from the list above. You get a prioritized report with severity, evidence, and a proposed fix for each finding.

Step 4

Fix shipped as a PR

We open one PR per finding for you to review and merge. Demo / re-test included.

Your repo stays yours

Read-only access by default. We open pull requests; you merge them. We never push directly.

Fixed scope, fixed price

Agreed up front in the scoping call. No hourly billing surprises.

Named founder

Ali runs every audit. Direct line — no project manager, no offshore team.

Get on a call.

We'll scope your audit in 30 minutes and quote a fixed price. If your app doesn't need an audit, we'll tell you that too.