White-label available for agencies

Your client just asked: “Is it secure?”

A fixed-price security review of your Rails app by a senior engineer — 13 years of production Rails. Dependency CVEs, static analysis, and a manual read of the code paths attackers actually target. Report in 5–7 days.

Book an audit →

What gets reviewed

Dependency & CVE Scan

bundler-audit + ruby-advisory-db. Every gem in your Gemfile.lock checked against known CVEs, prioritized by real exploitability — not just CVSS scores.

Static Analysis, Expert-Triaged

Brakeman across the full codebase. Every finding hand-verified, false positives removed. You get signal, not tool noise.

Authentication & Sessions

Password handling, session fixation, remember-me tokens, reset flows, MFA hooks. The front door, checked properly.

Authorization

IDOR checks, scope leaks, mass assignment, admin boundary review. The bugs that leak one customer's data to another.

Injection Surfaces

SQL injection via raw or interpolated queries, XSS escapes, command injection, unsafe deserialization.

Secrets & Config

Credentials handling, encrypted secrets, security headers, cookie flags, CSRF setup, production config hardening.


Fixed price. No hourly meter.

Turnaround 5–7 days from repo access.

For smaller apps

Report

$500
  • Full dependency + CVE scan
  • Brakeman with expert triage
  • Manual code review
  • Prioritized findings report (impact × effort)
  • Fix guidance per finding
Most popular

Report + Fixes

$1,200
  • Everything in Report
  • Patch PRs for all critical findings
  • Patch PRs for all high findings
  • Fixes reviewed and test-covered
Complete cycle

Full

$2,500
  • Everything in Report + Fixes
  • Patches for medium/low findings
  • Re-audit verification pass after fixes land
  • Final clean-bill report
For agencies — white-label

Your client asked about security. You don't need a security hire.

I audit your client's Rails app; you deliver the results under your brand. Unbranded or agency-branded report, your markup, your client relationship — I stay invisible. One agency partner typically sends multiple apps per year: every project you ship is an audit your client will pay for.

Report branded to your agency (or unbranded)
I never contact your client
Repeat pricing for agency partners
NDA-friendly

See the deliverable before you buy

See exactly what you get — findings format, severity scoring, and fix guidance.

View a sample report →

Straight answers

Is this a penetration test?

No, and I won't pretend it is. This is a code-level security review: I read your code and dependencies the way an attacker-aware senior engineer does. Dynamic/network penetration testing is a different discipline — if you need it, I'll say so and can refer you.

What access do you need?

Read access to the repository. No production access, no database, no customer data.

What if you find nothing serious?

Then the report says so, with evidence — that's a result your client can take to their stakeholders. Most audits find something worth fixing.

Which Rails versions?

Rails 4 through 8. Old versions are where the findings live.

How is this so much cheaper than the big firms?

Same core scope the $10k firms sell — dependency analysis, Brakeman with expert triage, manual review — minus the agency overhead. One senior engineer, fixed price.

Know where your app stands

Fixed-price audit. Clear findings. Report in a week.

Book an audit →