Make your AI app production-ready, spot technical risks before real users
An AI-built app runs in the demo, but does it hold up under real users, load and failure cases? I review what really matters before launch, auth, database, APIs, deployment, monitoring and CVEs, and keep the app under ongoing technical oversight afterwards, instead of stopping at a snapshot.
- Launch risk checklist
- Repo + CVE + infrastructure
- Ongoing oversight, not a one-off audit
- German point of contact
Direct point of contact
Timo Wevelsiep
Software engineer, cloud architect, founder & managing director
I review code, security and infrastructure and surface what is technically risky before launch, customer use or due diligence.
I have delivered production software, infrastructure and cloud systems for clients worldwide, including Europe, the UAE, Asia, Australia and the Americas: from automated multi-location platforms and cloud migrations to remote access systems for industrial plants.
For questions like:
- Is this release production-ready?
- Which CVEs are really critical?
- Are auth, data access and tenant isolation clean?
The demo runs, production is something else
To make an AI MVP production-ready is not just about keeping it running. A demo shows the ideal case, production shows everything else. Most teams underestimate this gap:
In the demo, the founder clicks through the happy path, with clean inputs, a single user and no load. Real users do the opposite: they send broken data, double-click, arrive at the same time, poke at endpoints and hit errors that never showed up in the demo.
AI tools optimise for exactly that demo. They quickly ship something that works, but rarely make the decisions that matter for real operation: what happens on an error, who is allowed to see which data, how you recover after an outage, and how you even notice that something broke.
Production-ready means the app holds up not only on the ideal day but also on the bad one. We make exactly this difference between demo and production visible before real users, with concrete findings instead of a green gut feeling.
Launch risk checklist
Before real users hit your app, we run through a fixed list and rank every finding by severity. These points decide production readiness:
- Auth: roles and permissions model, session handling, no open endpoints
- Database: tenant isolation, RLS and policies, no unprotected access
- APIs: validation, rate limiting, error handling on open interfaces
- Deployment: reproducible builds, separated environments, no hand deploys
- Monitoring: alerts and health checks so outages are not reported by users first
- Backups: regular backups and a tested recovery path
- Logging: traceable error trails without secrets or personal data in plain text
- CVEs: known vulnerabilities in the packages and dependencies you use
- Rollback: a defined way back to the last working version
- Secrets: no API keys or credentials in the frontend or the repository
What needs checking before real users
Not every finding is a showstopper, but some points belong before the first real user, not after. Before launch we look specifically at:
- Access protection: can a user see or change another tenant's data?
- Data loss: is there a backup, and can it actually be restored?
- Load and concurrency: does anything break when several users work in parallel?
- Error behaviour: does the app show clean messages or stack traces and raw data?
- Visibility: do you notice an outage yourself, or hear it from the customer?
- Cost and limits: do open AI or API endpoints run up the bill unchecked?
Production readiness is not a one-off question
Ticking off a checklist on launch day feels like the finish line, but it is only a snapshot. As soon as the app is live, the state shifts with every new feature: new endpoints, new dependencies, new attack surface, and every week new CVEs surface in packages that were clean on launch day.
AI-built code accelerates that movement further. Features ship in days instead of weeks, and every prompt shifts the architecture a little. Production readiness is therefore not a property you reach once, but a state you have to hold.
Veriploy treats production readiness as an ongoing operations question: I make the app production-ready before launch (Baseline) and then keep it under ongoing technical oversight. New dependencies and CVEs are watched, risky changes are flagged early, and before larger releases you get a human judgement instead of an automated score.
Launch plan: support beyond launch day
For the step from prototype to real product, Launch is the plan that fits. It covers the phase where the most happens before and after launch, with fixed monthly support instead of a one-off check.
| Baseline 790 € | Oversight 990 €/mo | Launch 3.900 €/mo | |
|---|---|---|---|
| Role | One-off assessment before launch | Ongoing baseline monitoring after launch | Close support around the launch |
| Launch checklist | Full run-through as a baseline | Regular repeat of the core points | Ongoing, plus a pre-release check before each release |
| CVEs and dependencies | Full baseline as a reference point | Ongoing monitoring with heads-ups | Ongoing monitoring with prioritised alerts |
| Support | One-off, with a recommendation for the right plan | Reports and heads-ups on a standard cadence | Async sparring and a direct channel with a short response time |
| Best for | Clean starting point before launch | Stable products with little movement | Active launch and growth phase |
How the production-readiness review works
- 01
Fit check
A short, free conversation about stack, tool and current state. This clarifies whether a Baseline or ongoing support fits the phase before launch.
- 02
Scope and access
We define the review scope and set up read-only access to the repository. For hosting, deployment and monitoring we look at the configuration together with the team.
- 03
Technical analysis
I review the path from demo to production: backups and a tested recovery, monitoring and alerts, logging without secrets in plain text, secret handling, scaling under load and ongoing operation. Known CVEs in dependencies are included.
- 04
Report and recommendations
Findings come prioritised with a risk rating and concrete recommendations, classified as fix now, fix before launch or plan for later.
- 05
Next step
From the baseline it follows whether an ongoing plan like Oversight, Guard or Launch makes sense, so production readiness is held after launch instead of becoming an open question again.
Many projects start with a Baseline review. If the product is then developed further with AI, I can support it continuously.
What I need for the review
- read-only access to the repository
- a short description of stack, tool and goal
- details on hosting and deployment
- database and auth context
- notes on sensitive data or user roles
- open questions or concrete concerns
What the review delivers
- an understandable risk rating
- top risks at a glance
- prioritised findings
- concrete recommendations
- classification: fix now, fix before launch, plan for later
- an optional recommendation for Oversight, Guard or Launch
What a finding looks like
Database backups run, but have never been restored and a restore is not documented. In an emergency it is unclear whether and how fast data can be recovered. Recommendation: test the restore before launch and document the recovery path.
Check once before launch or secure it continuously?
| Check on launch day | Veriploy ongoing | |
|---|---|---|
| Timing | Point-in-time snapshot at launch | Continuous, with every new change |
| CVEs and dependencies | State on launch day | Ongoing monitoring with alerts |
| New features after launch | Not covered | Risky changes are flagged early |
| Before the next release | Another check needed | Pre-release check included in the plan |
| Assessment | Checklist ticked off at launch | Human prioritisation, not just a score |
Frequently asked questions
What does production-ready actually mean in concrete terms?
To make an AI MVP production-ready means the app runs reliably not only in the demo but also under real users, load and failure cases. That includes access protection, a tested recovery, clean error behaviour, monitoring and a rollback path. We review exactly these points before real users and rank every finding by severity.
Is checking once before launch enough?
For the launch itself a Baseline is a sensible starting point. But as soon as the app is live, the state shifts with every feature and every new CVE. That is why we treat production readiness as an ongoing operations question: make it production-ready once, then keep it under ongoing technical oversight with Oversight, Guard or Launch.
Do you do the fixes yourselves?
Not within the plan. We review, prioritise and explain what to do before launch. Implementation runs separately through Wevelsiep Advisory or WZ-IT, or your own team. That keeps the review independent from the implementation.
Do you need repo and infrastructure access?
For the review, read access to the repository is usually enough, read-only by default. For infrastructure, deployment and monitoring we look at the configuration together with you. We do not need write access, because we do not commit the fixes ourselves.
Which plan fits an upcoming launch?
For the active launch phase, Launch at 3.900 € per month is the fit: ongoing oversight plus a pre-release check before each release and a direct channel with a short response time. Before that we recommend a Baseline at 790 € as an assessment. Stable products with little movement are well served by Oversight from 990 €.
What does it cost?
The entry point is fixed: Baseline 790 € as a one-off review. Ongoing oversight starts at 990 € per month (Oversight), then Guard at 1.950 €, Launch at 3.900 € and Scale on request. All prices net plus VAT. Ongoing packages start with a 3-month minimum term, then cancelable monthly, unless agreed otherwise.
- Launch-readiness review for AI-built products, go or no-go before you deploy
- Infrastructure audit for AI-built software, review your deployment, backups, monitoring and secrets
- Get your Claude Code project reviewed, architecture, security and infrastructure in view
- Get your AI app reviewed, with ongoing technical oversight instead of a one-off gut check
Do you recognize these risks in your own app?
The AI-app risk self-check assesses product status, stack, auth, data access, infrastructure, CVEs and your technical knowledge, and shows whether a review makes sense.
Check your launch fit before real users hit your app.
Start with a Baseline before launch, then ongoing oversight in the plan that fits.
Check repo fit
Briefly describe the project.
Direct contact with me, no anonymous ticket system. I get back to you with a first assessment and the right entry point.
Timo Wevelsiep
Software engineer, cloud architect, founder & managing director