Get your AI app reviewed, with ongoing technical oversight instead of a one-off gut check
AI ships apps in days, but is the result actually production ready? I review the repo, security, CVEs and infrastructure of your AI app and keep it under ongoing technical oversight afterwards, instead of stopping at a one-off report.
- Baseline from 790 €
- Fixed monthly plans
- Repo + CVE + infrastructure
- German point of contact
Direct point of contact
Timo Wevelsiep
Software engineer, cloud architect, founder & managing director
I review code, security and infrastructure and surface what is technically risky before launch, customer use or due diligence.
I have delivered production software, infrastructure and cloud systems for clients worldwide, including Europe, the UAE, Asia, Australia and the Americas: from automated multi-location platforms and cloud migrations to remote access systems for industrial plants.
For questions like:
- Is this release production-ready?
- Which CVEs are really critical?
- Are auth, data access and tenant isolation clean?
What I review
We look at the points that decide production readiness and rank every finding by severity. We review:
Repo and architecture: structure, dependencies, obvious weak spots
Security and access control: auth, roles, exposed secrets
CVEs and dependencies: known vulnerabilities in the packages you use
Database and RLS: tenant isolation, policies, access protection
Infrastructure, deployment, backups and monitoring
Production readiness: what is still missing before real users
Common risks in AI-built code
AI tools produce working code fast, but they rarely make the security and operations decisions that real production needs. These are the gaps we find most often:
- Critical
Authentication without a roles and permissions model
- Critical
Supabase RLS not enabled or incomplete
- Critical
Secrets and API keys in the frontend or in the repository
- High
Unchecked dependencies with known CVEs
- High
Missing or shallow tests
- High
Deployment without a backup and recovery plan
- Medium
No monitoring and no logging when things break
- Medium
Missing rate limiting on open endpoints
Which AI tools it works for
Whatever AI tool built the app, we review the repository, not the vendor.
Classic code reviews deliver a thorough one-off assessment with an action plan. That is a sensible starting point. I pick up right after: you get an AI-generated app reviewed once (Baseline) and then keep it under ongoing technical oversight with Oversight, Guard or Launch.
Stacks we see every day
- Lovable
- Cursor
- Claude Code
- Bolt
- Replit
- v0
- GitHub Copilot
One review is not enough: ongoing oversight
A one-off report describes yesterday's state. AI-built code drifts fast: every new feature adds new dependencies, new CVEs surface every week, and every prompt shifts the architecture a little. An action plan that is four weeks old no longer covers that movement.
Baseline or ongoing plan
- 01
Baseline 790 €
Deep initial baseline: repo, architecture, dependencies, config. Result: risk dashboard, CVE baseline, secrets check and a plan recommendation. A clean starting point before any plan.
- 02
Plan from 990 €/mo
Recurring reviews based on the baseline with recurring reports and fix prioritisation. Async sparring and a direct channel by plan. Best for products that keep evolving.
What a finding looks like
Supabase RLS for the invoices table is incomplete, users could see other tenants' invoices. Recommendation: enforce a policy per user_id.
One-off report or ongoing oversight?
Timing
- One-off report
- Point-in-time snapshot on a fixed date
- Veriploy ongoing
- Continuous, with every new change
CVEs and dependencies
- One-off report
- State on the review day
- Veriploy ongoing
- Ongoing monitoring with alerts
New features
- One-off report
- Not covered
- Veriploy ongoing
- Risky changes are flagged early
Before a release
- One-off report
- Another review needed
- Veriploy ongoing
- Human judgement included in the plan
Assessment
- One-off report
- Action plan at the end
- Veriploy ongoing
- Human prioritisation, not just a score
- 790 €Baseline, one-off
- from 990 €Plan per month
- read-onlyRepo access
How the AI app review works
- 01
01 Fit check
Free first contact: a short description of the AI app, the stack and the goal. I clarify whether a review fits the project and which type of review makes sense.
- 02
02 Scope and access
We define the scope and set up read-only access to the repository. Add context on hosting, database and auth, plus the open questions the review should answer.
- 03
03 Technical analysis
The focus is on the repository, not the tool: architecture and dependencies, auth and roles, secrets, database and RLS, known CVEs, plus deployment and operations. Every finding is ranked by severity.
- 04
04 Report and recommendations
Next comes a clear report with a risk dashboard, prioritised findings and concrete recommendations, cleanly split into fix now, fix before launch and plan for later.
- 05
05 Next step
On request, guidance on the right next step: a one-off Baseline as a reference point, or an ongoing plan if the app keeps being built with AI.
Many projects start with a Baseline review. If the product keeps being built with AI afterwards, I can support it on an ongoing basis.
What I need for the review
- read-only access to the repository
- a short description of stack, tool and goal
- details on hosting and deployment
- database and auth context
- notes on sensitive data or user roles
- open questions or concrete concerns
What the review delivers
- a clear risk dashboard
- top risks at a glance
- prioritised findings
- concrete recommendations
- guidance: fix now, fix before launch, plan for later
- an optional recommendation for Oversight, Guard or Launch
Frequently asked questions
Is this a penetration test?
No. Veriploy is an ongoing technical review of repo, security, CVEs and infrastructure, not a classic pentest. A pentest can complement it well when you want to simulate targeted attacks. We continuously check whether your code and infrastructure are production ready.
Do you also do the fixes?
Not within the plan. We review, prioritise and explain what needs to be done. Implementation runs separately through Wevelsiep Advisory or WZ-IT, or your own team. That keeps the review independent from the implementation.
Do you need repo access?
Yes, read-only by default. Read access to the repository is enough for the review. We do not need write access, because we do not commit the fixes ourselves.
Which tools do you cover?
We review the result, not the tool. Code from Lovable, Cursor, Claude Code, Bolt, Replit, v0 or GitHub Copilot can be reviewed just like hand-written code. What matters is the repository, not the generator.
What does it cost?
The entry point is fixed: Baseline 790 € as a one-off review. Ongoing oversight starts at 990 € per month (Oversight), then Guard at 1.950 € and Launch at 3.900 € per month. All prices net plus VAT. Ongoing packages start with a 3-month minimum term, then cancelable monthly, unless agreed otherwise.
How fast do I get results?
We deliver the Baseline within a few business days. On an ongoing plan you get regular reports and a prompt heads-up on critical CVEs.
- Get your Lovable app reviewed before Supabase, RLS or secrets become a risk
- Get your Bolt app reviewed before architecture and auth become a problem
- Get your Base44 app reviewed before data access, auth or integrations become a risk
- Vibe coding security audit, plus ongoing control as the code keeps growing
- Make your AI app production-ready, spot technical risks before real users
Do you recognize these risks in your own app?
The AI-app risk self-check assesses product status, stack, auth, data access, infrastructure, CVEs and your technical knowledge, and shows whether a review makes sense.
Get your AI app reviewed and keep it monitored afterwards.
Start with the Baseline, then ongoing oversight in the plan that fits.
Check repo fit
Briefly describe the project.
Direct contact with me, no anonymous ticket system. I get back to you with a first assessment and the right entry point.
Timo Wevelsiep
Software engineer, cloud architect, founder & managing director