Security Rescue for an AI-Built SaaS Before Investor Demo
Outcome
7 critical vulnerabilities remediated in 5 days — including full database exposure via missing access controls.
Context
A non-technical solo founder had built a functional SaaS MVP using AI coding tools in under three weeks. With an investor demo 10 days away, they needed a professional security review before going live with real user data.
Problem
Initial reconnaissance revealed that database access controls were disabled on most tables — a single unauthenticated API request returned the full user table. Two third-party API keys were exposed in the client-side code, and source maps were served in production, exposing the entire original codebase.
What we built
A prioritized remediation plan covering database access policy implementation, migration of sensitive API keys to server-side functions, source map removal, security header hardening, and authentication flow fixes to enforce server-side validation.
Our approach
Started with a structured 30-minute reconnaissance — platform fingerprinting, JavaScript bundle analysis, and full API surface enumeration. Applied a lightweight threat model to map attack surfaces. Remediation executed in severity order over 5 working days, each fix verified before moving to the next.
Outcome
All 7 critical and high-severity findings remediated before the investor demo. Access control policies enforced across 100% of database tables. API keys rotated and moved server-side.
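The access-control remediation above, as an added illustration that is not the client's schema or code: PostgreSQL row-level security with a single owner-only policy, beside the weak state the reconnaissance found, plus the audit query that backs a "100% of tables" claim. The table name "profiles", its "user_id" column and the "app.user_id" session setting are assumptions.

```sql
-- Weak state, as found during reconnaissance: RLS disabled, so any
-- database role with a SELECT grant (here, the API's role) reads every row.
ALTER TABLE profiles DISABLE ROW LEVEL SECURITY;

-- Corrected state: enable RLS and force it so even the table owner is
-- subject to policies. With RLS on and no policy, PostgreSQL denies all
-- rows by default, so a forgotten policy fails closed rather than open.
ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
ALTER TABLE profiles FORCE ROW LEVEL SECURITY;

-- Assumed contract with the API layer: after validating the caller's
-- identity server-side, it sets app.user_id for the connection, e.g.
--   SET LOCAL app.user_id = '<validated uuid>';
-- The second argument (missing_ok = true) makes an unset value read as
-- NULL, which matches no row, so an unauthenticated request sees nothing.
CREATE POLICY profiles_owner_select ON profiles
    FOR SELECT
    USING (user_id = current_setting('app.user_id', true)::uuid);

CREATE POLICY profiles_owner_update ON profiles
    FOR UPDATE
    USING (user_id = current_setting('app.user_id', true)::uuid)
    WITH CHECK (user_id = current_setting('app.user_id', true)::uuid);

-- Audit: every application table that still has RLS disabled.
-- pg_tables.rowsecurity is a standard catalog column; an empty result
-- is the verification step for the outcome stated above.
SELECT schemaname, tablename
FROM pg_tables
WHERE schemaname = 'public'
  AND NOT rowsecurity
ORDER BY tablename;
```

Repeat the ENABLE/FORCE statements and a matching policy for each table the audit query lists; a table with RLS enabled but no policy is unreadable through the API, which is the intended failure mode until its policy is written.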
Want results like these?
Request a strategy call and we'll show you how.
No pressure - if we're not a fit, we'll tell you quickly.