1 Week Sprint

AI Security Sprint

Find exploits with AI before the attackers do.

A 1-week security audit run by frontier AI. Branded report, configured AI tooling, and prioritized rollout plan.

1 week Typically $5,000

Fixed price, set once we scope it over email. A simpler build costs less, a more complex one more.

Most teams are doing neither of the two things that matter right now: configuring AI coding tools correctly for their codebase, or scanning their code the way attackers now can. Bad actors already have access to these same frontier models. I find the exploits first. This engagement closes both gaps in a single week.

I run a structured one-week audit using two frontier models (Claude Opus and OpenAI Codex) against the OWASP Top 10, OWASP LLM Top 10, secrets, dependencies, infrastructure, and business logic. You get a branded report your team can hand to clients, auditors, or the board. You also get Claude Code and Codex configured for your repo, so your team can keep finding and fixing issues after I leave. If the audit surfaces issues, the report is yours to keep no matter what you do next. First-round fixes are already opened as PRs, and anything larger comes back as a fixed-price remediation sprint scoped straight from the findings, so you see the number before you commit to it.

Security is not a new lens for me. I spent over a decade building HIPAA-grade clinical software, where a data leak is a reportable event. The AI tooling is new; the judgment behind every severity call is not.

How it breaks down

What happens

Intake & Setup

26-question scoping + tooling configured

Project context, tech stack, AI features, compliance posture, top concerns. Codebase running locally. Claude Code and Codex configured for your repo. Custom CLAUDE.md and AGENTS.md tuned to your conventions.

Scan

Automated scans + frontier-model manual review

Semgrep, gitleaks, Trivy, OSV-Scanner, npm/pip audit, plus manual review against OWASP Top 10, OWASP LLM Top 10, secrets, dependencies, infrastructure, and business logic.

Verify

Dual-model cross-verification

Every CRITICAL/HIGH finding reviewed by Codex as adversarial peer review. Drops false positives, validates severity, surfaces alternative remediation. This is the step that makes the report defensible.

Report & Handoff

Branded report + rollout plan + first-round PRs

Branded report (audit register, domain scorecards, finding cards). Prioritized rollout plan: immediate, short-term, pre-launch, ongoing. First-round fixes opened as PRs. A live handoff demo over Zoom for your team covering findings and the AI tooling setup, with follow-up Q&A over email.

Deliverables

What you walk away with

Audit register

Inspection-style checklist of every control reviewed during the engagement. Each control classified PASS, ISSUES, or FAIL. Scope and findings together in one view, so a buyer or auditor can see exactly what was checked and how it scored.

Domain scorecards

How each domain performed at a glance: Auth, Authorization, Crypto, API Security, Mobile, Infrastructure, AI/LLM. Skim-readable for executives in 10 seconds. The chart your CTO drops into a board update.

Finding cards

Per-issue detail: severity, OWASP/CWE references, code location, "Why this matters" in plain English, evidence, impact, and concrete remediation. Cross-verified by both frontier models so severity calls hold up.

Prioritized rollout plan

Immediate, short-term, pre-launch, and ongoing remediation buckets, with effort estimates and dependencies. Your team knows exactly what to ship next and what can wait.

Also included

  • First-round fixes opened as PRs you can review and merge
  • Claude Code and Codex configured for your repo
  • Custom CLAUDE.md and AGENTS.md so your team can keep using the tools
  • Team handoff documentation for ongoing AI-assisted security work
  • Live demo of findings and next steps over Zoom, with follow-up Q&A over email

Who it's for

This sprint is built for

Regulated codebases (HIPAA, SOC 2, PCI) that need a security baseline before adopting AI workflows

Teams rolling out Claude Code or Codex who want it configured properly from day one

Older applications that have never been reviewed by frontier AI

Founders preparing for a security questionnaire from an enterprise prospect

Sound like you? Email me what you're building and I'll come back with a written scope.

Email me about this sprint

Why this is fast

Agentic AI is the leverage

Two frontier models cross-verify every CRITICAL/HIGH finding in parallel. What used to take a 3-person review team weeks now takes one engineer plus agents in 5 days.

What I do vs. what agents do: I make every severity call, write the executive summary, and decide what gets patched in-sprint vs. handed to your team. Agents do the parallel scanning, dependency analysis, and first-pass remediation drafts.

AI stack used in this sprint

Claude Code Codex CLI Semgrep gitleaks Trivy OSV-Scanner

To get started quickly

What I need from you

  • Quick demo or walkthrough of the application (a recorded video works great)
  • Access to the source code repository
  • Any existing code documentation or wikis
  • Staging or testing environment (if available)
  • Sample or backup data to test against
  • Brief assist getting the project running locally
  • Kickoff email to align on priorities

After the sprint

Two paths from here

Hand it off

Your team gets the full report, configured AI tooling, and a prioritized backlog. They run with it independently. No retainer, no obligation.

Keep me on

If you want the findings fixed, I quote a fixed-price remediation sprint scoped straight from the audit and patch the priority items myself. Or I stay on monthly to keep hardening and scanning as the codebase evolves. Cancel anytime.

Ready to scope this sprint?

Email me what you are working on and I will come back with a written scope. No meetings required; a Zoom is there if you want one.

Get in Touch