1 Week Sprint
AI Security Sprint
Find exploits with AI before the attackers do.
A 1-week security audit run by frontier AI. Branded report, configured AI tooling, and prioritized rollout plan.
Fixed price, set once we scope it over email. A simpler build costs less, a more complex one more.
Most teams are doing neither of the two things that matter right now: configuring AI coding tools correctly for their codebase, or scanning their code the way attackers now can. Bad actors already have access to these same frontier models. I find the exploits first. This engagement closes both gaps in a single week.
I run a structured one-week audit using two frontier models (Claude Opus and OpenAI Codex) against the OWASP Top 10, OWASP LLM Top 10, secrets, dependencies, infrastructure, and business logic. You get a branded report your team can hand to clients, auditors, or the board. You also get Claude Code and Codex configured for your repo, so your team can keep finding and fixing issues after I leave. If the audit surfaces issues, the report is yours to keep no matter what you do next. First-round fixes are already opened as PRs, and anything larger comes back as a fixed-price remediation sprint scoped straight from the findings, so you see the number before you commit to it.
Security is not a new lens for me. I spent over a decade building HIPAA-grade clinical software, where a data leak is a reportable event. The AI tooling is new; the judgment behind every severity call is not.
How it breaks down
What happens
26-question scoping + tooling configured
Project context, tech stack, AI features, compliance posture, top concerns. Codebase running locally. Claude Code and Codex configured for your repo. Custom CLAUDE.md and AGENTS.md tuned to your conventions.
Automated scans + frontier-model manual review
Semgrep, gitleaks, Trivy, OSV-Scanner, npm/pip audit, plus manual review against OWASP Top 10, OWASP LLM Top 10, secrets, dependencies, infrastructure, and business logic.
Dual-model cross-verification
Every CRITICAL/HIGH finding reviewed by Codex as adversarial peer review. Drops false positives, validates severity, surfaces alternative remediation. This is the step that makes the report defensible.
Branded report + rollout plan + first-round PRs
Branded report (audit register, domain scorecards, finding cards). Prioritized rollout plan: immediate, short-term, pre-launch, ongoing. First-round fixes opened as PRs. A live handoff demo over Zoom for your team covering findings and the AI tooling setup, with follow-up Q&A over email.
Deliverables
What you walk away with
Audit register
Inspection-style checklist of every control reviewed during the engagement. Each control classified PASS, ISSUES, or FAIL. Scope and findings together in one view, so a buyer or auditor can see exactly what was checked and how it scored.
Domain scorecards
How each domain performed at a glance: Auth, Authorization, Crypto, API Security, Mobile, Infrastructure, AI/LLM. Skim-readable for executives in 10 seconds. The chart your CTO drops into a board update.
Finding cards
Per-issue detail: severity, OWASP/CWE references, code location, "Why this matters" in plain English, evidence, impact, and concrete remediation. Cross-verified by both frontier models so severity calls hold up.
Prioritized rollout plan
Immediate, short-term, pre-launch, and ongoing remediation buckets, with effort estimates and dependencies. Your team knows exactly what to ship next and what can wait.
Also included
- First-round fixes opened as PRs you can review and merge
- Claude Code and Codex configured for your repo
- Custom CLAUDE.md and AGENTS.md so your team can keep using the tools
- Team handoff documentation for ongoing AI-assisted security work
- Live demo of findings and next steps over Zoom, with follow-up Q&A over email
Who it's for
This sprint is built for
Regulated codebases (HIPAA, SOC 2, PCI) that need a security baseline before adopting AI workflows
Teams rolling out Claude Code or Codex who want it configured properly from day one
Older applications that have never been reviewed by frontier AI
Founders preparing for a security questionnaire from an enterprise prospect
Sound like you? Email me what you're building and I'll come back with a written scope.
Email me about this sprintWhy this is fast
Agentic AI is the leverage
Two frontier models cross-verify every CRITICAL/HIGH finding in parallel. What used to take a 3-person review team weeks now takes one engineer plus agents in 5 days.
What I do vs. what agents do: I make every severity call, write the executive summary, and decide what gets patched in-sprint vs. handed to your team. Agents do the parallel scanning, dependency analysis, and first-pass remediation drafts.
AI stack used in this sprint
To get started quickly
What I need from you
- Quick demo or walkthrough of the application (a recorded video works great)
- Access to the source code repository
- Any existing code documentation or wikis
- Staging or testing environment (if available)
- Sample or backup data to test against
- Brief assist getting the project running locally
- Kickoff email to align on priorities
After the sprint
Two paths from here
Hand it off
Your team gets the full report, configured AI tooling, and a prioritized backlog. They run with it independently. No retainer, no obligation.
Keep me on
If you want the findings fixed, I quote a fixed-price remediation sprint scoped straight from the audit and patch the priority items myself. Or I stay on monthly to keep hardening and scanning as the codebase evolves. Cancel anytime.
Pairs well with
Where this goes next
Ready to scope this sprint?
Email me what you are working on and I will come back with a written scope. No meetings required; a Zoom is there if you want one.
Get in Touch