Pre-launch security for solo app devs.
Indie devs shipping to the App Store and Play Store usually skip security review entirely — it’s too expensive, too slow, and the tooling assumes an AppSec engineer on staff. We built a lighter tier of our security engine that closes that gap. One command. Under a dollar a run. Free OSS scanners under the hood. Claude on top.
The gap nobody fills
Enterprise security platforms cost five figures a year and assume a dedicated AppSec team to interpret findings. Bug-bounty programs cost more (and the bounties go to hackers, not to you). Pentest engagements run $10k–$50k. None of that works for a solo dev about to push their first build to TestFlight.
What that solo dev actually needs is closer to a code review with security goggles on: catch the obvious secret-in-commit-history, catch the over-privileged Android manifest, catch the dependency with a known CVE. The free open-source tools that do this (semgrep, gitleaks, grype, nuclei, ZAP, MobSF) are excellent but each one produces a wall of JSON and no two speak the same finding format. You spend an afternoon configuring them, then a second afternoon making sense of the output.
Our Solo Dev tier is the glue layer. You install the OSS scanners once, run one command pointed at your repo or your live site, and a single readable markdown + PDF report drops out the other end.
Under the hood
The technical shape is straightforward. Free OSS scanners do detection. Claude does triage and translation.
- Detection layer: semgrep on source, gitleaks on commit history, grype + osv-scanner on dependencies, nuclei + ZAP baseline on live URLs, checkov on infra-as-code, MobSF on iOS/Android binaries. All OSS, all free.
- Triage layer: Claude Sonnet 4.6 reads every raw finding and decides confirmed / false-positive / needs-review. The OSS tools are noisy; the triage layer cuts the noise so you only see the things worth your time.
- Translation layer: Claude Haiku 4.5 writes a one-sentence explanation of what each finding actually means in plain English, plus the specific fix. No CWE jargon, no "consult OWASP M9". Just “here’s the file, here’s the line, here’s what to change.”
- Output: one markdown file, one PDF, both with an App Store / Play Store readiness checklist auto-rolled-up from the findings. Submit-ready.
The bill: about $0.50 in Claude API calls per scan. We cap each run at $1.00 by default. Compare to a single hour of consultant time.
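The glue layer described above is mostly format normalization: every scanner emits its own JSON, and nothing downstream (triage, the checklist, the PDF) can work until the findings share one schema. The following is an added example, not the product's own code, showing that normalization step for two of the listed tools. It parses a constructed sample shaped like semgrep's `--json` output and a constructed sample shaped like gitleaks' JSON report (the field names are assumptions about those formats), maps both into one `Finding` record with a common severity scale, redacts the secret fragment before it reaches any report or LLM prompt, removes duplicate hits, and renders the markdown skeleton the triage layer would annotate. Rule IDs, paths, the commit hash and the credential are all made up.

```python
"""Normalize semgrep and gitleaks JSON into one finding schema (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass

SEVERITY_ORDER = ("high", "medium", "low", "info")


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    path: str
    line: int
    severity: str                 # one of SEVERITY_ORDER
    message: str
    status: str = "needs-review"  # a later triage step sets confirmed / false-positive


# Constructed sample shaped like `semgrep --json` (assumed keys: results[].check_id,
# path, start.line, extra.message, extra.severity). The rule IDs are invented.
SEMGREP_SAMPLE = json.dumps({"results": [
    {"check_id": "example.tls.verify-disabled", "path": "app/sync.py",
     "start": {"line": 42},
     "extra": {"message": "HTTP call made with TLS verification disabled",
               "severity": "ERROR"}},
    {"check_id": "example.tls.verify-disabled", "path": "app/sync.py",
     "start": {"line": 42},  # same hit reported twice (e.g. two rulesets), to show dedupe
     "extra": {"message": "HTTP call made with TLS verification disabled",
               "severity": "ERROR"}},
    {"check_id": "example.android.debuggable", "path": "android/AndroidManifest.xml",
     "start": {"line": 7},
     "extra": {"message": "android:debuggable=\"true\" in a release manifest",
               "severity": "WARNING"}},
]})

# Constructed sample shaped like a gitleaks JSON report (assumed keys: RuleID,
# Description, File, StartLine, Commit, Secret). Commit hash and secret are fake.
GITLEAKS_SAMPLE = json.dumps([
    {"RuleID": "example-mongodb-uri", "Description": "MongoDB connection string",
     "File": "config/db.js", "StartLine": 3, "Commit": "0000000CONSTRUCTED",
     "Secret": "mongodb://appuser:NotARealPassw0rd@db.example.invalid:27017/prod"},
])

_SEMGREP_SEVERITY = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}


def redact(secret: str) -> str:
    """Keep a 4-char prefix (enough to grep for) only when the secret is long; mask the rest."""
    keep = 4 if len(secret) > 12 else 0
    return secret[:keep] + "*" * (len(secret) - keep)


def parse_semgrep(text: str) -> list[Finding]:
    out = []
    for r in json.loads(text).get("results", []):
        extra = r.get("extra", {})
        out.append(Finding(
            tool="semgrep", rule=r["check_id"], path=r["path"],
            line=int(r["start"]["line"]),
            severity=_SEMGREP_SEVERITY.get(str(extra.get("severity", "")).upper(), "info"),
            message=str(extra.get("message", "")).strip(),
        ))
    return out


def parse_gitleaks(text: str) -> list[Finding]:
    out = []
    for r in json.loads(text):
        out.append(Finding(
            tool="gitleaks", rule=r["RuleID"], path=r["File"],
            line=int(r["StartLine"]), severity="high",  # any leaked credential is high
            message=f"{r.get('Description', 'Secret')} in commit "
                    f"{str(r.get('Commit', '?'))[:7]}: {redact(str(r.get('Secret', '')))}",
        ))
    return out


def dedupe(findings: list[Finding]) -> list[Finding]:
    """Collapse repeated hits on the same rule/path/line before anyone reads them."""
    seen, out = set(), []
    for f in findings:
        key = (f.path, f.line, f.rule)
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def load_all(semgrep_text: str, gitleaks_text: str) -> list[Finding]:
    findings = dedupe(parse_semgrep(semgrep_text) + parse_gitleaks(gitleaks_text))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER.index(f.severity), f.path, f.line))


def render_markdown(findings: list[Finding]) -> str:
    """Severity-grouped markdown; the secret never appears here because it was redacted at parse time."""
    lines = ["# Pre-launch scan", ""]
    for sev in SEVERITY_ORDER:
        group = [f for f in findings if f.severity == sev]
        if not group:
            continue
        lines.append(f"## {sev.upper()} ({len(group)})")
        for f in group:
            lines.append(f"- `{f.path}:{f.line}` [{f.tool}/{f.rule}] {f.message} (status: {f.status})")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown(load_all(SEMGREP_SAMPLE, GITLEAKS_SAMPLE)))
```

Redacting in the parser, rather than in the renderer, is the deliberate choice here: once a finding object exists, the raw credential is gone, so neither the markdown, the PDF nor a triage prompt can leak it by accident.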
What it actually catches
We ran the first real engagement on ProudMe, a Flutter + Node + MongoDB health app for kids, built by the Pedagogical Kinesiology Lab at LSU. The numbers below are real; nothing is redacted except specific credential fragments.
The patterns we see most often on a first scan of a real codebase:
- An old database connection string in commit history that nobody scrubbed. Easy fix, embarrassing to discover post-launch.
- A transitive dependency with a known CVE that landed three lockfile-bumps ago.
- An Android manifest requesting more permissions than the app actually uses, usually because an SDK pulls in extra ones by default.
- An `http.get` call without explicit TLS verification, copy-pasted from an old tutorial.
- A web endpoint missing security headers Apple’s reviewers actually check (HSTS, Content-Security-Policy).
None of these are sophisticated. They’re also the exact issues that get apps pulled from the store after a security researcher writes a Twitter thread.
Run it on your app
The Solo Dev tier doesn’t self-serve yet — for now it’s a managed engagement. We run the scan against your repo, triage with you, hand you the report, and you keep it forever. Re-scans are at cost.
If you’re weeks from a launch and don’t have a security review on the calendar, book a 15-minute scoping call below. We’ll tell you in five whether your codebase is a good fit, and we’ll usually have the report back to you the same week.