Skip to content
Nash Software Services
NASHSOFTWARE SERVICES
AI Code Audit

Get an independent audit before your AI-assisted build goes live.
A senior engineer checks what's actually there.

Built with Cursor, Bolt, Lovable, v0, Codex, or another AI tool - it doesn't matter which. AI tools write fast. They don't have opinions about what they should have included, and they don't have the instinct that tells a senior engineer “this pattern fails in production.”

I go in, find what's actually there, and give you a plain-English report on what's ready, what isn't, and what to fix before you ship.

The Problem

AI builds look solid. They're not always.

The variable names make sense. The comments explain what each function does. There's even error handling. It has the shape of something a senior engineer wrote.

But shape and substance aren't the same thing. AI writes to the spec it's given - it doesn't flag the ten things that should have been in the spec, and it doesn't know what happens when an edge case hits production at 2am.

What I find in most AI-assisted builds:

  • Authentication that works in the happy path and breaks under specific conditions
  • Data validation that passes at the API layer and falls apart at the database
  • Session handling that would let a determined attacker enumerate users
  • Secrets in places they shouldn't be
  • Error handling that exposes stack traces to the client
  • Third-party integrations that haven't been tested under load

None of this is catastrophic on its own. All of it adds up to something that looks like a product but isn't ready to handle real users and real data.

What the Audit Covers

Everything that matters before go-live.

Authentication & Authorisation

JWT handling, session management, role-based access, endpoint protection, and everything that controls who can see or do what.

Data Handling & Integrity

How data moves through the system, where it's validated (and where it isn't), write conflicts, and what happens when something fails mid-transaction.

Security Surface

OWASP Top 10, secrets management, CORS configuration, injection vectors, dependency vulnerabilities, and exposure at the API boundary.

Architecture & Design Patterns

Whether the structure will hold under real load, where the single points of failure are, and whether the patterns used have a habit of going wrong in production.

Third-Party Integrations

Payment providers, authentication services, AI APIs, webhooks - what happens when they're slow, down, or return something unexpected.

Infrastructure & Deployment

Environment separation, secrets in config, logging and observability, and whether the production setup matches the security assumptions in the code.

Pricing

Three tiers. Fixed fee. No surprises.

All prices exclude VAT. 50% on engagement, 50% on report delivery. Audit and remediation are quoted separately - you get an honest report, not a sales pitch.

Clarity Audit

£3,500

Know exactly what's broken before you go live.

Best for: Smaller builds - MVPs, internal tools, early-stage products.

Scope

  • Up to 30,000 lines of code
  • 1–2 repos, up to 25 endpoints, up to 3 integrations
  • Security review: auth, OWASP Top 10, secrets, session handling
  • Architecture spot-check: data flow, key design patterns, structural risks
  • Dependency vulnerability scan

You get

  • 12–18 page written report, findings by severity
  • Fix recommendations with exact file and line references
  • 1 × 45-minute walkthrough call

Timeline: 5 business days

Fewer than 3 findings → 50% refund.

Book a scoping call
Most popular

Production Audit

£6,500

Production-ready sign-off, with a roadmap your team can execute.

Best for: Builds handling real users, payments, or sensitive data.

Scope

  • Up to 75,000 lines of code
  • Up to 2 repos, 50 endpoints, 5 integrations
  • Full OWASP, multi-tenancy, data isolation, third-party integrations
  • Architecture review: scalability, coupling, error handling, logging
  • Infrastructure and deployment config review
  • Data handling and GDPR surface review

You get

  • 20–25 page report: executive summary + full technical findings
  • Developer-ready fix specs - exact file, line, and change required
  • Phased remediation roadmap with effort estimates
  • 2 × live calls (scoping + findings walkthrough)
  • 30-day async Q&A support

Timeline: 7–8 business days

Book a scoping call

Regulated & Investor-Ready

£9,500

Senior technical sign-off for regulated industries and investor due diligence.

Best for: Complex builds, FinTech, HealthTech, LegalTech, or pre-investment.

Scope

  • No line-count ceiling, multi-repo, full integration surface
  • Everything in Production Audit, plus:
  • Compliance mapping: GDPR, FCA, CQC/HIPAA - whichever applies
  • AI model integration risk assessment
  • Infrastructure security: IAM, secrets management, environment separation
  • Production readiness scorecard: pass / amber / fail per category

You get

  • 25–35 page full technical report
  • 3–4 page executive summary written for investors and board
  • Developer-ready fix specifications
  • Compliance readiness checklist - shareable with legal advisors
  • Re-audit of critical findings after fixes applied (within 30 days, included)
  • 3 × live calls: scoping, mid-audit, final walkthrough
  • 30-day async support window

Timeline: 10–12 business days

Book a scoping call

Not sure which tier fits? Book a 30-minute call - I'll tell you exactly what your build needs, and whether it's worth the review at all.

Who Books This

Three situations where this gets called in.

01

You built with AI tools and you're about to go live.

Cursor, Bolt, Lovable, v0, Codex - whatever you used. You can see it works. You're not sure if it's solid. Before it handles real users and real data, you want someone with no stake in the outcome to have a look.

02

An agency or freelancer built it with AI assistance.

You've received the build. It passed a review. But you're not the one who'll be explaining things to customers if something goes wrong - and you want independent confirmation it's actually ready.

03

You're preparing for investment or a regulated launch.

Investors ask. Regulators ask. You need a written technical assessment from someone senior enough to be credible, and independent enough to be trusted.

Who Does This

A senior engineer who's seen how these things fail.

I'm Mike Nash. I've run architecture at ASX Top-50 and Fortune 500 scale — financial services, identity systems, government platforms - and I've built production AI agent systems from scratch. Not demos. Not prototypes. Actual infrastructure handling real work.

What I bring to an AI code audit is the accumulated pattern recognition of someone who's watched these specific failure modes play out in production. AI writes convincing code. The gaps aren't always in the code itself - they're in the decisions that weren't made, the edge cases that weren't considered, and the production assumptions that were never tested.

I find those. I tell you exactly what they are. And I leave you with a report you can act on.

Based in Mallorca and the UK · Working remotely with clients worldwide

Not sure if your build needs this?

Book a free 30-minute call. No pitch, no deck. Tell me what you built and what you're worried about - I'll tell you whether I'm the right person for it, and if so, which tier fits.

Most calls end one of two ways: you book the audit, or you leave with a clear enough picture to make a confident decision yourself. Either way, 30 minutes is worth it before you go live.