WithDoneBetter logoWithDoneBetterBack to main site
Coverage

Real pentest-style checks for the issues AI scans usually miss.

We combine automated coverage with human pentesters so you get practical findings on auth, data exposure, OWASP risks, business logic, and platform-specific mistakes before users find them.

Run my first auditSee pricing
Coverage illustration
What we look for first

The hidden paths that can leak data, break auth, or let the wrong user do the wrong thing in production.

What you get back

A short summary of what is wrong, why it matters, how to fix it, and ready prompts when they help your team move faster.

What this avoids

Support tickets, exposed data, confused customers, and the late surprise that the app was not as locked down as it looked.

OWASP

Core review mapped to the OWASP Top 10.

We use the OWASP Top 10 as a base lens, then push further into product-specific logic, platform misconfigurations, and generated code mistakes that standard lists do not fully cover.

A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server-Side Request Forgery (SSRF)
What pentesters do

These are the kinds of tests that go into the scan.

The goal is not a noisy list of automated results. The goal is to simulate the paths a real pentester would inspect before launch.

Authenticated testing

We test what a normal user, a wrong user, and a stale session can still do after login.

Unauthenticated attack paths

We probe public endpoints, reset flows, invites, upload paths, previews, and open actions that should fail from the outside.

Business-logic abuse

We try the path that works in demos but breaks under real misuse: wrong tenant, wrong role, broken billing state, repeated action, or stale context.

Configuration and secret review

We look for exposed keys, unsafe defaults, weak environment separation, and deployment shortcuts that quietly lower security.

AI-assisted feature review

We test prompt-driven actions, tool access, generated code assumptions, and whether the assistant can reach something a user should not control.

Retest and fix guidance

The output is not only a finding list. We show what is wrong, how to fix it, and retest the critical issue after the patch when scope includes it.

Platform examples

Examples of platform-specific checks we run.

These are examples, not the full list. The last block covers the wider set of stacks and combinations we regularly review.

Supabase

Checks focused on the places Supabase apps usually leak risk under launch pressure.

  • RLS gaps and tenant-isolation mistakes
  • Storage bucket exposure and public file paths
  • Anon key misuse, service-role leakage, and unsafe client assumptions
  • Auth flow edge cases like magic links, invites, and stale sessions

Loveable and AI app builders

Checks for generated app flows that look finished but still ship risky assumptions.

  • Generated auth and role logic that trusts the frontend
  • Broken server-side validation behind clean UI flows
  • Insecure defaults copied into routes, actions, and policies
  • Missing guardrails around generated integrations and admin paths

Next.js

Checks around the common places a fast Next app silently leaves attack surface open.

  • Route handlers, server actions, and API validation gaps
  • Preview paths, middleware logic, and cache leakage
  • Session handling across auth boundaries and role changes
  • Client bundle exposure of secrets, tokens, or internal config

Stripe

Checks around payment state, customer boundaries, and webhook trust.

  • Webhook verification and replay risk
  • Broken customer-to-account boundaries
  • Plan, billing, or upgrade paths that can be abused
  • Unsafe assumptions around success states and retries

Firebase

Checks for auth, rules, and client trust mistakes that often hide in Firebase-based apps.

  • Firestore or storage rule mistakes
  • Auth flow abuse and stale client state
  • Over-trusting client role or claim logic
  • Public data paths that were meant to stay internal

Vercel and deployment config

Checks for production config drift, exposed environment values, and preview mistakes.

  • Preview deployments exposing unfinished or unsafe paths
  • Environment-variable exposure through client code or logs
  • Deployment defaults that weaken auth or data separation
  • Operational blind spots that make incidents harder to notice early

Auth and AI-assisted actions

Checks where prompt-driven or agent-assisted features expand risk unexpectedly.

  • Prompt injection paths that reach tools or data they should not
  • Weak boundaries around agent actions and internal endpoints
  • Role and permission mismatches once AI features call real actions
  • Unsafe generated code assumptions in the final trust boundary

+10 more common stacks

Examples above are the usual launch paths. We also test common combinations around Railway, Cloudflare, Bolt, auth providers, storage, queues, and custom API setups.

  • Infrastructure and edge config review
  • Third-party service trust boundaries
  • Generated code and integration assumptions
  • Custom app logic that sits between the tools

Check the app before a real user becomes your first pentester.

Scope a reviewRun my first audit