Find and fix the vulnerabilities your codebase is shipping.
A senior AI lead runs the Claude Code security plugin across your repositories, triages every finding against your stack, and ships the fixes as merged pull requests. Two weeks. £3,500 fixed. No PDF report on a shelf.
Most breaches in 2025 came through a known, patchable vulnerability. The fix existed. The advisory existed. The engineer who would have seen it was on a sprint deadline.
Traditional pen-tests don’t close that gap. They run a scan, deliver a 40-page PDF, and leave. Your team gets the report on top of their backlog. The findings sit there. The next investor diligence call comes. The PDF gets forwarded.
An AI-led sprint changes the maths. A senior engineer runs the Claude Code security plugin across your repositories, triages every finding against your stack and risk profile, then ships the fixes as merged PRs — with regression tests and a written playbook your team owns after we leave.
OWASP Top 10
Injection, broken access control, cryptographic failures, SSRF and the rest. Triaged with stack context, not boilerplate severity scores.
Dependency CVEs
Every package, every transitive dependency, checked against current advisories. PRs raised against the highest-risk first.
Secrets In Code
API keys, tokens, credentials, environment leaks across the git history. Pre-commit hooks installed to stop the next one.
Auth & Session
JWT handling, session fixation, MFA gaps, password reset flows. Common in B2B SaaS and rarely caught by scanners.
Infrastructure as Code
Terraform, CloudFormation, Kubernetes manifests. Public buckets, over-permissive IAM, missing encryption, exposed metadata endpoints.
AI & LLM Risks
Prompt injection, jailbreaks, model exfiltration, RAG poisoning, agentic tool abuse. The new attack surface most security teams have not seen yet.
Scoping · Days 0–1
Confidential intake. We map your codebase, stack, risk profile, and which areas matter most. NDA signed before any access; short-lived deploy keys, feature branch only.
Scan & Triage · Days 2–5
Claude Code security plugin runs across the repo. Senior AI lead triages every finding against your context. False positives killed. Real findings ranked by exploitability.
Fix & Verify · Days 6–12
PRs raised against your repo with fixes, regression tests, and senior code review. Your engineers review and merge at their pace. Average sprint ships 12–25 critical fixes.
Playbook & Handover · Days 13–14
Written playbook for ongoing use. Pre-commit hooks, CI integration, team walkthrough. Your engineers own it after handover. No retainer required.
| What you get | Traditional pen-test | AI Security Sprint |
|---|---|---|
| Output | 40-page PDF report | ✓ Merged PRs, fixes, playbook |
| Timeline | 2–4 weeks to scan, weeks more to remediate | ✓ 14 days end-to-end including fixes |
| Code review | Findings only, no fixes | ✓ Senior-led fixes with regression tests |
| Cost | £8k–£25k for the scan | ✓ £3,500 fixed (scan + fix + playbook) |
| Stack-aware triage | Generic severity scores | ✓ Triaged against your code & risk |
| AI & LLM-specific risks | Usually not covered | ✓ Core part of the sprint |
| Re-test fee | Often £2k–£5k extra | ✓ Included in the fixed fee |
| Team enablement | Usually not | ✓ Playbook + walkthrough included |
Illustrative example. Customer details under NDA — available on request after scoping.
A 22-person UK SaaS company, fintech-adjacent, with Series A diligence 90 days out. Two existing security tools were running, neither producing actionable output. We ran the standard two-week sprint: Claude Code security plugin across the primary repositories, senior AI lead triaging every finding, fixes shipped as PRs with regression tests. By day 14: 47 findings triaged, 19 critical and high severity merged into main, dependency upgrades planned for the rest, pre-commit hooks live in CI.
Triaged Vulnerability Report
Every finding ranked against your stack and exploitability — not a generic CVSS table. Proof-of-concept included where relevant.
Shipped Fixes
Pull requests merged into your repository with regression tests and senior code review. Average sprint ships 12–25 critical fixes.
Security Playbook
Written guide for ongoing use of the Claude Code security plugin. Pre-commit hooks, CI integration, on-call runbook, escalation paths.
Team Walkthrough
Two-hour session walking your engineers through every finding, every fix, and how to keep the bar high without us.
What does the sprint cost?
£3,500 fixed. Includes the scan, the triage, the merged PRs, the playbook, and the team walkthrough. No retainer. No re-test fee. No per-finding upcharge. If the scoping call shows there isn’t a real sprint to run, we’ll say so on the call — you pay nothing.
How is this different from a penetration test?
A pen-test ends with a PDF of findings. The sprint ends with merged fixes in your repository. We use the Claude Code security plugin to scan, then a senior AI engineer writes and reviews the actual code changes. You get working code, not paperwork.
Our codebase isn’t perfect. Are you going to make us feel stupid?
No. Every codebase has problems — including ours. The job isn’t to score you, it’s to fix the highest-risk stuff before someone else finds it. The report focuses on what was fixed and what’s queued, not on what shouldn’t have been there in the first place. We have never met a startup codebase we couldn’t work with.
Will our engineers feel like they’re being graded?
Not how we set it up. The senior lead works alongside your team, not over them. PRs come in with context and reasoning, not just “this is wrong.” The walkthrough at the end is collaborative — your engineers learn the tooling so they can run it themselves next quarter. The goal is to make your team more capable, not more anxious.
What if you find more than we can fix in two weeks?
Everything critical and high-severity gets fixed inside the sprint. The rest goes into a written backlog with severity, remediation guidance, and effort estimate. Your team owns the priority order. You don’t leave the sprint with a panicked todo list.
Do you cover AI and LLM-specific risks?
Yes — prompt injection, jailbreaks, RAG data poisoning, model exfiltration, agentic tool abuse. Most pen-test firms don’t yet, and it’s the fastest-growing attack surface in 2026. If you’re shipping AI features this year, this is probably the biggest gap in your security posture right now.
Will you try to sell us something at the end?
No. The sprint is the engagement. When it’s done, you own the playbook, the hooks, the CI integration, and the knowledge to run it yourself. Some clients re-engage us annually for a fresh sprint. Some never need us back. Both outcomes are fine.
What happens after the sprint?
Your team owns it. The playbook is yours. The pre-commit hooks are yours. The CI integration is yours. You don’t need us back unless you want us. If you bring us back annually it’s because the codebase has grown — not because we made ourselves indispensable.