Security audit · Next.js / Supabase
The vertical risks — authorization, RLS, tenant isolation — closed by design and implementation
The free OSS Aegis takes you as far as detection. Actually closing authorization, RLS, and tenant-isolation risks, in both design and implementation, is what I take on as a security audit.
It does not make anything “completely safe.” It systematically closes known high-severity risks and leaves regression-proofing behind (tests, CI gates). Whatever risk remains, I state plainly.
Pricing
Prices are honest “from” anchors. The exact quote depends on your app’s size and requirements — we scope it on a free intro call.
Spot review
From $680
scoped per project
Get an accurate picture of how exposed you are right now. Automated scanning plus manual review, delivered as a prioritized findings report (no fix implementation).
- Aegis scan (SAST: taint/dataflow) + Supabase RLS verification + DAST correlation
- Manual review of authorization/IDOR, RLS, and tenant isolation (the vertical risks automation can’t see)
- A findings report with severity & reproducibility (source→sink traces / the relevant SQL)
- A prioritized remediation plan you can act on immediately
- Turnaround: ~1 week
- Best for: knowing your exact exposure before a release
Recommended
Standard audit
From $1,900
scoped per project
A full audit that goes into the design. Reviews the authorization model, RLS policies, service_role paths, and tenant boundaries, and delivers a concrete remediation design.
- Everything in the spot review
- Design review of the authorization model, RLS policies, service_role paths, and tenant boundaries
- Manual verification of IDOR/BOLA, cross-tenant access, and business-logic abuse
- A threat model and an implementable remediation design
- A live readout (Q&A + priority alignment)
- Turnaround: ~2–3 weeks
- Best for: shipping and operating a B2B, multi-tenant SaaS safely
Embedded fix
From $4,800
scoped per project
Don’t stop at detection — close the vertical risks together, from design through implementation and tests. Solo × AI (Claude Code), fast and safe.
- Everything in the standard audit
- Implementation of the fixes (RLS redesign, ownership checks, tenant isolation, input boundaries)
- Regression-proofing tests and CI gates (Aegis CI · SARIF, permanently in GitHub)
- A re-audit that confirms the fixes hold (proving it’s actually fixed)
- Turnaround: scoped (a few weeks or more)
- Best for: reaching "actually fixed, and it won't regress," not just detected
OSS detects, the audit fixes
How far the free Aegis takes you, and what the audit closes, with the roles split honestly.
Authorization / IDOR · BOLA
- OSS (free) detects: statically flags tainted input that reaches a data access with no ownership scope
- The audit closes: redesigns the authorization model and implements the ownership checks that actually close it
Supabase RLS
- OSS (free) detects: RLS-off tables, missing WITH CHECK, USING(true), and service_role paths, read from migrations
- The audit closes: designs and implements correct RLS policies and verifies there is no cross-boundary access
Tenant isolation
- OSS (free) detects: correlates non-admin (non-service_role) access to weak-RLS tables and reports it as a confirmed exposure
- The audit closes: redesigns the tenant boundary and proves isolation holds
Business-logic flaws
- OSS (free) detects: out of scope (a library can't judge quantity, price, or state-transition abuse)
- The audit closes: surfaces abuse paths through human review that understands the domain
Horizontal controls (headers/CSP · rate limiting · CSRF · typed env)
- OSS (free) detects: drops them in via one middleware file and detects drift in CI
- The audit closes: verifies they're in place and closes gaps and misconfigurations (the audit behind the automation)
Surfacing your current state with the free OSS first, then talking, is the most cost-effective way in.
FAQ
Frequently asked questions
The OSS Aegis is free — why would I need an audit?
Aegis (OSS) automates the horizontal controls a library can correctly own (headers/CSP, rate limiting, CSRF, typed env, input validation) and only detects and warns on the vertical risks it can't fix (authorization/IDOR, Supabase RLS design, tenant isolation, business logic). Actually closing those vertical risks takes design judgment and implementation; that is the audit. Detection (free OSS) and fixing (audit) are different jobs.
What exactly does the audit look at?
The authorization model and IDOR/BOLA; Supabase RLS policies (RLS-off, missing WITH CHECK, USING(true), over-broad anon grants, SECURITY DEFINER functions without a pinned search_path); service_role key paths and ownership checks; cross-tenant access; input boundaries (SQLi, SSRF, XSS, open redirect, etc.); and business-logic abuse of quantity, price, and state transitions. Aegis's static analysis, RLS verification, and dynamic checks are the base; human review confirms the real risk.
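The RLS patterns named above, shown beside a corrected migration, as an added example that is not code from this page or from Aegis. The `documents` and `memberships` tables, the `is_tenant_member` helper, and the policy names are constructed for illustration; `auth.uid()`, the `anon`/`authenticated` roles, and the `request.jwt.claims` setting are Supabase's own.

```sql
-- Constructed schema (assumption, not from the page): a multi-tenant
-- "documents" table and a "memberships" table linking users to tenants.
create table public.memberships (
  user_id   uuid not null references auth.users (id),
  tenant_id uuid not null,
  primary key (user_id, tenant_id)
);

create table public.documents (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  owner_id  uuid not null references auth.users (id),
  body      text
);

-------------------------------------------------------------------------
-- WEAK: the patterns the scanner flags, kept as comments for contrast.
-------------------------------------------------------------------------
-- (1) RLS never enabled: every authenticated client sees every row.
-- (2) USING (true): a policy exists but grants everything.
--   create policy docs_read on public.documents for select using (true);
-- (3) No WITH CHECK: reads are scoped, but INSERT/UPDATE can write a row
--     into another tenant or assign it to another owner.
--   create policy docs_write on public.documents for all
--     using (owner_id = auth.uid());
-- (4) Over-broad anon grant.
--   grant all on public.documents to anon;
-- (5) SECURITY DEFINER with no pinned search_path: objects the function
--     references by bare name can be shadowed by a schema earlier on the
--     caller's search path.
--   create function public.doc_count() returns bigint
--     language sql security definer as $$ select count(*) from documents $$;

-------------------------------------------------------------------------
-- CORRECTED
-------------------------------------------------------------------------
alter table public.memberships enable row level security;
alter table public.documents   enable row level security;
-- FORCE applies the policies to the table owner too. Roles with BYPASSRLS
-- (how service_role skips RLS) are unaffected, which is why service_role
-- paths in app code need their own review.
alter table public.documents force row level security;

-- Membership helper: SECURITY DEFINER so it can read memberships regardless
-- of the caller's policies, with search_path pinned so nothing is shadowed.
create or replace function public.is_tenant_member(t uuid)
returns boolean
language sql
stable
security definer
set search_path = public, pg_temp
as $$
  select exists (
    select 1 from public.memberships m
    where m.tenant_id = t and m.user_id = auth.uid()
  );
$$;
revoke all on function public.is_tenant_member(uuid) from public;
grant execute on function public.is_tenant_member(uuid) to authenticated;

-- Reads: members of the row's tenant only.
create policy docs_select on public.documents
  for select to authenticated
  using (public.is_tenant_member(tenant_id));

-- Writes: caller must own the row AND the row must land in a tenant the
-- caller belongs to. WITH CHECK is what stops a write from crossing the
-- tenant boundary; USING alone only governs which existing rows are visible.
create policy docs_insert on public.documents
  for insert to authenticated
  with check (owner_id = auth.uid() and public.is_tenant_member(tenant_id));

create policy docs_update on public.documents
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid() and public.is_tenant_member(tenant_id));

create policy docs_delete on public.documents
  for delete to authenticated
  using (owner_id = auth.uid());

-- Memberships are readable only for oneself; never written from the client.
create policy memberships_select on public.memberships
  for select to authenticated
  using (user_id = auth.uid());

-- No anonymous access to either table.
revoke all on table public.documents, public.memberships from anon;

-- Verification from the SQL editor: impersonate an authenticated user
-- (auth.uid() reads the "sub" claim from request.jwt.claims) and confirm
-- that rows from other tenants are invisible.
-- set role authenticated;
-- select set_config('request.jwt.claims',
--   '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
-- select count(*) from public.documents;   -- only the user's tenants' rows
-- reset role;
```

Run the corrected block as a migration and keep the impersonation check as a regression test in CI: it fails the moment someone re-adds a `USING (true)` policy or drops `WITH CHECK`.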
How much does it cost?
Spot review from $680, standard audit from $1,900, embedded fix from $4,800 — all “from” anchors, scoped per project. The exact quote depends on your app’s size, table count, and requirements; we scope it on a free intro call.
Can you work on stacks other than Next.js / Supabase?
The ideas — authorization, input validation, defense in depth — are general and apply to many stacks. The deepest, fastest, safest work is on Next.js (App Router) × Supabase. For other setups, let’s scope it on a free intro call.
Is production data and confidentiality handled safely?
NDAs are fine. Dynamic checks (DAST) run only non-destructive probes against staging or production you own: localhost by default, locked to the agreed scope, and limited by a request budget. By default I do not receive secrets, and any access that is required is kept to the minimum.
After an audit, is my app “completely safe”?
No — don’t trust anyone who promises that. An audit systematically closes known high-severity risks and leaves regression-proofing behind (tests, CI gates). But security is continuous, not one-and-done; there is no “complete” or “absolute.” I close what can be closed, honestly, and state the residual risk.
Start with a free 30-min call
Tell me your app’s size and what’s worrying you, and I’ll propose the right plan and a quote. No hard sell.