Review vs scan

Human review vs automated security scan for AI-built apps.

An automated scan and a human review answer different questions. A scan tells you what the public web can see in seconds. A human review tells you whether private data, payments, and deploys are actually safe. Most AI-built apps need both.

What is the difference between a scan and a human review?

A scan checks the public surface

An automated security scan inspects what is reachable from a URL: API keys in the client bundle, missing security headers, wildcard CORS, guessable routes, runtime errors, and known vulnerable dependencies. It runs in seconds and is the right first filter.
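As an added illustration of the checks listed above (this is example code written for this page, not the scanner behind the scorecard), the function below applies a handful of surface checks to one fetched response: expected security headers, a wildcard CORS header, key-shaped strings in the JavaScript bundle, and a source-map reference. The header list and the two key patterns are assumptions chosen for the example; the sample response at the bottom is constructed, not captured from a real app.

```python
import re
from dataclasses import dataclass

# Headers a public-facing app is expected to send (assumed set for this example).
EXPECTED_HEADERS = {
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
}

# Prefix patterns of the kind secret scanners use; assumed here, not from the page.
KEY_PATTERNS = {
    "stripe_secret_key": re.compile(r"sk_live_[A-Za-z0-9]{12,}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
}


@dataclass(frozen=True)
class Finding:
    severity: str
    check: str
    detail: str


def scan_response(headers: dict, body: str) -> list:
    """Apply surface checks to one page or bundle and return the findings.

    Header names are compared case-insensitively, as HTTP header names are.
    Only the response is inspected; nothing here needs the server's code,
    which is exactly the limit of what a scan can see.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 1. Missing security headers.
    for name in sorted(EXPECTED_HEADERS - set(h)):
        findings.append(Finding("medium", "missing-header", name))

    # 2. Wildcard CORS: every origin may read the response.
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append(Finding("medium", "wildcard-cors", "Access-Control-Allow-Origin: *"))

    # 3. Key-shaped strings shipped to the browser. The match is truncated so
    #    the report itself does not carry the full value.
    for label, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(body):
            findings.append(Finding("high", "client-shipped-key", f"{label} {m.group()[:8]}..."))

    # 4. A source map reference exposes readable source for the bundle.
    if "sourceMappingURL=" in body:
        findings.append(Finding("low", "source-map-reference", "bundle links to a source map"))

    return findings


# Constructed sample response: a bundle with one leaked key, open CORS, a
# source map reference, and only one of the expected headers present.
SAMPLE_HEADERS = {
    "Content-Type": "application/javascript",
    "Access-Control-Allow-Origin": "*",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_BODY = (
    'const STRIPE = "sk_live_EXAMPLE000000000000";\n'
    "fetch('/api/invoices');\n"
    "//# sourceMappingURL=app.js.map\n"
)


def sample_findings() -> list:
    return scan_response(SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

Run against the constructed sample it reports six findings: three missing headers, the wildcard CORS header, one client-shipped key, and the source-map reference. A real scanner would fetch the URL and crawl linked bundles; the checks themselves are the same kind of pattern match.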

A review checks the logic behind it

A human review reads the actual code, database policies, secrets, and hosting. It finds access-control flaws, broken authorization, missing Row Level Security, and unsafe workflows that no scanner can detect because they depend on intent, not patterns.
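To show the kind of flaw only code reading catches, here is an added example (written for this page, not taken from any reviewed app) of cross-tenant data access in an invoice lookup. Both handlers below return a well-formed 200 response and ship no secrets, so nothing on the public surface distinguishes them; the difference is one missing clause in a query. The table, tenant names and amounts are constructed, and SQLite stands in for the production database. In a Postgres-backed app the same tenant filter would additionally be enforced by a Row Level Security policy, so that a handler that forgets the clause still cannot return another tenant's rows.

```python
import sqlite3
from typing import Optional


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants, one invoice each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "tenant-a", 1200), (2, "tenant-b", 9900)],
    )
    conn.commit()
    return conn


def _to_dict(row) -> Optional[dict]:
    return None if row is None else {"id": row[0], "tenant_id": row[1], "amount_cents": row[2]}


def get_invoice_unscoped(conn: sqlite3.Connection, invoice_id: int) -> Optional[dict]:
    """Broken authorization: the caller's tenant is never consulted.

    Any authenticated user who supplies another tenant's invoice id gets
    that invoice back. Headers, CORS and dependency checks all pass.
    """
    row = conn.execute(
        "SELECT id, tenant_id, amount_cents FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()
    return _to_dict(row)


def get_invoice_scoped(conn: sqlite3.Connection, invoice_id: int, caller_tenant: str) -> Optional[dict]:
    """Fixed: the tenant comes from the authenticated session, never from the
    request body, and is part of the WHERE clause, so rows belonging to other
    tenants are simply absent rather than filtered afterwards in Python."""
    row = conn.execute(
        "SELECT id, tenant_id, amount_cents FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, caller_tenant),
    ).fetchone()
    return _to_dict(row)


def demo() -> dict:
    """Tenant A asks for invoice 2, which belongs to tenant B."""
    conn = setup_db()
    return {
        "unscoped": get_invoice_unscoped(conn, 2),
        "scoped": get_invoice_scoped(conn, 2, "tenant-a"),
    }


if __name__ == "__main__":
    print(demo())
```

The reviewer's question is not "is this endpoint reachable" but "whose rows can this query return for a given session", which is why it has to be answered by reading the handler and the database policies rather than by probing the URL.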

Together they cover launch risk

The scan removes obvious issues cheaply. The review confirms that private data is protected, payments fail safely, and a bad deploy can be rolled back. For an app handling real users, both are needed before launch.

Where each one wins

Automated scan finds

Client-shipped keys, missing headers, open CORS, reachable routes, source maps, runtime errors, and outdated dependencies — quickly and repeatably.

Human review finds

Missing or permissive database rules, broken authorization, cross-tenant data access, unsafe webhooks, and missing rollback or monitoring.

Use both when

The app has logins, payments, customer data, admin tools, or automated workflows — anything expensive to get wrong in front of real users.

Start with the free scorecard to clear surface issues, then book the production readiness review for the rest.