Found problems? We can fix them.
A pentest report is only useful if someone acts on it. If you've run a scan and don't have the in-house bandwidth to remediate the findings — or you want a security-aware developer to review the fixes — we can help.
What we do
Security remediation
You have a GetCodeAudit report with findings. We work through them one at a time: implement the fix, run targeted tests to confirm it's resolved, push to your repo. Findings are billed per item; complexity varies wildly so we quote per finding after looking at the report.
Pre-launch hardening
You're about to ship a new app and want a second pair of eyes on security before it goes live. We review your code, run a scan, fix what we find, and put basic monitoring in place. Typical engagement: 1–2 weeks, fixed scope.
Custom development
Beyond security — we also build full-stack PHP, Node.js, React Native, and React applications. If you have a project that doesn't fit a security-only engagement, we can take that on too.
How it works
- Email us with your scan order number (from the confirmation email) and what you'd like help with. If you don't have a scan yet, send a description of what you're building.
- We respond within one business day with a scope and quote.
- 50% upfront, 50% on delivery. For smaller engagements we sometimes do 100% on delivery — depends on the work.
- We work async over email + screen-share calls. Code goes to your repo, not ours.
What we charge
Every engagement is quoted per project — pricing depends entirely on the scope and complexity of the work:
- Per-finding remediation: quoted per finding, after we look at your report.
- Pre-launch hardening package: quoted as a fixed-scope engagement.
- Custom development: quoted by project, or hourly for open-ended work.
You'll always get a clear scope and quote up front, before any work starts — no surprises. Bigger engagements get bulk pricing. We're a small team and only take on as much as we can do well, so there's sometimes a 1–2 week wait to start.
What we don't do
- SaaS retainers or ongoing managed services. One-time engagements only.
- Compliance audits (SOC 2, ISO 27001, PCI-DSS). We can prepare you for an audit but we aren't auditors.
- Work for clients we believe are doing harm (we reserve the right to decline anything that crosses our line).
Looking for hands-on security testing rather than dev work? That's a separate service — see expert manual testing.