Frequently asked questions
about freelance technical audits

Cost, timelines, exact scope, difference with a pentest, vibe coding, supported technologies. Direct answers, no jargon — because good decisions start with clear information.

General

Cost, timelines and scope

How much does a freelance technical audit cost?

Between €1,500 and €5,000 depending on scope:

— Pre-launch audit (AI-built app or solo founder check): from €1,500
— SaaS technical debt audit: between €2,500 and €4,000
— Setting up automated tests (Cypress + CI/CD): from €3,000

The first 30-minute call is free and non-committal.

How long does a technical audit take?

— Pre-launch verification (AI-built app or solo founder): 2 to 3 days
— SaaS technical debt audit: 3 to 5 days
— Automated test bootstrap (Cypress + CI/CD): 10 to 15 days

The report is delivered within 2 days of the audit completing, with a 45-minute debrief session.

What does a technical audit include exactly?

Depending on the chosen scope: source code review, architecture evaluation, critical security point verification (authentication, data exposure), basic load testing, dependency analysis.

The systematic deliverable is a structured written report with each issue classified by criticality (blocking / important / minor), the reason for the risk, recommended fix, and effort estimate. A 45-minute debrief session is always included.

What is the difference between an audit and a security pentest?

A pentest is run by an offensive security expert seeking to exploit known vulnerabilities (SQL injections, XSS, privilege escalation). It assumes a stable, documented application already in production for some time.

An application audit like mine targets the real risks of a pre-launch or recently launched application: absent error handling, misconfigured authentication, inadvertently exposed data, no monitoring. Both approaches are complementary. For an MVP app, starting with the application audit is the right sequence.

My application has been in production for 2 years without issues — do I need an audit?

Without issues often means without visible issues. Security vulnerabilities and technical debt accumulate silently.

An audit is relevant if you plan to add major features, scale user numbers, or if your team hesitates to touch certain parts of the code. If the application is stable, non-critical and no longer evolving, the audit is not a priority.

Vibe coding & AI

AI-built applications

What is vibe coding and why does it need external verification?

Vibe coding refers to building applications using generative AI tools (Claude Code, Cursor, Bolt, v0) as the primary development engine — often by people without deep technical training.

These tools generate functional code, but with no awareness of systemic implications, error handling, or security configuration. The code has never been given a second look by a human with a whole-architecture perspective. That's exactly the role of an external application audit.

I used Claude Code to build my app — is that risky?

Not more risky than an unsupervised junior developer — nor less. AI generates code that follows the patterns it learned, including bad practices. Without human review, the same blind spots appear: absent error handling, exposed data, misconfigured auth.

I use Claude Code myself in my work. The tool is powerful — but it doesn't replace the judgment of an experienced developer who knows the production pitfalls.

Can you audit an app entirely generated by AI, with no human code?

Yes. The source of the code doesn't matter for the audit. What counts is what the code actually does — the authentication patterns, error handling, data exposure. These checks apply regardless of how the code was written.

Practical

How it works in practice

Do you work remotely or on-site?

Primarily remote — auditing code doesn't require being on-site. I'm based in Saint-Pierre, Réunion Island (974) and can work on-site for clients in Réunion if needed.

Exchanges happen via video call (scoping call, debrief). Code is shared via Git (read access to the repository, or archive if necessary).

What technologies do you work with?

My core expertise is fullstack web:

— Backend: Symfony, PHP 8, Laravel, Node.js, API Platform
— Frontend: React, TypeScript, Vue.js
— Testing: Cypress, PHPUnit, Behat, Jest
— CI/CD: GitHub Actions, GitLab CI, Azure DevOps, Jenkins
— Infrastructure: Docker, Linux VPS, common cloud providers

For Python, Go, or Java stacks, I work on the architectural scope and generic patterns — line-by-line code review then requires a specialised co-auditor (whom I can recommend).

What happens after the audit?

You receive the report and a 45-minute debrief session. If you want me to support the implementation of the recommendations, I can engage as a consultant or developer — but this is not systematic.

Many clients apply the recommendations themselves with their team. I remain available for questions for 2 weeks after report delivery.

How does first contact work?

Book a 30-minute call on Calendly or send me an email describing your situation in a few lines. During the call, I ask questions about your application (stack, stage, team, perceived problem) and give you an honest first read.

If an audit is relevant, I send you a detailed quote within 48 hours. No commitment after the call.

First contact

Your question isn't in the FAQ?

Write to me. I read every message and reply within 24 hours.