Automated security audits, in plain English

Is your product actually safe?

Attackers have AI on their side now, and they spot weak products faster than ever. Patchable runs an automated audit on yours, then tells you in plain English what they'd find first. Free to scan. You only pay if something needs fixing.

No login required · No load on your live systems · One email when we open
Patchable
Security check yourproduct.com
2 to fix · 1 to review · 3 all good

To fix: Your OpenAI key is in the JavaScript your site sends to visitors
Anyone who opens your site can read it, then run up charges on your account.

To fix: An admin page responds to anyone, not just logged-in users
/admin/users returned a list of email addresses without a login.

To review: Your sign-up form has no spam protection we could see
No CAPTCHA, no obvious rate limiting. Worth fixing before traffic hits.

All good: Your protected pages do ask for a login
We tried a few obvious ones. Got redirected, as you'd want.

All good: Uploaded files aren't sitting at guessable URLs
We tried common patterns. Nothing came back.

All good: Your domain and email setup look healthy
SPF, DKIM, DMARC. All in place.
What a fix looks like

Every finding ships with a prompt. Ready to paste.

We write each fix as a prompt your AI assistant can run. Hand it to Claude Code, Cursor, or whichever tool you build with, and the fix lands without you reading a single security blog.

High · Exposed credentials · FIND-001 · Sample

Your OpenAI key is in the JavaScript your site sends to visitors.

What we found
// in /assets/app-7f3.js, line 12,488
const openai = new OpenAI({
  apiKey: "sk-proj-aB3kL...x9Qz",
  dangerouslyAllowBrowser: true
});
Why it matters

Anyone who opens your site can read this key from their browser's developer tools. Once copied, they can use it on your OpenAI account, and you'll get the bill.

Ready for your AI assistant
Claude Code · Cursor · Copilot
Move my OpenAI API call out of the browser bundle and into a new backend endpoint at /api/ai/generate.

The frontend should POST the user's input to this endpoint. The endpoint should:
  • read OPENAI_API_KEY from environment variables, never ship it to the client
  • call OpenAI server-side and stream the response back
  • rate-limit each user to 10 requests per minute, using a library that fits this codebase

When you're done, leave a note in the PR description reminding me to rotate the exposed key (sk-proj-aB3kL...x9Qz) in my OpenAI dashboard before this ships.
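The backend endpoint that prompt asks for, as an added example that is not Patchable's code: a plain JavaScript handler that takes the key from OPENAI_API_KEY, keeps it server-side, and gives each user 10 requests per minute. The OpenAI call is injected as callModel (a stand-in, not the real SDK) so the example runs offline; the request and response shapes are assumptions.

```javascript
// Key shape to scan responses for (constructed pattern, only for the leak check).
const KEY_PATTERN = /sk-[A-Za-z0-9_-]{10,}/;

// Sliding-window limiter: at most `limit` requests per `windowMs` for each user.
function createRateLimiter(limit = 10, windowMs = 60_000) {
  const hits = new Map(); // userId -> timestamps (ms) of recent requests
  return function allow(userId, now = Date.now()) {
    const recent = (hits.get(userId) || []).filter((t) => now - t < windowMs);
    if (recent.length >= limit) { hits.set(userId, recent); return false; }
    recent.push(now);
    hits.set(userId, recent);
    return true;
  };
}

// Builds the /api/ai/generate handler. `apiKey` comes from the environment,
// `callModel(apiKey, input)` does the server-side OpenAI call (injected so this
// runs offline), `allow` is a limiter from createRateLimiter.
function createGenerateHandler({ apiKey, callModel, allow }) {
  if (!apiKey) throw new Error("OPENAI_API_KEY is not set; refusing to start");
  // Assumed request shape: { userId, body: { input } }, after authentication.
  return async function handleGenerate(req, now = Date.now()) {
    if (!req.userId) return { status: 401, body: { error: "login required" } };
    if (!allow(req.userId, now)) return { status: 429, body: { error: "rate limited" } };
    const raw = req.body && req.body.input;
    const input = typeof raw === "string" ? raw.slice(0, 4000) : "";
    if (!input) return { status: 400, body: { error: "input required" } };
    const output = await callModel(apiKey, input); // the key never leaves this process
    return { status: 200, body: { output } };
  };
}

// Regression check: no serialised response may contain anything key-shaped.
function responseLeaksKey(res) {
  return KEY_PATTERN.test(JSON.stringify(res));
}

// Wiring in a real deployment (not run here):
// const handle = createGenerateHandler({
//   apiKey: process.env.OPENAI_API_KEY,
//   callModel: (key, input) => { /* call the OpenAI SDK with `key` here */ },
//   allow: createRateLimiter(10, 60_000),
// });
```

Pair it with the key rotation the prompt mentions: the hardened endpoint does nothing for a key that is already in someone's browser cache.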

One paste, one PR. We write each fix to work with the stack we see in your codebase.

What we check

What an attacker would find first

An automated audit, run from the outside. No credentials. No surprise traffic on your live systems. Nothing gets broken the way a pentest can break it.

What's reachable

Admin pages, exports, internal tools that quietly went live. Anything the open internet can answer when it shouldn't.

What your site hands out

Every site ships code and config to the browser. We read it the way a visitor's browser does, and flag keys, secrets and internal URLs.

The basics that get missed

Email setup, security headers, form protections, guessable file URLs. None of it sounds dramatic. Each one trips up real products.

What to do about it

Every finding comes with a plain explanation and a step-by-step fix. No jargon, no severity codes, no homework.

Plans

Pay once, sleep easier

Three levels, depending on how deep you want us to look. Each one is automated, one-time, and safe to run on a live product.

Get the Report
$49 one-time (down from $99)

A complete outside-in surveillance scan. What an attacker would see on first contact, written up for you.

  • Every finding from the outside-in scan
  • Step-by-step fix for each one
  • 1 rescan within 30 days
  • Shareable PDF report
Available at launch
Enterprise
$499 one-time (down from $999)

Everything in Get Verified, plus a compliance and sales packet. A head start on the SOC2 path, before you're ready for the audit.

  • Everything in Get Verified
  • 12 rescans over 365 days
  • Legal posture scan: GDPR, CCPA, privacy policy, DPA gaps
  • Sales-ready packet: security questionnaire, DPA template, incident response plan
  • Hosted security and document portal
  • Personal help prioritising what to ship first
Available at launch
Patchable Verified

Earn the badge. Show your customers.

Fix what we find and your product earns the Patchable Verified badge. Drop it on your site, your security page, your sales decks. Quiet, public proof you take this seriously.

Patchable Verified
Audited Jun 2026 · ID PV-A7K2

Be the first to know.

We'll email you once when Patchable opens. No marketing. No newsletter. No other emails. Just the one.