Services
You shipped it fast. Now make sure it's not an open door.
An AI application security audit is a structured review of software built with or around AI (vibe-coded apps, chatbots, automations, internal tools) that finds the vulnerabilities this new way of building creates: exposed API keys, missing authentication, unprotected endpoints, prompt injection, runaway API costs and leaking customer data. Islands AI offers fixed-price audits from £950, delivered in under a week, with a severity-rated findings report, a prioritised fix list and a remediation session. We audit systems built by your team, by freelancers, or by AI tools themselves.
Why this exists
AI coding tools mean anyone can ship software in a weekend. Brilliant. It also means production apps are going live with the classic failure modes: secrets in client-side code, admin routes with no auth, databases open to the internet, AI endpoints anyone can hammer at your expense, and no rate limiting anywhere. You usually find out from an invoice, a customer, or worse.
What we check
- Secrets and keys: API keys, tokens and credentials exposed in front-end code, repos or logs.
- Authentication and access: who can actually reach what, including the admin pages and API routes nobody remembered to protect.
- AI-specific attack surface: prompt injection, data exfiltration through the model, unbounded tool permissions.
- Cost exposure: endpoints that let strangers spend your OpenAI or Anthropic budget, missing rate limits and quotas.
- Data handling: what personal data flows where, and whether that matches what you tell users and what data protection law expects.
- Dependencies and infrastructure: known-vulnerable packages, exposed databases, missing backups.
Packages
Rapid Audit
One application. Automated scanning plus expert manual review, severity-rated findings report, prioritised fix list. Delivered within 5 working days.
Full Audit
Everything in Rapid, plus authentication and data-flow review, AI cost-exposure analysis, and a one-hour remediation session walking your builder through the fixes.
Audit + Team Training
Everything in Full, plus a half-day on-site session training your team to build securely with AI tools, and a written secure AI development playbook tailored to your stack. We train someone in-house to carry this on, so you're not dependent on us.
Ongoing: quarterly re-audit retainer available, because the app you ship in July won't be the app running in December.
Frequently asked questions
We used AI tools to build our app. Is that the problem?
No. AI-built software can be excellent. The problem is that the tools optimise for 'it works' and stay silent about 'it's safe'. The audit closes that gap.
Do you need our source code?
For the best result, yes, under NDA. We can do a black-box external review without it, but code access finds more, faster.
Will you fix the issues too?
The remediation session gets most teams there on their own. If you want us to implement fixes, that's a scoped follow-on and we'll quote it in the report.
Can you audit something a freelancer or agency built for us?
Yes, and it's one of the most common cases. You get an independent view before you rely on it, written in plain language for a non-technical owner.
Talk to us before you talk to a platform.
A 20-minute call is enough to tell you whether AI is worth it for your operation, what it would cost, and what could go wrong. No pitch deck, no obligation.
Book a 20-minute call