Between June and July 2026 I audited 26 real apps built with AI tools. That record, the AxonBuild audit corpus, answers the question in this post’s title more honestly than any pitch: zero of the 26 came out green, 22 of 26 had at least one confirmed critical finding, and scores ran 29 to 81 out of 100. If real users, data, or payments already depend on your app, the odds say yes.

You should know the incentive problem before you weigh anyone’s answer, mine included: almost everyone positioned to tell you whether you need an AI app security audit sells one. I sell one too. So the rest of this post leans on the numbers, not the pitch.

The same record says something no vendor page will. In 3 of 21 third-party apps I audited, security scanners flagged 33 to 44 known vulnerabilities, and I traced exactly zero of them as reachable from the app’s actual code. Sometimes the right verdict is “ignore the report.” An audit worth paying for tells you both.

Here is the record at a glance, with the honest denominators attached; the rest of the post unpacks it.

The record (June–July 2026)Number
Apps audited26 (21 third-party, 5 of my own)
Came out green0 of 26
Red: at least one confirmed critical22 of 26
Amber: no critical, an honest finish list4 of 26
Score range29 to 81 out of 100
Confirmed findings, 21 third-party apps958 (roughly 46 per app)
Of those findings, critical58 (about 6%)

Do you need a security audit for your AI-built app?

The question usually arrives in a specific shape: the app works, launch is weeks away, and the plan says “get a professional security audit at some point.” So can the AI tools and free scanners cover it until then? Founders who ask it in public get back tool acronyms (SAST, DAST, OWASP ZAP): answers about how to check, to a question about whether to bother.

Here’s the decision. You need one when something real is at stake and you can’t verify the app’s guarantees yourself: live payments, other people’s data, an AI endpoint that bills you per call, or an external party (an investor, an enterprise customer) about to ask questions you can’t answer. You don’t need one yet when the app is a prototype nobody depends on. Between those two poles the honest answer is something cheaper and more specific than an audit, and the rest of this post maps which situation is yours.

One thing before the data, because it changes how you read everything below: a real audit cuts both ways. It tells you which findings are genuine ship-stoppers, and it tells you which scary-looking ones you can ignore. Vendors rarely lead with the second half, because it argues against their own invoice.

What “AI app security audit” means here, and what it means everywhere else

If you search “security audit AI,” nearly everything that ranks is written for a different buyer: a CISO auditing the AI systems their company deploys, meaning model governance, agent permissions, red-teaming, alignment with frameworks like the NIST AI Risk Management Framework or the EU AI Act. That’s a legitimate field, aimed at a different job.

This post is about the other thing: a security review of an app that AI tools helped build. The enterprise guides won’t tell you whether a stranger can read your users’ rows, and this post won’t help you write an AI governance policy. If you’ve been bouncing off compliance-flavored search results wondering why none of them mention Supabase, this is why.

What 26 real audits found

The record: 26 real production apps built with AI tools, audited June–July 2026, with every finding pinned to file and line and none counted until it survived an attempt to disprove it. Zero came out green. 22 of 26 were red, meaning at least one confirmed critical. The four ambers had no critical, just an honest finish list.

The failure profile is the useful part, because the stereotype predicts a different one. Leaked API keys, the thing every scanner leads with, turned out to be the strongest area: the secrets pillar averaged 84/100 across the 21 third-party apps, the best of twelve. The worst was reliability, at 31/100. At least 23 of 26 apps had zero working automated tests, and 17 of 21 recorded errors nowhere: when something breaks for a user, nothing tells you. Apps built with AI tools mostly fail at the invisible engineering no prompt asked for, rather than at the visible, scannable surface. The holes ship by default, because the version that works in the demo and the version that’s guarded look identical in the browser.

Two more numbers frame what “audit” has to mean for this class of app. First: 958 confirmed findings across the 21 third-party apps (roughly 46 per app), of which only 58 were critical. Knowing which 6% matters is the entire job. Second: I ran the same audit on my own 5 production apps. All five red, scores 36 to 63. The method has no mercy setting, which is exactly what makes its “you’re fine here” worth something.

When a scan is enough

Scanners are genuinely good at presence-class questions: is a known-vulnerable dependency version in your tree, is a key sitting in your client bundle, is row-level security enabled on this table. If your app is pre-launch, holds nothing sensitive, and nobody’s money moves through it, a free scanner plus your platform’s built-in advisor is a reasonable posture. That’s a real answer, and it’s free.

What a scanner can’t do is tell you whether a flagged problem is your problem. That’s the 33-to-44 story from the top of this post: tracing each flagged CVE through the actual code found zero reachable, because the vulnerable functions were never called from any path an attacker could reach. In 8 other apps, one reachable CVE was a genuine ship-stopper, often fixable with a one-line version bump. Same report format, opposite verdicts. The report can’t tell you which app you are.

The smallest app in the corpus taught me not to guess at that answer. It was a client-side guitar-theory tool: no login, no database, no user data, four runtime dependencies. The scanner flagged a critical remote-code-execution advisory against its pinned Next.js version, and I traced it the same way as the false alarms above. This one was live: a server-side image route meant the app wasn’t the static export it looked like, so a real server answered every anonymous request on the vulnerable endpoint. One out-of-date version number was the entire finding, and the fix was a one-line bump.

What a scanner report tells you
What a verified audit tells you
44 known CVEs in your dependency tree
Which of the 44 are reachable from your code (in 3 of the 21 apps I audited, the answer was none)
Row-level security is enabled on the table
Whether a second logged-in account can actually read the first one’s rows
A severity score per finding (CVSS 9.8)
file:line evidence, plus what this specific finding costs you if someone uses it
What a scanner report tells you
44 known CVEs in your dependency tree
Row-level security is enabled on the table
A severity score per finding (CVSS 9.8)
What a verified audit tells you
44 known CVEs in your dependency tree
Which of the 44 are reachable from your code (in 3 of the 21 apps I audited, the answer was none)
Row-level security is enabled on the table
Whether a second logged-in account can actually read the first one’s rows
A severity score per finding (CVSS 9.8)
file:line evidence, plus what this specific finding costs you if someone uses it

This is the presence-versus-correctness gap, applied to the report itself. A scanner verifies that risks exist in a database; an audit verifies whether they work against your app. Raw scanner output is only the input to a risk assessment, and it still needs the assessment.

When you definitely need one

Five signals, with the audit numbers attached where I have them:

  1. 01 Real users trust the app with their data: 7 of 21 apps let one logged-in customer read or write another’s records
  2. 02 The app has an AI endpoint: 12 of the 14 audited apps with an AI surface had a confirmed denial-of-wallet path, where a stranger could burn the owner’s API bill
  3. 03 Money moves through it: payments, subscriptions, or anything a browser can claim it already paid for
  4. 04 An external checkpoint is coming: investor due diligence, an enterprise security questionnaire, a compliance ask
  5. 05 You’re about to launch with any of the above true on day one

Two or more of these and the question stops being whether to verify and starts being who does it. One caution about reading the list as a diagnosis: the signals measure what’s at stake, not what’s wrong. What’s wrong, if anything, is precisely what an audit establishes, claim by claim, against the code.

What a real audit must hand you

The deliverable is where a real AI code security audit separates from a scan with an invoice, and you can check for everything below before paying anyone.

Evidence per finding, pinned to file:line: “your webhook doesn’t verify signatures, here, at this line,” never “implement security best practices.” A habit of trying to disprove its own findings: every candidate carries the check that could have killed it, and the ones that can’t be proven get dropped, not padded into the count. Triage in both directions, so the scary scanner output gets downgraded in writing when it’s unreachable. And a verdict you can act on: what to fix first, what to ignore, and whether this codebase is worth completing at all (the rebuild-versus-complete call, from someone who doesn’t earn more if the answer is “rebuild”).

That last one matters more in this category than anywhere else, because the people most often telling founders “this needs a rewrite” are the people selling rewrites. It’s the reason I structured the Beyond the Demo Audit as a fixed-scope diagnosis rather than a door into an open-ended engagement: the price is the same whatever the verdict says, so the verdict has no reason to lie.

An audit that can’t tell you what you don’t need to fix is a sales letter.

What it costs, and what to refuse to pay for

The market for this is wide and mostly unreadable. At the bottom, double-digit fixed-price “audits” on gig marketplaces: at that price the economics only work if a tool runs and a human doesn’t, so you’re buying a scanner report with a cover page. At the top, formal penetration tests, priced for compliance budgets and quoted in the thousands to tens of thousands; excellent work, built for a different buyer. In between sits a band of productized audits in the hundreds to low thousands (mine is $500, scope stated up front), where the real differences are the ones the previous section listed, not the price.

So judge the deliverable, not the number. Refuse to pay for a finding count with no file-and-line evidence behind it: that’s a tool run, and you can run the tool. Refuse severity scores with no reachability call, because you now know 44 flagged CVEs can mean zero real ones. And refuse a security verdict bundled with a proposal to rebuild the app, for the incentive reason above. Any of those three, at any price, is the expensive option.

Common questions before you decide

How much does an AI app security audit cost?

Anywhere from double digits to five figures, and price alone tells you almost nothing. The floor is automated-scan-plus-PDF; the ceiling is compliance-grade penetration testing. The productized middle runs a few hundred to a few thousand dollars (mine is $500, scope stated up front), and within that band you’re paying for evidence quality (file:line findings, reachability triage, a rebuild-versus-complete verdict), never for page count.

Can I just have AI audit its own code?

It’s better than nothing and worse than it looks. AI review catches presence-class issues (missing auth middleware, a key in client code), but the failure classes that dominated the 26 audits are contextual: whether this user should see that row, whether an endpoint should exist at all. Those need someone to try the attack, with two accounts and intent, and to verify the result against the code rather than pattern-match it. The tool that wrote the blind spot re-reads it with the same blind spot.

Should I get the audit before or after launch?

Before, if any signal from the list above is already true on day one: pre-launch is when a finding costs a code change instead of a disclosure email. An audit after launch still works; it just costs more for every week of exposure. The wrong answer is “after the next feature,” on repeat.

What if the audit finds nothing serious?

Then the audit did its job, because “nothing serious, verified” is a real deliverable. It’s rare (4 of the 26 apps I audited had no confirmed critical), and each of those four got a prioritized finish list plus, in writing, the things that checked out. That’s a document you can put in front of an investor. An audit that can’t return “you’re mostly fine” is the one to walk away from.

Where to start

If you’re still on the fence, you don’t have to start at $500 or at zero. The scorecard takes about two minutes, scores your app across nine readiness domains (of the twelve launch readiness is made of; the other three are audit territory), and names your weakest one, which is usually enough to tell you whether the audit question is live. The record from 26 apps says the gap between “works” and “verified” is real. Whether it’s your gap is exactly the thing you can’t see from inside the demo, and exactly the thing that’s checkable from outside it.