Jurij Tokarski

What a Code Audit Looks Like

Code audit, software audit, technical due diligence — same work, different buyers. One week, $997, prioritized by risk: security, architecture, tech debt.

Vibe coding cleanup is becoming its own job category. Collins Dictionary named "vibe coding" word of the year in 2025. TechCrunch ran a piece on the rise of "AI babysitters" — developers hired not to write code, but to audit what the tools already wrote. Cursor, Lovable, v0, Bolt.new, Replit Agent ship features fast. They also ship silent problems no linter catches and no test suite covers, because no test suite was written.

One developer put it bluntly: "10x the productivity measured by lines of code written, but 1/100th the quality measured by pain in the ass to clean up." An AI code audit — call it vibe code review, call it cleanup — is the senior pair of eyes that should have been there during generation, applied after the fact.

Yes, I Use the Same Tools You Do

The obvious objection: "You're charging $997 to audit code I generated with Cursor, but you're using Cursor too — what makes your output different from mine?"

The tools are the same. Cursor, Claude Code, Copilot, v0, Bolt — I use them daily. They make me 2-3x faster than I was without them. They don't make me a different kind of engineer. The thing they amplify isn't writing speed; it's whatever judgment you bring to the conversation.

I've been shipping commercial software since 2011. Fifteen years of debugging things at 2am that worked fine in dev, of inheriting codebases from previous developers who "got it working" and disappeared. None of that experience is replaced by AI tooling. AI accelerates the part of the job I was already good at — typing — and leaves the hard part untouched. The hard part is knowing where the bombs are buried.

The First 80% Is Easy. The Last 20% Is Where Production Lives.

Software is shaped like an iceberg. The visible 80% — features that work on the happy path — is what AI tools generate fluently. Describe what you want, the model produces working code, you click through the flows, everything looks fine. That part has gotten cheap.

The remaining 20% is what keeps the product alive in production. It's a list of things that look small until they aren't:

None of these break the demo. All of them break the product. Most don't surface as crashes — they surface as customers churning quietly, support tickets that don't resolve, metrics drifting without an obvious cause. AI tools generate the first 80% beautifully and have no concept of the second 20% existing.

The audit is the second 20%. I'm not grading the code AI generated against AI's standard. I'm grading it against fifteen years of watching production fail in specific, repeatable ways.

What the Audit Covers

A code audit service touches four areas, roughly in priority order:

Security. Auth flows, input validation, exposed secrets, API key handling. AI generates auth code that looks correct, and often is. Sometimes it isn't: a session cookie missing the httpOnly flag, a JWT accepted without pinning the signing algorithm the server expects, a .env file committed because the .gitignore template didn't catch it. Trading security for polish is a real cost, and it is the one that shows up latest.

Architecture. Component structure, data flow, dependency management. AI-generated code produces coherent local decisions and incoherent global structure. State lives in three places. The same fetch call appears in four files. None of it breaks anything until someone needs to change it.

Performance. Re-renders, slow queries, bundle size. A component re-rendering on every keystroke is invisible on a MacBook and noticeable on a phone on a slow connection. A query with no supporting index works fine against a development database and falls over once the table has real data in it. These are the bugs that were never in the prompts.

Technical debt. Dead code, inconsistent patterns, missing error handling. Every catch (e) { console.log(e) } is a failure that will look like a success: the request returns, the log line scrolls by, and nobody notices the write never happened. These accumulate quietly, and silent failures that look like success are the hardest to catch.

The standard throughout: does this code handle failure gracefully? Can a new developer understand it in a week? Will it break when traffic doubles?

The Deliverable

Not a 50-page document nobody reads. One report, structured by severity. Each issue: the file and line, what's wrong, how to fix it. Organized by risk — security first, then anything that breaks under real conditions, then debt that slows the team down. You know exactly where to start.

This is the quality gate applied to inherited code, plus the boy-scout rule for what to do next. The audit is the current state. What you do with it is the cleanup.

Code Audit, Software Audit, Technical Due Diligence — Same Work, Different Buyer

The same week of work gets called three different things depending on who's writing the check.

Code audit is the founder framing. You built something with Cursor or inherited it from a contractor and you want a senior pair of eyes before you ship the next round of features. The output is a fix-it list ordered by risk. Same shape as a code audit service from a bigger firm, minus the multi-phase SOW.

Software audit is the existing-team framing. You have a SaaS in production, the original developer left, and the team that owns it now isn't sure what's a landmine and what isn't. A software audit (or codebase audit, or application audit) maps the surface area: where the bombs are, what's load-bearing, what can be touched safely. Same deliverable as the code audit, written for the team that has to live with it.

Technical due diligence is the investor framing. Sometimes it's vendor-side: a startup preparing for a fundraise or acquisition runs its own technical due diligence first so the investor's diligence doesn't surface anything ugly. Sometimes it's buy-side: an acquirer or VC wants an independent software due diligence read on a target before the term sheet. Same scan, framed as a technical due diligence report: what's the technical risk, what's the cost to fix, what does the team look like. The due diligence framing also gets formalised into checklists more often; I'm happy to follow a specific technical due diligence checklist if the investor provides one.

The work underneath is identical. Security, architecture, performance, technical debt — graded against fifteen years of watching production fail. The output is the same one report, the price is the same $997 for the week. What changes is the cover: who's reading it, and which decision it informs.

Who This Is For

Founders who built with Cursor, Lovable, v0, Bolt.new, or Replit Agent and need a senior code review for hire. Startups preparing for fundraising who need an independent technical assessment or vendor-side technical due diligence. VCs and acquirers who need a fast, independent technical due diligence consultant on a target. Teams inheriting a contractor's codebase. Non-technical founders who need code health translated into business risk.

One week, $997, fixed deliverable. This sits inside the Varstatt retainer — subscribe, the audit ships, cancel — same as any other shape.

Other Shapes the Retainer Takes

Same retainer, different shapes — pick the one that matches the work in front of you:

How to Start

The path is the same for every shape:

  1. Submit a project brief — 2–3 minutes. Within 24 hours, you get an honest read on whether this engagement fits.
  2. 15-minute discovery call — confirm scope and timing, no sales pitch.
  3. Subscribe to the weekly retainer — work begins the next business day. Cancel anytime through Stripe, no paperwork.

If you have questions before any of that, the project brief form has a free-text field — write whatever you need to.

About Jurij Tokarski

I run Varstatt and create software. Usually, I'm deep in work shipping for clients or building for myself. Sometimes, I share bits I don't want to forget.
