SaaS Startup AI Security Repo Audit

The situation

The team was a 5-to-20-person SaaS startup moving quickly. Much of the codebase was written with AI coding assistants, the product wrapped an LLM, and a retrieval-augmented generation (RAG) pipeline pulled in customer and third-party content to ground answers.

That velocity created blind spots. The founders knew generic scanners like Snyk and Semgrep covered some ground, but they were unsure about the AI-specific surface: prompt handling, what the retrieval layer could expose, and how much an autonomous agent was actually allowed to do. A large launch was a few weeks out, and they wanted a clear read on practical risk before customers arrived.

What we reviewed

We reviewed the repository end to end with an AI application security lens. That included system and tool prompts, the RAG ingestion path and document sources, vector retrieval boundaries and tenant isolation, and the permissions granted to the agent and its tools, including any MCP tool integrations.

Alongside the AI-specific layer, we covered the fundamentals that AI-generated code often gets wrong: dependency hygiene, hardcoded secrets and key handling, authentication and authorization on internal endpoints, and infrastructure-as-code (IaC) configuration. The output is a prioritized findings report with a risk score per issue and concrete remediation steps, meant to complement existing scanners rather than replace them.

What we found

The highest-priority issue was prompt injection exposure: untrusted content flowed from RAG documents and user input straight into the model context with no separation from instructions, so a crafted document could redirect the agent's behavior. Because the agent held broad tool permissions, that exposure had real blast radius.

We also found over-broad agent permissions, where tools could take write and external actions that the product never intended to expose. Retrieval boundaries were weak: the vector store lacked consistent per-tenant filtering, creating a path for one customer's data to surface in another's results. RAG ingestion accepted documents without sanitization or source trust controls.

On the conventional side, we flagged an exposed secret committed to the repository, several vulnerable and outdated dependencies, and IaC settings that left storage and network access more open than needed. Findings were ranked by practical risk so the team could act on severity, not noise.

Remediation

We gave the team a prioritized remediation plan and worked through it before the launch. High-severity items came first: separating untrusted retrieved content from trusted instructions, adding input and output handling around the model, and rotating the exposed secret with proper secret management going forward.

We scoped the agent down to least-privilege tool permissions, added per-tenant filtering and access checks at the retrieval boundary, and introduced sanitization and source-trust rules on RAG ingestion. Dependency upgrades and tighter IaC configuration closed out the conventional findings. Each recommendation shipped as a practical, reviewable change the small team could own.

Results

Several high-severity, AI-specific issues were identified and fixed before the launch rather than after customers found them. The team went in with a clear, ranked view of its practical risk and a remediation path it could maintain.

These outcomes are illustrative and estimated for a representative engagement, not audited guarantees. The audit complements tools like Snyk and Semgrep; it is a security review and set of recommendations, not a penetration test or certification.

Why it matters

AI features introduce risk that generic scanners are not built to catch: prompt injection, leaky retrieval boundaries, unsafe ingestion, and agents with more authority than the product intends. For a fast-moving startup shipping AI-generated code, those gaps are easy to miss and expensive to discover in production.

Catching them in a focused review, before a major launch, means fixing AI-specific risk on your timeline instead of your customers'.