What a Production-Readiness Audit Actually Checks: A 12-Point Checklist for UK Apps

A production-readiness audit reviews your app against 12 categories of engineering risk. See exactly what a senior engineer checks, which gaps cost you the most, and how much the audit costs in the UK.


Curated by Matt Perry, CTO

14 April 2026

A production-readiness audit is a structured review of a web application against 12 categories of engineering risk, from authentication and observability to cost controls and incident readiness. It tells you, in writing, exactly where your app will break under real user load and what to fix first. Our fixed-price audit costs £1,950 and is delivered as a written report within 10 business days.

This guide explains what each of the 12 categories covers, what a senior engineer looks for, and which findings usually turn out to be the most urgent. It is written for UK founders and product owners who have shipped something, often with vibe coding tools like Cursor, Lovable or v0, and want an honest read on whether it is ready for real users.

Why a Production-Readiness Audit Matters

Most apps that reach production without an audit fail in predictable ways. The database gets wiped because nobody tested a migration. The LLM bill hits £1,200 after a bot finds the chat endpoint on a Saturday morning. A customer logs in and sees another customer's data. None of these are exotic bugs. They are missing categories of work, and an audit finds them before the users do.

A production-readiness audit is cheap insurance. The £1,950 cost is less than one weekend of runaway API bills, one ICO fine, or one serious outage. You get a prioritised list of what to fix and either the confidence to ship or the honesty to delay.

What Gets Checked: The 12 Categories

Here is the full checklist a senior engineer works through. Each category gets a pass, partial or fail rating with severity and a specific recommendation. Think of it as a production MOT for your app.

#   Category                             What a Senior Engineer Looks For
1   Authentication and Authorisation     Role-based access, row-level security, session handling
2   Secrets and Environment Hygiene      Keys in a vault, nothing in source control or browser
3   Observability                        Structured logs, error tracking, alerts, uptime monitoring
4   Error Handling and Resilience        Retries, timeouts, graceful fallbacks, no bare exceptions
5   LLM Cost Controls                    Per-user budgets, rate limits, spending alerts, hard caps
6   Test Coverage and CI/CD              Tests on critical paths, pipeline that blocks on failure
7   Database Integrity and Migrations    Versioned migrations, rollback path, tested backups
8   Security Posture                     OWASP top 10, input validation, dependency scanning
9   Performance and Scale Ceilings       Indexes, caching, pagination, CDN, connection pooling
10  GDPR and Data Protection             Privacy notice, lawful basis, deletion path, DPAs
11  Deployment and Rollback              Automated deploys, gradual rollout, 60-second rollback
12  Incident Readiness                   Runbook, status page, on-call rota, post-incident reviews

1. Authentication and Authorisation

The question here is not "can a user log in" but "can a user only see and do what they should". Most apps pass the login test. Most apps fail the row-level security test. A senior engineer checks whether every database query knows which user is asking and whether permissions are enforced server-side.

Common failure: any logged-in user can read any record by changing the ID in the URL. Fix: role-based access control and row-level security policies.
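As an added illustration (not code from the article or from the audit itself), the two handlers below show the "change the ID in the URL" failure beside its server-side fix. The in-memory `documents` table, the `HttpError` class and the session shape are constructed for the example; in a real app the ownership check is a `WHERE owner_id = :current_user` clause or a row-level security policy on the database.

```javascript
// Constructed sample data: two customers, each owning one record.
const documents = new Map([
  [101, { id: 101, ownerId: "user-a", title: "Invoice A" }],
  [102, { id: 102, ownerId: "user-b", title: "Invoice B" }],
]);

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// BEFORE: the handler trusts the ID from the URL and never asks who is calling.
// Any logged-in user can read any record by changing 101 to 102.
function getDocumentVulnerable(session, id) {
  const doc = documents.get(id);
  if (!doc) throw new HttpError(404, "not found");
  return doc;
}

// AFTER: the read is scoped to the requesting user (a row-level check), and only an
// explicit "admin" role on the server-side session may cross that boundary.
function getDocumentHardened(session, id) {
  if (!session || !session.userId) throw new HttpError(401, "not authenticated");
  const doc = documents.get(id);
  const isOwner = doc !== undefined && doc.ownerId === session.userId;
  const isAdmin = session.role === "admin";
  // Answer 404 rather than 403 so the response does not confirm that the record exists.
  if (!doc || (!isOwner && !isAdmin)) throw new HttpError(404, "not found");
  return doc;
}

// Small helper so callers (and tests) get an HTTP status instead of a thrown error.
function statusOf(handler, session, id) {
  try { handler(session, id); return 200; } catch (e) { return e.status ?? 500; }
}
```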

2. Secrets and Environment Hygiene

API keys, database credentials and signing keys are the keys to your business. The auditor checks whether they live in a vault (Vercel, AWS Secrets Manager, Azure Key Vault, Cloudflare Workers Secrets) or scattered through the repo. A 60-second key rotation is the benchmark.

Common failure: .env files committed to GitHub, or API keys hardcoded into frontend code where any visitor can read them.

3. Observability

Observability is how you know what your app is doing right now. The auditor checks for structured logs, error tracking, uptime monitoring and alerts. For a Next.js app on Vercel, a working stack looks like Sentry for errors, Axiom or Vercel Logs for logs, and Better Uptime for endpoint checks.

Common failure: no error tracking at all. The founder finds out about bugs from angry customer emails, days after the problem started.

4. Error Handling and Resilience

What happens when an API call fails? When the LLM returns malformed JSON? When the database times out? The auditor traces the failure paths and checks for retries, timeouts, graceful fallbacks and useful user-facing error messages.

Common failure: happy path only. One failed API call crashes the whole session.
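For the malformed-JSON case mentioned above, here is an added example (not from the article): a parser that tolerates fenced or chatty model output, validates the shape the app expects, and hands back a fallback instead of letting `JSON.parse` throw and take the session down. `REQUIRED_FIELDS` and the fallback values are constructed for the example.

```javascript
// Fields the application expects the model to return (constructed for this example).
const REQUIRED_FIELDS = ["summary", "sentiment"];

// Models often wrap JSON in markdown fences or add prose around it; keep only the
// first object-looking span so the parser has a fair chance before giving up.
function extractJsonObject(text) {
  const unfenced = text.replace(/`{3}(?:json)?/gi, "");
  const start = unfenced.indexOf("{");
  const end = unfenced.lastIndexOf("}");
  return start !== -1 && end > start ? unfenced.slice(start, end + 1) : null;
}

// Returns { ok: true, data } or { ok: false, reason, fallback }. The caller can log
// the reason, retry the model call, or show the fallback, but never crashes.
function parseModelResponse(raw) {
  const fallback = { summary: "We could not summarise this right now.", sentiment: "unknown" };
  if (typeof raw !== "string" || raw.trim() === "") {
    return { ok: false, reason: "empty response", fallback };
  }
  const candidate = extractJsonObject(raw);
  if (candidate === null) return { ok: false, reason: "no JSON object in response", fallback };
  let data;
  try {
    data = JSON.parse(candidate);
  } catch (err) {
    return { ok: false, reason: `invalid JSON: ${err.message}`, fallback };
  }
  // Schema check: a syntactically valid object can still be missing what the UI needs.
  const missing = REQUIRED_FIELDS.filter((f) => typeof data[f] !== "string");
  if (missing.length > 0) return { ok: false, reason: `missing fields: ${missing.join(", ")}`, fallback };
  // Copy only the known fields so unexpected extra keys never reach the rest of the app.
  return { ok: true, data: { summary: data.summary, sentiment: data.sentiment } };
}
```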

5. LLM Cost Controls

This category is new. Five years ago it did not exist. Today it is one of the fastest ways to lose serious money. The auditor checks for per-user token budgets, per-request maximum tokens, rate limits by IP and by account, spending alerts and hard stops.

Common failure: a public chat endpoint with no rate limit. One scraping bot on a Saturday morning costs you £1,200.
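As an added example (not the article's or the audit's own code), here is a guard that sits in front of a chat endpoint and implements the controls listed above: a per-request token ceiling, a rate limit by IP, a per-user daily budget, a global hard stop and a spending alert. The limit values, the `createLlmGuard` name and the in-memory counters are assumptions made for the illustration.

```javascript
// The numbers below are constructed illustrative values; tune them to your own cost model.
const LIMITS = {
  maxTokensPerRequest: 1024,    // per-request maximum passed to the model call
  requestsPerMinutePerIp: 20,   // rate limit by IP
  dailyTokensPerUser: 50000,    // per-user token budget
  dailyTokensGlobal: 2000000,   // hard stop for the whole app
  alertAtFraction: 0.8,         // spending alert when global usage crosses this share
};

// State is in-memory here; in production keep it in Redis or the database so every
// serverless instance sees the same counters, and reset the daily totals on a schedule.
function createLlmGuard(limits = LIMITS, alert = (msg) => console.warn(msg)) {
  const ipHits = new Map();     // ip -> timestamps (ms) of recent requests
  const userTokens = new Map(); // userId -> tokens consumed today
  let globalTokens = 0;
  let alerted = false;

  // Call BEFORE the model request. Reserves the worst case (maxTokens) against the
  // budgets so a single request can never push a user or the app past its cap.
  function authorize({ userId, ip, requestedTokens, now = Date.now() }) {
    if (!userId) return { ok: false, status: 401, reason: "anonymous chat is not allowed" };
    const hits = (ipHits.get(ip) || []).filter((t) => now - t < 60000);
    if (hits.length >= limits.requestsPerMinutePerIp) {
      return { ok: false, status: 429, reason: "ip rate limit" };
    }
    const maxTokens = Math.min(requestedTokens || limits.maxTokensPerRequest, limits.maxTokensPerRequest);
    const used = userTokens.get(userId) || 0;
    if (used + maxTokens > limits.dailyTokensPerUser) {
      return { ok: false, status: 429, reason: "user budget exhausted" };
    }
    if (globalTokens + maxTokens > limits.dailyTokensGlobal) {
      return { ok: false, status: 503, reason: "global hard cap reached" };
    }
    hits.push(now);
    ipHits.set(ip, hits);
    return { ok: true, maxTokens }; // pass maxTokens to the provider's max-tokens parameter
  }

  // Call AFTER the model responds, with the token count the provider reports.
  function record(userId, tokensUsed) {
    userTokens.set(userId, (userTokens.get(userId) || 0) + tokensUsed);
    globalTokens += tokensUsed;
    if (!alerted && globalTokens >= limits.alertAtFraction * limits.dailyTokensGlobal) {
      alerted = true;
      alert(`LLM spend alert: ${globalTokens} of ${limits.dailyTokensGlobal} daily tokens used`);
    }
  }
  return { authorize, record, totals: () => ({ globalTokens, alerted }) };
}
```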

6. Test Coverage and CI/CD

Tests are how you know the app still works after a change. CI/CD is the pipeline that runs them automatically. The auditor does not check for 100 percent test coverage. They check for tests on the critical paths (signup, payment, main user journey) and a pipeline that blocks a deploy when tests fail.

Common failure: no tests, no pipeline, every release is a prayer.

7. Database Integrity and Migrations

The database is where your business lives. The auditor checks whether schema changes are versioned migration files in source control, whether migrations can roll back, and whether backups are tested.

Common failure: schema changes made by editing tables in the Supabase dashboard. No version history, no rollback, no tested restore.

8. Security Posture

Security is the broad check of what an attacker can do to your app. The auditor runs through the OWASP top 10 (SQL injection, cross-site scripting, broken access control, and the rest) plus AI-specific risks like prompt injection and training data leakage. Our vibe coding security checklist covers the most common gaps in more detail.

Common failure: inputs not validated, outputs not escaped, dependencies never scanned.

9. Performance and Scale Ceilings

Most vibe coded apps work fine for 50 users and fall over at 500. The auditor looks for missing indexes, unpaginated lists, N+1 query patterns, missing caching, and static assets served from origin instead of a CDN.

Common failure: a homepage query that loads 10,000 records on every request.

10. GDPR and Data Protection

If your app stores personal data on UK or EU residents, the auditor checks for a privacy notice, a lawful basis, a working deletion endpoint, signed data processing agreements with every vendor (including OpenAI if you pass user content to it), and a record of processing activities.

Common failure: no data deletion path. A subject access request would be impossible to honour.

11. Deployment and Rollback

Deployment is how new code gets live. Rollback is how old code comes back when the new code breaks. The auditor tests the rollback path and times it. Under 60 seconds is production-grade. Anything more is a liability.

Common failure: push to main, hope for the best, no way to undo a bad deploy.

12. Incident Readiness

Every app goes down eventually. The auditor checks whether you have a runbook, a status page, an on-call rota and a post-incident review process. Incident readiness is not about preventing problems. It is about surviving them with your reputation intact.

Common failure: no on-call, no runbook, no plan for the day production breaks.

What You Get in the Audit Report

A written report, delivered in 10 business days, that includes:

  • A pass, partial or fail rating for each of the 12 categories
  • Severity ranking (critical, high, medium, low) for every finding
  • Specific remediation steps for each finding
  • A prioritised roadmap so you know what to fix first
  • A 60-minute walkthrough call with the senior engineer who ran the audit

You can take the report and fix the issues yourself, hand it to your development team, or move straight to a two-week hardening sprint where we fix the critical issues for you.

How Much Does a Production-Readiness Audit Cost in the UK?

The fixed price is £1,950. No day rates, no open-ended engagements, no estimates. You pay once, you get a written report inside 10 business days, and you know exactly where your app stands.

Tier                    What You Get                                   Price              Timeline
Audit                   Written report and 60-minute walkthrough       £1,950             10 business days
Hardening Sprint Lite   Audit plus one week of focused fixes           £4,950             1 week
Full Hardening Sprint   Audit plus two weeks of focused fixes          £9,950             2 weeks
Managed Service         24/7 monitoring, on-call, quarterly re-audit   From £1,495/month  6-month minimum

Compare that to the cost of a single junior DevOps engineer at around £60,000 a year, or the cost of one serious incident: lost data, a surprise API bill, or a GDPR fine. The audit pays for itself many times over.

When NOT to Get a Production-Readiness Audit

A production-readiness audit is not right for everyone. Here is when you should hold off:

  • You have no live users and no imminent launch. If you are still building, the audit is premature. Come back when you have real users or a launch date within 60 days.
  • You already have a senior engineering team. A good senior engineer should be doing this review continuously. If you have one, use them.
  • Your stack is not supported. We audit .NET, Next.js, Azure, AWS, Vercel, Supabase and Cloudflare apps. We do not audit Python/Django or Ruby/Rails apps.
  • You need new features more than rigour. An audit tells you what to fix, not what to build. If your core product still needs work to find product-market fit, spend the money on features first.
  • The app is a throwaway prototype. If it is a spike, a demo, or an internal tool with three users, skip the audit.

If any of these apply, the honest answer is to spend the £1,950 elsewhere. We will tell you the same on a discovery call.

What Happens After the Audit

Most founders take one of three paths after the audit report lands:

  1. Fix it themselves. The report is specific enough that a competent developer can work through the recommendations. Good for founders with engineering experience and no live users yet.
  2. Move to a hardening sprint. Two weeks of focused engineering (£9,950) where we fix the critical and high-severity findings, install the missing pieces, and hand over production-grade infrastructure. A one-week Lite version is available at £4,950 for apps with only a handful of critical issues.
  3. Go to a managed service. If the app is live and revenue-generating, the managed service (from £1,495 per month) keeps it healthy with 24/7 monitoring, on-call response and a quarterly re-audit.

No path is required. The audit stands on its own and the report is yours to keep.

Book a Production-Readiness Audit

If your app is live, about to launch, or starting to handle real user data, an audit is the cheapest insurance you can buy. Fixed price £1,950, written report in 10 business days, no surprises.

Book a 20-minute discovery call to talk through your app and decide whether an audit makes sense. We will give you an honest answer, even if the answer is "not yet".

Frequently Asked Questions

What is a production-readiness audit?

A production-readiness audit is a structured review of a web application against 12 categories of engineering risk, from authentication and observability to cost controls and incident readiness. It produces a written report with severity-ranked findings and a prioritised list of what to fix. Our audit costs £1,950 and is delivered within 10 business days.

How much does a production-readiness audit cost in the UK?

Our audit is a fixed price of £1,950, delivered in 10 business days. There are no day rates or hidden fees. Hardening sprints to fix the issues start at £4,950 for one week and £9,950 for two weeks. A single junior DevOps engineer costs over £60,000 a year, so an audit is much cheaper than hiring.

What does a production-readiness audit actually check?

It checks 12 categories: authentication, secrets management, observability, error handling, LLM cost controls, test coverage and CI/CD, database integrity, security posture, performance ceilings, GDPR compliance, deployment and rollback, and incident readiness. Each category is rated pass, partial or fail, with severity-ranked findings and specific remediation steps.

How long does a production-readiness audit take?

Ten business days from kick-off to written report. A senior engineer spends the first week reviewing your repository, deployed app and infrastructure. The second week is spent writing the report and preparing the 60-minute walkthrough call. You receive the report, the walkthrough, and a prioritised roadmap.

Do I need an audit if my app was built with Cursor or Lovable?

Probably yes, if you have real users or are about to launch. Vibe coding tools optimise for the first run, not the ten-thousandth. They rarely ship with observability, LLM cost controls, proper rollback or GDPR compliance. An audit tells you in writing what is missing and how urgent each gap is.
