A security audit kit that adapts to your business.
A real audit, not a 50-item checklist that ignores your industry, your stack, or what you actually collect.
Answer 8 questions about your business. The kit generates a tailored audit — an automated code scan against your codebase, dashboard checks you walk through yourself, areas where you may want to consult a professional, and a vendor security questionnaire your B2B customers will eventually ask you to fill out. Built for indie founders, small business owners, and the developers who get handed “we need to be secure” with no budget.
By purchasing, you agree to our Terms.
See what’s inside
$49 launch price · One-time payment · 12 months of free updates included
Most security advice is built for enterprise. You aren’t.
“You need SOC 2.” Pay $7,500+/year for Vanta, Drata, or Secureframe.
“You need a pentest.” Pay $5,000–$50,000 for a real one.
“You need a security policy.” Pay an attorney $2,000+ to draft one.
Or — buy a $5 Notion template that ignores your industry, asks you 200 generic questions, and leaves you no closer to knowing whether your customer data is actually locked down. Nobody serves the middle.
Everything you need to run the audit. One bundle.
Every file is brand-styled, plain-English, and built for a non-technical reader (with a “send to your developer” handoff where it gets technical).
Business audit questionnaire
Answer 8 questions about your industry, what data you collect, your team size, and where your customers live. Generates a customized checklist — you only see the security items that apply to your setup, and flags compliance topics that may be relevant for you to discuss with a qualified professional.
AI terminal scan prompt
Paste into Claude Code, OpenAI Codex, Cursor Agent, or Windsurf Cascade. The AI scans your actual codebase for exposed secrets, missing security headers, SQL injection, missing rate limits, and outdated dependencies — and tells your developer exactly where to look.
Dashboard checks with SQL
Six checks that live inside your provider dashboards — your database access controls, hosting 2FA, domain registrar lock, database backups, admin team list, and production secret keys. The kit walks you through each one with illustrated step-by-step visuals and (where it applies) copy-paste SQL.
Vendor security questionnaire (interactive)
When a B2B customer sends you a 25-question vendor security questionnaire (and they will), this template has pre-written answers with verification checklists telling you what must be true before you say “yes.” Generates a downloadable response document.
Panic mode — 15-minute emergency stabilization
If you got hacked, your contractor walked out, or you got a breach notice today: 5 actions in 15 minutes covers ~80% of immediate exposure. Email, domain, access revocation, financial alerts, emergency contacts.
Bonus pack — 10 deeper checks (included free)
The next layer for businesses past the basics: user access controls, admin page protection, file upload risks, webhook signature verification, password reset flows, logging & alerts, vendor access reviews, AI tool data safety, and URL-import sanitization. Use after the main 3 steps when you’re ready to go deeper.
Inside the kit.
No code, no command line, no Notion-template feel. Every file opens in your browser like a clean web page.
Click-by-click walkthrough for Supabase, Firebase, Neon, and others. Paste the SQL below into your SQL editor.

```sql
-- Lists every table in the public schema and whether row-level security (RLS) is enabled.
-- The SELECT list is assumed here; the preview on this page shows only the FROM/WHERE clauses.
SELECT tablename, rowsecurity
FROM pg_tables
WHERE schemaname = 'public';
```
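The kit's check above tells you whether RLS is switched on per table. A table with RLS on but no policies, or with a policy that allows everything, can still be a problem, so the added example below (written for this page, not taken from the kit) goes one step further: it joins the standard PostgreSQL `pg_tables` and `pg_policies` catalog views to show, for every public table, the RLS flag, the number of policies, and a plain-English verdict, then lists the policy text so you can read what each policy actually permits. It assumes a PostgreSQL database (Supabase, Neon, or plain Postgres); the verdict strings are constructed for readability.

```sql
-- Added example: RLS status plus policy count for every table in the public schema.
-- Uses only the standard catalog views pg_tables and pg_policies.
SELECT t.tablename,
       t.rowsecurity                        AS rls_enabled,
       COUNT(p.policyname)                  AS policy_count,
       CASE
         -- RLS off: any role that has been granted SELECT on the table reads every row
         WHEN NOT t.rowsecurity
           THEN 'OPEN: RLS is off, table grants alone decide who reads it'
         -- RLS on with zero policies: default deny for every non-owner role
         WHEN COUNT(p.policyname) = 0
           THEN 'DENY-ALL: RLS on, no policies, nothing readable through the API'
         ELSE 'REVIEW: read each policy in the second query'
       END                                  AS verdict
FROM pg_tables t
LEFT JOIN pg_policies p
       ON p.schemaname = t.schemaname
      AND p.tablename  = t.tablename
WHERE t.schemaname = 'public'
GROUP BY t.tablename, t.rowsecurity
ORDER BY t.rowsecurity, t.tablename;

-- The policy text itself. A USING clause of "true" on a SELECT policy means
-- every row is readable by the listed roles (including anon, if it is listed).
SELECT tablename,
       policyname,
       cmd,         -- SELECT, INSERT, UPDATE, DELETE or ALL
       roles,       -- which database roles the policy applies to
       qual,        -- the USING expression (row filter for reads)
       with_check   -- the WITH CHECK expression (row filter for writes)
FROM pg_policies
WHERE schemaname = 'public'
ORDER BY tablename, policyname;
```

On Supabase, every table in the public schema is reachable through the auto-generated REST API with the public anon key, so a row marked OPEN in the first query, or a SELECT policy whose `qual` is `true` for the `anon` role in the second, is the "database table that forgot to lock itself" this kit is talking about. Table owners bypass RLS unless `FORCE ROW LEVEL SECURITY` is set, so run these queries as an owner-level user to see the full picture, but remember that what matters is what the API roles can see.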
To honestly say YES, all of these must be true:
Stylized previews. Actual kit files include illustrations, copy-paste SQL, interactive checkboxes, and a generated report.
Three steps.
Open one file. It walks you through everything. Stop and resume whenever — your progress saves.
Browser questionnaire
Open in your web browser. Answer 8 questions. Get a tailored checklist with every item tagged “YOU DO THIS” / “ASK YOUR DEV” / “ASK AN ATTORNEY” so you know who handles what. Flags compliance topics that may be relevant to your business.
AI terminal scan (or hand it to your developer)
Paste the prompt into Claude Code on your project. The AI runs grep scans against your real code, asks you about your stack, and produces a prioritized report. Not technical? One click on the questionnaire page generates a Slack-ready message to send to your developer.
Dashboard checks
Walk through 6 settings in your Supabase, Vercel, GitHub, and domain registrar dashboards. Includes annotated illustrations of where to click and the SQL to run. This is where most actual small business breaches happen. Don’t skip it.
Built for small teams without a security department.
✓ This is for you if…
- You run a small business with a website and you collect customer data
- You’re an indie SaaS founder who just landed a customer asking about your security
- You’re a developer building solo or in a small team without a dedicated security person
- You’re an agency running this audit for client websites
- You bought Vanta / Drata and you’re drowning in their first questionnaire
- You got hacked once and you don’t want it to happen again
✗ This is NOT for you if…
- You need a SOC 2 Type II certification (go talk to an auditor)
- You need a real penetration test (hire a pentest firm — $5K–$50K)
- You handle regulated data at scale (you need a compliance consultant)
- You expect us to write your legal documents (consult an attorney)
- You’re looking for a one-click “make me secure” magic button (doesn’t exist)
After the audit, you’ll know:
- Whether old contractors or employees still have access to your business accounts
- Whether your domain is protected against transfer-away theft or expiration
- Whether your customer database is exposed to anyone who can log in
- Whether your code has obvious leaked secrets (API keys, passwords, tokens)
- Whether your hosting account would survive a stolen password
- Whether your backups actually work when you need them
- Which security tasks belong to you vs. your developer vs. an attorney
- Which compliance or legal topics are worth raising with a professional
- How to answer the security questionnaire your next B2B customer will send
A sample finding from the audit looks like this:
If your password is leaked (phishing, breach, or reused on another site), someone could log into your hosting dashboard and change, take down, or delete your live website. Two-factor authentication adds a second step they wouldn’t have.
Affordable. Smarter than templates.
This kit does not replace enterprise compliance certification or a professional pentest. It helps you close the common gaps that take down most small businesses before you need those.
| Option | Cost | What you get |
|---|---|---|
| Real penetration test | $5,000–$50,000 | Deep, professional. Overkill for most small businesses. |
| Vanta / Drata / Secureframe | $7,500–$15,000 / year | Built for enterprise compliance teams, not small-business first audits. |
| Sucuri / Probely / Intruder | $19–$99 / month | Automated scanners. Useful, but no questionnaire, no compliance signposting. |
| Random Gumroad checklist | $5–$30 | Generic. Doesn’t know your industry, your stack, or your data. |
| Cautellus Security Audit Kit | $49 launch price | Customized · code-scan AI · dashboard checks · vendor questionnaire · compliance signposts |
“Why pay $49 when AI is free?”
Fair question. Here’s the honest answer.
When you cold-prompt ChatGPT or Claude with “audit my site for security,” you get a generic top-10 list. The AI doesn’t know your industry, your data, your stack, your team size, or your customers’ region. It can’t open your Supabase dashboard. It won’t volunteer a vendor questionnaire template. It might suggest grep commands that don’t work on your codebase. And every conversation starts over — you re-explain your business every time.
This kit is the curation layer the AI doesn’t have.
| Cold-prompting an AI | This kit |
|---|---|
| “Audit my Next.js site” → generic top-10 list | Custom audit based on your industry, data, team size, and customer region |
| Suggests grep commands; some hallucinated, some that break on your stack | Tested grep patterns designed to reduce common false positives |
| Dumps 30 findings at once — you freeze, close the tab | Communication rules baked in: AI walks one section at a time, translates jargon, offers to make fixes for you |
| You re-explain your business every new conversation | Step 1 → Step 2 handoff carries your answers — the AI skips the questionnaire on round two |
| Doesn’t have access to your Supabase, Vercel, or registrar dashboards | Pre-built dashboard checks with annotated illustrations + copy-paste SQL |
| If a B2B customer sends a security questionnaire, you start from scratch | Pre-built 25-question vendor questionnaire template with verification checklists |
| If you got hacked today, you’d Google “what do I do now” | Panic mode: 15-minute playbook, 5 actions, ready before you need it |
AI is the engine. This kit is the steering wheel and the map.
I built this because most small businesses don’t need enterprise compliance software to start. They need to know whether the obvious doors are locked — the reused password, the contractor who never got removed, the database table that forgot to lock itself.
The fancy threats get headlines. The boring stuff takes businesses down. This kit catches the boring stuff.
Founder, Cautellus
Security Audit Kit
- 11 files: full audit, AI prompt, dashboard checks, vendor questionnaire, panic mode, bonus checks
- HTML format (most files) + Markdown format (for Notion / Obsidian / dev editors)
- One-click developer-handoff message generator
- Copy-paste SQL for Supabase RLS verification
- Industry-specific checks (healthcare, e-commerce, finance, legal, etc.)
- Flags compliance topics worth raising with a qualified professional
- 12 months of free updates included — always have the current version
- Lifetime access to the version you buy — no expiration
12 months of updates included. Every refresh of the bundle gets delivered to you for a full year from your purchase date. After 12 months, optional renewal keeps it current.
Honest answers.
I use Shopify / Wix / Squarespace / WordPress (no custom code). Is this for me?
Yes. Skip the AI code scan (Step 2) — you don’t have a codebase to scan. Run the browser questionnaire (Step 1), the dashboard checks (Step 3), and the vendor questionnaire (Step 4) if you ever need one. That covers the security side of your business even without custom code.
Is this actually a security audit, or just a checklist?
Both, on purpose. The business questionnaire customizes a checklist to your specific business. The AI terminal scan runs real grep commands against your real code and finds real vulnerabilities. The dashboard checks walk you through provider settings the AI doesn’t have direct access to. Together they cover the boring stuff that takes most small businesses down — without pretending to be a pentest.
Will this replace a real pentest?
No. A real pentest costs $5K–$50K and pays a human security professional to actively try to break in. This kit finds the most common gaps before a pentester would. If you’re high-risk (regulated data, large enterprise customers, public profile), you should still get one.
I’m not technical. Can I still use this?
Yes — Steps 1, 3, and 4 are browser-based with plain-English instructions and no terminal required. Step 2 is the technical part; the questionnaire generates a one-click message to send to your developer with all the context they need. You can run Steps 1, 3, 4 yourself while they handle Step 2 in parallel.
Does it provide legal advice or write my privacy policy / terms of service?
No. This kit does not provide legal advice and does not write legal documents. The audit may flag general topics or policy areas (like privacy notices or vendor agreements) that small businesses commonly need to think about — based on your answers — but any actual legal text, regulatory determination, or compliance certification must come from a qualified attorney or compliance professional in your jurisdiction.
What AI tools does the terminal scan work with?
Best tested in Claude Code. Designed to also work in OpenAI Codex, Cursor Agent, and Windsurf Cascade — these have terminal and project-folder access. Plain chat modes (ChatGPT Free, GitHub Copilot Chat) can’t run the scans because they lack terminal access. Full compatibility matrix is included in the kit.
What’s included with updates?
12 months of free updates ship with every purchase. When Vercel renames a menu, Supabase ships a new dashboard, a new state passes a privacy law, or a new vulnerability pattern emerges, you get the updated bundle delivered to you for a full year. After 12 months, optional renewal keeps the updates flowing — but the version you have always works.
How long is the $49 launch price available?
The $49 launch price is available through June 30, 2026. After that, the kit returns to the regular $69 price. Buy now if you want the launch rate locked in.
Can I use this on client websites if I’m an agency?
Yes — the license allows agency use on client projects. For white-label resale or bulk licenses, email us.
You can’t fix what you don’t know.
$49 once. The audit a small business actually needs — not a 200-question enterprise questionnaire and not a $5 generic checklist.
$49 launch price ends June 30 · Then $69 · Instant download