HikmShield

The security review for Next.js + Supabase apps.

66 OWASP-mapped checks, plus expert review of what scanners can't judge — your RLS policies, auth flows, and business logic. Fixed price. Plain-English report with a letter grade, in five business days.

Fixed price, fixed turnaround. No quote forms, no sales calls unless you want one.

Next.js + Supabase is the specialty — Express and any TypeScript/Node app are covered too.

22
categories
66
OWASP-mapped rules
A–F
letter grade
5 days
turnaround

Scanners check if security is switched on. We check if it actually works.

AI codegen ships fast — and ships the same mistakes at scale. A scanner can tell you RLS is enabled. It can't tell you the policy lets any signed-in user read every row. That judgment is the review.

RLS policy logic

Whether your row-level security policies actually isolate users and tenants — correctness, not presence.

Auth flows

Session handling, middleware gaps, privilege boundaries, and the routes that quietly skip all three.

Business logic

The bugs only context finds: payment paths, role escalation, the admin action a user can reach.

How it works

1 — Scan

The deterministic pass: 66 rules across 22 categories, every finding mapped to OWASP. Reproducible checks, not vibes.

2 — Expert review

AI-assisted expert review of the things pattern-matching can't judge: RLS logic, auth flows, business logic.

3 — Report

A plain-English HTML report with a letter grade and a prioritized remediation plan. Fix, then use your free re-scan to verify the grade improved.

All 22 categories

SecretsRLSAuthValidationAccess controlInjectionPath traversalXSSCSRFDependenciesRate limitingWebhooksCryptoJWTLLM injectionCookiesAI securityCORSFile uploadExposureSilent failuresHeaders

See the exact deliverable before you pay.

Most firms gate their reports behind a sales call. Ours is one click away — the full report, generated by the real scanner against a deliberately vulnerable demo app. Letter grade and all.

Open the sample report
HikmShield Security ReportGrade F
  • critical — service-role key exposed to the client
  • critical — RLS disabled on user data table
  • high — SQL built from unvalidated input
  • high — auth check missing on API route
  • … 28 more findings, each with location + fix

Fixed prices. Published, like they should be.

Sitting between $200 automated scans that judge nothing, and $5,000+ assessments you don't need yet.

Baseline Scan

Know where you stand

$500

2 business days

  • Deterministic scan — 66 rules across 22 categories, OWASP-mapped
  • Client-ready HTML report with a letter grade
  • Findings prioritized by severity, with plain-English business impact
  • Full $500 credited toward a Full Review within 30 days
Book Baseline Scan
Most reviews start here

Full Review

The complete picture

$1,800

5 business days

  • Everything in Baseline Scan
  • AI-assisted expert review of what scanners can't judge — RLS policy logic, auth flows, business logic
  • Prioritized remediation plan with per-finding fix guidance
  • Optional 30-minute findings walkthrough call
  • Free re-scan after you fix, within 30 days — updated grade
Book Full Review

Review + Fix

Done for you

$4,000

10 business days

  • Everything in Full Review
  • All critical and high-severity findings fixed by us (one app / one repo)
  • Verification re-scan with an updated grade and report
  • Medium/low fixes quoted separately if you want them
Book Review + Fix

A security review, not a penetration test. No exploit simulation, no compliance certification — and no pretending otherwise. What you get is a rigorous, reproducible review of your actual code, written so you can act on it, with evidence you can attach to a security questionnaire.

You talk to the person who built the scanner.

HikmShield is built and run by Hikm Systems. No BDRs, no junior analysts, no handoffs — the person who wrote the 66 rules does your review and writes your findings in language your whole team can read.

Is this a penetration test?

No — and we won't call it one. This is a code security review: a deterministic scan plus expert review of your repo. It's the right depth for pre-launch and pre-handoff apps, at a fraction of pentest pricing. The report is evidence you can attach to a security questionnaire; it is not a compliance certification.

What do you need from me?

Read access to the repo, and five minutes of context on what the app does. That's it — no calls required unless you want the walkthrough.

What happens to my code?

It's reviewed privately with proprietary tooling. Access is scoped to the review and removed after delivery. Your code and findings are never shared.

What stacks do you cover?

Next.js + Supabase is the specialty — including whether your RLS policies actually isolate users, not just whether they exist. Plain Next.js, Express, and generic TypeScript/Node apps are covered too.

Ship it knowing what's in it.

Tell us where the code lives and which tier you want. We reply within one business day — straight to admin@hikmsystems.com, no sales call unless you ask for one.

Want proof first? See the sample report.