Pricing
Start free. Upgrade when you want more. Findings only — your team ships the fixes.
| Feature | Free Scan ($0 per scan): 60-second automated, every result shown | Spot Check ($150 one-off, most popular): 48-hour deep audit, reviewer pass + Loom | Standard Audit ($400 one-off): 5-day expert audit with strategy call | Cost Optimization ($350 one-off): egress, compute, storage waste audit | AI-Feature Safety ($450 one-off): prompt-injection, key handling, rate limits | Investor-Ready (from $2,500 one-off): architecture diagram, risk register, tech-DD |
|---|---|---|---|---|---|---|
| Turnaround | ~60s | 48 hours | 5 business days | 5 business days | 5 business days | 10–14 days |
| Checks | 8 essential | 25 (8 + 17 deeper) | 75 | Cost specialist | AI specialist | 75+ |
| AppPulse Score across 4 dimensions | | | | | | |
| Every result shown, no cap | | | | | | |
| Reproduction steps | | | | | | |
| Code-level scans (file + line) | | | | | | |
| Post-login flow coverage | | | | | | |
| Multi-route Lighthouse | | | | | | |
| Report | Email summary | 5-page report | 15-page report | 10-page report | 12-page report | 20+ page report |
| Loom walkthrough | | 10 min | 25 min | 20 min | 20 min | 45 min |
| Reviewer pass + 1 round of clarification | | | | | | |
| 30-min strategy call | | | | | | |
| Cost projection at 10× and 100× users | | | | | | |
| Prioritised fix roadmap with hour estimates | | | | | | |
| Architecture diagram | | | | | | |
| Risk register (CSV) | | | | | | |
| Tech-DD questionnaire pre-fill | | | | | | |
| Re-audit included (within 90 days) | | | | | | |
| | Run free scan | Book Spot Check | Book Standard | Book Cost Opt | Book AI Safety | Talk to us |
What we typically find
These came out of paid AppPulse audits in the last quarter. App identity stripped — just the class of issue and severity.
Missing Strict-Transport-Security header
The response is served without a Strict-Transport-Security header, so browsers never learn to force HTTPS for the host. A user who types the bare domain or follows an http:// link on a hostile network can be held on plain HTTP (SSL stripping) and never reaches the redirect to TLS. HSTS closes this after the first successful HTTPS visit; preloading closes it for the first visit too.
No Content-Security-Policy is set. Without one the browser executes every script the page loads, including anything an XSS attacker manages to inject. A nonce- or hash-based CSP is the single strongest defence-in-depth mitigation for XSS-class bugs: the injection still lands in the HTML, but the injected script does not run. It does not replace fixing the injection itself.
Largest Contentful Paint at 14.4s on mobile. Google's Core Web Vitals threshold for "poor" LCP is anything over 4s; "good" is 2.5s or under.
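The two header findings above are mechanical to check. Below is an added example, written for this page and not AppPulse's scanner or any code from the audits it describes, that evaluates a response's headers for a missing or weak HSTS policy and a missing or bypassable CSP. The header dicts and the severity labels are constructed for the example; thresholds (one-year max-age, nonce/hash requirement for inline scripts) are the commonly recommended ones.

```python
"""Check response headers for HSTS and CSP weaknesses (added example)."""
from dataclasses import dataclass

ONE_YEAR = 31536000  # max-age below this is commonly flagged as too short


@dataclass
class Finding:
    check: str
    severity: str  # assumed label set: HIGH / MEDIUM / LOW
    detail: str


def parse_hsts(value):
    """Turn 'max-age=31536000; includeSubDomains; preload' into a dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers):
    """Return findings for a missing or weak Strict-Transport-Security header."""
    h = {k.lower(): v for k, v in headers.items()}
    value = h.get("strict-transport-security")
    if value is None:
        return [Finding("HSTS", "MEDIUM",
                        "no Strict-Transport-Security header; HTTP downgrade stays possible")]
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return [Finding("HSTS", "MEDIUM", f"unparseable max-age in {value!r}")]
    findings = []
    if max_age == 0:
        findings.append(Finding("HSTS", "MEDIUM", "max-age=0 disables HSTS"))
    elif max_age < ONE_YEAR:
        findings.append(Finding("HSTS", "LOW", f"max-age={max_age} is under one year"))
    if "includesubdomains" not in d:
        findings.append(Finding("HSTS", "LOW",
                                "includeSubDomains missing; subdomains remain downgradeable"))
    return findings


def parse_csp(value):
    """Turn 'default-src 'self'; script-src 'self' 'nonce-x'' into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(headers):
    """Return findings for a missing CSP or one that still lets injected scripts run."""
    h = {k.lower(): v for k, v in headers.items()}
    value = h.get("content-security-policy")
    if value is None:
        if "content-security-policy-report-only" in h:
            return [Finding("CSP", "MEDIUM", "CSP is report-only; nothing is enforced")]
        return [Finding("CSP", "HIGH", "no Content-Security-Policy; any injected script executes")]
    policy = parse_csp(value)
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        return [Finding("CSP", "HIGH", "neither script-src nor default-src set; scripts unrestricted")]
    findings = []
    # A nonce or hash source makes browsers ignore 'unsafe-inline', so only flag it when neither is present.
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append(Finding("CSP", "HIGH",
                                "script-src allows 'unsafe-inline' without nonce/hash; inline XSS payloads still run"))
    if "*" in script or any(t in ("http:", "https:") for t in script):
        findings.append(Finding("CSP", "MEDIUM", "script-src allows scripts from any origin"))
    return findings


def audit_headers(headers):
    """Run both checks over one response's headers."""
    return check_hsts(headers) + check_csp(headers)


# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK = {"Content-Type": "text/html; charset=utf-8", "Server": "nginx"}
SAMPLE_HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, [(f.check, f.severity, f.detail) for f in audit_headers(hdrs)])
```

Both checks are header-level only: a short `max-age` or a report-only CSP pass a naive "header present" test but are caught here, which is the distinction a 60-second scan needs to make. The CSP check looks only at the script-restricting directive; a real policy review also covers `object-src`, `base-uri` and `frame-ancestors`.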
Continuous Monitoring
Re-scans on a schedule. Alerts when something drops. Verified badge tied to a live A or B score.
| Feature | Basic ($97/mo): weekly re-scan + email digest | Pro ($297/mo): daily scans + alerts + Verified badge | Enterprise ($997/mo): continuous + reviewer escalation + SLA |
|---|---|---|---|
| Full scan cadence | Weekly | Daily | Continuous |
| Security scan cadence | Weekly | Daily | Continuous |
| New CRITICAL alert | | Email + Slack | Phone + Slack |
| New HIGH alert | Email digest | Email + Slack | Email + Slack |
| Score-drop alert | | | |
| New CVE alert (on declared stack) | | | |
| AppPulse Verified badge | | | |
| Apps included | 1 | 5 | Unlimited |
| Quarterly strategic review call | | | |
| | Talk to us | Talk to us | Talk to us |
FAQ
Refund half within seven days of delivery. It's a Terms of Service clause, not a marketing claim — calibration is the brand.
Yes. 14-day pause with 50% credit applied to your next billing cycle. After 14 days the subscription resumes.
Spot Check has a 'no code access' opt-out: same price, URL + database probes only. The deeper code-level checks are skipped; everything else still runs.
Re-audit any tier within 90 days of delivery for 50% of the original price. Outside the window, it's a fresh order at full price.
Not in v1. Agencies — drop a line at olamide@apppulse.net and we can talk about reseller terms once we've shipped enough audits to know what white-labelling actually requires.
Enterprise Monitoring includes one custom check definition per quarter. Below that tier, custom checks aren't supported — the standard 8 / 25 / 75 are the same for every customer so calibration holds.
Free: 30 days. Paid one-off audits: 12 months active + 12 months cold archive. Monitoring: retained while subscribed plus 90 days after cancellation.
See what we catch in 60 seconds. Upgrade when you want depth.