AI coding tools — Cursor, Copilot, Claude, ChatGPT, Lovable, Bolt, and others — can build a working application in hours. What they can't do is know to ask about your privacy obligations, your PCI scope, your data residency requirements, your authentication architecture, or the OWASP vulnerabilities that will get you hacked six months after launch. ThreeShield reviews the code your AI generated, and reviews the requirements your AI was never given.
SAST and DAST tools are excellent at finding known vulnerability patterns. They are poor at understanding business logic, authentication flows, and the context-specific flaws that make the difference between a theoretical issue and an exploitable breach.
PCI DSS v4.0.1 Requirement 6 mandates secure development practices, security training for developers, and code review for custom application code in the cardholder data environment. ThreeShield's code reviews satisfy the Requirement 6.3.2 code review obligation with documentation suitable for QSA review.
Reviews are structured against the OWASP Top 10 (Injection, Broken Auth, XSS, IDOR, Security Misconfiguration, Vulnerable Components, Logging Failures, SSRF, and others) and where appropriate, the Application Security Verification Standard (ASVS) for more comprehensive verification requirements.
Applications handling personal or health information need to implement privacy-by-design principles in code — not just in policy documents. ThreeShield's reviews assess data minimization, storage encryption, access logging, and consent mechanisms in code, mapping findings to your applicable privacy framework.
For organizations running bug bounty programs, ThreeShield can review incoming submissions, triage severity, and manage the response process. We can also help scope and structure your bug bounty program to encourage high-quality submissions while limiting the scope to what you can actually remediate. Note: third-party services and code are excluded from ThreeShield's own bug bounty program.
A one-time code review finds point-in-time issues. But code changes every week — new features, new plugins, new integrations, new developers making decisions without a security lens. ThreeShield offers ongoing security review that fits into your development process at a cadence and budget that makes sense for your team. Not every organization needs a full-time security engineer in every pull request. Most do need someone reviewing the security-critical changes before they ship.
ThreeShield reviews your codebase on whatever cadence suits your budget and development pace — weekly, monthly, per-release, or per-sprint. We focus on changes that matter most for security: authentication flows, authorization logic, data handling, payment processing, API endpoints, and new third-party integrations. This model gives development teams a consistent security checkpoint without the overhead of a dedicated in-house security engineer. Code doesn't have to be hand-written for this to apply — we review AI-generated code, vibe-coded features, and prompt-engineered components on the same cadence as anything else.
ThreeShield configures pre-commit security checks and provides developer-facing secure coding guidelines specific to your stack and business context. The goal is shifting security left — catching issues when they are cheapest to fix, not during a penetration test that delays your release. Guidelines are written for your developers with concrete examples from code that looks like theirs: patterns to avoid and patterns to use instead.
We integrate appropriate SAST/DAST tools into your CI/CD pipeline — GitHub Actions, GitLab CI, Jenkins, Azure DevOps, or whatever you use — and configure them to surface results without flooding developers with noise. ThreeShield reviews SAST/DAST output and provides context on which findings are genuine versus false positives, so your developers are acting on real issues rather than chasing scanner artifacts.
WordPress plugins are one of the most common breach vectors for small and medium organizations — not because WordPress is inherently insecure, but because plugin updates are irregular, abandoned plugins accumulate, and new plugin installs rarely go through security review. ThreeShield monitors WordPress, WooCommerce, Drupal, and other CMS installations for known-vulnerable plugin versions, unauthorized plugin additions, core version lag, and configuration issues. When a plugin vulnerability is disclosed, you find out before an attacker exploits it. We also review custom WordPress theme and plugin code for common vulnerabilities: SQL injection through custom queries, XSS in output functions, improper nonce handling, and privilege escalation in capability checks.
ThreeShield participates in focused security review for high-stakes changes — a new payment integration, a new authentication system, a new API that exposes customer data, or a major refactor of security-critical code. This is the "axe-sharpening" model: a targeted security review of a specific change costs a fraction of what it costs to remediate the same issue during a penetration test or after a breach. We review pull requests, staged changes, or code branches — whatever fits your workflow.
Security review findings are most valuable when they teach developers to avoid the same issue in future code. ThreeShield provides developer-facing training on the specific vulnerability classes relevant to your stack — concrete examples from code that looks like yours, not generic slide decks. Training is most effective immediately after a code review, while the examples are fresh and directly relevant.
Vibe coding, prompt engineering, and LLM-assisted development produce real products that go into production every day. The tools are remarkable. The gap is that AI coding assistants — Cursor, Copilot, Claude, ChatGPT, Lovable, Bolt — optimize for working code, not for secure, compliant, or auditable code. The requirements that matter most for security are exactly the ones nobody thought to include in the prompt.
You described what you wanted to build. The AI built it. It works. Users can log in, data saves, emails send. Then a security auditor — or a sophisticated attacker — looks at it and finds that session tokens never expire, the admin panel is accessible to any authenticated user, database queries are injectable, and users' personal data is stored in a US data centre in violation of your healthcare client's data residency requirement.
None of this is the AI's fault. It built exactly what was described. The problem is that security requirements, compliance obligations, and threat modelling were never part of the description — because most people don't know to include them.
ThreeShield reviews what you built against what it should have been built to do. We've been doing secure code review since before AI could write code. We know what the requirements look like, we know what's missing, and we know how to fix it before your product fails its first security audit or gets compromised.
The cheapest fix is the one made before anything is built. ThreeShield offers requirements review for organizations building new applications — whether through traditional development, AI-assisted tools, or describing an idea to an LLM and iterating from there.
Who uses your application? What can go wrong? What does a malicious user try to do? Threat modelling before development identifies the security requirements your prompt never included. For AI-assisted projects, this is the conversation that should happen before you generate the first component.
Your application may be subject to Alberta PIPA, PIPEDA/CPPA, Quebec Law 25, HIPAA, PCI DSS, or GDPR — without you knowing it. ThreeShield determines which regulations apply based on what your application does, who it serves, and where it operates. These obligations don't appear in your requirements unless someone who knows them puts them there.
If your application touches payment card data, PCI DSS applies. The scope of compliance depends entirely on how your application is designed. ThreeShield reviews the design before development to minimize scope, identify the right SAQ type, and ensure the architecture doesn't create unnecessary compliance obligations. Scope reduction is far cheaper than scope remediation.
How users log in, how sessions are managed, how permissions are enforced, and how privileged access is controlled — these decisions made at the design stage determine most of an application's security posture. ThreeShield reviews authentication architecture against OWASP standards and your specific compliance requirements before the first line of code is written.
AI tools often select infrastructure defaults that are convenient for development and insecure in production — publicly accessible storage buckets, database instances with no network restriction, logging disabled by default. ThreeShield reviews infrastructure-as-code and cloud configurations before deployment.
The output of a requirements review is a security requirements document you can give directly to your development team — or use as additional context for your AI tools. Specific, testable requirements covering authentication, data handling, session management, input validation, error handling, logging, and applicable compliance obligations. Build the right thing the first time.
You used Cursor, Lovable, Bolt, ChatGPT, or Claude to build your MVP. It works. Now a prospective enterprise client is asking about your security posture, you're entering a regulated market, or you just want to know if it's safe before you scale. ThreeShield reviews what was built and tells you what needs to change.
You know how to build things with AI. You're not a security professional. Your product is real and users are depending on it. ThreeShield provides the security review that bridges the gap between "it works" and "it's safe" — written in plain language, prioritized by risk, with specific fixes your AI can help you implement.
AI-assisted development is faster. It's also subject to the same vulnerabilities as hand-written code — plus some new ones introduced by models that optimize for functionality over security. ThreeShield augments your development process at the code, architecture, and requirements level.
Your application is about to go through a penetration test, a SOC 2 audit, a PCI assessment, or a customer security review. ThreeShield's pre-audit review identifies what the auditor will find — so you can fix it before the report is written.
A penetration test found critical vulnerabilities. An audit failed. A breach happened. ThreeShield's remediation-focused review identifies root causes and the systemic changes that prevent recurrence — not just the symptoms that got exploited.
Your application is entering healthcare, financial services, or another regulated sector. The requirements you didn't know about — Alberta HIA, OSFI B-13, PCI DSS, HIPAA — apply regardless. ThreeShield identifies what applies and what needs to be built before your first regulated client signs.
A penetration test looks at your application from the outside — it finds vulnerabilities that are externally exploitable by someone without source access. A code review looks at the source code directly and finds vulnerabilities that aren't yet externally reachable, logic flaws that no scanner can detect, and security debt in code that hasn't been deployed yet. Ideally you do both: code review before release, penetration test after. Many compliance frameworks — PCI DSS Requirement 6, SOC 2, ISO 27001 — specifically require code review in addition to penetration testing.
Yes — and this is increasingly the most important use case. AI-generated code has the same vulnerability classes as hand-written code, plus patterns introduced by models that optimize for functionality over security. The deeper problem is that AI tools don't ask about your compliance requirements, privacy obligations, threat model, or regulatory environment — so even functionally correct AI code often has systemic gaps in authentication, authorization, data handling, and error management. ThreeShield reviews the code and the requirements it was given — and identifies what was missing from the prompt.
ThreeShield can work with full repository access, targeted file access, or code snippets depending on your comfort level. Targeted access focused on authentication, authorization, data handling, payment flows, and third-party integrations typically yields the highest-value findings in the least time. Full access enables a comprehensive review including dependency analysis and configuration review. We recommend the right scope after an initial conversation about your application.
Code shared with ThreeShield is handled under NDA and subject to the same security controls we apply to all client data — encrypted storage, access controls, and retention limits. We never copy, store, or retain source code beyond the scope of the engagement. Secure transfer options include direct repository access with revocable credentials or encrypted file transfer. We do not retain copies after engagement completion. For particularly sensitive codebases, we can discuss air-gapped review options.
Yes — for custom code, plugins, themes, and configurations built on top of those platforms. For WordPress specifically, ThreeShield reviews custom theme and plugin code for common vulnerability patterns (SQL injection through custom queries, XSS in output functions, improper nonce handling, capability escalation), monitors for known-vulnerable plugin versions, and assesses configuration against security hardening baselines. Third-party core code is not in scope for a standard code review, but we assess how your customizations interact with those platforms and whether they introduce risk.
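The four WordPress review patterns named above (SQL injection through custom queries, XSS in output functions, nonce handling, capability checks) in one AJAX handler, first as an AI assistant commonly emits it and then as a reviewer would ask for it. This is an added illustration, not ThreeShield's code or code from any client engagement; the plugin name, the `ex_notes` table, the `ex_save_note` action and the `edit_others_posts` capability choice are assumptions, while the WordPress functions used (`check_ajax_referer`, `current_user_can`, `absint`, `wp_unslash`, `sanitize_textarea_field`, `$wpdb->prepare`, `esc_html`, `wp_send_json_*`) are real core APIs.

```php
<?php
/**
 * Plugin Name: Note Saver (hypothetical review example)
 *
 * Added example. The table name, action names and capability are
 * assumptions; only the WordPress core functions are real.
 */

/*
 * BEFORE: the handler as it is often generated. Shown for contrast only;
 * it is deliberately not hooked with add_action().
 */
function ex_save_note_vulnerable() {
    global $wpdb;
    // No nonce check: a logged-in user lured to another site can be made to
    // fire this request (CSRF).
    // No capability check: any authenticated user, subscribers included,
    // reaches what should be an editor-only action.
    // Request values interpolated into SQL: injectable through note_id and body.
    $wpdb->query("UPDATE {$wpdb->prefix}ex_notes SET body = '{$_POST['body']}' WHERE id = {$_POST['note_id']}");
    // Raw echo of user input: stored/reflected XSS in the response.
    echo '<div class="note">' . $_POST['body'] . '</div>';
    wp_die();
}

/*
 * AFTER: the same feature with the checks a code review would require.
 */
function ex_save_note_secure() {
    global $wpdb;

    // 1. CSRF: the request must carry the nonce issued for this action.
    //    The page that renders the form emits it with
    //    wp_nonce_field('ex_save_note', '_ajax_nonce'); on mismatch this dies with 403.
    check_ajax_referer('ex_save_note', '_ajax_nonce');

    // 2. Authorization: a valid nonce proves intent, not permission.
    //    Require the specific capability rather than "is logged in".
    if (!current_user_can('edit_others_posts')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // 3. Input validation: coerce to the expected types before the data
    //    reaches the database layer. Strip slashes WordPress adds to $_POST first.
    $note_id = isset($_POST['note_id']) ? absint($_POST['note_id']) : 0;
    $body    = isset($_POST['body']) ? sanitize_textarea_field(wp_unslash($_POST['body'])) : '';
    if ($note_id === 0) {
        wp_send_json_error(['message' => 'invalid note id'], 400);
    }

    // 4. SQL injection: typed placeholders via $wpdb->prepare(). The table
    //    prefix is site configuration, not user input, so interpolating it is safe.
    $table = $wpdb->prefix . 'ex_notes';
    $rows  = $wpdb->query(
        $wpdb->prepare("UPDATE {$table} SET body = %s WHERE id = %d", $body, $note_id)
    );
    if ($rows === false) {
        wp_send_json_error(['message' => 'database error'], 500);
    }

    // 5. XSS: escape at output time for the context the value lands in
    //    (esc_html for element content; esc_attr would be used inside an attribute).
    wp_send_json_success([
        'updated' => $rows,
        'html'    => '<div class="note">' . esc_html($body) . '</div>',
    ]);
}
add_action('wp_ajax_ex_save_note', 'ex_save_note_secure');
```

Two review points worth calling out when reading the hardened version: the nonce and the capability check answer different questions (was this request intended by the user, and is this user allowed to do it), so a handler needs both; and escaping belongs at the point of output, with the escaping function chosen for the HTML context, rather than being applied once on input and assumed to cover every later use.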
Scope and timeline depend on the size of the codebase, the languages and frameworks involved, and the compliance requirements that apply. A targeted review of an authentication system or payment flow for a small application can be completed in a few days. A comprehensive review of a large application with multiple frameworks takes longer. ThreeShield provides a scoping estimate after reviewing your application description — contact us with a description of what you've built and what concerns you most.
Yes — and this is the highest-value service we offer for new applications. A requirements review identifies what security and compliance requirements apply to your application before any code exists, produces a security requirements document your developers or AI tools can work from, and eliminates the most expensive category of problem: systemic architectural decisions made at the start that have to be undone later. For applications entering regulated markets — healthcare, financial services, payment processing — a requirements review before development is strongly recommended.
No — a code review of a live application is one of the most common engagements ThreeShield performs. The priority shifts from prevention to risk assessment and remediation: which vulnerabilities are currently exploitable, which need immediate fixes, and which can be scheduled into a normal development cycle. ThreeShield produces a prioritized finding report with remediation guidance so you can address the highest-risk issues first without taking the application offline.
Yes — ThreeShield offers code review on a cadence that fits your development pace and budget: monthly, per-sprint, per-release, or on-demand for significant changes. Ongoing review is especially valuable for organizations that ship frequently, use AI tools to generate code rapidly, or have WordPress and CMS installations where plugin updates happen regularly. We also offer WordPress and CMS plugin monitoring as a standalone service for organizations that have production sites with regular plugin changes but no active custom development.
ThreeShield maps findings to whichever frameworks apply to your application: PCI DSS Requirement 6 (secure development), SOC 2 (change management and security controls), ISO 27001 (application security), OWASP ASVS (application security verification standard), Alberta PIPA and PIPEDA/CPPA (privacy-by-design), HIPAA (application-layer safeguards), and OSFI B-13 (technology risk management). For applications subject to multiple frameworks, findings are mapped to all applicable requirements so a single review satisfies multiple compliance obligations.
ThreeShield's secure code reviews find what automated tools miss — before penetration tests or real attackers do. Our discovery of CVE-2023-27739 during a routine client review is exactly the kind of result that protects your clients and your reputation.
Also see: CVE-2023-27739 — discovered by ThreeShield during client code review