# AI App Exposure Desk Pricing

## SignalCheck Lead Triage - Free Outreach Hook

The agent discovers public candidate apps and runs passive lead triage. Outreach includes only broad public-signal categories and production-readiness language. It does not show exact exploit paths, sensitive values, route lists, or private records.

Lead triage output:

- Public exposure signals found
- No obvious public exposure signals found
- Broad category and severity summary
- Recommended next paid review path

## Public Surface Review - $349 to $499

Outside-only review of public HTML, headers, public JavaScript bundles, indexed snippets, public routes visible from safe pages, terms/privacy pages, and visible admin/export/dashboard/contact/demo signals.

Boundaries:

- No login attempts.
- No export clicks.
- No API probing.
- No vulnerability exploitation.

Deliverable: PDF or Markdown report with exact public findings where safe, screenshots/snippets where safe, risk score, and next steps.

## Authorized Readiness Review - $1,250+

The customer provides written authorization and scope. The review can include repo, config, Supabase, Firebase, Stripe, OAuth, storage, logging, and deployment settings.

Review areas:

- RLS policies.
- Frontend secret cleanup.
- Auth and export guards.
- Tenant isolation.
- Webhook verification.
- OAuth redirects and scopes.
- Public buckets.
- PHI/PII logging.
- Demo/prod separation.

Deliverable: prioritized remediation plan and walkthrough.

## Remediation Sprint - $3,000+

Cyber Craft fixes scoped issues directly. Examples include RLS policies, secret cleanup, auth/export guards, Stripe webhook verification, OAuth redirect hardening, bucket permissions, logging cleanup, and production config separation.

## Regulated Hardening Packet - $5,000+

For healthcare, finance, legal, child-data, or government-adjacent apps. Supports compliance readiness but does not claim certification or legal compliance.

Deliverables:

- Data-flow map.
- Control checklist.
- Evidence packet.
- Vendor boundary review.
- Remediation roadmap.
