SiloTech
AI Strategy

Inherited code and AI. A staged guide to cleaning up your codebase and surfacing the critical bugs

Seven stages for auditing inherited codebases with AI. The statistic is brutal - 100% of inherited systems have at least one critical vulnerability the owner had no idea existed.

Marius Silo
CEO & Co-founder
9 min read
Tags: #legacy code, #vibe-coding, #security, #Claude Code, #Codex, #dead code, #code audit

Frequently asked questions

How long does an audit like this take?
It depends on the size of the codebase. A small vibe-coded product can be read in a couple of days; a twelve-year-old monolith demands weeks. What matters is the order, not the speed - going fast at the start means going slow at the finish.
Why start with the map, not with security?
Without context, a security scan is theatre. The AI finds generic things that often aren't even real problems in this particular system. We give the model a mermaid map first, and only then send it hunting for SQL injection, auth bypasses, and other real holes.
Does this process also work for vibe-coders who shipped a product in a month?
Yes, even more so. In vibe-coded systems the AI loves dropping in the newest package just because it's newest, leaves helper functions uncalled, and never asks about .env files or hardcoded API keys. All seven stages apply; the road is just shorter.
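To make the "map first, then hunt" idea concrete, here is an added example (not the post's own tooling, and no relation to SiloTech's process beyond the ideas above): a small Python pass over a constructed sample module that builds the mermaid call map the model is briefed with, lists top-level functions nothing calls (the uncalled helpers), and flags module-level string literals assigned to secret-looking names (the hardcoded keys). The sample source, the name regex and the function names are all assumptions made for the example.

```python
import ast
import re

# Constructed sample module standing in for an inherited codebase (not real project code).
SAMPLE_SOURCE = '''
API_KEY = "sk-EXAMPLE-placeholder-not-a-real-key"
def load_user(db, user_id):
    return db.query("SELECT * FROM users WHERE id = %s", (user_id,))

def format_user(user):
    return f"{user['name']} <{user['email']}>"

def legacy_helper(x):  # never called anywhere: dead code
    return x * 2

def handler(db, user_id):
    return format_user(load_user(db, user_id))
'''

# Assumed heuristic: names that usually hold credentials.
SECRET_NAME = re.compile(r"api[_-]?key|secret|token|password", re.I)

def build_call_graph(source):
    """Map each top-level function to the set of top-level functions it calls."""
    tree = ast.parse(source)
    funcs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
    graph = {}
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            graph[node.name] = {c.func.id for c in ast.walk(node)
                                if isinstance(c, ast.Call) and isinstance(c.func, ast.Name)
                                and c.func.id in funcs}
    return graph

def uncalled_functions(graph):
    """Functions nothing else calls: dead helpers, plus genuine entry points to review by hand."""
    return sorted(set(graph) - set().union(*graph.values()))

def hardcoded_secrets(source):
    """Module-level string literals assigned to secret-looking names."""
    hits = []
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            hits += [t.id for t in node.targets if isinstance(t, ast.Name) and SECRET_NAME.search(t.id)]
    return hits

def to_mermaid(graph):
    """Render the call graph as a mermaid flowchart to brief the model with before any security pass."""
    lines = ["graph TD"] + [f"    {f}" for f in sorted(graph)]
    lines += [f"    {f} --> {c}" for f in sorted(graph) for c in sorted(graph[f])]
    return "\n".join(lines)
```

Entry points such as `handler` show up in the uncalled list alongside real dead code, so that list is a review queue, not a delete list.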
Is 100% of inherited systems really leaky?
In our experience over the past year - yes, every single one had at least one critical security issue the owner had no idea existed. The models keep getting stronger, the internet is full of automated scanners, and legacy code stays in place. The only question is who finds the gap first.