Launch Captain
Capt. Nemo
Security · Auth · Infrastructure
89 audits completed
“The thing your AI is most confident about is usually the thing that will get you breached.”
89 audits completed · 71 auth issues found · 2.3 avg. critical findings · 3 days avg. turnaround
Background
Before auditing code, Nemo spent 14 years building and breaking security systems — first in network infrastructure, then in application security for fintech and healthcare SaaS companies. He has run penetration tests on platforms processing hundreds of millions in transactions and been the person on the other end of the breach call at 2am.
He came to Launchwright after watching a founder's app get scraped for user emails three weeks after launch — an attack that would have taken 15 minutes to prevent. The founder had used an AI tool, the code looked perfectly reasonable, and no one had told them that "reasonable-looking" and "secure" are not the same thing.
Nemo specialises in the gap between what AI tools produce and what production security actually requires. He has audited 89 apps to date. In 71 of them, he found an auth or infrastructure issue the founder had no idea existed.
Areas of expertise
Authentication & Session Management
JWT configuration, session expiry, token storage, OAuth flows, and the subtle ways AI-generated auth code leaves doors unlocked.
Rate Limiting & Abuse Prevention
Login endpoint brute-force protection, API abuse vectors, IP-based throttling, and Stripe webhook replay attacks.
Row-Level Security & Data Isolation
Supabase RLS policies, multi-tenant data leakage, and the specific patterns that AI tools consistently get wrong in Postgres.
Secrets & Configuration
Environment variable exposure, hardcoded credentials, service role key misuse, and client-side secret leakage.
Input Validation & Injection
Server-side validation gaps, SQL injection vectors in raw queries, and the difference between client-side and server-side trust.
Infrastructure Hardening
CORS policy, security headers, storage bucket permissions, Supabase service role scope, and edge function exposure.
What I find most often
Patterns that appear repeatedly across audits in this specialty area.
No rate limiting on login
Found in roughly 80% of audits. AI tools generate login endpoints that work — they rarely add the protection that stops a bot from trying 10,000 passwords overnight.
Service role key in client code
The Supabase service role key bypasses all row-level security. It belongs only on the server. AI tools sometimes place it where any user can read it in browser DevTools.
Email enumeration via error messages
Returning different errors for "wrong password" vs "email not found" lets an attacker build a list of real accounts. The fix is one line. The exposure is invisible until it's used against you.
Missing RLS on new tables
Supabase enables RLS per table, not globally. Every table added after initial setup needs its own policy. AI tools often generate the table without generating the policy.
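For the last pattern above, an added example (not code from this page or from Launchwright) showing how a new Supabase table should be created so its row-level security is not left behind, followed by a catalogue query that flags tables in the public schema where RLS is off or no policy exists; the table and column names (notes, owner_id) are assumptions for illustration.

```sql
-- Added example, not from the page: a new table set up with per-table RLS.
-- Assumed schema: public.notes with an owner_id column holding the user's id.
create table public.notes (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid(),
  body       text not null,
  created_at timestamptz not null default now()
);

-- RLS is per table: without this line, every anon or authenticated client
-- can read and write every row of public.notes through the public API.
alter table public.notes enable row level security;
-- Also apply the policies to the table owner. Note this does NOT affect the
-- service role, which has BYPASSRLS by design; that is why the service role
-- key must never ship in client code.
alter table public.notes force row level security;

-- One policy per operation; auth.uid() is the subject of the caller's JWT.
create policy "notes: owner can select" on public.notes
  for select to authenticated using (owner_id = auth.uid());
create policy "notes: owner can insert" on public.notes
  for insert to authenticated with check (owner_id = auth.uid());
create policy "notes: owner can update" on public.notes
  for update to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
create policy "notes: owner can delete" on public.notes
  for delete to authenticated using (owner_id = auth.uid());

-- Audit check: list public tables with RLS disabled, or enabled but with no
-- policy at all (that denies everything rather than leaking, but still marks
-- a table nobody finished securing).
select c.relname          as table_name,
       c.relrowsecurity   as rls_enabled,
       count(p.polname)   as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public' and c.relkind = 'r'
group by c.relname, c.relrowsecurity
having not c.relrowsecurity or count(p.polname) = 0
order by c.relname;
```

Run the final query in the SQL editor after every migration; an empty result is the expected state.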
Get audited by Capt. Nemo
Captain assignment is based on your stack and primary concern. Request your audit and we'll match you with the right Captain.
Request Your Audit →
Captain review from $299 · 30-min call included