Case Study · June 12, 2026 · 6 min read

How Evident-AI Went From C to B

Two real vulnerabilities. One false positive. Three advice conversations with Replit. Zero broken features.

Before: C → After: B
2 critical findings fixed · 1 false positive identified · No features broken

The app

Evident-AI is a study and document management platform built on Replit using PostgreSQL and OpenAI. Real users, real data, real login system — built without a traditional development background using AI-assisted development.

Like most apps built this way, it worked perfectly. Users could sign up, upload documents, and use the AI features. But working and secure are two different things.

Running the scan

I submitted the Evident-AI GitHub repository to Verilay. The analysis read 18 files including package.json, auth middleware, API routes, database schema, and environment config. The result came back as a C grade with 2 critical findings and 3 warnings.

Score C — 2 critical findings
Most AI-built apps score C on their first scan. It does not mean the app is broken — it means there are specific issues worth investigating.

The findings

Critical: Dependency vulnerabilities in package.json

Two packages had known security vulnerabilities — protobufjs 7.5.4 and @google-cloud/storage 7.18. Both had patched versions available.

Critical: API endpoints missing rate limiting

The OpenAI-powered endpoints had no rate limiting. A malicious user could make hundreds of requests per minute — running up API costs with no ceiling.

False positive: Missing authentication on admin routes

Verilay flagged admin routes as potentially unprotected. This was incorrect — Replit Auth was handling this correctly. The middleware was present but written in a pattern Verilay did not initially recognise.

Three conversations with Replit

Instead of asking Replit to fix everything, each prompt asked it to investigate and explain first. This is the "advise, not fix" approach.

Conversation 1 — Dependency vulnerabilities:

I received a security review flagging protobufjs 7.5.4 and @google-cloud/storage 7.18 as having known vulnerabilities. Can you review these dependencies and advise what the actual risk is for this app, and whether updating them is safe?

Replit confirmed both were genuine. It updated protobufjs to 7.6.2 and @google-cloud/storage to 7.19. No features broke.

Conversation 2 — Rate limiting:

I received a security review noting that the OpenAI API endpoints have no rate limiting. Can you review the current endpoint structure and advise what rate limiting approach would work here without breaking existing functionality?

Replit agreed this was a real risk. It added per-user rate limiting — 10 requests per minute per user with a clear error message when exceeded. Total time: 20 minutes.
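The per-user limiter described above, written out as an added example rather than Evident-AI's or Replit's actual code: a fixed-window counter keyed by user id, 10 requests per minute, wrapped as Express-style middleware. It assumes the upstream auth middleware sets `req.user.id` (an assumption; the page does not show that middleware).

```javascript
// Added example, not the Evident-AI code base. Per-user fixed-window rate
// limiting for the OpenAI-backed endpoints: 10 requests/minute per user.
const DEFAULT_LIMIT = 10;
const DEFAULT_WINDOW_MS = 60 * 1000;

function createRateLimiter({ limit = DEFAULT_LIMIT, windowMs = DEFAULT_WINDOW_MS } = {}) {
  // userId -> { count, windowStart }; one bucket per authenticated user.
  const buckets = new Map();

  // Decide one request for `userId` at time `now` (ms). Pure apart from the
  // bucket update, so it can be exercised without an HTTP server.
  function check(userId, now = Date.now()) {
    let b = buckets.get(userId);
    if (!b || now - b.windowStart >= windowMs) {
      b = { count: 0, windowStart: now }; // start a fresh window
      buckets.set(userId, b);
    }
    if (b.count >= limit) {
      return { allowed: false, remaining: 0, retryAfterMs: b.windowStart + windowMs - now };
    }
    b.count += 1;
    return { allowed: true, remaining: limit - b.count, retryAfterMs: 0 };
  }

  // Express-style (req, res, next) middleware. Assumes req.user.id was set by
  // the auth middleware. Unauthenticated calls are rejected outright rather
  // than sharing one anonymous bucket, so nobody can run up API costs without
  // an account to attribute them to.
  function middleware(req, res, next) {
    const userId = req.user && req.user.id;
    if (!userId) return res.status(401).json({ error: 'Authentication required' });
    const result = check(userId);
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      const secs = Math.ceil(result.retryAfterMs / 1000);
      res.setHeader('Retry-After', String(secs));
      return res.status(429).json({
        error: `Rate limit exceeded: at most ${limit} requests per minute. Try again in ${secs}s.`,
      });
    }
    return next();
  }

  return { check, middleware };
}
// Usage (hypothetical route name): app.post('/api/ask', createRateLimiter().middleware, handler);
```

The window resets per user, so one account hitting the ceiling does not affect others, and the 429 body tells the caller exactly when to retry.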

Conversation 3 — Admin route authentication:

I received a security review flagging admin routes as potentially missing authentication. Can you review the auth middleware and confirm whether these routes are actually protected?

Replit confirmed the routes were fully protected. The Replit Auth middleware was correctly applied. We marked it as verified in the report — false positive confirmed.

The result

✅ Score B — properly secured
Both genuine vulnerabilities fixed. False positive identified and verified. No features broken. Total time: under 1 hour.

What this shows

Working and secure are different things. Evident-AI worked perfectly before the scan. Users were logging in, documents were being processed. But two genuine vulnerabilities were sitting there quietly.

Not every finding is real. One of three critical findings was a false positive. Without the verify step — without asking Replit to investigate before acting — we might have tried to fix something that was not broken and actually caused a problem.

B is the right target. After fixing two genuine issues, Evident-AI scored B. That is the realistic target for an AI-built app. B means properly secured for real users. A requires enterprise-level hardening that goes well beyond what any AI builder can automate.
