Use Cases

One audit.
Seven different reasons to run it.

IntentGuard produces seven distinct use cases from a single analysis. Each audience gets a report written in their language — not a raw security dump. Here is exactly how each workflow works, and what you get.

🏦 VC Due Diligence: Replace $50k TDD | 🚀 Founder Readiness: Pre-Series A/B/C | ⚙️ CTO Oversight: Architectural drift | 💻 Developer Reviews: Sprint & release | 📋 Compliance & CISO: EU AI Act · SOC 2 | 🤖 AI-First Builders: Cursor · Copilot | 🔍 IT Auditors / CISA: Evidence packs · Working papers
VC / PE Analysts · Investment Teams
Technical due diligence.
One hour. Not three weeks.

Manual TDD costs $22,000–$150,000 per engagement and takes 3–12 weeks. You evaluate 50+ deals a year. Every week a deal stalls in diligence is a week a competitor can move. IntentGuard delivers the same investor-grade technical health report — architecture maturity, security posture, compliance status, intent alignment, and TCO signals — in under one hour, for a fraction of the cost.

Single Audit
$249
Professional quality · All 4 personas · Investor Report · No account required
Three workflows
Early-stage screening (Seed / Pre-A)
Run a Starter Single Audit ($89) before committing partner time to a deal. Get architecture maturity, security headline, and intent alignment in 20 minutes. Flag the deal-killers before the first CTO call — bus factor, undeclared AI components, critical vulnerabilities, GPL licensing risks.
Full diligence (Series A / B)
Run a Professional Single Audit ($249). All four report personas — Investor, Executive, Developer, Auditor. Architecture maturity Level 0–4. Drift detection. Full compliance posture against SOC 2, ISO 27001, GDPR. TCO signals quantified. Every finding linked to exact file and line — so you can hand the Developer Report to your technical advisor and have them verify every claim in minutes, not days.
Portfolio monitoring (ongoing)
Business tier ($2,499/month) includes 100 audits/month and the VC Portfolio Dashboard. Run quarterly audits across your portfolio. Track architectural maturity score over time. Catch intent drift before your portfolio companies head into their next round — or before a production incident surfaces what the audit would have caught.

The research is clear: VCs treat AI-generated reports with "trust but verify" discipline. IntentGuard's multi-model consensus directly addresses this — every finding is verified by up to 4 independent AI models. A finding that only one model raised does not appear in your report.

What the Investor Report delivers
  • ✓ Architecture Maturity Score — Level 0–4 with evidence. Tells you if this codebase is seed-stage scrappy, Series A ready, or production-grade.
  • ✓ Scalability Horizon — How many users / transactions before the current architecture needs a significant redesign. In plain language, not engineering jargon.
  • ✓ Technical Debt Quantification — Findings mapped to estimated remediation cost and engineering hours. "This debt will cost $35k to address before Series B scale."
  • ✓ Security Risk Summary — Critical and high severity findings with business impact framing, not a raw CVE list.
  • ✓ IP & Licensing Audit — GPL/AGPL copyleft risks that could force open-sourcing of proprietary code. Common deal-killer caught automatically.
  • ✓ Undeclared AI Components — AI components in the codebase that may create EU AI Act obligations the startup hasn't disclosed in their data room.
  • ✓ TCO Signals — Unmetered LLM calls, missing caches, vendor lock-in — the infrastructure cost signals that become burn rate surprises post-investment.
  • ✓ Shareable report link — Send the Investor persona report to your technical advisor or co-investor. No account required to view it.
Solo Founders · Startup CTOs · Pre-raise teams
Know what the investor
will find before they do.

Intent drift is the gap between what your product was designed to do and what the codebase actually does. It widens with every AI-assisted sprint. Your Series A meeting is in three weeks. IntentGuard measures that gap — architecture maturity, security posture, compliance status, undeclared AI components — so you walk in prepared, not surprised.

Best option
$249
Professional Single Audit or Starter plan $249/mo
When to run an audit
4–6 weeks before first VC meeting
Run the audit. Review the Investor Report. Identify and remediate the deal-killers — critical security vulnerabilities, undeclared AI, GPL licensing risks, the things that have killed deals at term sheet stage. Show up knowing your architecture maturity score before they ask.
During data room preparation
Download the PDF Investor Report. Add it to your data room alongside your cap table, financial model, and team bios. IntentGuard's report format is structured around the same checklist VCs use in manual technical due diligence — architecture, security, compliance, IP, TCO. It tells the technical story of your codebase in the language investors expect.
Ongoing: monthly or per-sprint
Starter plan ($249/month, 8 audits) lets you run a health check after every major sprint. Track your architecture maturity score over time. Catch context drift before it accumulates. Know your Intent Alignment Score before your next investor update.

"Your investor meeting is in three weeks. IntentGuard measures the gap between what your product was designed to do and what the codebase actually does — before your investors measure it for you."

What you get
  • ✓ Intent Alignment Score — A 0–100 score representing how closely your codebase matches your declared product design. The number investors will ask about.
  • ✓ Architecture Maturity Level — Level 0–4. Level 3+ tells investors the codebase can scale with the business. Level 0–1 flags where the risk is.
  • ✓ Pre-remediation checklist — The Executive Report identifies which findings to fix before the investor meeting and which are acceptable at your stage.
  • ✓ Compliance posture snapshot — SOC 2, ISO 27001, GDPR, POPIA — how close you are and what's needed to complete each framework. Enterprise deals are won or lost on this.
  • ✓ EU AI Act status — Are any components in scope for August 2026 high-risk obligations? Undeclared AI is automatically flagged.
  • ✓ Investor Report PDF — Formatted for a data room. Same structure as a Big 4 TDD report, generated automatically from your codebase.
CTOs · Engineering Leads · Platform Teams
Context drift widened
with every commit. Now measure it.

Your team ships with Cursor, Copilot, or Windsurf. Each AI session starts without context of your original product design. Each commit can silently drift further from the architecture you intended. By the time architectural drift becomes a production incident, it's expensive. IntentGuard detects it while it's still cheap to fix.

Best option
$599/mo
Professional plan · 20 audits/mo · Drift detection · Architecture diagram
How CTOs use IntentGuard
Post-sprint architecture review
Run an audit after every major sprint or release. The Developer Report gives you findings at file path and line number. The Executive Report gives you the architecture maturity score and what changed since the last audit. Context drift is measured, not just flagged.
Before a major infrastructure decision
Run an audit before a database migration, a vendor switch, or a scaling initiative. The TCO Intelligence tab surfaces the hidden cost signals — unmetered LLM calls, missing caches, vendor lock-in patterns — before you commit to an architectural direction you'll regret at 10x traffic.
When onboarding a new engineering team
New team inheriting an AI-generated codebase from a previous sprint cycle or a prior team? Run an audit as a baseline. Know the architecture maturity level, the technical debt surface, and the security posture before your engineers touch the code. Evidence-backed, not impression-based.
What the CTO gets
  • ✓ Architecture diagram — Auto-generated from the actual codebase. Compares declared vs actual architecture. Highlights where AI-generated code diverged from your design.
  • ✓ Drift detection — Explicit measurement of how far the current codebase has drifted from the declared product specification. Trend visible across audits over time.
  • ✓ Architecture maturity Level 0–4 — Not a vague quality score. Level definitions are explicit: Level 0 = unstructured, Level 4 = optimised. You know exactly where you are.
  • ✓ TCO Intelligence — Unmetered API calls, missing connection pooling, inefficient query patterns, over-provisioned infrastructure — before the cloud bill arrives.
  • ✓ Developer Report — Every finding at file path and line number. Prioritised by severity. Evidence hash included for verification. Built for sprint retrospectives.
  • ✓ What your team got right — 30–40% of every IntentGuard report confirms correct engineering decisions. Not just problems — evidence of sound work.
Developers · Engineering Teams · Tech Leads
Every finding. Every file.
Every line.

You need evidence-backed findings at file path and line number — the level of detail you need for sprint reviews, architecture decisions, and technical discussions with your team and your stakeholders. Not a dashboard summary. An audit trail.

Best option
$249/mo
Starter plan · 8 audits/mo · Developer Report included
When developers run audits
Pre-merge review for AI-generated code
Before merging a large AI-generated feature branch, run an audit against your product specification. Catch intent mismatches before they enter main. Know if the AI built what you asked it to build — or a plausible-looking approximation of it.
Sprint retrospectives
Use the Developer Report as evidence in sprint retrospectives. Every finding has a file path, line range, severity, and cryptographic hash. You can verify each claim against the codebase in minutes. Present to your team with evidence, not impressions.
Before a release to production
Run an audit against main before a production deployment. Surface OWASP Top 10 vulnerabilities, secrets accidentally committed, architectural patterns that will break under load. The audit takes under one hour. A production incident costs a lot more than that.
The Developer Report
  • ✓ File path + line range — Every finding includes the exact location in the codebase. No "somewhere in authentication module" — exact file, exact lines.
  • ✓ Cryptographic hash — Every finding is anchored to a commit hash. The finding is verifiable and reproducible — not a probabilistic guess.
  • ✓ Severity prioritisation — Critical → High → Medium → Low. Ordered by actual risk, not alphabetical order of file names.
  • ✓ Remediation guidance — What to do about each finding, not just that a finding exists. Code-level recommendations, not abstract advice.
  • ✓ Consensus verification — Findings are only included when multiple independent AI models agree. False positives are suppressed before they reach your report, not after.
  • ✓ Confirmations — 30–40% of every report surfaces what was done correctly. IntentGuard confirms good decisions, not just flags bad ones.
Compliance Leads · CISOs · Security Teams
Audit-ready evidence.
From the actual codebase.

Architectural drift creates AI-native vulnerabilities — code that passes linting and tests but silently violates the security assumptions in your original architecture. Standard scanners don't detect this. IntentGuard does. And every finding is auto-mapped to the relevant clause in your compliance framework — SOC 2, ISO 27001, GDPR, ISO 42001, EU AI Act — with file-level evidence included.

Best option
$599/mo
Professional plan · Auditor Report · Full compliance mapping · EU AI Act module
Critical date: August 2026
EU AI Act — High-risk obligations active August 2026
If your product includes LLM API calls, agent orchestration, or automated decision-making in a high-risk domain, it may fall under EU AI Act high-risk obligations — regardless of whether you have declared it. IntentGuard automatically detects undeclared AI components from the codebase itself. Know your risk classification before regulators and investors ask.
SOC 2 and ISO 27001 evidence packages
IntentGuard maps every finding to the relevant SOC 2 trust service criteria or ISO 27001 control. The Auditor Report produces a compliance evidence matrix with file-level citations — the format your auditor expects, generated automatically from your codebase, not manually assembled in a spreadsheet.
Enterprise procurement security reviews
Enterprise buyers require security certifications before signing. 1 in 3 companies lose enterprise deals due to missing security certifications. IntentGuard identifies the gaps between your current codebase and the certifications your next enterprise customer requires — and prioritises what to fix first by business impact.
The Auditor Report covers
  • ✓ SOC 2 Trust Service Criteria mapping — Every finding mapped to CC, A, C, PI, P controls. Evidence cited at file level. Exportable as an evidence matrix.
  • ✓ ISO 27001 control mapping — Annex A controls mapped to findings and confirmations from the codebase analysis.
  • ✓ HIPAA Technical Safeguards mapping — §164.312 access control, audit controls, integrity, transmission security — for healthcare applications and platforms handling PHI.
  • ✓ PCI DSS v4.0 mapping — Requirements 3, 6, 8, and 10 mapped to codebase evidence. For applications in scope for cardholder data environment controls.
  • ✓ NIST CSF and CIS Controls v8 — Identify, Protect, Detect, Respond, Recover functions and the 18 critical security controls — mapped to code patterns and IaC configurations.
  • ✓ OWASP ASVS compliance — Application Security Verification Standard checklist with pass/fail against actual code evidence.
  • ✓ GDPR Article 32 technical measures — Encryption, data minimisation, access control — verified from the codebase, not from a questionnaire.
  • ✓ EU AI Act risk classification — Automatic detection of AI components and their EU AI Act risk tier. Undeclared components explicitly flagged.
  • ✓ ISO 42001 AI governance mapping — AI management system controls mapped to codebase evidence. Required for organisations with AI components in scope.
  • ✓ POPIA mapping — For South African organisations and their compliance obligations under the Protection of Personal Information Act.
Vibe Coders · AI Builders · Cursor / Copilot / Windsurf Users
Find out what your AI
actually built.

You've been shipping with Cursor or Copilot. The app works. But your AI assistant had no context of your product design. Every session started fresh. The code it shipped may pass all the tests — but does it match what you intended to build? Does it have vulnerabilities you haven't seen yet? IntentGuard tells you, before your users, investors, or production environment do.

Start here
Free
14-day trial · 3 audits · No credit card · GitHub OAuth
Why AI-generated code needs auditing
Your AI had no memory of your product design
Every Cursor session, every Copilot suggestion, every Windsurf generation — started without context of what your product was supposed to be. Each AI-assisted commit is a potential divergence from your original intent. IntentGuard reconstructs the context your AI never had and tells you where the code drifted.
45% of AI-generated code has vulnerabilities
Research across 100+ LLMs and 80 real-world coding tasks (Veracode, 2025) found that 45% of AI-generated code introduces OWASP Top 10 vulnerabilities. Your AI assistant does not have a security architecture background. It generates code that works — but it also generates SQL injection vectors, hardcoded credentials, and insecure data flows. IntentGuard finds them.
Before you show it to investors or launch
You built something. It works. You're thinking about raising or launching. Run an audit first. Know your architecture maturity score. Know your security posture. Know if you have compliance gaps that will surface in your first enterprise sales conversation. Walk in prepared.

"Your AI assistant has no memory of what you were building. Every session starts without context. IntentGuard is the contextual ground truth your codebase never had — the specification your AI forgot."

What you find out
  • ✓ Does your code do what you designed? — Intent alignment analysis compares your product description against your actual codebase. The gap is measured, not guessed.
  • ✓ Security vulnerabilities — OWASP Top 10, hardcoded secrets, injection vulnerabilities — at the exact file and line your AI generated them.
  • ✓ Architecture maturity — Level 0–4. Tells you if your codebase is investor-ready or if there are structural issues to address before a raise.
  • ✓ What you got right — IntentGuard confirms correct decisions, not just flags problems. 30–40% of every report is confirmations.
  • ✓ Executive Report for sharing — Share your Intent Alignment Score with a co-founder, advisor, or early investor. No account required to view the shared report.
IT Auditors · CISA · Internal Audit Teams
Evidence-backed compliance posture.
Audit-ready on demand.

Manual controls testing takes days per framework. Producing a working paper with file-level evidence citations requires hours of manual cross-referencing between code reviews, scanning tools, and compliance checklists. IntentGuard maps every finding to the relevant ISO 27001, SOC 2, PCI DSS, HIPAA, and NIST CSF control — with file-level citations on every finding — in under one hour.

Best option
$599/mo
Professional plan · Auditor Report · Full compliance matrix · 14 live frameworks
Three IT auditor workflows
Application security audit
Run an intent audit on the application under review. The Auditor Report produces a compliance matrix mapping every finding to ISO 27001, SOC 2, OWASP ASVS, NIST CSF, CIS Controls, PCI DSS, or HIPAA — depending on the application's obligations. Every finding cites a file, a line range, and the specific control clause. Your working paper has never had this level of specificity before.
Pre-certification gap analysis
Before a SOC 2 or ISO 27001 audit engagement, run IntentGuard to identify the technical control gaps at the codebase level. Know which controls have evidence and which have gaps before the external auditor arrives. Reduce audit preparation time by coming in with a pre-built evidence matrix.
Vendor or third-party technical assessment
When your client needs to assess a third-party software vendor's security and compliance posture, IntentGuard produces an independent, evidence-backed assessment without requiring a multi-week manual engagement. The Auditor Report is structured for working paper use — framework by framework, control by control, finding by finding.
What the Auditor Report covers
  • ✓ 14 live compliance frameworks — ISO 27001, SOC 2, OWASP ASVS L2, NIST CSF, CIS Controls v8, GDPR, HIPAA, PCI DSS v4.0, ISO 42001, EU AI Act, NIST AI RMF, OWASP API Top 10, POPIA, CCPA. Every control mapped to codebase evidence.
  • ✓ File-level evidence citations — Every finding cites the exact file, line range, and a cryptographic hash. Findings without evidence are suppressed before they reach the report.
  • ✓ Multi-LLM consensus verification — Up to 3 independent AI models from 3 organisations must agree before a finding surfaces. When they disagree, an independent Adjudicator resolves the conflict and shows its reasoning. No finding is a single model's opinion.
  • ✓ Confirmations — what is working — 30–40% of every report confirms correct controls implementation. IntentGuard is not only a gap finder — it confirms evidence of controls in place.
  • ✓ Shareable report link — Generate a scoped share token for the Auditor Report. Your client's team can view the full evidence matrix without an IntentGuard account.
  • ✓ Architecture assessment — Architecture maturity Level 0–4, rendered as a component diagram derived from the actual codebase — not from documentation.
How IntentGuard differs

Not a scanner. Not a consultant.
A new category.

vs
Snyk / SonarQube
Finds vulnerabilities in dependencies and code quality issues. Built for DevSecOps continuous workflows. Produces a list of findings for developers to triage.
What they can't do
Cannot tell you if the code matches your product design intent. Cannot produce an investor-grade report. Do not use multi-model consensus — a single analysis engine with no cross-verification. Cannot detect context or intent drift. Cannot map to EU AI Act risk tiers.
vs
Automated technical due diligence tools
Enterprise codebase analysis platforms used in M&A and investment due diligence. CAST Highlight produces architecture and quality metrics. Code Registry produces an AI Quotient score. Targeted at PE firms and acquirers running point-in-time deal diligence.
What makes IntentGuard different
CAST and similar tools produce quality and security metrics — they do not compare code against a declared product design intent. They do not use multi-LLM consensus across independent providers. They do not produce separate persona reports for investors, developers, auditors, and executives from one audit. And they do not include EU AI Act classification or ISO 42001 governance mapping as first-class outputs. IntentGuard is also self-serve from $249 — not an enterprise engagement requiring a vendor relationship.
vs
ASPM platforms (Aikido, OX)
Application Security Posture Management tools that consolidate multiple scanners (SAST, SCA, cloud) into one dashboard. Reduce tool fatigue for developer and security teams.
What they can't do
Built for ongoing development workflows, not point-in-time due diligence. Do not produce investor-grade reports. Do not compare code against product design specifications. Do not use multi-model consensus. Do not have an Investor or Auditor persona report.

1 Professional audit free.
Start in 30 seconds.

Connect with GitHub. Describe what your product does. Your first Intent Audit is ready in under one hour.

Join the waitlist →
1 audit included · 14-day trial · No credit card · Cancel any time

Payments handled by Paddle · Your code is never stored after an audit completes