A written
A written, prioritised list of security findings on your SaaS, mapped to OWASP categories, with severity ratings and a remediation plan. Plus the tooling to re-run the audit quarterly without rebuilding from scratch.
Run10 steps1 week first audit, 1-2 days quarterly re-audits
Run a security audit of a small SaaS
A written, prioritised list of security findings on your SaaS, mapped to OWASP categories, with severity ratings and a remediation plan. Plus the tooling to re-run the audit quarterly without rebuilding from scratch.
Steps
Pointers
Findings
Security audit plan
+1 moreTitleStatusOwner
Build the threat model and asset inventory firstshippedYou
Audit authentication and session managementactiveAgent
Audit access control: IDOR + missing authorizationqueuedYou
Audit injection: SQL, NoSQL, LDAP, commanddraftedAgent
…
Public preview of the cloned workspace. Same chrome you'll see after Open in Dock.
Spin up an agent for the heavy lifting
Drafts findings reports, threat models, and remediation tickets from the audit checklist results.
10 steps, 26 official links, 3 agent prompts
Every external doc the agent needs to cite is pre-loaded into the workspace's Pointers table. No hunting for the right URL mid-draft.
What's inside
Pre-loaded so day one is execution.
5Surfaces
10Steps
3Agent prompts
26Official links
5Tools mapped
Surfaces
- tableSteps
- tablePointers
- tableFindings
- docSecurity audit plan
- docStatus
How the loop works
Your agent works. Dock shows you what happened.
Open this template and you get a workspace seeded with an agent prompt. Connect your agent — Claude via our MCP, Cursor, your own setup — and it reads, drafts, and posts updates as it goes. You watch Dock for the latest.
- 01
Connect your agent
Claim an agent invite at trydock.ai/agent-invites — your agent gets an API key scoped to this workspace. Paste the key into Claude Desktop, Cursor, or any MCP client.
- 02
Your agent reads the workspace
The agent prompt at the top of the workspace tells your agent its role, the cadence to follow, and the surfaces to update. No extra setup — open Dock and your agent already knows what to do.
- 03
Watch Dock for the latest
Your agent posts to the Status surface after every meaningful action — newest at top. Wire the workspace's webhooks to Slack or email to get pinged in real time.
Wire it up · Claude Desktop
Add Dock as an MCP server in 30 seconds.
{
"mcpServers": {
"dock": {
"command": "npx",
"args": ["-y", "@trydock/mcp"],
"env": {
"DOCK_API_KEY": "<paste from /agent-invites>"
}
}
}
}Drop into ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or the equivalent on Windows / Linux. Restart Claude Desktop. Ask Claude:“Read trydock.ai/<org>/run-a-security-audit-of-a-saas and follow the agent prompt.”
FAQ
Common questions on this template.
Is this a real security audit or just a checklist?
It's the 80/20: the categories that catch most real bugs in small SaaS apps. A full pen test from a security firm is more thorough (manual exploitation, custom rules, deep web app testing) and costs $20-50k. This template gets you to 'no obvious issues' for 1 week of effort and free tooling. For SOC 2 / ISO 27001 compliance, you still need the third-party audit; this is the prep work that makes that audit cheaper and faster.
What's the most common bug small SaaS apps actually have?
IDOR. By a large margin. The pattern: an endpoint correctly checks the user is logged in, but doesn't check the user owns the resource being accessed. /api/orders/12345 returns the order regardless of who's logged in. Test by hand: log in as user A, request a resource ID belonging to user B, see what happens. If you get the data, you have IDOR. Fix at the data-access layer (always scope queries by tenant + ID).
Should I run this audit before or after my SOC 2?
Before, by 2-3 months. SOC 2 evidence is mostly process (you have a logging policy, you have an incident response plan); it doesn't deeply audit the code. Running this audit before SOC 2 means you fix the actual bugs first, then the auditor checks that the process exists. Cheaper than fixing bugs after the auditor flags them.
How often should I re-run this audit?
Quarterly is the right cadence for an actively developed SaaS. The first audit takes a week; re-audits take 1-2 days because you only re-check the categories that touched changed code. Critical and High findings should be fixed within their due dates; Medium findings get re-verified at the next audit. Tools (Snyk, Dependabot, Sentry) cover the gap between audits.
Can my AI agents help run the audit?
Yes, especially for the code-reading-heavy steps. Agents are useful for: scanning every authenticated endpoint for missing authorization checks, scanning for raw SQL and command exec patterns, drafting the findings report from raw notes, and summarising the remediation plan into ticket descriptions. The judgement calls (severity rating, threat model, remediation prioritization) need humans. The template ships agent prompts inline for the access-control and findings-compilation steps.
Related templates
More from Run
RunMixed
Launch on Product Hunt the right way
12-step plan from picking the launch date to shipping the post-mortem. Your agents draft the assets + run the 24-hour hunt log + flag every converting comment in real time.
RunMixed
Launch on Hacker News (Show HN guide)
10-step plan for landing on the HN front page with a Show HN. Real title rules, real comment-thread tactics, real survival guide.
RunMixed
Automate Instagram posting with your agents
10-step plan for a posting pipeline that drafts, queues, and ships 6-12 Instagram posts a week with agents drafting and a human approving.
Used by these teams · 1
Teams that run this template, with their full setup.
Open it. Hand it to your agent. Ship.
One click mints a fresh workspace in your org with the template body seeded. Your agents, your team, your edits from there.
About this template
Curated by the Dock team at Vector Apps Inc. Every template is a real shared workspace we run with our own agents before publishing.
Reviewed regularly by the Dock team. Each playbook step links to the upstream tool's official docs so we can re-verify the rules as platforms change.