
From Prototype to Production

How to turn an AI-built prototype into production-ready, compliant infrastructure.

Last updated: 2026-06-23

A prototype built with Lovable, v0, Bolt or Cursor proves an idea can work – it does not make it a production platform. Between a running prototype and a system that stays secure and reliable under load, in failure scenarios and after months in operation lies substantial engineering work [AxisOps: From Prototype to Production, What Founders Get Wrong]. This guide lays out the five concrete phases between an AI-generated prototype and a production-ready system: realistic timelines, costs and decision criteria.

  • 95% of enterprise AI pilots fail to reach measurable ROI (MIT 2025)
  • 74% of fast-growing startups fail due to premature scaling
  • 45% of AI-generated coding tasks contain vulnerabilities (Veracode)
  • 6–14 weeks typical duration: prototype → production

Phase 1: Assessment – understanding the status quo

Before a single line of code is changed, the existing prototype has to be evaluated systematically. At AnvilStack this assessment is free – it is part of the initial consultation and the basis for a binding quote.

What gets reviewed:

  • Architecture: Component structure, dependency graph, data flow, state management. Is the architecture modular, or a monolith with implicit coupling?
  • Security: Authentication, authorization, input validation, secret management, OWASP Top 10. Escape.tech found over 400 exposed secrets across 5,600 vibe-coded apps, including API keys hardcoded into the frontend [Escape.tech: 2,000+ Vulnerabilities in Vibe-Coded Apps].
  • Dependencies: Count, currency, known CVEs, license compatibility. AI-generated code tends toward oversized dependency trees.
  • Scalability: Database queries, N+1 problems, missing indexes, caching strategy, connection pooling.
  • Compliance: GDPR conformity (Art. 25 Privacy by Design), NIS2 requirements, data storage locations, data processing agreements.
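
One way to automate the secrets part of this review, as an added example (not AnvilStack's or Escape.tech's tooling): a TypeScript scan of built frontend text for hardcoded credentials. The rule names, the 3.5-bit entropy threshold and the sample bundle are assumptions made for illustration.

```typescript
// Added example: flags hardcoded credentials in built frontend text.
type Finding = { line: number; rule: string; preview: string };

// Prefix rules for well-known credential formats.
const PREFIX_RULES: { rule: string; re: RegExp }[] = [
  { rule: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { rule: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];
// A quoted value of 16+ characters assigned to a credential-like name.
const ASSIGNMENT = /(?:api[_-]?key|secret|token|password)\w*["']?\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]/i;
const MIN_ENTROPY = 3.5; // bits per character; assumed threshold, tune per code base
// Report only four characters so the scan output does not leak the secret again.
const redact = (value: string): string => value.slice(0, 4) + "...";

// Shannon entropy: random keys score high, words and padding score low.
function shannonEntropy(s: string): number {
  const counts: Record<string, number> = {};
  for (let i = 0; i < s.length; i++) counts[s.charAt(i)] = (counts[s.charAt(i)] || 0) + 1;
  let bits = 0;
  Object.keys(counts).forEach((ch) => {
    const p = (counts[ch] || 0) / s.length;
    bits -= (p * Math.log(p)) / Math.LN2;
  });
  return bits;
}

function scanBundle(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    PREFIX_RULES.forEach(({ rule, re }) => {
      const m = re.exec(text);
      if (m) findings.push({ line: idx + 1, rule, preview: redact(m[0] || "") });
    });
    const a = ASSIGNMENT.exec(text);
    const value = a ? a[1] || "" : "";
    if (value && shannonEntropy(value) >= MIN_ENTROPY) {
      findings.push({ line: idx + 1, rule: "high-entropy-assignment", preview: redact(value) });
    }
  });
  return findings;
}

// Constructed sample bundle; the AWS value is the placeholder used in AWS documentation.
const SAMPLE_BUNDLE = [
  'const supabaseUrl = "https://project.example.invalid";',
  'const apiKey = "q7Zp2LxV9mTb4KcR8nWd3HsY";',
  'const token = "aaaaaaaaaaaaaaaaaaaaaaaa";',
  'const aws = "AKIAIOSFODNN7EXAMPLE";',
].join("\n");
```

Run `scanBundle` over the compiled output rather than the source tree, since that is what ships to the browser; the low-entropy `token` line in the sample is deliberately not reported.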

Phase 2: Architecture – redefining the foundation

Prototypes rarely have a deliberate architecture. AI tools optimize for "works now," not "scales tomorrow." Phase 2 defines the target architecture.

Core decisions:

  • Clean architecture: A clear separation of presentation, business logic and data access. AI-generated code almost always blends these layers.
  • Database schema: Normalization, indexing, migration strategy. Prototype schemas often have missing constraints, no foreign keys and redundant data.
  • API design: RESTful or GraphQL with consistent error handling, versioning and rate limiting. Prototypes often expose internal data structures directly.
  • Auth system: OAuth 2.0 / OIDC with proper token management, RBAC and session handling. Home-grown auth systems in prototypes are a common security risk.
[Supalabs: Prototype to Production – Scaling Startup Architecture]

Phase 3: Engineering – refactor or rewrite

The choice between refactoring and rewriting is the single most important technical fork in the road. The honest answer hinges on one question: Is the existing architecture fundamentally flawed, or are the problems contained to specific areas? [Graphite: Refactoring vs. Rewriting Code – Decision Guide]

Criterion | Refactor | Rewrite
--- | --- | ---
When it makes sense | Architecture fundamentally sound, localized quality issues | Architecture fundamentally flawed, outdated technology
Timeline | 4–8 weeks, incremental | 8–16 weeks, parallel build
Risk | Low – existing functionality is preserved | Higher – second-system effect, feature-parity drift
Effort | Lower, incremental | Higher, parallel rebuild
Recommendation | Default case for most prototypes | Only when refactoring would cost more than rebuilding

Whether you refactor or rewrite, these steps are mandatory:

  • Security hardening: Input validation, output encoding, parameterized queries, CORS configuration, security headers, secret rotation
  • Testing strategy: Unit tests for business logic (>80% coverage), integration tests for API endpoints, E2E tests for critical user flows
  • Code quality: Linting, formatting, type safety (TypeScript strict mode), no any types, consistent error-handling patterns
[Veracode: GenAI Code Security Report – Security Flaws in AI Code]
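
An added example, not code from this article's author: a TypeScript check of one HTTP response against the security-header and CORS items in the hardening list above. The one-year HSTS minimum, the finding labels and the sample hostnames are assumptions.

```typescript
// Added example: audits one response's headers against a hardening baseline.
type HeaderFinding = { header: string; issue: string };
const MIN_HSTS_SECONDS = 31536000; // one year; assumed baseline, not a value from the article

// Sources of a CSP directive, falling back to default-src; null when neither is set.
function cspSources(csp: string, directive: string): string[] | null {
  const table: Record<string, string[]> = Object.create(null);
  csp.split(";").forEach((part) => {
    const tokens = part.trim().split(/\s+/);
    const name = (tokens[0] || "").toLowerCase();
    if (name && !table[name]) table[name] = tokens.slice(1); // first occurrence wins
  });
  return table[directive] || table["default-src"] || null;
}

function auditHeaders(raw: Record<string, string>, allowedOrigins: string[]): HeaderFinding[] {
  const h: Record<string, string> = Object.create(null); // header names are case-insensitive
  Object.keys(raw).forEach((k) => { h[k.toLowerCase()] = (raw[k] || "").trim(); });
  const out: HeaderFinding[] = [];
  const flag = (header: string, issue: string): void => { out.push({ header, issue }); };
  const hsts = /max-age=(\d+)/i.exec(h["strict-transport-security"] || "");
  if (!hsts) flag("strict-transport-security", "missing or no max-age");
  else if (Number(hsts[1]) < MIN_HSTS_SECONDS) flag("strict-transport-security", "max-age too short");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") flag("x-content-type-options", "not nosniff");
  const scripts = cspSources(h["content-security-policy"] || "", "script-src");
  // A nonce or hash makes browsers ignore 'unsafe-inline', so that pairing is not flagged.
  const strict = (scripts || []).some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (!scripts) flag("content-security-policy", "no script-src or default-src");
  else if (scripts.indexOf("*") >= 0 || (!strict && scripts.indexOf("'unsafe-inline'") >= 0)) {
    flag("content-security-policy", "script-src too permissive");
  }
  // Any Allow-Origin value outside the allowlist is a finding; with credentials it is worse.
  const origin = h["access-control-allow-origin"];
  if (origin && allowedOrigins.indexOf(origin) < 0) {
    const creds = (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
    flag("access-control-allow-origin", creds ? "unlisted origin with credentials" : "unlisted origin");
  }
  return out;
}

// Constructed sample response from a prototype-style backend (hostnames are placeholders).
const WEAK: Record<string, string> = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "Access-Control-Allow-Origin": "https://untrusted.example",
  "Access-Control-Allow-Credentials": "true",
};
```

Calling `auditHeaders(WEAK, ["https://app.example"])` yields four findings; wiring the same call into the post-deployment health check keeps a regression in headers or CORS from reaching users unnoticed.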

Phase 4: Infrastructure – EU-sovereign and automated

Prototypes run on Vercel, Netlify or Replit – platforms optimized for demos, not for production with European compliance requirements [SoftwareSeni: DORA, NIS2 and the AI Act Make Sovereign Cloud Mandatory].

Production infrastructure includes:

  • EU-sovereign hosting: Deployment on Hetzner (Germany) – a privately held German GmbH, no CLOUD Act, GDPR-native. Comparable servers cost a fraction of hyperscaler prices there (details in the Hetzner vs. AWS cost comparison).
  • CI/CD pipeline: An automated build-test-deploy chain with branch protection, required reviews and automated security scans before every merge.
  • Monitoring: Application performance monitoring (APM), structured logging, alerting for error rates, latency spikes and resource utilization.
  • Backup & recovery: Automated database backups, point-in-time recovery, documented and tested restore procedures.
  • Staging environment: A production-identical staging environment for QA, performance testing and deployment validation.

Phase 5: Launch & Operations – going live in a controlled way

Go-live is not a switch you flip once. It runs in a controlled fashion, with defined fallback options should problems arise.

Deployment strategy:

  • Blue/green deployment: Two identical production environments – switch over with zero downtime, instant rollback if problems occur
  • Health checks: Automated verification of application endpoints, database connections and external services after every deployment
  • Incident response plan: Documented escalation paths, defined responsibilities, runbooks for common scenarios

Ongoing operations:

  • Dependency updates: Automated checks for new CVEs, monthly dependency updates with automated testing
  • Performance monitoring: Continuous measurement of Core Web Vitals, API latency and database performance
  • Capacity planning: Regular review of resource usage, proactive scaling ahead of bottlenecks

The 5 most common founder mistakes

1. Skipping the assessment. "We already know what's wrong" – no, you don't. Without systematic analysis, the most critical problems get overlooked precisely because they are invisible (missing security headers, exposed secrets, race conditions) [nFlo: Security Audit for Startups – A Practical Checklist].

2. Premature scaling. Introducing Kubernetes clusters and microservices before your first 1,000 users creates complexity without benefit. According to Startup Genome, 74% of fast-growing startups fail due to premature scaling [Startup Genome: Why Startups Fail, Premature Scaling (3,200+ Startups)].

3. Ignoring compliance. GDPR violations cost up to 4% of global annual revenue [GDPR Art. 83: Fines up to 4% of Annual Revenue]. Since December 2025, Germany's NIS2 implementation act has required documented cybersecurity measures [OpenKRITIS: NIS2 Implementation Act in Germany]. Retrofitting compliance after the fact is far more expensive than building it in from the start.

4. Just "building on top of" the prototype. Without an architecture review, technical debt grows exponentially. What costs an hour to fix today costs a week in six months [Martin Fowler: Bottleneck #01 – Tech Debt].

5. Treating testing as optional. Prototypes rarely have tests. Without test coverage, any change can break existing functionality without anyone noticing before deployment – regressions then surface only in production.

Timeline and cost: realistic expectations

Duration depends on the complexity of the prototype and the target state. AI-assisted development primarily shortens routine tasks such as coding, testing and documentation, but the engineering work – review, security, load testing – remains [Ideas2IT: MVP Development Cost 2026].

Phase | Duration | Included in fixed price
--- | --- | ---
1. Assessment | 3–5 days | free (upfront, part of the initial consultation)
2. EU migration & hardening | 2–4 weeks |
3. Engineering | 4–10 weeks |
4. Infrastructure | 1–2 weeks |
5. Launch | 1 week |
Total | 6–14 weeks | Fixed price €36,000

Technical due diligence: what investors check

For startups heading into a funding round, technical due diligence is a decisive gate. Investors increasingly commission external TDD reviewers to evaluate the entire tech stack [26lights: Tech Due Diligence Guide for Startups 2025]:

  • Code quality: Modular structure, test coverage, consistent style, no obvious anti-patterns
  • Architecture: Scalability, maintainability, clear layers, documented decisions (ADRs)
  • Security: Vulnerability scans, dependency audit, penetration test results, incident response plan
  • Infrastructure: CI/CD automation, monitoring, backup strategy, disaster recovery
  • Team capability: Can the team explain, extend and maintain the code?
[Sphere: Technical Due Diligence Checklist for Startups; madewithlove: Technical Due Diligence for SaaS Startups]

A prototype that meets none of these criteria is a red flag in any funding round. A documented run through these five phases is effectively a pre-emptive TDD record and shortens the review in the funding process.

Conclusion: method beats speed

The fastest route to production does not run through more features, but through the right order: assessment first, then architecture, then hardening. Founders who treat the path from prototype to production as five defined phases rather than chaotic add-ons save time and money and avoid the mistakes that sink the majority of failed startups.

You have an AI-generated prototype and want to go to production? In a free initial consultation, we evaluate your prototype and map out the path through all five phases – from assessment to sovereign deployment on Hetzner. We deliver the full build for a fixed price of €36,000.

Frequently asked questions

How long does it take to make a prototype production-ready?
Typically 6–14 weeks, depending on complexity. The assessment takes 3–5 days, the engineering phase 4–10 weeks, and infrastructure and launch 1–2 weeks each.
What does the path from prototype to production cost?
The initial consultation and assessment are free. We deliver the full build from prototype to a production-ready, EU-hosted platform for a fixed price of €36,000.
Refactor or rewrite – which is better?
Refactoring is the default for most prototypes, provided the architecture is fundamentally sound. A rewrite only makes sense when the architecture is fundamentally flawed or built on outdated technology.
What do investors check in technical due diligence?
Code quality, architecture, security, infrastructure and team capability. A prototype with no tests, no CI/CD and hardcoded secrets is a red flag that can drag the valuation down by as much as 20%.
Can I keep using my AI-generated prototype?
Yes – working business logic is carried over and placed on a production-ready foundation. In the free assessment, we evaluate which parts can be kept and what needs to be rebuilt.
Why do I need EU-sovereign hosting?
Prototypes often run on Vercel, Netlify or AWS – all US providers subject to the CLOUD Act. For GDPR-compliant production systems, an EU-owned provider like Hetzner is the legally sound choice, at significantly lower cost.
