Implementation & Hardening

The I step in the ANVIL system: your validated prototype becomes a market-ready MVP – hardened against the OWASP Top 10, every line in senior review. Part of the fixed-price engagement from €36,000.

Last updated: 2026-06-26

In the I step of the ANVIL system, your validated prototype becomes the MVP – the first market-ready version of your product. This is the moment where speed meets rigor: we continue development AI-accelerated, harden every feature against the OWASP Top 10, and review every line of code in senior review. Your prototype is no throwaway artifact; it's the most precise spec there is – it shows in black and white what your product needs to do, and it saves weeks of requirements workshops.

  • 45% of AI-generated code contains security vulnerabilities (Veracode 2025)
  • 2.74x more security issues in AI-generated code than in human-written code (CodeRabbit)
  • From €36,000: one fixed-price engagement, from validated prototype to hardened MVP
  • €3.87M average cost of a data breach in Germany (IBM 2025)

Your validated prototype becomes your MVP

The I step is where your groundwork earns its stripes. What you built with Cursor, Claude, Lovable, or a freelancer is the foundation we build on, and we build on it because of its precision, not in spite of it. Three terms, three levels of maturity, cleanly separated:

Stage | What it is | Where in the ANVIL system
Prototype | Your work: the working demonstration of your idea | Entry into the system
MVP | The first market-ready, hardened version with real users | Outcome of the I step
Platform | The scaled version, running in production | Outcome of step L

After the paid Analysis (Step A) that all four entry paths share, two paths land directly on this step: if you bring a prototype (our most common case), you enter here at I; if you want an existing, insecure, or fragile platform brought up to standard, you start at I or L. In either case, Step A has already produced a prioritized roadmap, so we know exactly what to do. Our guide From Prototype to Production lays out the path from prototype through MVP to platform in detail.

Hardening against the OWASP Top 10:2025

AI accelerates development enormously, but it also reproduces the same weaknesses systematically. In CodeRabbit's analysis of 470 pull requests, security issues appeared up to 2.74x more often in AI-generated code than in code written by humans alone (CodeRabbit: State of AI vs. Human Code Generation Report), and Veracode found that 45% of AI-generated code contains vulnerabilities (Veracode: GenAI Code Security Report 2025). The Verizon DBIR 2025 adds that exploitation of vulnerabilities as the initial access vector rose by 34% year over year (Verizon: Data Breach Investigations Report 2025).

That's why we test your MVP systematically against all ten risk categories of the OWASP Top 10:2025 and fix every finding (OWASP Top 10 (2025)). Among them:

  • Broken Access Control – missing authorization checks, IDOR vulnerabilities
  • Security Misconfiguration – default credentials, verbose error messages, open debug endpoints
  • Software Supply Chain Failures – compromised dependencies, missing SBOMs, insecure CI/CD
  • Injection – SQL, NoSQL, and command injection
  • Cryptographic Failures – unencrypted transmission, weak algorithms
  • Authentication Failures – weak policies, missing MFA; we deploy Keycloak as a self-hosted identity provider with passwordless auth and magic links
  • Security Logging & Alerting Failures – we implement structured logging with OpenTelemetry for complete traceability
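
What "personal data in log files" looks like at code level, and how a structured logger with a redaction filter stops it, as an added example that is not the page's own code: it uses Python's standard logging module in place of the OpenTelemetry setup named above, and the field names, redaction rules and sample login event are assumptions.

```python
"""Structured JSON logging with PII redaction, stdlib only. Constructed
example: the logging module stands in for the OpenTelemetry pipeline the
page describes; field names and redaction rules are assumptions."""
import io
import json
import logging
import re

# Anything that looks like an e-mail address is personal data under the GDPR.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
# Field names whose values must never reach a log sink, whatever they contain.
SENSITIVE_KEYS = {"password", "token", "authorization", "cookie", "iban", "email"}
REDACTED = "[REDACTED]"


def scrub_text(value):
    """Replace e-mail addresses inside free-text values; leave other types alone."""
    return EMAIL_RE.sub("[email]", value) if isinstance(value, str) else value


class RedactPII(logging.Filter):
    """Handler-level filter: rewrites the record in place before formatting,
    so every sink attached to the handler sees only the redacted version."""

    def filter(self, record: logging.LogRecord) -> bool:
        fields = getattr(record, "fields", None)
        if isinstance(fields, dict):
            record.fields = {
                key: REDACTED if key.lower() in SENSITIVE_KEYS else scrub_text(val)
                for key, val in fields.items()
            }
        # Render %-style args now, then scrub the finished message.
        record.msg = scrub_text(record.getMessage())
        record.args = ()
        return True


class JsonFormatter(logging.Formatter):
    """One JSON object per line: the shape log pipelines and SIEMs expect."""

    def format(self, record: logging.LogRecord) -> str:
        doc = {
            "ts": self.formatTime(record),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        }
        doc.update(getattr(record, "fields", None) or {})
        return json.dumps(doc, ensure_ascii=False)


def build_logger(name: str = "app"):
    """Logger writing JSON lines to an in-memory buffer (a file or stdout
    handler would take its place in a real deployment)."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(JsonFormatter())
    handler.addFilter(RedactPII())
    logger.addHandler(handler)
    return logger, buf


def log_login_attempt(user_email: str, ok: bool, session_token: str) -> dict:
    """Log a login event the way generated code often does (e-mail in the
    message, token in the fields) and return the parsed line that actually
    reached the sink."""
    logger, buf = build_logger()
    logger.info(
        "login %s for %s", "ok" if ok else "failed", user_email,
        extra={"fields": {"event": "login", "email": user_email,
                          "token": session_token, "ok": ok}},
    )
    return json.loads(buf.getvalue().splitlines()[-1])


if __name__ == "__main__":
    # Constructed sample input: an e-mail address and a session token.
    print(log_login_attempt("alice@example.com", False, "eyJhbGciOi.session.secret"))
```

The filter sits on the handler rather than the logger, so a second handler (say, a file sink added later) inherits nothing and must get its own filter; attaching it to a shared base handler factory, as `build_logger` does, keeps that from being forgotten.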

Typical patterns we find and close in AI-generated applications: hardcoded API keys, missing input validation, exposed admin routes, personal data in log files, and missing rate limits. In 2025 alone, more than 28.6 million new secrets were exposed in public GitHub repositories (GitGuardian: State of Secrets Sprawl 2026). For a deeper look at the recurring patterns, see our article Vibe Coding Done Right; systematically hardening these weaknesses is a core part of Step I.
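
The broken-access-control item above (an object id taken from the URL with no ownership check, the classic IDOR) together with missing input validation, shown as the generated-code pattern next to its hardened form. This is an added example, not the page's or ANVIL's code; the invoice store, the handler names and the outcome labels are assumptions.

```python
"""Broken access control (IDOR) in a record lookup: the generated-code
pattern next to the hardened version. Constructed example; the data store,
handlers and outcome labels are assumptions, not the page's own code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount_cents: int


# Constructed in-memory table standing in for the database.
INVOICES = {
    101: Invoice(101, owner_id=1, amount_cents=12_000),
    102: Invoice(102, owner_id=2, amount_cents=98_000),
}

# Decimal digits only, bounded length (fits a 64-bit integer column).
# str.isdigit() is not enough: it accepts Unicode digits that int() rejects.
RECORD_ID_RE = re.compile(r"[0-9]{1,18}")


class NotFound(Exception):
    pass


class BadRequest(Exception):
    pass


def get_invoice_vulnerable(current_user: User, raw_id: str) -> Invoice:
    """Typical generated handler: the id from the URL is trusted as-is and
    nobody checks that the caller owns the record (IDOR). Non-numeric input
    raises ValueError, i.e. an unhandled 500 instead of a clean 400."""
    invoice = INVOICES.get(int(raw_id))
    if invoice is None:
        raise NotFound(raw_id)
    return invoice


def parse_record_id(raw_id: str) -> int:
    """Input validation at the boundary; everything malformed is a client error."""
    if not RECORD_ID_RE.fullmatch(raw_id):
        raise BadRequest(f"invalid id: {raw_id!r}")
    return int(raw_id)


def get_invoice_hardened(current_user: User, raw_id: str) -> Invoice:
    """Deny by default: the record must exist AND be owned by the caller
    (or the caller must be an admin). Both failures return the same 404 so
    an attacker cannot enumerate which ids exist."""
    invoice = INVOICES.get(parse_record_id(raw_id))
    authorized = invoice is not None and (
        invoice.owner_id == current_user.id or current_user.role == "admin"
    )
    if not authorized:
        raise NotFound(raw_id)
    return invoice


def access_outcome(handler, current_user: User, raw_id: str) -> str:
    """Map a handler call to its HTTP-level outcome, for comparing the two."""
    try:
        handler(current_user, raw_id)
        return "ok"
    except NotFound:
        return "not_found"
    except BadRequest:
        return "bad_request"
    except ValueError:
        return "server_error"  # what the unvalidated version leaks


if __name__ == "__main__":
    alice = User(id=1, role="user")
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("hardened", get_invoice_hardened)):
        print(name, "alice reads invoice 102:",
              access_outcome(handler, alice, "102"))
        print(name, "alice sends '102 OR 1=1':",
              access_outcome(handler, alice, "102 OR 1=1"))
```

The fix that sticks is the one anchored by a test: the assertion that user 1 gets a 404 for invoice 102 is exactly the regression test the page describes, and it fails the moment someone removes the ownership check again.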

Every line in senior review: AI for speed, expertise for rigor

This duality is our core promise: AI speed, backed by senior experience. We use AI tools like Claude Code actively in development, but every line of generated code passes through a human review by senior engineers. That's how we combine the speed of AI assistance (GitHub: Quantifying Copilot's Impact on Productivity, 2022) with the quality assurance of experienced developers.

  • Automated test suite: Unit, integration, and E2E tests cover every feature. Every fix is anchored with a test so that vulnerabilities don't come back.
  • CI/CD with quality gates: Linting, security scanning, and a GitOps-based deployment pipeline. No commit reaches production without review.
  • Senior review of every line: No black box. Architecture decisions are documented and justified, and the code stays comprehensible for you and for any team that comes after.

The difference isn't academic: we run Snyk and Trivy for continuous vulnerability scanning, because according to Snyk and the Linux Foundation, 40% of open-source vulnerabilities are found in transitive dependencies, packages a project pulls in indirectly and never declared itself (Snyk & Linux Foundation: State of Open Source Security 2022).

Hardened infrastructure, GDPR and NIS2 from day one

Hardening doesn't stop at the application boundary. We secure the infrastructure defined in step N on the principle of least privilege:

  • Network & WAF – least-privilege firewall rules, segmentation, web application firewall
  • TLS configuration – TLS 1.3, HSTS, Certificate Transparency
  • Container security – minimal base images, no root processes, image scanning, hardened K3s configuration
  • Secrets management – no credentials in code or environment variables, Vault integration

Compliance here isn't a bolt-on; it's part of the hardening: encryption at rest and in transit, access logs, deletion concepts, and a documented record of processing activities. We implement the security-relevant NIS2 core measures under Article 21 in technical terms, relevant because, since December 2025, NIS2 requires roughly 29,500 German companies to maintain documented cybersecurity measures (BSI: NIS2 Implementation in Germany). For details, see our NIS2 Security Checklist, the page NIS2 for Web Platforms, and the GDPR Vendor Audit. The economic leverage is substantial: according to IBM, organizations that use security AI and automation extensively reduce their average breach costs by $1.9M and shorten the breach lifecycle by 80 days (IBM: Cost of a Data Breach Report 2025).

How does the I step work?

Step | Scope | Timeline
1. MVP build from the validated prototype | Core functionality, data model, API, and authentication on the target architecture from step N | Week 1–6
2. Hardening & OWASP Top 10 | Remediation, rate limiting, input validation, secure headers, secrets management | Week 4–8
3. Tests & senior review | Automated test suite, CI/CD quality gates, review of every line | Ongoing
4. Verification | Independent penetration test, regression tests, GDPR review | Week 8–10
5. Handover to L | Documented audit trail, security report, transition to Launch & Operations | Week 10

At the end of the I step you get a verifiable result, not a document: a running, hardened MVP with Git repository handover and documentation, a configured CI/CD pipeline with automated tests, a security report with the results of the penetration test, and architecture documentation for further development. From here it's just one step to Launch & Operations (L).

One package, one fixed price: where the I step begins and what it costs

The I step isn't a product you can book on its own. There is exactly one offering: the ANVIL system, a fixed price from €36,000 for the entire path from prototype to production system – Analysis, New design, Validation, Implementation & Hardening, and Launch. No tiers, no rate cards, no hidden hourly rates.

Every project begins with the mandatory, paid Analysis (Step A): an audit report, a prioritized roadmap, and a dependable cost plan. Your fee for Step A is credited in full against the engagement. Only then does the build begin. Compared with continuing to run a vibe-coded project, this discipline pays off over the lifetime of the system – technically and financially.

Do you have a validated prototype or a platform that needs to become production-ready? Send us a short description of your project. In a free 30-minute intro call, we'll show you the concrete path to a hardened MVP.

Frequently asked questions

What is the I step – Implementation and Hardening?
The I step is the fourth stage of the ANVIL system. Your validated prototype becomes the MVP – the first market-ready version. We continue development AI-accelerated, harden against the OWASP Top 10, cover every feature with automated tests, and review every line of code in senior review. The result is a system that holds up to a security audit and to real customers.
I have an AI-built prototype – do I start here?
Yes. The prototype path is our most common entry point and begins – after the paid Analysis (Step A) – directly in the I step. Your prototype is no throwaway artifact; it's the most precise spec there is: it shows in black and white what your product needs to do, and it saves weeks of requirements workshops.
How do you secure AI-generated code?
Through the duality of speed and rigor. AI tools accelerate development, but every line passes through a senior review and automated tests. We test systematically against the OWASP Top 10:2025, fix every vulnerability we find, and lock in the fix with a test. The AI speed stays; the security holes go.
What's the difference between a prototype, an MVP, and a platform?
A prototype is your work – the working demonstration of your idea and the entry into the ANVIL system. The MVP is the outcome of this I step: the first market-ready, hardened version with real users, tests, and compliance foundations. The platform is the scaled version running in production – the outcome of the Launch step (L).
Is the MVP GDPR- and NIS2-compliant from the start?
Yes. Encryption, access control, audit logging, and a documented record of processing activities are part of the hardening. We implement the security-relevant NIS2 core measures under Article 21 in technical terms and host with EU sovereignty, without CLOUD Act exposure. You get an audit trail, not a mere statement of intent.
What does Implementation and Hardening cost?
The I step isn't a separately bookable product; it's part of the one ANVIL system: a fixed price from €36,000 for the entire path from prototype to production system. Every project begins with the paid Analysis (Step A); its fee is credited against the engagement. The exact scope comes out of the free intro call.

Ready to start?

Book a free initial consultation. We assess your project and tell you exactly what it needs.