So it's really just you?
Yes. Matt Owens builds the product, runs the security tests, and sends the updates. If a project needs extra hands, I'm upfront about it and only bring in people I trust.
FAQ
Honest answers before we work together
No marketing fluff or scripted support responses. If you still have questions after reading this, send me an email at matt@codewheel.ai and I'll answer directly.
Do you have client testimonials?
Not yet-CodeWheel is new. My background is verified on LinkedIn and I publish technical content so you can judge the work. Early clients receive discounted pricing while we build case studies together.
What kinds of work do you take on?
RAG builds, prompt injection testing, penetration tests, architecture reviews, and ongoing advisory. All engagements include both engineering and security so you're not juggling multiple vendors.
Do you handle compliance paperwork?
I prepare you for vendor security reviews and due diligence. I provide the technical evidence (pen test reports, architectural diagrams) your auditor or enterprise buyer needs, but I do not issue formal compliance certificates myself.
How do projects usually start?
I walk through your architecture, timeline, and goals with you. If it's a match, I send a simple proposal with scope, price, timeline, and what I need to start. 50% to reserve time, 50% when you have the deliverables.
Do you work with enterprise companies?
I focus on pre-seed through Series A teams. If you need a multi-person agency or a 24/7 SOC, I'm not a fit. If you want senior engineering with honest pricing, I am.
How fast can you start?
Usually within 1-2 weeks. If it's urgent and the scope is clear, I can sometimes start sooner. Let me know your launch date and I'll confirm availability.
What tools or stacks do you work with?
Next.js, Astro, Supabase, Postgres/pgvector, Stripe, Clerk, Vercel, AWS, OpenAI/Anthropic, and a long list of supporting security tools (OWASP ZAP, Burp, Nuclei, Kali, etc.).
How do communication and updates work?
I stay in touch via Slack or email plus weekly Notion recaps (with screen recordings when helpful). Critical findings are shared immediately. You always know what's happening, what's blocked, and what's next.
What if we need help after the engagement?
Every project includes a 30-day support window for questions and retesting. If you want longer-term help, we can continue on a light advisory retainer.
How do you keep agents from doing destructive actions?
Tools are permissioned, inputs are schema-validated, and sensitive actions require confirmations or human-in-the-loop checks. We also run offensive tests against tool bindings before they ever hit production.
How do you prevent data leakage between tenants?
Row-level security, per-tenant namespaces for embeddings, and strict filters at the retrieval layer. Every RAG and agent call is scoped before it ever reaches the model.
How are AI features tested safely?
Prompt-injection suites, RAG retrieval boundary tests, and Playwright E2E flows run in CI. Offensive tests happen in a sandbox before go-live, and we re-test after fixes are applied.