Production audit · Node.js · AWS

Production systems,
not demos.

I'm Olha Shevchenko. I open production systems that are already carrying business risk and map where they fail first. Authorization, reliability, recovery paths.

See the approach Request an audit

Audit findings

day 5 / 5

P0 Public database reachable
P0 Restore never tested
P1 Admin scope never narrowed
P2 Untested month-end path

ranked by blast radius

What I do

Production audits

Five-day map of where a live system fails first.

You leave with: A prioritized risk register: severity, evidence, fix, effort.

Multi-tenant authorization review

Where tenant isolation actually leaks.

You leave with: A route-by-route map of which tenant boundaries hold, and which don't.

AWS infrastructure reconstruction

What the architecture is now, not what the diagram claims.

You leave with: A current-state map of the system as it actually runs, with the gaps named.

Deployment & rollback analysis

How code reaches prod, and whether it can come back.

You leave with: A pipeline trace with the rollback path tested, or named as missing.

Recovery-path verification

Backups and restores that have actually been run.

You leave with: A real restore drill: how long it took, what was lost, what failed mid-run.

AI-system operational review

Failure modes, oversight, and exposure in regulated domains.

You leave with: A failure map of the model and the system, with the human checkpoints named.

Most production backends fail the same few ways. Untested code that works until it doesn't. Config that drifted from what the README claims. Credentials in a committed .env. An admin role that was widened once for a deploy and never narrowed. Backups nobody has ever restored.

None of it shows up in a demo. All of it shows up when there is a customer on the other end.

Untested code that happens to work is a demo that hasn't failed yet.

Typical audit engagement

Five days in, the output is a written report: the failure map ranked by blast radius, with remediation priorities. Not slides. Not a line-by-line code review.

See a sample report

1 Day 1 System surface mapping
2 Day 2 Authorization and infrastructure review
3 Day 3 Deployment and recovery-path analysis
4 Day 4 Operational risk validation
5 Day 5 Findings, blast radius, remediation priorities

On day 5 you have: a written report ranked by blast radius, remediation tracks priced. The next decision is a budget line, not another meeting.

What clients usually call me for

Unstable production systems
Unclear ownership boundaries
Infrastructure nobody fully understands
Authorization drift
Deployment instability
Systems that "work" but cannot be trusted

From a client

Trust comes from precision of observation, not credentials.

★★★★★

An outstanding backend and infrastructure audit that exceeded expectations in both depth and clarity. The report was not just a surface-level review: it included clear identification of key issues, root causes, and a well-structured, prioritized execution plan. Communication was smooth, professional, and efficient throughout the entire process, with strong ownership, technical expertise, and a results-driven mindset. I would confidently recommend her to anyone looking for a high-level backend or infrastructure expert.

Verified Upwork review · backend & infrastructure audit · 2026

Featured

What I look for first when I open a production system

I have five days, not to fix a system, but to find where it will fail and what that failure will cost. The order I look in is not a checklist. It is a ranking by blast radius.

Read →

Production systems,not demos.