# Sarmkadan Labs

> Senior-led QA strike team for AI-built SaaS products. Remote-first, worldwide. We test what LLMs ship - finding the subtle hallucinations, silent auth bypasses, and tests-that-prove-nothing that modern AI-assisted codebases are riddled with. We also audit the SEO / GEO / authority signals that determine whether AI answer engines and Google will rank you at all.

Sarmkadan Labs is a boutique quality-assurance firm. Remote-first, distributed across EU, Americas, and APAC. We run fixed-scope audits and continuous QA retainers for founders and engineering leaders shipping AI-generated software to paying customers.

## What we do

- **Signal Check** - 3-day micro-audit. Core Web Vitals + on-page SEO + GEO (robots.txt / llms.txt / schema.org AI-citability) + authority signals + security headers. PDF + walkthrough.
- **Spot Audit** - 48-hour focused assessment of one core flow or feature.
- **Launch-Ready** - comprehensive pre-release audit across the full surface area.
- **Continuous QA** - embedded QA partner working in sprint cadence.
- **Enterprise** - dedicated team, custom SLA, compliance, on-site.
- **Deliverables** - executive summary, technical deep-dive, prioritized ticket list (importable into Jira or Linear), regression suite hand-off.
- **Specialty** - LLM-generated codebases. Playbook tuned for plausible-looking auth checks, boilerplate drift, tests that pass but don't assert, and the dwell-time killers that degrade search authority.

## Pricing

| Tier          | EUR                | Crypto (USDT/USDC, -20%) | Turnaround      |
|---------------|--------------------|--------------------------|-----------------|
| Signal Check  | €590 flat          | €472                     | 3 business days |
| Spot Audit    | €1,900 flat        | €1,520                   | 48 h kickoff    |
| Launch-Ready  | €5,900 per project | €4,720                   | 2 weeks         |
| Continuous QA | from €3,900/month  | from €3,120/month        | 2-week ramp     |
| Enterprise    | Custom             | Crypto-pay also -20%     | Negotiated      |

- Clean EUR invoice (bank transfer or SEPA) or crypto (USDT/USDC on TRC20/ERC20).
- 50/50 for fixed-price tiers, net-15 for retainers. No long contracts.
- Crypto: stablecoins only, default networks.

## Engagement model

- **Mutual NDA** on day zero. DPA on request. Custom confidentiality riders for regulated industries.
- **Turnaround** - Signal Check delivered in 3 business days. Spot Audit kicks off within 48 hours of signed SOW. Launch-Ready starts next Monday. Continuous QA needs a 2-week ramp.
- **Tooling** - Playwright, k6, Burp Suite Pro, OWASP ZAP, semgrep, Lighthouse, custom chaos harnesses. We bring the stack. Findings land in your Jira / Linear / GitHub Issues directly.
- **Hand-off** - every engagement ends with a hand-off call and, where agreed, a regression suite you keep running after we leave.

## Differentiators

- **Senior engineers only.** No offshoring, no juniors shadow-billed.
- **Dwell-time is the new backlink.** We audit for friction bugs that hurt engagement, which both Google and AI answer engines treat as ranking signals.
- **Adversarial perspective** - objective outside view that in-house teams lose to proximity bias.
- **AI-native playbook** - tuned for LLM-generated control flow, hallucinated API usage, assertion-free test suites.
- **GEO-aware** - we ship regression suites AND citability audits (robots.txt AI-bot allows, llms.txt, schema.org JSON-LD) so you show up in ChatGPT, Claude, and Perplexity answers.
- **Fixed scope, fixed price** - no retaining fees, no opaque estimations.
- **Fast start** - 48-hour lead time on Spot Audits, 3 business days for Signal Check.

## Sample audit

We publish a redacted full audit report as a public artifact:

- https://qa.sarmkadan.com/sample (dark theme)
- https://labs.sarmkadan.com/sample (bright theme)

Both show the same engagement: a 20-finding deep audit of wtb.land (a live AI-built SaaS) with severity chips, file:line evidence, repro curl commands, and remediation plans.

## Case studies

Composite case studies built from real audit patterns. Client names and identifying details are fictionalized; metrics are illustrative of outcomes on comparable surface areas. Code-level patterns, attack chains, and remediation steps are drawn from actual audit work.

- Helix (fintech) - Check-ordering IDOR, ledger race under concurrent POST /transfer, password-reset token TTL drift. Patterns from a Launch-Ready audit archetype for a Series B consumer fintech.
  https://qa.sarmkadan.com/cases/helix
- Orbital (B2B analytics SaaS) - N+1 on nested org relationships, over-broad React context re-rendering, WebSocket fan-out without backpressure. Performance audit archetype.
  https://qa.sarmkadan.com/cases/orbital
- Toniq (healthtech) - PHI leakage in error responses, audit-log gaps on failed auth, RBAC scope creep through middleware. SOC2 Type I readiness audit archetype.
  https://qa.sarmkadan.com/cases/toniq

Index: https://qa.sarmkadan.com/cases (same content mirrored at labs.sarmkadan.com/cases)

## Blog

Technical writing on QA for AI-generated code and GEO/SEO signals that determine AI-answer-engine citability.

- Five failure modes of LLM-written auth middleware - code-level anti-patterns in AI-generated auth: role-check-after-fetch, missing reset rate limits, broken OAuth state, session fixation, JWT pitfalls.
  https://qa.sarmkadan.com/blog/ai-generated-auth-bypass
- Dwell-time is the new backlink: why QA bugs tank your SEO - how friction-class defects degrade engagement signals that both Google and AI answer engines now weigh in ranking.
  https://qa.sarmkadan.com/blog/dwell-time-seo
- GEO: how to get cited by ChatGPT, Claude, Perplexity - llms.txt, schema.org, robots.txt for AI crawlers, and the citability patterns answer-engines prefer.
  https://qa.sarmkadan.com/blog/llms-txt-geo
- Your AI-written tests prove nothing - the assertion-free test pattern that dominates LLM-generated suites and how to detect it in review.
  https://qa.sarmkadan.com/blog/ai-test-hallucinations

Index: https://qa.sarmkadan.com/blog (same content mirrored at labs.sarmkadan.com/blog)

## Contact

- Email: zaiets@sarmkadan.com
- Parent: Sarmkadan (https://sarmkadan.com)
- Founded: 2025
- Remote-first, distributed worldwide.