Thesis · Colin Wirch · May 27, 2026

Most of your code was written by AI. We underwrite that.

Somewhere north of 90% of the code in the companies that pitch us was written by AI. Cursor, Claude Code, Copilot — pick your tool. This is not a complaint. It's the new baseline, and the teams that embrace it ship five times faster than the teams that don't.

So no — we don't care if you vibecode. Some of the sharpest founders we've met can't write a binary search by hand and have working products with paying users. The leverage is real.

What we care about is a different question entirely: who is in charge of the code?

What AI ships besides features

AI writes code that works. That's exactly what makes it dangerous — it works, it demos well, and the holes don't show until someone goes looking. The patterns we keep seeing in diligence:

AI code ships fast — and it ships more security holes than most teams ever catch.

None of this is fatal. All of it is fixable. But it has to be found first — and the team that built the product is structurally the worst-placed to find it, because they're inside the same blind spots the AI gave them.

Diligence has moved into the repo

A decade ago, due diligence meant financial statements and reference calls. At pre-seed today, the repo is the company. So when we advance a company to Stage 2, we ask four things — with zero judgment attached: who owns the code, what tools you build with, whether that person has finished a project before, and how you handle the security of AI-written code today.

And one thing is mandatory before Stage 3: a code audit. Not because we doubt you. Because we underwrite what's actually in the repo, the same way a serious investor reads the actual contracts.

Cost stopped being an excuse

The classic objection was price — a traditional audit engagement runs five to six figures, absurd at pre-seed. That objection is dead. A new generation of audit tools runs locally, for the price of a dinner — and "locally" matters more than founders admit, because every founder is quietly afraid of someone stealing their idea. With a local audit, your code never has to leave your machine. If you've engaged a traditional auditor instead, that works too.

An audit certificate attached to your pitch fast-tracks our diligence. Think of it as the cheapest signal you can buy: it tells us you take seriously the thing your customers will eventually have to trust.

Building with AI? Good.

Pitch us with what you have. If there's a fit, we'll ask the four questions — and we'll never judge you for how the code got written.

— Colin Wirch, NoRev