10 client orgs, one laptop, zero uploaded code.
Salesforce consultancies audit client orgs constantly: pre-engagement discovery, mid-engagement health checks, post-engagement handoffs, compliance evidence packs for regulated clients. The market default for this is CodeScan or Clayton, both per-user-per-month SaaS that charges your team whether you have one client this quarter or ten.
Vulkro flips the economics: one laptop, unlimited Salesforce orgs, fixed annual price, and your client code never leaves the consultant's machine.
The per-engagement math
Suppose your consultancy runs 10 client engagements a year and you have 3 consultants doing Salesforce reviews.
| CodeScan SaaS | Vulkro Consultancy Pack | |
|---|---|---|
| Pricing model | $25 / user / month | Flat annual, 10 floating activations (contact-priced) |
| Cost for 3 users / year | $900 | Contact |
| Cost across 10 client orgs | included | included |
| Per-client incremental cost | $0 | $0 |
| Client code uploaded | yes (SaaS) | no |
| Client NDA implications | "we use a SaaS scanner" | "we run a local CLI" |
| Renewal | automatic | manual |
The Vulkro Pack pays for itself the first time a client asks "is the audit tool a separate data processor?" and the answer is no.
What you get per engagement
-
Per-org HTML reports. Run
vulkro-sf appexchange-report <client-project> -o report.htmlagainst each client SFDX project you manage. Each run produces a self-contained HTML report for that org, grouped by the published checklist sections. Hand the report directly to the client. -
CRUD/FLS taint findings across class boundaries. Vulkro's Apex engine builds an intra-class and cross-class call graph and resolves enforcement and data-op reach. A method that delegates its FLS check to a private helper is no longer a false positive; a method whose DML lives in a callee class is now caught.
-
AppExchange Security Review readiness report. For ISV clients,
vulkro-sf appexchange-reportrenders the same 10-section checklist mapping. Bring it to the kickoff for any client planning a managed-package submission. -
All the Salesforce coverage gaps closed in P8.7. Visualforce (
escape="false"reflected merge fields, dynamicincludeScript), metadata (profile over-privilege, named credentials, connected app OAuth scopes), Flow (system-context DML, hardcoded IDs), PII mapping for the standard SObjects (Account, Contact, Lead, Opportunity, Case, User). -
Detector packs for client orgs beyond core CRM. Clients on B2C Commerce, Marketing Cloud, Health Cloud, FSC, CRM Analytics, Salesforce Functions, or Heroku Connect are covered by the same one-year team license. Each pack self-gates on activation markers in the project root, so a vanilla Apex / LWC org never pays the walk cost. B2C Commerce, Marketing Cloud, Industries Clouds (Health + FSC), CRM Analytics, SF Functions, and Heroku Connect, plus the PMD-for-Apex / ESLint LWC / RetireJS wrappers as a one-shot sfdx-scanner replacement, are all documented in the Vulkro for Salesforce coverage matrix.
-
Live-org posture audits you can track across the engagement. Connect a client org through the consultant's own
sfCLI login (read-only, metadata only, the OAuth token stays in the CLI, no business records) and the desktop console audits identity and permission over-privilege, Connected App OAuth posture, installed packages, Agentforce, and SecuritySettings hardening (session timeout, IP binding, clickjack, CSRF, password policy). Each audit is a point-in-time snapshot, so a mid-engagement re-audit diffs what changed since discovery (what is NEW and what was RESOLVED) and proves the remediation to the client without re-reading a line of their code. See live-org setup.
Multi-org without uploading any of it
The Pack ships 10 floating activations sharing one team_id.
Each activation binds to the laptop on first vulkro activate,
then scans any number of client SFDX projects on that laptop
through a one-year term. There is no per-org gate inside the
engine; the consultant rotates through clients as the engagements
land.
VULKRO_OFFLINE=1 enforces zero network calls at the process
boundary if a client contract requires it. The CVE bundle lives
in the binary; updates ship through a separate signed download
that you control the timing of.
Pricing for the consultancy
The Vulkro Consultancy Pack is one year of the full product with 10 floating activations, contact-priced while we validate the first cohort. Nothing renews on its own: when the term expires the CLI asks you to request a fresh license, and you buy a fresh Pack when you decide to.
Like all Vulkro licensing, the Pack is issued directly by our team. Email hello@vulkro.com with your consultancy name, rough number of client orgs you audit per year, and how many consultants would use the seats. We reply within one business day.
Why offline matters here
Every client engagement starts with an NDA. Many of those NDAs forbid sending client code to "third-party services" or "external data processors." A SaaS code scanner is exactly the kind of processor procurement teams are getting trained to flag.
Vulkro is a single static binary. No upload and no cloud LLM: client code, paths, and findings never leave the laptop (the account entitlement check carries six usage fields, never anything about the code, and a license file removes even that). Your consultant reads the report, fixes the client's code, writes the deliverable, deletes the local checkout. The audit tool was never a data processor for client code.
Compare with the alternatives
- vs CodeScan: the most common direct comparison.
- vs Snyk: if you have clients pushing SaaS scanners on you.
- vs Semgrep: the open-source angle.
Ready to discuss your engagement model?
Email contact@vulkro.com
Tell us your consultancy name, roughly how many client orgs you audit in a year, and how many consultants would be using the Pack. We send back a proposal within one business day.