Blitzy logo
OverviewUse-casesSecurity
Company
DocsBlogVideos
Pricing
OverviewUse-casesSecurity
Company
DocsBlogVideos
Pricing

How I Made Blitzy More Secure In My First Week

Jun 30, 2026 • Alex Gardiner • 3 min read

How I Made Blitzy More Secure In My First Week

Every engineering team has a backlog of unglamorous, yet necessary work. These projects do not end up in launch announcements or involve clever algorithms and fancy services. The category includes tasks like "we need to audit our auth layer," or "we should probably add pagination."

Role Based Access Control (RBAC) sits squarely in this category.

RBAC is a security model that controls what actions users can perform, rather than giving users blanket access to every endpoint. You define roles (like Admin or Member), assign permissions to those roles (like projects:delete or users:write), and then enforce those permissions at each point of action.

RBAC is basic security hygiene: the kind of work that gets added to a backlog, triaged every quarter, and then pushed aside… again and again.

The Challenge

When I joined Blitzy a couple of months ago, I had no familiarity with the codebase. I didn't know the conventions, the history behind design decisions, and I hadn't developed a sense of how permissions should map to actual user behavior in the product.

These mappings are actually the hardest part of RBAC. While the technical implementation is relatively straightforward, deciding whether a MEMBER should be allowed to delete a project, or whether access sharing should be gated to ADMIN and above, requires intuition that takes time to build.

With our backend service having hundreds of endpoints across many domains, the scale factor made the project feel even harder. With a manual approach, this would require days of discovery before starting implementation, and getting it wrong could be costly.

Risks include:

  • Locking users out of features they rely on
  • Or worse, leaving gaps that the access model was meant to close

Additionally, edge cases hiding beneath the surface make things tricky, as permissions aren't uniform across Blitzy's product. Some resources are owned by an entire organization, others belong to specific teams, and users can access things through multiple paths.

Adding RBAC is precisely the kind of task Blitzy is built for.

My Approach

Rather than working through RBAC manually, I delegated to Blitzy.

My prompt described a centralized architecture I had in mind, while instructing Blitzy to make judgement calls in areas where my knowledge ran thin. I wanted to encourage the platform to reason through unknowns rather than to work around them. This was an important moment for my early experience with Blitzy, as I realized that I wasn't limited by a lack of understanding.

Blitzy then generated an Agent Action Plan (AAP). Reviewing the AAP gave me a complete picture of every endpoint that needed enforcement and the specific permission decisions Blitzy made, given its knowledge of the codebase. This review process was of particular value as I wasn't just approving the plan, but also learning from it, as Blitzy surfaced new findings that I hadn't yet encountered.

Next, I started Code Generation and let Blitzy run over the course of a few days, in order to cover the vast scope of the AAP. Once complete, I reviewed the Project Guide to see what Blitzy built, the reasoning behind its decisions, and the areas it wanted me to review manually. That last part was especially useful for me as a newcomer, since I had a fully transparent report on the large set of code changes.

The Outcome

After finishing and merging the Blitzy project, the rollout completed with no incidents.

What made this possible was the structured handoff the Project Guide provided. Blitzy's flagged assumptions gave reviewers a head start, rather than requiring them to audit every decision from scratch.

For a project of this scope, a successful outcome is not guaranteed. With the combination of roles, subscription tiers, resource types, and more, there are a lot of ways to mess up. The fact that the feature shipped cleanly reflects on Blitzy's ability to reason carefully, navigate a large codebase, and apply changes with intention.

The Value

RBAC is necessary work that makes software systems safer. This project is exactly the kind that teams defer because the costs are disproportionate to business impact.

What Blitzy changes isn't just the speed at which work gets done, but whether it gets done at all.

A project that would have required weeks of discovery and deep product intuition became something I could initiate within days of joining and complete with confidence.

More from the blog

View all
Blitzy Scores a Record 84.95% on SWE-Bench Pro

Blitzy Scores a Record 84.95% on SWE-Bench Pro

Jun 26, 2026 • Dr. Neeraj Deshmukh • 4 min read

Open Source in the Age of AI

Open Source in the Age of AI

Jun 23, 2026 • Carly Levinsohn • 3 min read

Frequently asked questions

What is Blitzy?

toggle button

Blitzy enables development teams to transform six-month software projects into six-day turnarounds using Blitzy OS, an agentic platform that enables thousands of AI Agents to 'think' and cooperate for hours to bulk build software with precision. The platform builds everything AI can deliver in a precise manner, around 80% of any roadmap or new product, supplemented with a human engineering guide to complete the remaining 20% needed for production. With over 27 patents and counting, Blitzy is actively hiring PhDs and senior developers in Cambridge, MA who have a passion for building AI that leverages 'System 2 Thinking' to solve problems at inference.

Who is Blitzy for?

toggle button

Enterprises that aim to dramatically accelerate their software development velocity, development agencies with enterprise clients, development teams with complex existing products, and individuals looking to accelerate their own velocity on complex builds.

How does Blitzy's technology work?

toggle button

Our patent-pending code ingestion framework maps a curated selection of robust, reliable, and secure open source software libraries that we track by version and update frequently. Combined with our proprietary code generation technology that specializes on enforcing enterprise-class software policies, Blitzy far exceeds the utility of typical chatbots and co-pilots in creating production-ready software at scale.

Is Blitzy a coding co-pilot?

toggle button

Nope. Blitzy surpasses traditional co-pilots with its ability to autonomously generate nearly-complete code repositories, not just snippets. It features a daily-refreshed knowledge base, avoiding the pitfalls of outdated information. Blitzy's proprietary codebase representation system enables deep understanding of generated code, offering highly contextual and relevant suggestions for your entire repository.

What's my role in Blitzy's development process?

toggle button

Your team is responsible for bringing the requirements, and as an approver during the technical specification stage. We ask you to edit/approve the Technical Specification. The document is editable, so you can edit and approve to get exactly what you had in mind.

How does Blitzy decide which tasks to delegate to human developers?

toggle button

Blitzy's multi-agent system is meticulously and rigorously trained to know what it can accomplish, and what needs to be left for the human engineers. This ensures you only receive quality code and have a clear picture of remaining tasks.

Does Blitzy do more than just autonomous code generation?

toggle button

Yes. Blitzy is a comprehensive platform that provides end-to-end development assistance. We support the entire development lifecycle by taking descriptive inputs and generating software requirements documents, technical design, code structure, and generative code within repos for your product.

Is this high quality and secure?

toggle button

Quality and security matter deeply to us — and they were our biggest frustration with the copilots already on the market. That frustration is what led us to build something different: a system designed to meet enterprise standards from the start. Every piece of work passes through multiple QA agents that review each other's output before any code reaches you, so what you receive is held to a consistent quality bar rather than the variable output typical of single-pass code generation. We deliver production-grade code repositories. As with any code entering your environment — written by humans or AI — your team should still run its own QA, QC, and security testing before deployment. We build to a high standard and give your reviewers a strong starting point; final validation stays with the team that owns the production environment.

What is the typical cost of your solution?

toggle button

Blitzy uses a two-phase pricing model: evaluation followed by deployment. This structure lets enterprises validate ROI at their preferred scale before committing to organization-wide implementation. The evaluation phase provides three options. Reverse Engineer ($0) offers an initial assessment with complete codebase reverse engineering and understanding up to 100K lines of code; Proof of Concept ($50K for a 2-month term), where Blitzy delivers a guided POC to demonstrate value; or Structured Pilot ($250K for a 6-month term), which fully deploys Blitzy in your environment with 5M lines onboarding and 1.25M lines generation to prove production readiness. Following successful evaluation, organizations choose between three deployment paths. Commercial ($500K typical investment per year) adopts Blitzy on one team to accelerate a defined initiative: the first 20M lines onboarded are included, with additional onboarding at $0.10 per line and generation at $0.20 per line starting at 2.5M lines, plus dedicated infrastructure and SAML-SSO. Enterprise ($5M typical investment per year) rolls Blitzy out across your engineering organization, with onboarding billed at $0.10 per line across the full codebase — a typical engagement onboards 50M lines — and generation at $0.20 per line as needed, adding a Dedicated AI Solutions Consultant, 2 Forward Deployed Engineers, org-wide onboarding and certification, and priority support. Transformation ($50M typical investment per year) supports your largest codebases, with a typical engagement onboarding 500M lines at the same per-line rates, custom deployment, and embedded teams including a Field CTO, a Dedicated AI Solutions Consultant, 6 Forward Deployed Engineers, and 2 Forward Deployed Designers for complete digital transformation. All tiers maintain SOC 2 Type II compliance, ISO 27001 certification, and guarantee no training on your code. Pricing follows a transparent two-rate model: $0.10 per line onboarded for reverse engineering and $0.20 per line generated for forward engineering. Because reverse engineering also produces complete technical documentation of your codebase, onboarding-only engagements are fully supported, and in every tier costs align directly with the value delivered.

After submitting my prompt, Blitzy added functionality in my tech spec that I did not expect. What do I do?

toggle button

The system defaults to taking advantage of all technology upgrades when modernizing or upgrading to the latest technology stack. For example, if you specify an upgrade to Java 21, the system will by default implement virtual threads, as it's generally seen as a superior technical approach. If you do not want this, you must simply tell the system to 'make as few changes as possible to achieve the desired request'. Being as specific as possible about what functionality is (and is not) desired helps yield results that will align with expectations.

What do Blitzy agents rely on as a source of truth to represent my existing codebase?

toggle button

Blitzy agents rely on the actual source code of your existing codebase—not the Tech Spec documentation—when performing refactors or extending functionality. However, an accurate Tech Spec significantly aids the system's efficiency in querying the underlying representation of the code. Therefore, investing time to ensure the Tech Spec reflects the core features of the application will yield expectation-aligned results and will save time with last-mile development.

Can Blitzy work with existing products and code bases?

toggle button

Yes! Blitzy excels at working with existing codebases, using them as a foundation to ensure consistent, high-quality development. The platform enables you to add new features to existing products, generate comprehensive documentation, and tackle technical debt by upgrading legacy systems to state-of-the-art technologies or refactoring complex codebases. Our platform deploys dedicated AI agents that map and understand your codebase before generation, ensuring intelligent, contextualized development that aligns with your existing patterns and standards.

What programming languages does Blitzy support?

toggle button

Blitzy's AI platform works with all programming languages.

How should I structure my prompts for Blitzy?

toggle button

Structure and organization are crucial when prompting Blitzy. The most effective prompts follow our prompting template with clear sections for WHY (vision & purpose), WHAT (core requirements), and HOW (technical details, user experience & implementation priorities). Each section should be detailed but concise, focusing on essential information while providing relevant context. Including structured frameworks and concrete examples - like data models, user stories, or feature templates - helps Blitzy deliver more precise and purposeful solutions.

What information does Blitzy need to compile and run my code?

toggle button

During code generation, Blitzy compiles your codebase and performs runtime validation to ensure the generated code works correctly. To enable this, we require: (1) Internal dependencies - any private packages, libraries, or binaries not publicly available that your code needs to build and run, (2) Environment variables and secrets - API keys, credentials, and configuration values required for compilation and runtime (shared securely through our encrypted UI, never exposed to AI agents), and (3) Build instructions - the specific steps or scripts needed to compile your code, typically found in your README or setup documentation. This information allows Blitzy to replicate your development environment and verify that all generated code functions properly before delivery.

How can I exclude certain files or folders from Blitzy's code generation?

toggle button

Create a .blitzyignore file in your repository's root directory to specify which files or paths Blitzy should exclude during tech-spec generation and code generation. This works similarly to .gitignore - simply list the file patterns, directories, or specific files you want Blitzy to skip, using standard gitignore syntax like *.log, /build/, or config/secrets.json. To ensure Blitzy respects these exclusions, mention in both your codebase context prompt and target state prompt that Blitzy should reference the .blitzyignore file and exclude those paths from processing.

Can I cancel my project/job (code gen) once in progress?

toggle button

At this time, jobs are not cancelable. Once you submit, it consumes the assigned quota.

Build enterprise software in days, not months.

Start buildingTalk to an expert
Blitzy

Blitzy

One Kendall Square,

Cambridge,

MA 02139

© 2026 Blitzy. All rights reserved

Product

  • Overview
  • Use-cases
  • Security
  • Pricing

Company

  • About us
  • Careers

Support

  • Help
  • Service status
  • Trust center

Resources

  • Docs
  • Blog
  • Videos

Social

  • YouTube
  • LinkedIn

Legal

  • Terms of use
  • Privacy policy