Skip to content
Unlisted / Security
Approach

We do not run a tool, generate a PDF, and disappear. Every engagement is built like an attack.

We sit down with the system the way an attacker would. We learn how it works, where the trust boundaries are, what it assumes about its environment, and where those assumptions silently break under pressure.

Engagement length
2–6 weeks
Phases
6
Review style
Manual
Remediation pass
Included
Principles

The rules we work by.

Hundreds of small decisions during a review compound into a report that is either useful or theater. These are the principles that keep ours useful.

  • 01

    We review systems, not files.

    If a system has multiple moving parts, we treat them as one connected attack surface — because attackers do.

  • 02

    Manual first, tooling where it helps.

    Static analyzers, fuzzers, and symbolic tools are useful. They are not a substitute for a human reading the code with bad intent.

  • 03

    Threat model > checklist.

    Checklists find what teams already know to look for. Threat modeling finds what they don't.

  • 04

    Severity is calibrated, not inflated.

    We won't promote a finding to make a report look impressive. Trust takes years to build and a single inflated High to lose.

  • 05

    Findings are engineering-ready.

    Every finding ships with a fix recommendation that fits your stack. We work with your engineers, not at them.

  • 06

    We tell you when we're wrong.

    If a finding turns out not to apply, we say so plainly. We optimize for accuracy, not impressions.

Engagement phases

Six phases, repeated across every engagement.

Phases overlap. Findings inform the threat model. The threat model informs deeper review. We iterate until the system holds up to the questions we're asking it.

  1. Week 0

    Recon & scoping

    We start by mapping the system — every service, every contract, every integration, every identity, every place value flows. We agree on scope based on what is actually risky, not what fits a template.

    Deliverables
    • Trust map
    • Scope memo
    • Engagement plan
  2. Week 1

    Threat modeling

    We enumerate realistic attackers and abuse cases against your specific system. Then we list the assumptions your code silently relies on — the ones that quietly break first when something goes wrong.

    Deliverables
    • Threat model
    • Assumption register
    • Abuse-case catalogue
  3. Weeks 1–4

    Adversarial review

    Manual line-by-line review of code, configuration, infrastructure, and integrations — guided by the threat model, not a checklist. We chain findings: a low becomes a high when paired with a missing assumption.

    Deliverables
    • Findings draft
    • Invariants & properties
    • Open questions log
  4. Throughout

    Reproduction

    Where useful, we build proofs-of-concept. We never inflate severity, and we never hand-wave exploitability. If we say something is exploitable, we can show you how.

    Deliverables
    • PoCs where useful
    • Calibrated severity
    • Exploit walkthroughs
  5. Final week

    Reporting

    Every finding ships with impact, exploit path, affected components, severity, likelihood, and a recommended remediation. We hold a live readout call with your engineers and leadership.

    Deliverables
    • Final report
    • Executive summary
    • Engineering walkthrough
  6. Post-fix

    Remediation review

    We re-review your fixes after you ship them. Closing a finding means we agree it is closed — not a checkbox in a tracker.

    Deliverables
    • Verified fix sign-off
    • Updated final report
Engagements opening Q1–Q2

Find what others miss.
Before attackers do.

Tell us what you're building. We'll come back with a focused scope, a fixed quote, and a sample of the kinds of risks we expect to find on a system like yours.

Request a Security ReviewView Sample Report