Unlisted / Security
Services

Five surfaces.
One connected attack surface.

We review smart contracts, backend services, applications, infrastructure, and architecture as one connected system. Below is what each surface looks like — and what we look for when we open it up.

Surfaces: 5
Engagement length: 2–6 weeks
Review style: Manual, adversarial
Remediation pass: Included

/ 01
Service

Smart Contract Audits

Security reviews for on-chain systems including DeFi protocols, prediction markets, staking contracts, vaults, launchpads, bridges, governance systems, token contracts, and custom protocol logic.

We review every contract in scope manually, then re-review them as a connected protocol. We look for the integration risks that single-contract reviews routinely miss: cross-contract reentrancy, accounting drift, oracle and adapter assumptions, payout and settlement edge cases, governance and admin escape hatches, and economic abuse paths only an attacker would search for.

Focus areas

  • Access control issues
  • Accounting bugs
  • Broken invariants
  • Payout and settlement flaws
  • Oracle assumptions
  • Governance attack paths
  • Economic manipulation
  • Cross-contract interaction risks

Stacks we work in

  • Solidity
  • Vyper
  • Cairo
  • Move
  • Rust (Solana / NEAR)

What you get

  • Findings report (Critical → Informational)
  • Invariants & properties memo
  • Threat model & trust diagram
  • Remediation review pass

/ 02
Service

Backend Security Reviews

Security reviews for server-side code, APIs, services, databases, queues, workers, and the business logic that ties them together.

Backend code is where ownership, money, and trust quietly change hands. We dig into authentication and authorization, multi-tenant isolation, idempotency, race conditions, retries, rate limits, sensitive data handling, and the messy boundaries with third-party integrations and webhooks.

Focus areas

  • Authentication and authorization flaws
  • Privilege escalation
  • Insecure API design
  • Business logic abuse
  • Data validation failures
  • Rate limit bypasses
  • Race conditions
  • Sensitive data exposure
  • Unsafe third-party integrations

Stacks we work in

  • Node / TypeScript
  • Go
  • Python
  • Rust
  • Elixir
  • Ruby

What you get

  • Findings report
  • Auth/permission model review
  • Abuse-case catalogue
  • Concrete fix recommendations

/ 03
Service

Application Security Reviews

Security reviews for full-stack web and mobile applications including user flows, admin panels, dashboards, payment flows, account systems, and internal tooling.

Most applications collapse into the same set of high-leverage flows: signup, login, password reset, billing, admin overrides, and account recovery. We target those flows the way an attacker would — looking for account takeover paths, frontend/backend trust mismatches, authorization gaps in admin panels, and broken assumptions around uploads, sessions, and payments.

Focus areas

  • Account takeover risks
  • Session handling issues
  • Permission model failures
  • Admin panel abuse paths
  • Input validation vulnerabilities
  • File upload risks
  • Payment logic flaws
  • Frontend/backend trust assumption failures

Stacks we work in

  • Next.js / React
  • React Native
  • iOS / Android
  • Vue
  • Svelte

What you get

  • Findings report
  • Critical-flow walkthroughs
  • Permission matrix audit
  • Reproduction steps & PoC where useful

/ 04
Service

Infrastructure & Cloud Security

Security reviews for cloud configuration, deployment pipelines, secrets management, access controls, and production environments.

An application is only as secure as the cloud account, pipeline, and identities behind it. We review IAM boundaries, secrets handling, CI/CD trust, deployment workflows, network exposure, environment isolation, and the operational controls that determine how a small foothold becomes a full compromise.

Focus areas

  • Exposed services
  • Misconfigured cloud permissions
  • Weak IAM boundaries
  • Leaked secrets
  • Unsafe CI/CD pipelines
  • Insecure deployment workflows
  • Logging and monitoring gaps
  • Environment isolation issues

Stacks we work in

  • AWS
  • GCP
  • Cloudflare
  • Kubernetes
  • Terraform
  • GitHub Actions

What you get

  • Findings report
  • IAM & secrets review
  • Pipeline trust diagram
  • Hardening checklist tailored to your stack

/ 05
Service

Architecture & Threat Modeling

System-level analysis of how your product, contracts, backend, infrastructure, users, admins, and external integrations work together.

Done right, a threat model is the highest-leverage security work a team can do. We work with your engineers to map trust boundaries, identify critical assets, enumerate realistic abuse cases, and stress-test how the system behaves when components misbehave, partners turn hostile, or assumptions silently break.

Focus areas

  • Trust boundaries
  • Critical assets
  • Attack surfaces
  • Failure modes
  • Abuse cases
  • Permission flows
  • Dependency risks
  • Operational controls

Stacks we work in

  • Greenfield designs
  • Pre-launch protocols
  • Re-architectures
  • M&A diligence

What you get

  • Threat model document
  • Trust & data-flow diagrams
  • Prioritized risk register
  • Architecture recommendations

Engagements opening Q1–Q2

Find what others miss.
Before attackers do.

Tell us what you're building. We'll come back with a focused scope, a fixed quote, and a sample of the kinds of risks we expect to find on a system like yours.