Home Services Pricing About Blog Get Assessment
Services

Four ways we secure what you've built.

From deep code review to attack surface mapping, we combine manual testing expertise with methodical reconnaissance to find the gaps that automated tools miss.

Core

Web Application Assessment

Deep manual testing that finds what scanners can't see — logic flaws, chained exploits, and context-dependent bugs.

5–7 days
$800

Methodology

  • Authentication + session testing
  • IDOR + broken access control fuzzing
  • Injection (SQL, NoSQL, command)
  • Business logic manipulation
  • API endpoint enumeration
  • Client-side controls bypass
  • Report writing with CVSS scoring

Deliverables

  • Executive summary
  • Full technical findings with reproduction steps
  • CVSS v3.1 scoring per issue
  • Remediation guidance
  • One free retest included

Sample Excerpt

[FINDING-04] Broken Object-Level Auth on /api/orders/{id} Severity: Critical · CVSS 9.1 Reproducer: GET /api/orders/42841 HTTP/1.1 Authorization: Bearer <victim-token> → 200 OK { "customer_email": "…", "shipping": "…" }
Recon

Attack Surface Mapping

See what attackers see. Complete external footprint including the assets your team forgot existed.

3–5 days
$300

Methodology

  • Passive DNS enumeration
  • Active subdomain brute-forcing (dnsx, amass)
  • Full port sweep IPv4/IPv6
  • Technology fingerprinting
  • Historical DNS + cert lookup
  • Credential leak search (HIBP, dark web)
  • Shadow IT + abandoned asset detection

Deliverables

  • Inventory of every reachable asset
  • Risk-ranked findings
  • Screenshot evidence
  • PDF report handable to a board
  • Monitored watchlist optional

Sample Excerpt

api.internal.acme.io CRITICAL nginx 1.24 staging-db.aws-prod.acme.io HIGH MongoDB 6.0 mail.acme.io MEDIUM Postfix cdn-old.acme.io ALIVE Cloudflare
Retainer

Continuous Security

The security function your business needs without hiring one full-time.

Monthly
$500/mo

Methodology

  • Monthly attack surface diff
  • Quarterly full assessment
  • Priority alerts on new CVEs affecting your stack
  • Slack/email dedicated channel
  • Monthly executive summary
  • Free retests
  • 30-day cancel any time

Deliverables

  • All above services included
  • Signed engagement agreement
  • Compliance documentation

Sample Excerpt

Monthly Report — July 2026 ━━━━━━━━━━━━━━━━━━━━━━━━━━ New Subdomain: api-v2.internal REQUIRES ASSESSMENT CVE Alert: Log4j RCE (CVSS 10.0) IN YOUR STACK Retest: FINDING-04 ✓ FIXED Next QA Assessment: Aug 15
Verify

Remediation Verification

After patches ship, we confirm they hold. Includes before/after evidence for stakeholders.

2–3 days
$200

Methodology

  • Retest every documented finding
  • Verify fix vs partial mitigation
  • Confirm no regression
  • Updated stakeholder report
  • Compliance evidence (before/after)

Deliverables

  • Updated report with FIXED/PARTIAL/OPEN status per finding
  • Optional third-party letter of attestation

Sample Excerpt

[FINDING-02] IDOR on /account/{id}/profile Status: ✓ FIXED Fix: Role-based access control added Verified: July 3, 2026 Evidence: See attached before/after screenshots
Not sure which fits?

Let's scope it in 15 minutes.

Book a Consult →