Available · 2 slots Q3
HomeServicesAuditsSamplesGovernmentAboutContact
§ Security Audits  / FHA-03

Security audits

Booking 6-week slots

A clear-eyed look at the system you actually have — not the one in the architecture diagram from 2022. Our audits are scoped in writing, executed by hand, and reported in a format your engineers can ship from.

§ 01Audit approach

Ten phases. Plain language. No surprises.

Below is the full sequence we run on a typical application audit. Smaller engagements collapse phases together; larger ones break them out further. Every audit ends with a written report you can hand to your customers.

  • P1
    Scope definitionAgree on the system boundary, threat model focus, and definition of done. Fixed scope, fixed price, in writing.
  • P2
    Code reviewManual review of application code, supplemented by SAST tooling. We read the auth, data, and integration paths first.
  • P3
    Dependency reviewAudit of third-party dependencies, transitive risk, supply-chain exposure, and unmaintained packages.
  • P4
    Authentication & authorizationSession handling, password & MFA flows, OAuth/SAML implementation, role checks, IDOR, privilege boundaries.
  • P5
    Data handlingPII / PHI handling, encryption at rest and in transit, logging hygiene, backup & retention exposure.
  • P6
    AI workflow reviewPrompt/data boundaries, retrieval scope, tool permissions, evaluation coverage, human review loops, and failure handling.
  • P7
    Deployment & configurationIaC review, secrets management, CI/CD posture, environment isolation, exposed services.
  • P8
    Findings reportWritten report with severity, evidence, business impact, and remediation guidance specific to your stack.
  • P9
    Remediation planPrioritized roadmap to close findings — what to do this week, this month, and what to defer with eyes open.
  • P10
    Retest (optional)Focused retest of closed items, with a short verification memo for customers, board, or auditors.
§ 02What you receive

The deliverable, in detail.

Cover document

Executive summary

One page. Plain language. For the people who sign things.

Per finding

Severity · evidence · fix

Every finding is rated, reproduced with evidence, and paired with a remediation specific to your stack.

Appendix

Tooling output & methodology

Reproducible. Auditable. Won't surprise the next reviewer.

On request

Verification memo

After retest. Suitable for customer security reviews. Not a certification.

Note: Forge Honor Assurance does not issue formal certifications, pentesting credentials, or guarantees of compliance. We provide engineering work, written technical findings, and remediation support.