Security audits
Booking 6-week slotsA clear-eyed look at the system you actually have — not the one in the architecture diagram from 2022. Our audits are scoped in writing, executed by hand, and reported in a format your engineers can ship from.
§ 01Audit approach
Ten phases. Plain language. No surprises.
Below is the full sequence we run on a typical application audit. Smaller engagements collapse phases together; larger ones break them out further. Every audit ends with a written report you can hand to your customers.
- P1Scope definitionAgree on the system boundary, threat model focus, and definition of done. Fixed scope, fixed price, in writing.
- P2Code reviewManual review of application code, supplemented by SAST tooling. We read the auth, data, and integration paths first.
- P3Dependency reviewAudit of third-party dependencies, transitive risk, supply-chain exposure, and unmaintained packages.
- P4Authentication & authorizationSession handling, password & MFA flows, OAuth/SAML implementation, role checks, IDOR, privilege boundaries.
- P5Data handlingPII / PHI handling, encryption at rest and in transit, logging hygiene, backup & retention exposure.
- P6AI workflow reviewPrompt/data boundaries, retrieval scope, tool permissions, evaluation coverage, human review loops, and failure handling.
- P7Deployment & configurationIaC review, secrets management, CI/CD posture, environment isolation, exposed services.
- P8Findings reportWritten report with severity, evidence, business impact, and remediation guidance specific to your stack.
- P9Remediation planPrioritized roadmap to close findings — what to do this week, this month, and what to defer with eyes open.
- P10Retest (optional)Focused retest of closed items, with a short verification memo for customers, board, or auditors.
§ 02What you receive
The deliverable, in detail.
Executive summary
One page. Plain language. For the people who sign things.
Severity · evidence · fix
Every finding is rated, reproduced with evidence, and paired with a remediation specific to your stack.
Tooling output & methodology
Reproducible. Auditable. Won't surprise the next reviewer.
Verification memo
After retest. Suitable for customer security reviews. Not a certification.
