What matters, why, and exactly how to act on it — in a few plain sentences.
We find the evidence before attackers do.
Then we turn it into clear decisions and fix paths. An engagement should leave your team with more certainty than when it started — about what was tested, what holds, and what to do next.
Four phases, no surprises
Kickoff
We confirm scope, success criteria, access, and timelines, and agree how disclosure is handled before any work begins. For crypto, that includes the deployment targets, upgrade authority, and which invariants the protocol is supposed to guarantee.
During review
You get concise progress notes. We don't dramatize a partial lead before it's validated, and we don't go quiet for two weeks either. If we find something serious mid-review, you hear about it promptly and privately.
Findings
Each finding carries a severity, the affected component, exploitability, reproducible evidence, real-world impact, and concrete fix guidance. Severity reflects impact and likelihood — not how dramatic it sounds.
Closeout
A final report, a remediation review of your fixes, a verified-fix memo, and honest residual-risk notes. Closeout means the fixes were re-tested, not just promised.
Written to be acted on
- The concrete consequence: funds at risk, data exposed, or an invariant broken.
- A reproducible path — a test, a script, or a trace — not a hunch.
- A specific fix, plus the trade-offs if there's more than one option.
- How we confirmed the fix holds, and what we'd watch for next.
- Impact × likelihood, calibrated — high reserved for findings that earn it.
How we hold ourselves
- Evidence over assertion. If we can't reproduce it, we don't ship it as a finding.
- Candid, not alarmist. We won't manufacture urgency, and we won't soften a real problem.
- Discreet by default. Engagements, findings, and client names stay confidential unless you decide otherwise.
- We check our own work. Findings are reviewed adversarially in-house before they reach you, so what lands is what holds up.
Bring us the part that worries you most.
We'll scope it honestly and start with the questions that carry the most risk.