Approach

We find the evidence before an attacker does.

Then we turn it into decisions you can act on. You should finish an engagement more certain than you started: what we tested, what holds up, and what to do about the rest.

The engagement

Four phases, no surprises

01

Kickoff

We confirm scope, success criteria, access, and timelines, and agree how disclosure is handled before any work begins. For crypto, that includes the deployment targets, upgrade authority, and which invariants the protocol is supposed to guarantee.

02

During review

You get concise progress notes. We won't raise a partial lead before we've validated it. We also won't go dark for two weeks. If we find something serious mid-review, you hear about it that day, and privately.

03

Findings

Each finding carries a severity, the affected component, exploitability, reproducible evidence, real-world impact, and concrete fix guidance. Severity reflects impact and likelihood, never how dramatic the issue sounds.

04

Closeout

A final report, a remediation review of your fixes, a verified-fix memo, and honest residual-risk notes. When we close an engagement, it means we re-tested the fixes and watched them hold.

What a finding contains

Written to be acted on

Summary

What matters, why, and exactly how to act on it, in a few plain sentences.

Impact

The concrete consequence: funds at risk, data exposed, or an invariant broken.

Evidence

A reproducible path: a test, a script, or a transaction trace. Never just a hunch.

Recommendation

A specific fix, plus the trade-offs if there's more than one option.

Verification

How we confirmed the fix holds, and what we'd watch for next.

Severity

Impact × likelihood, calibrated. High is reserved for findings that earn it.

Principles

How we hold ourselves

  • Evidence over assertion. If we can't reproduce it, it isn't a finding yet.
  • Candid. We won't manufacture urgency. We also won't soften a real problem to keep things comfortable.
  • Discreet by default. Your engagement, our findings, and your name stay confidential unless you decide otherwise.
  • We check our own work. Every finding gets attacked in-house before it reaches you. What lands is what survived that.

Ready when you are

Bring us the part that worries you most.

We'll scope it honestly and start with the questions that carry the most risk.