Security services

Deep manual testing of web apps, B2B portals, and backend APIs, with focus on authentication, authorisation, data exposure and business logic flaws.

• OWASP Top 10 and advanced logic issues (IDOR, race conditions, workflow abuse).
• Multi-tenant separation checks for B2B and finance-style applications.
• API-specific issues – mass assignment, broken object level authorisation, rate limiting gaps.
• File upload, SSRF, deserialisation and other high-impact vectors where relevant.
• Clear reproduction steps and PoCs so your engineers can retest easily.

Scenario-based offensive exercises that mimic realistic attacker behaviour against people, processes, and technology – with defined rules of engagement.

• Goal-based assessments (e.g., sensitive data access, lateral movement, persistence).
• External, internal or hybrid scenarios depending on your threat model.
• Use of phishing/social engineering where explicitly allowed and scoped.
• Detection & response gap analysis and blue-team feedback.
• Executive-ready reporting for leadership plus detailed technical notes for engineers.

Security testing focused on AI features – including chatbots, copilots, and LLM-based workflows – to identify prompt injection, unsafe tool usage and data leakage paths.

• Prompt injection, jailbreaks and indirect prompt injection (via documents / tools).
• Data exfiltration risks across chat history, knowledge base and integrated systems.
• Abuse of tools, plugins and external connectors (e.g., file access, email, tickets).
• Review of guardrails, content filters and fallbacks.
• Recommendations for safer patterns and monitoring around AI features.

A configuration and attack-path review of your AWS/Azure and Kubernetes environments, focusing on how misconfigurations can be chained in practice.

• IAM roles, policies and privilege escalation paths across services.
• Network exposure – security groups, NSGs, firewalls, ingress/egress paths.
• K8s RBAC, Pod Security, hostPath volumes and privileged workloads.
• Cluster add-ons, service accounts and secrets handling.
• Container image, registry & supply-chain checks.

A structured review of your cloud architecture against security best practices and industry guidance, with prioritised hardening steps for your teams.

• Baseline review against cloud security benchmarks (CIS-style controls).
• Data protection – encryption, key management, backups and recovery.
• Logging, monitoring and alerting coverage for key services.
• Secure patterns for multi-account / multi-subscription setups.
• Actionable roadmap you can plug into your engineering backlog.

A fast-growing SaaS company wants to validate its security posture before onboarding larger enterprise customers.

• Scope: customer-facing portal, key APIs and the core cloud environment.
• Approach: manual web/API pentest, review of auth & RBAC, multi-tenant checks.
• Cloud review for exposed services, IAM gaps and network misconfigurations.
• Outcome: prioritised report (quick wins + strategic items) and a follow-up call with engineering teams to plan remediation.

A product team has added an AI assistant that can see tickets, documents and internal tools, and wants to understand the risks.

• Scope: AI assistant flows, prompt templates, integrated tools and data sources.
• Approach: targeted prompt injection, data exfiltration attempts, tool abuse tests.
• Review of guardrails, logging and safe patterns around the AI feature.
• Outcome: clear list of abuse scenarios, improved guardrail design and recommendations for monitoring.