TRACK 02 SECURITY & GRC

Sentinel. Find the holes before someone else does.

Your watchman. Application security audits for startups and apps before they raise — and after, when investors and compliance start asking. We surface critical vulnerabilities, score them with CVSS, and either remediate them ourselves or hand your team a report tight enough to act on Monday morning.

SAMPLE FINDINGS REPORT · 36 ISSUES · 2 CRITICAL · 7 HIGH · 19 MEDIUM

Critical · Public API endpoint returns user location data without auth · CVSS 9.1
Critical · Account pause/delete vulnerable to CSRF from third-party pages · CVSS 8.8
High · Missing rate limiting on auth endpoints (brute-force risk) · CVSS 7.5
High · JWT signature algorithm allows downgrade to "none" · CVSS 7.4
Medium · Database error messages leak schema structure · CVSS 5.3
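The JWT "none" finding in the sample report, shown as an added example that is not part of this page or of Sentinel's own tooling: a minimal HS256 verifier written two ways. The vulnerable version honours whatever `alg` the token header claims, so a forged token with `alg: none` and an empty signature passes; the hardened version pins the algorithm server-side and always requires a valid signature. The secret, the payloads and the function names (`verify_vulnerable`, `verify_hardened`, `forge_none_token`) are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    """JWT base64url: standard urlsafe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWT strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a legitimately signed HS256 token (what the server mints at login)."""
    header_b64 = _encode_segment({"alg": "HS256", "typ": "JWT"})
    signing_input = f"{header_b64}.{_encode_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_none_token(payload: dict) -> str:
    """Attacker side: any payload, alg=none, and an empty signature segment."""
    header_b64 = _encode_segment({"alg": "none", "typ": "JWT"})
    return f"{header_b64}.{_encode_segment(payload)}."


def _split(token: str):
    """Return (header dict, header_b64, payload_b64, sig_b64) or None if malformed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # bad segment count, bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(header, dict):
        return None
    return header, header_b64, payload_b64, sig_b64


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Vulnerable pattern: the verifier trusts the alg claim in the attacker-controlled header."""
    parts = _split(token)
    if parts is None:
        return None
    header, header_b64, payload_b64, sig_b64 = parts
    alg = header.get("alg")
    if alg == "none":  # "no algorithm" is taken to mean "no signature needed"
        return json.loads(b64url_decode(payload_b64))
    if alg == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, secret: bytes, allowed_alg: str = "HS256") -> Optional[dict]:
    """Hardened pattern: algorithm pinned server-side, signature always checked."""
    parts = _split(token)
    if parts is None:
        return None
    header, header_b64, payload_b64, sig_b64 = parts
    if header.get("alg") != allowed_alg:  # the header may not choose the verification path
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Run the forged and the legitimate token through both verifiers."""
    forged = forge_none_token({"sub": "attacker", "role": "admin"})
    legit = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    return {
        "forged_accepted_by_vulnerable": verify_vulnerable(forged, SECRET) is not None,
        "forged_accepted_by_hardened": verify_hardened(forged, SECRET) is not None,
        "legit_accepted_by_hardened": verify_hardened(legit, SECRET) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

In production, use a maintained JWT library and pass it an explicit algorithm allow-list on every decode call rather than hand-rolling verification; the point the example makes is what any remediation for this finding has to guarantee: the `alg` field is attacker input and must never select the verification path.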
What we audit

Where attackers actually get in.

We focus on the surfaces real attackers target first — the public APIs, authentication flows, and forgotten admin endpoints that show up in every breach postmortem. Not theoretical attack chains. Real exploitable issues, ranked by what would hurt you most.

Public API surfaces

Every endpoint, every method, every authentication state. Unauthenticated data exposure, broken access controls, IDOR, mass assignment.

Authentication & sessions

JWT misconfiguration, session fixation, password reset flows, OAuth scope abuse, MFA bypass paths, account takeover vectors.

CSRF, XSS, injection

Cross-site request forgery on state-changing endpoints, stored and reflected XSS, SQL/NoSQL/command injection, SSRF, XXE.

Data exposure & PII

Geolocation leakage, profile data over-disclosure, S3 bucket permissions, log file exposure, debug endpoints in production.

Configuration & headers

Missing security headers (CSP, HSTS, X-Frame-Options), TLS configuration, CORS misconfig, exposed admin panels, default credentials.

Logic & rate limits

Business-logic abuse, missing rate limits on auth and reset flows, race conditions, payment manipulation, coupon stacking.

The process

Five steps. Live in five days.

Most security audits drag on for weeks because the auditor is figuring out the engagement as they go. We don't. Here's the exact sequence from kickoff to findings report.

01
Scope

Day 1. Walk through your stack, identify the surfaces that matter, agree on what's in and out.

02
Recon

Day 2. Map every endpoint, every auth state, every data flow. Build the attack tree before testing.

03
Test

Days 3–4. Manual + automated testing of API surfaces, auth flows, and config. Real exploit attempts on a staging instance.

04
Score

Day 5 morning. Every finding gets a CVSS score and a Critical / High / Medium / Low rating, then the report is ordered by real-world exploit likelihood rather than by score alone.

05
Report

Day 5 afternoon. Written report with findings, reproduction steps, remediation recs, and a 30-min walkthrough call.

Pricing

Two ways to start.

Start with the audit if you want to know where you stand. Move into a hardening retainer if you want help fixing what we find. Most clients do both.

Follow-on

Hardening retainer

From $2,500/mo

Monthly engagement to remediate audit findings, harden the stack, and stay ahead of new vulnerabilities. Includes monthly re-tests and a Slack channel for fast questions.

  • Critical & High remediation
  • Monthly re-tests of fixed issues
  • New endpoint reviews on PR
  • Security header + config hardening
  • Slack channel, async Q&A
  • Quarterly executive summary
Scope retainer →
Built for
Pre-seed startups · Pre-Series-A apps · Consumer mobile · Marketplaces · SaaS platforms · Apps before SOC 2 · Pre-launch beta

Don't wait for the breach.

Fifteen-minute call to scope the audit. We'll tell you on the call whether you actually need one yet, and what we'd look at first.

Scope a security review  →