Security assessments attackers would actually run.
Independent offensive security, led by Atilla Mammadli. Every finding ships with a working exploit, a CVSS justification, and a fix your engineers can land in the next sprint.
BFLA on 180+ admin GraphQL mutations — platform takeover via user JWT.
- Target: Series B fintech (redacted)
- Channel: Responsible Disclosure
- Impact: Self-escalation to admin; direct wallet egress.
- Reported: 2026-04-18
- Patched: 2026-04-20 ✓ verified
One card of 958 on our public disclosure record.
Active across leading bug bounty & audit platforms
Platforms: Cantina, Sherlock, HackerOne, Code4rena.
What we do
Single-vulnerability reports are what scanners find.
Every engagement is manual, evidence-driven, and backed by working proofs-of-concept. The critical bugs live where two "low impact" findings intersect — that is where we look.
Web Application Pentest
Black-box & grey-box testing aligned to OWASP ASVS — authentication, session, IDOR, SSRF, deserialization, business-logic flaws.
Smart Contract Audit
Solidity, Move, Rust / Anchor. Reentrancy, precision, access control, oracle manipulation, MEV exposure — with executable PoCs.
API Security Testing
REST, GraphQL, and WebSocket attack surfaces. BOLA/BFLA, mass assignment, rate-limit bypass, token scope escalation.
Bug Bounty Engagement
Continuous adversarial testing on your private program. Proven track record across Cantina, Sherlock, HackerOne, and Code4rena.
Source Code Review
Threat-modeled static review of your codebase. We read code the way attackers do — with a clear remediation roadmap.
Signature disclosures
Three findings that shipped as fixes.
A sample from our public disclosure record. Every one reproducible, scored, and delivered with remediation.
Complete API Authentication Bypass (ALL 66 Endpoints)
Responsible Disclosure · African Crypto Trading Platform
SQL Injection Full Database Compromise (14.8M records)
Responsible Disclosure · African KYC/Identity Provider
Production MySQL User Created via Stacked Query
Responsible Disclosure · African KYC/Identity Provider
What we don't do
Four things that separate us from commodity vendors.
The easiest way to understand our engagements is to know what they are not.
- No automated scanner dumps passed off as findings.
- No subcontractors or junior hand-offs mid-engagement.
- No severity inflation to justify the invoice.
- No public disclosure without your sign-off.
How we work
Built on evidence, not checkboxes.
Scoping & Threat Model
We map your attack surface, agree on rules of engagement, and identify the crown-jewel assets worth protecting.
Active Testing
Manual exploitation backed by tooling. Every finding gets a reproducible proof-of-concept — no noisy scanner dumps.
Reporting
Executive summary for leadership, technical detail for engineering. CVSS-scored, impact-driven, and actionable.
Remediation Support
Free re-testing within 30 days of report delivery. We verify fixes and sign off only when risk is actually reduced.
Client voice
Reports engineers actually read.
Names withheld under NDA. Named references available to qualified prospects on request.
“The report read like an internal postmortem — clear root-cause, clean PoCs, and remediation that our engineers actually implemented in a sprint. Easily the most useful pentest we have commissioned.”
“Atilla found a critical issue in our liquidation path that three prior audits had missed. Exploit was reproducible in Foundry within an hour. We shipped the fix the same week.”
“What impressed our board was not just the findings — it was how defensible the severity ratings were. CVSS justification on every issue made the conversation with auditors painless.”
48 hours from inbound to fixed-price proposal.
Send the repo, staging URL, or architecture doc. We come back with scope, timeline, and a price you can sign against.