MemCyber

How we work

Four ways to work with us. One price given up front.

Fixed scope, fixed price, fixed timeline. No day-rate ambiguity. No scope creep. No surprise invoices.

See what a report looks like — sample PDF

Fixed-Scope Assessment

One-off web app, API, or smart contract audit with a defined boundary.

Duration
1–4 weeks
Pricing
$6k–$35k. Fixed before you sign.
Includes
  • Kickoff call + written rules of engagement
  • Manual testing with reproducible PoCs
  • Executive + technical report
  • One free retest within 30 days
Ideal for
  • Pre-launch audit
  • SOC 2 / ISO 27001 preparation
  • Post-major-release validation

Continuous Retainer

Teams shipping frequently who need ongoing adversarial coverage.

Duration
Monthly, 3-month minimum
Pricing
From $18k/month, 3-month minimum.
Includes
  • Regression testing on every major release
  • Private bug bounty triage (optional)
  • Quarterly threat-model reviews
  • Slack / Discord access for security questions
Ideal for
  • Fintech with weekly deploys
  • Crypto protocols with upgradeable contracts
  • SaaS with rapidly evolving API

Private Bug Bounty

Companies running invite-only programs who want a signal-heavy researcher.

Duration
Ongoing
Pricing
Pay-per-valid finding, your bounty table.
Includes
  • Continuous testing within your scope
  • Written reports through your platform of choice
  • Chain / combined-impact analysis
  • Honors your SLAs and disclosure policy
Ideal for
Established bug bounty programs needing higher-quality submissions

Source Code Review

Codebases you want reviewed the way attackers read code.

Duration
1–3 weeks
Pricing
$9k–$40k. Scoped by language and LOC.
Includes
  • Threat-modeled static review
  • Per-file risk annotations
  • Remediation roadmap with priorities
  • Follow-up session with engineering
Ideal for
  • Pre-audit dry run
  • Post-acquisition due diligence
  • Legacy codebase risk assessment

Custom Engagement

Your scope does not fit any of the above — hybrid audits, red-team exercises, emergency triage, compliance-driven audits.

Duration
Case-by-case
Pricing
Scoped to your need. Fixed price after a 30-min call.
Includes
  • Scoping call to map scope, timeline, and compliance drivers
  • Fixed-price proposal within 48 hours
  • Any combination of services that makes sense (web + contract + review + retainer)
  • Invoice and procurement terms matched to your finance process
Ideal for
  • Hybrid web + smart contract
  • Emergency incident triage
  • Pre-acquisition due diligence
  • Custom compliance frameworks

Timeline

Inbound to signed-off fix: 4–6 weeks.

Every engagement follows the same reliable cadence. You always know what happens next.

  1. Day 0
    Inbound request
    You submit the form or email directly. We review within one business day.
  2. Day 1–2
    Scoping call
    30-minute call to confirm scope, threat model, crown-jewel assets, and access requirements.
  3. Day 3
    Proposal + NDA
    Written proposal with fixed pricing, timeline, and deliverables. NDA signed before any credentials change hands.
  4. Week 1
    Kickoff
    Credentials provisioned, rules of engagement signed, testing begins. Daily check-ins if preferred.
  5. Testing window
    Active assessment
    Manual testing with tooling. Critical findings disclosed immediately — not held for the final report.
  6. Final week
    Report delivery
    Executive summary + technical report delivered encrypted. Debrief call with engineering.
  7. Day +30
    Free retest
    Fixes verified. Retest artifact attached to the original report. Sign-off only when risk is actually reduced.

Data handling

Your data stays yours. In writing.

Written authorization

Every engagement starts with signed Rules of Engagement and NDA. Nothing happens without paper.

Encrypted reports

Reports delivered as PGP-encrypted files or through your preferred secure channel (1Password, Bitwarden, Signal).

Data minimization

We collect only what is necessary for the assessment. Any collected evidence is deleted on engagement close.

Disclosure coordination

Findings coordinated with you first. Public disclosure — if any — only after fixes land and with your approval.

Have the scope roughly mapped?

Send it over. Proposal back within 48 hours with fixed price and a suggested timeline.