Methodology
Seven steps between inbound and sign-off.
Every engagement follows the same pipeline. The benefit to you is predictability — and evidence that your audit stands up to outside scrutiny.
- STEP 01
Threat Modeling
Every engagement starts with STRIDE, data-flow mapping, and trust-boundary identification. We write down what we are protecting before we write down what we will test.
STRIDE, Attack Trees, Data Flow Diagrams

- STEP 02
Standards Alignment
Coverage is driven by recognized baselines — not an internal checklist. Where the standard has gaps (business logic, chained flaws) we extend it with engagement-specific test cases.
OWASP ASVS L2/L3, OWASP SAMM, OWASP WSTG, OWASP API Top 10, OWASP MASVS, PTES

- STEP 03
Manual Exploitation
Tooling accelerates the boring parts. Every finding is confirmed manually with a reproducible PoC. If a bug cannot be exploited, it does not ship as a finding.
Burp Suite Pro, Caido, Semgrep, Nuclei (targeted), custom scripts

- STEP 04
Smart Contract Specific
For on-chain work we layer formal reasoning on top of review. Invariants are captured as runnable tests; exploits are reproduced in the same framework your team uses.
Foundry, Halmos, Slither, Echidna, Sherlock / Cantina severity scales

- STEP 05
Severity & Scoring
Every finding gets a CVSS 3.1 score with justification, plus a business-impact narrative. CVSS alone is not enough — auditors and execs want the "what breaks" story.
CVSS 3.1, Sherlock severity matrix, Immunefi severity scale

- STEP 06
Reporting
Executive summary for leadership. Technical section per finding: root cause, reproducible PoC, remediation code. Delivered encrypted. Structured to become audit evidence.
PGP delivery, SOC 2 / ISO 27001 aligned, remediation pull-request examples

- STEP 07
Retest
One retest within 30 days, included. The retest is an artifact attached to the original report: we confirm each finding is closed. We sign off only when the exploit no longer works.
Retest artifact, exploit replay, fix verification
Principles
Four rules. No exceptions.
- We read code before we run tools.
- We reproduce every finding before we report it.
- We never inflate severity. We never pad count.
- We never disclose without your sign-off.
Methodology mapped to your compliance driver.
If you need the methodology cross-walked to SOC 2, ISO 27001, or a custom framework, we will do it in the proposal.