MemCyber

Services

Assessments with working exploits attached.

Every engagement ships with working exploits, CVSS-scored severity, and a clear remediation path. Choose the scope that matches your risk surface.

Download sample report (PDF, 21 pages, 678 KB)
Service / 01

Web Application Penetration Testing

Full-spectrum assessment of your web stack — from the login page to the business logic underneath.

Coverage

  • Authentication & session management
  • Authorization (IDOR, BOLA, horizontal & vertical escalation)
  • Injection (SQL, NoSQL, template, command, LDAP)
  • Server-Side Request Forgery & out-of-band attacks
  • Deserialization & prototype pollution
  • Business logic & race conditions
  • File upload, XXE, SSTI
  • CSP, CORS, cookie & header misconfiguration

Deliverables

  • Executive summary with risk-prioritized findings
  • Technical report with reproducible PoCs
  • CVSS 3.1 scoring & remediation guidance
  • One free retest within 30 days
Service / 02

Smart Contract Security Audit

Line-by-line review of on-chain code across Solidity (EVM), Move (Sui / Aptos), and Rust / Anchor (Solana).

Coverage

  • Reentrancy (classic, cross-function, read-only)
  • Precision loss & rounding attacks
  • Access control & privilege misconfiguration
  • Oracle manipulation & price-feed abuse
  • MEV exposure (sandwich, front-run, back-run)
  • Flash-loan and economic attacks
  • Move-specific: object & capability model abuse
  • Upgradeability & storage collision risks

Deliverables

  • Severity-classified findings (Sherlock / Cantina style)
  • Executable PoCs in Foundry / Hardhat / Move CLI
  • Invariant & fuzzing recommendations
  • Post-fix review included
Service / 03

API Security Testing

Attack-surface mapping and exploitation of REST, GraphQL, and WebSocket interfaces.

Coverage

  • Broken Object Level Authorization (BOLA)
  • Broken Function Level Authorization (BFLA)
  • Mass assignment & over-posting
  • GraphQL introspection abuse, batching, aliasing
  • WebSocket auth & message injection
  • JWT / OAuth / OIDC flaws (scope escalation, audience confusion)
  • Rate-limit & anti-abuse bypass
  • Webhook & callback URL forgery

Deliverables

  • Swagger / Postman-annotated findings
  • Per-endpoint risk matrix
  • Token, scope, and rate-limit review
  • Fix verification pass
Service / 04

Private Bug Bounty Engagement

One senior researcher on your private program — not a queue of drive-by submissions.

Coverage

  • Public and private programs on HackerOne
  • Contest platforms: Cantina, Sherlock, Code4rena
  • Continuous scope monitoring & regression hunting
  • Responsible disclosure for out-of-scope but critical findings

Deliverables

  • Findings reported through your preferred platform
  • Custom-written PoCs and repro steps
  • Signal-high, noise-low submissions
  • Chain / combined-impact analysis
Service / 05

Secure Code Review

We read code the way attackers do. We hand back the roadmap an auditor would accept.

Coverage

  • Input validation & output encoding
  • Authn / authz primitives and their misuse
  • Secret handling, crypto, key rotation
  • Dependency & supply-chain risk surface
  • CI/CD, IaC, and deployment pipeline flaws
  • Language-specific footguns (Node, Python, Go, Rust, Solidity, Move)

Deliverables

  • Per-file, per-function risk annotations
  • Prioritized remediation roadmap
  • Architecture-level recommendations
  • Secure-by-default patterns for your team

At a glance

Which engagement fits your scope?

Comparison of MemCyber service offerings by duration, starting price, retest inclusion, and ideal use case.

Service                 Duration       Starts from   Retest           Best for
Web App Pentest         1–3 weeks      $6k           Included (30d)   Pre-launch, SOC 2 prep, post-release validation
Smart Contract Audit    2–4 weeks      $12k          Included (30d)   Pre-mainnet, post-upgrade, contest-mode dry run
API Security Testing    1–2 weeks      $7k           Included (30d)   Public APIs, partner integrations, GraphQL migration
Bug Bounty Engagement   Ongoing        Per finding   N/A              Continuous coverage, established programs
Source Code Review      1–3 weeks      $9k           Fix review       Pre-audit dry run, M&A diligence, legacy systems
Custom Engagement       Case-by-case   On request    Negotiated       Hybrid scope, emergency triage, custom compliance

Prices are starting points, scaled by scope complexity. Most firms keep pricing behind a “Get a quote” form — we publish ours. See How We Work for full engagement models.

Send a repo, not a brief.

Give us the URL, the codebase, or the architecture doc. We come back with a short threat model and fixed-price proposal — no obligation.