INDEPENDENT · SEOUL / REMOTE · WEB & INFRA

See the threat surface before it sees you.

Cyclopes is an independent security practice. We run a fast, non-intrusive check on your web product, verify every finding by hand, and hand you a short report with the exact fix — not a 200-page scanner dump.

axiom — security is always one commit away from a breach.
surface check · sample output ● SAMPLE
CRIT  .env file served publicly   /.env
HIGH  API key found in JS bundle  app.js
HIGH  .git directory readable     /.git/
LOW   Prometheus /metrics open    /metrics
↑ Illustrative. Example finding types — not a live customer. A real check on your site replaces every line above.
~1 min · First surface check · non-intrusive, no login
100% · Verified by hand · no scanner noise in the report
Free · First heads-up · what we found, with proof
~24h · One human reply · to every message you send
// 01 WHAT WE CHECK

Four surfaces. One attacker's mindset.

Depth before breadth. Each engagement is scoped tight, so every line in the report is real, reproducible, and worth your engineers' time.
WEB

Web app surface check

The fast, non-intrusive pass — only the requests a visitor's browser already makes. The free heads-up starts here.

  • .env / .git exposure
  • Secrets in JS bundles
  • Debug & metrics endpoints
AUDIT

Manual web app audit

A deeper, hands-on review of one application — the business-logic and access-control flaws no scanner can find.

  • Auth & session model
  • Access control / IDOR
  • Injection & logic flaws
CONFIG

Code & config review

Exposed secrets and risky defaults across the build and infra files you ship and the ones you depend on.

  • IaC / Docker / Terraform
  • Dependency hygiene
  • CI/CD secret handling
INFRA

Infrastructure surface

What your network quietly exposes to the open internet — before an attacker maps it for you.

  • DNS & subdomain exposure
  • Open ports & services
  • Cloud bucket permissions
// 02 HOW IT WORKS

From first request to a fix you can ship.

Every engagement follows the same five steps. No surprise pivots, no silent weeks — you always know which step we're on.
$ 01
▸ surface_scan
An automated, non-intrusive pass over your public surface — only the requests a browser already makes. No login, no payloads.
[25 checks] [no-login] [~1 min]
$ 02
▸ manual_verify
Every signal is reproduced by hand. False positives are killed before they ever reach you — the report carries only what is real.
[reproduce] [burp] [by-hand]
$ 03
▸ impact_triage
Findings are ranked by what an attacker actually gains — not by a scanner's default severity. Real chains first.
[cvss-v4] [impact] [chain]
$ 04
▸ plain_report
What it is, the proof, and the exact fix — written for the engineer who has to ship it. No jargon padding.
[evidence] [fix-steps] [no-jargon]
$ 05
▸ retest
We re-check your fix and confirm it actually closed the hole. Included with the full audit.
[retest] [confirm] [30-day]
// 03 THE REPORT

The report your engineers will actually read.

Short. Specific. Reproducible. Every finding lands with proof you can run yourself and a fix you can ship the same day.
report / sample finding · CRITICAL

Exposed .env file with live credentials

component · /.env    access · public, no login    status · confirmed
SUMMARY
The application's .env file is served straight from the web root. It holds a live database URL and API keys — anyone can download the whole file in one request, no login required.
PROOF
$ curl -s https://yoursite.com/.env
DATABASE_URL=postgres://app:••••@db.internal/prod
STRIPE_SECRET_KEY=sk_live_••••••••••••
FIX
1. Remove .env from the deployed web root.
2. Block dotfiles (/.*) at the edge / web server.
3. Rotate every key that was exposed — treat them as burned.
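How the manual_verify step separates a real .env exposure from a single-page-app catch-all route (which answers 200 with index.html for every path, /.env included) and builds the redacted proof lines shown in the sample finding above. Added illustration, not Cyclopes' tooling: the two HTTP responses are constructed, and the credential key-name heuristic and redaction rules are assumptions.

```python
import re

# Constructed sample responses to GET /.env (no live site): status, Content-Type
# and body as a verifier would see them on two different hosts.
REAL_EXPOSURE = (200, "text/plain",
                 "DATABASE_URL=postgres://app:hunter2@db.internal/prod\n"
                 "STRIPE_SECRET_KEY=sk_live_51Hxxxxxxxxxxxxxxxxxxxx\n"
                 "APP_ENV=production\n")
SPA_CATCHALL = (200, "text/html",
                "<!doctype html><html><head><title>App</title></head>"
                "<body><div id=root></div></body></html>")

DOTENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)\s*=\s*(.*)$")
# Assumed heuristic: key names that usually carry credentials; their values never reach the report verbatim.
SECRET_KEY_HINT = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASS|URL|DSN", re.I)

def parse_dotenv(body):
    """Return {KEY: value} for every line that parses as a dotenv assignment."""
    pairs = {}
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DOTENV_LINE.match(line)
        if m:
            pairs[m.group(1)] = m.group(2).strip().strip("\"'")
    return pairs

def redact(key, value):
    """Mask the credential part of a value, keeping enough shape to recognise the key."""
    if "://" in value:  # postgres://app:hunter2@host -> postgres://app:••••@host
        return re.sub(r"://([^:/@]+):([^@]+)@", r"://\1:••••@", value)
    if SECRET_KEY_HINT.search(key):
        prefix = value[:8] if value.startswith(("sk_live_", "sk_test_")) else ""
        return prefix + "•" * 12
    return value

def verify_dotenv_exposure(status, content_type, body):
    """Confirm or kill a scanner hit and build the redacted proof lines for the report."""
    if status != 200 or "html" in content_type.lower():
        # A 200 alone proves nothing: SPA catch-all routes return 200 + index.html for any path.
        return {"confirmed": False, "reason": f"HTTP {status}, {content_type}", "proof": []}
    pairs = parse_dotenv(body)
    if len(pairs) < 2:  # one stray KEY=VALUE line is not a dotenv file
        return {"confirmed": False, "reason": "body does not parse as dotenv", "proof": []}
    secrets = [k for k in pairs if SECRET_KEY_HINT.search(k)]
    return {"confirmed": True,
            "severity": "CRITICAL" if secrets else "HIGH",
            "secret_keys": secrets,
            "proof": [f"{k}={redact(k, pairs[k])}" for k in pairs]}
```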
01
Evidence you can reproduce

Every finding ships with a copy-pasteable proof line you can run yourself.

02
Ranked by real impact

Severity reflects what an attacker gains — not a scanner's guess.

03
Exact fix steps

File paths, config, the key to rotate. No vague "consider reviewing".

04
30-day retest

We confirm your fix actually worked. Included with the full audit.

// 04 PRICING

A starting point. Quoted to your scope.

Once a quote is agreed it stays fixed — no retainer, no surprise line items, no upsell on a call.
These prices are a starting framework, not a fixed menu. Every engagement is quoted individually — the final number moves with the difficulty of the work and exactly what you ask for. You always see that number, and agree to it, before any work begins.
Heads-up
Free
What we already found on your site
one-off · no commitment
  • The issue we spotted, in plain words
  • Proof you can reproduce yourself
  • The exact steps to close it
  • No call, no pitch — reply only if you want more
Ask what we see →
MOST ASKED
Full audit
from $500
Deep manual review of one web app
hands-on · written report
  • Everything in the quick scan
  • Hands-on auth & access-control review
  • Business-logic & injection testing
  • Written report + 30-day retest
Request full audit →
Quick scan
from $150
One full pass of your app's surface
2–3 day turnaround
  • Full external surface of one app
  • Every finding verified by hand
  • Written report with fix steps
  • No retest
Request quick scan →
// auditing 3+ products → 20% off  ·  open-source projects → reach out, we'll work something out  ·  NDA on request
// 05 CONTACT

Tell us what to break.

One message, one human reply — usually within a day. Tell us the site and what worries you most, and we'll tell you what we can already see.