SMALL ELITE TEAM · 3 OPERATORS · SEOUL / REMOTE

See the
threat surface
before it sees you.

An independent security practice for small web products. One short report, every finding verified by hand, the exact fix attached.

Step 01 · Free
Heads-up
We email what we already see.
Step 02 · $150+
Quick scan
Full surface pass, written report.
Step 03 · $550+
Full audit
Hands-on review + 30-day retest.
surface check · sample output ● SAMPLE
CRIT.env file served publicly/.env
HIGHAPI key found in JS bundleapp.js
HIGH.git directory readable/.git/
LOWPrometheus /metrics open/metrics
↑ Illustrative. Example finding types — not a live customer. A real check on your site replaces every line above.
100%
Verified by hand
no scanner noise
Free
First heads-up
with reproducible proof
~24h
Human reply
to every message
// 01WHAT WE CHECK

Four surfaces.
One attacker's mindset.

Scoped tight, so every line in the report is real and worth your engineers' time.
WEB

Web app surface

Non-intrusive pass — only what a browser already requests.

  • Exposed .env / .git
  • Secrets in JS bundles
  • Open debug & metrics endpoints
AUDIT

Manual app audit

Hands-on review of the flaws no scanner finds.

  • Auth & session model
  • Access control / IDOR
  • Business-logic flaws
CONFIG

Code & config review

Risky defaults and leaked secrets across build and infra.

  • Docker & Terraform
  • Dependency hygiene
  • CI/CD secret handling
INFRA

Infrastructure surface

What your network quietly leaves on the open internet.

  • DNS & subdomain exposure
  • Open ports & services
  • Cloud bucket permissions
// 02LIVE FROM OUR SCANNERS

What we found this week.

A redacted live feed from our non-intrusive scanners. Hostnames are masked so nothing here gives an attacker a head start — the volume tells you we ship.
· findings in feed CRITICAL · HIGH · Last scan · Auto-refresh 30s
findings.stream · redacted
severity / target / issue
loading recent findings...
Real findings, real timestamps, masked targets (e.g. ex***ra.me). No proof, no full URLs, no secrets — we never publish what we haven't first shared with the owner privately. The list polls every 30 seconds, so when our scanners produce a new finding it lands here on its own.
// 03HOW IT WORKS

From first request
to a fix you can ship.

Five steps, every time. You always know where we are.
$ 01
▸ surface_scan
A non-intrusive pass over your public surface. No login, no payloads.
[no-login] [~1 min]
$ 02
▸ manual_verify
Every signal reproduced by hand. False positives die before you see them.
[reproduce] [by-hand]
$ 03
▸ impact_triage
Ranked by what an attacker actually gains — not scanner defaults.
[impact] [chain]
$ 04
▸ plain_report
What it is, the proof, the exact fix. Written for the engineer who ships it.
[evidence] [fix-steps]
$ 05
▸ retest
We confirm your fix closed the hole. Included with the full audit.
[30-day]
// 04THE REPORT

The report your
engineers will actually read.

Short, specific, reproducible. Every finding ships with proof and a fix.
report / sample finding CRITICAL

Exposed .env file with live credentials

component · /.env access · public, no login status · confirmed
Summary
Your .env file is served from the web root. It holds a live database URL and API keys — one request away, no login.
Proof
$ curl -s https://yoursite.com/.env → DATABASE_URL=postgres://app:••••@db.internal/prod → STRIPE_SECRET_KEY=sk_live_••••••••••••
Fix
1. Remove .env from the web root.
2. Block dotfiles (/.*) at the edge.
3. Rotate every exposed key — treat them as burned.
01
Proof you can run

Every finding ships with a copy-paste line you can reproduce yourself.

02
Ranked by real impact

Severity reflects what an attacker gains — not a scanner's guess.

03
Exact fix, then retest

File paths and config, not "consider reviewing". 30-day retest included with the full audit.

// 05PRICING

A starting point.
Quoted to your scope.

Quote fixed up front. No retainer, no surprise line items.
Starting framework, not a fixed menu. The final number moves with what you ask for. You see and agree to it before any work begins.
Heads-up
Free
What we already see on your site
one-off · no commitment
  • The issue in plain words
  • Proof you can reproduce
  • Exact steps to close it
  • No call, no pitch
Ask what we see →
MOST ASKED
Full audit
from$550
Deep manual review of one web app
hands-on · written report
  • Everything in Quick scan
  • Auth & access-control review
  • Business-logic & injection testing
  • Written report + 30-day retest
Request full audit →
Quick scan
from$150–$350
One full pass of your app's surface
2–3 day turnaround
  • Full external surface of one app
  • Every finding verified by hand
  • Written report with fix steps
  • No retest
Request quick scan →
// 3+ products → 20% off  ·  open-source → reach out  ·  NDA on request
// 06CONTACT

Tell us what to break.

One message, one human reply — usually within a day. Send us the site and what worries you most.