Expert services · special projects

The question nobody else could answer.

You’ve got a hard, specific problem, and everyone you’ve asked has come back empty. This is the work for exactly that: beyond a pen test, beyond a red team.

Not ready to scope it? Find your fix →
What this is

Built inside. Offered out.

We can take on what no one else will because we’ve already built it, for ourselves. A testing platform, expert services, our own research: what most firms only sell.

Now and again, a client needs that same depth on a problem of their own. When it fits, we take it on.

A product to break before it ships, an adversary to profile, a question only original research can answer. Rarely the same twice.

If it’s hard, specific, and off the usual playbook — it’s probably a special project.

Specialist capabilityFor theHardAsks.Delivered on request
The work

Three capabilities. And then some.

Vulnerability Research

The vulnerabilities nobody has published yet — the ones no scanner will ever flag, surfaced through original research.

  • Zero-day discovery
  • Reverse engineering
  • Hardware / IoT teardown
  • Root-cause analysis
  • Coordinated disclosure

Intelligence support

Targeted intelligence on the people who’d actually come for you, turned toward your exposure.

  • Adversary tracking
  • Attack-surface recon
  • Leaked-credential monitoring
  • Pre-engagement intel
  • Actionable briefings

Deception

Decoys, honeytokens and traps built into your environment, so an intruder’s first move is the thing that gives them away.

  • Honeypots & decoys
  • Honeytokens
  • Canary credentials
  • Lure & breadcrumb design
  • Alerting & triage

Something else?

If it runs software, we can test it: mainframes, esoteric embedded systems, and stranger things still. If it computes, it’s in scope.

What one looks like

A rootkit, under their rootkit.

A security-product vendor asked us to break their own product. To see how it really worked, we wrote a rootkit that ran underneath the product’s own rootkit-like behaviour. Those findings hardened it.

That rootkit became a capability of its own. On a later engagement, a locked-down secure zone with every control live, we used it to get beneath the controls, then went after everything else.

The productIts rootkit layerOur rootkitBare metal
How we engage

Scoped from scratch, every time.

Whoever the problem needs

Whoever can actually do the work, including the teams who build these capabilities in-house.

Confidential by default

Under NDA as standard, under legal privilege where findings have to stay protected.

What you walk away with

The answer, and what to do with it.

The deliverable is shaped by the project: a report, a reproducible finding, a tool, a briefing. Whatever form it takes, four things are constant:

Backed by evidence

Verify it yourself: code, sources, reproduction.

What it means for you

Why it matters to your risk, your product, your call.

Clear next steps

What to do about it, in language you can act on.

A direct debrief

With the researchers who did the work.

Book a 30-min call