Security Research & Red Team
Most security reviews produce a PDF and a shrug. Real research finds the specific bugs that would actually bite you, shows exactly how, and tells you what it would take to fix. That is the work we do against public programs at scale. It is the same work we bring into a business engagement.
The findings below come from active research against public HackerOne bug bounty programs run by a publicly traded consumer health technology platform, a global fintech payments platform, and a connected health and performance platform. Targets and identifying details are omitted by design. Findings are described at the level of bug class and business impact, not exploit mechanics.
The point is not the list. The point is what the list represents: pattern recognition across hundreds of hours of mobile reverse engineering, API reconnaissance, infrastructure enumeration, and authorization testing. The same pattern recognition brought to bear on your environment finds the same classes of problem, usually faster, because most businesses have not had this kind of look before.
Application Security
Most modern applications stitch together a dozen third-party services for analytics, identity, messaging, and billing. Each stitch is an opportunity. These are findings where the bug lived in how the application talked to a service it already trusted.
Publicly traded consumer health technology platform
A production analytics write key extracted from the mobile binary allowed unauthenticated identity mapping, profile merging, and overwrite of user attributes in the downstream customer data platform. The key had never been rotated and had full write scope. A finding at this severity is usually a combination of bad posture and no one looking.
Publicly traded consumer health technology platform
A subscription mutation accepted entitlement input from the client without verifying that a payment method had been attached. Following the documented request flow produced an active premium account at no charge. This is a revenue leak, not a security curiosity. The fix is a single server-side check.
Publicly traded consumer health technology platform
Public GraphQL mutations for account creation, email delivery, and SMS delivery could be invoked without authentication. Chained together, they provided an attacker a branded phishing pipeline running on the company's own sending reputation. The platform pays for the infrastructure. The attacker uses it.
Infrastructure & Cloud
Staging and preproduction are where security hygiene usually slips. Real customer data is not supposed to be there, but credentials, internal hostnames, and OAuth configurations often are. These findings started from public DNS and content security policies.
Global fintech payments platform
A staging identity provider exposed OAuth grant types normally restricted to internal services, together with hostnames that revealed the internal service topology of the production stack. For a regulated financial services platform, reconnaissance value of this kind is what seeds the next finding.
Global fintech payments platform
Content security policy headers and DNS CNAME chains disclosed object storage namespaces and component identifiers belonging to the PCI tier of the environment. Individually small. Collectively a map of what to go after next.
Authorization & Access
The two most common authorization bugs in modern platforms are client trust and predictable identifiers. These findings are both.
Global fintech payments platform
An eligibility flag used to gate access to a financial product was accepted from the client without server-side verification. Any caller could set it. The impact is bounded by other controls, but the pattern is the bug: the server should never take the client's word on eligibility.
Connected health and performance platform
Community identifiers were sequential and the membership endpoint returned roster data without verifying the caller belonged to the community. Private groups numbering in the hundreds of thousands were enumerable. For users who had chosen a private group specifically to avoid public visibility, that choice was not being honored by the platform.
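The three findings above (the unverified subscription entitlement, the client-supplied eligibility flag, and the sequential community identifiers with an unchecked roster endpoint) share one root cause: the server trusts something the caller controls. The following is an added example written for this page, not code from any of the programs described. It pairs each bug pattern with its server-side fix; all user ids, payment records, product names and community data are constructed stand-ins for a real datastore, and the function names are hypothetical.

```python
"""Server-side checks for the three authorization findings above.

Added example, not code from the page or from any program it describes.
Every record below is constructed; in a real service these are database lookups.
"""
import secrets

# Constructed server-side state standing in for a database.
PAYMENT_METHODS = {"user-1": "pm_constructed_card"}        # user-2 has no payment method
ELIGIBILITY = {"user-1": {"credit_line"}, "user-2": set()}  # decided by the server, never the client
COMMUNITIES = {}  # community_id -> set of member user ids


class AuthorizationError(Exception):
    """Raised when the server refuses a request on its own records, not the client's claims."""


# --- Finding 1: subscription entitlement taken from the client -----------------

def activate_subscription_vulnerable(user_id, client_payload):
    # The bug: the tier is whatever the client put in the mutation.
    return {"user": user_id, "tier": client_payload.get("tier", "free"), "active": True}


def activate_subscription(user_id, client_payload):
    # The fix: client_payload is ignored for the tier; a payment method must exist on file.
    if PAYMENT_METHODS.get(user_id) is None:
        raise AuthorizationError("no payment method on file")
    return {"user": user_id, "tier": "premium", "active": True}


# --- Finding 2: eligibility flag accepted from the client ----------------------

def product_access_vulnerable(user_id, product, client_payload):
    # The bug: a caller-controlled flag gates a financial product.
    return bool(client_payload.get("eligible"))


def product_access(user_id, product, client_payload=None):
    # The fix: eligibility is looked up server-side; the payload plays no part.
    return product in ELIGIBILITY.get(user_id, set())


# --- Finding 3: sequential ids + roster returned without a membership check ----

def create_community(members):
    # Random, non-sequential identifier so groups cannot be enumerated by counting.
    community_id = secrets.token_urlsafe(16)
    COMMUNITIES[community_id] = set(members)
    return community_id


def roster_vulnerable(caller_id, community_id):
    # The bug: any caller can read any roster.
    return sorted(COMMUNITIES[community_id])


def roster(caller_id, community_id):
    # The fix: the caller must be a member, and unknown and foreign groups are indistinguishable.
    members = COMMUNITIES.get(community_id)
    if members is None or caller_id not in members:
        raise AuthorizationError("not a member")
    return sorted(members)


def denied(fn, *args):
    """True if the server-side check refuses the call; used to demonstrate the fixes."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    print(activate_subscription_vulnerable("user-2", {"tier": "premium"}))  # free premium
    print(denied(activate_subscription, "user-2", {"tier": "premium"}))       # True
    cid = create_community(["user-1", "user-3"])
    print(roster_vulnerable("user-2", cid), denied(roster, "user-2", cid))     # leaked, then True
```

The hardened functions accept the same arguments as the vulnerable ones so the call sites do not change; only the source of truth moves from the request to the server's own records. The roster check also refuses unknown ids with the same error as foreign ones, so a caller cannot learn which ids exist.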
How We Work
Mobile Reverse Engineering
iOS Mach-O analysis with Frida and class-dump, Android APK decompilation with jadx and smali editing, runtime instrumentation on jailbroken and rooted devices.
API & GraphQL Reconnaissance
Endpoint enumeration from mobile binaries, schema introspection, mutation discovery, OAuth scope analysis, and authenticated versus unauthenticated surface mapping.
Network Traffic Interception
Router-level MITM with real TLS certificates, traffic capture across mobile and desktop clients, and decryption of traffic that bypasses standard proxy configurations.
Cloud & Infrastructure Enumeration
DNS and certificate transparency mining, object storage misconfiguration, CSP and security header analysis, and exposed staging discovery.
Authentication & Authorization Testing
OAuth and OIDC flow analysis, token scope testing, identity provider configuration review, IDOR and access control verification across user boundaries.
Protocol Analysis
Binary protocol reverse engineering, BLE and wireless analysis, DRM and licensing protocol review, and identifying authentication gaps in proprietary protocols.
Source Code & Binary Review
Static analysis on native and managed binaries, source map and build artifact analysis, identification of hardcoded secrets and dangerous client-side logic.
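The analytics write key finding in the Application Security section is the kind of thing this review item is meant to catch before release. The following is an added example, not code from the page or from any tool it names: a small scanner over the string table of a build artifact that flags assignment-shaped secrets by name and by Shannon entropy, so a 32-character random key is reported while a placeholder like `test` or an all-`a` dummy value is not. The sample input and the key value are constructed; the name pattern and entropy threshold are assumptions a team would tune for its own stack.

```python
"""Hardcoded-secret scan over strings pulled from a build artifact.

Added example, not the page's code. Feed it the output of `strings` on a binary,
a decoded source map, or a config bundle; everything below is constructed sample input.
"""
import math
import re

# Constructed sample of what a string dump from a mobile build might contain.
SAMPLE_STRINGS = """\
NSLocalizedString
ANALYTICS_WRITE_KEY=ZkQ3mX9pLw2vNq8rTb5yHc4jFd7sGa1e
https://api.example.invalid/graphql
apiKey=test
SESSION_TOKEN=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
UIViewController
"""

# Assignment-shaped strings whose name suggests a credential and whose value is long enough to matter.
ASSIGNMENT = re.compile(
    r'(?i)\b([A-Z0-9_]*(?:key|secret|token|password)[A-Z0-9_]*)\s*[:=]\s*["\']?([A-Za-z0-9_\-+/=]{16,})'
)


def shannon_entropy(value):
    """Bits per character; random keys sit near log2(alphabet size), dummies near zero."""
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def scan(text, min_entropy=3.5):
    """Return one finding per high-entropy credential-looking assignment, never the full value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in ASSIGNMENT.finditer(line):
            name, value = match.group(1), match.group(2)
            entropy = shannon_entropy(value)
            if entropy >= min_entropy:
                findings.append({
                    "line": lineno,
                    "name": name,
                    "entropy": round(entropy, 2),
                    "preview": value[:4] + "...",  # enough to locate it, not enough to reuse it
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_STRINGS):
        print(finding)
```

The scanner reports the name, line and a four-character preview rather than the secret itself, so the finding can go into a ticket without the ticket becoming a second copy of the credential. Lowering `min_entropy` catches more hand-typed secrets at the cost of false positives on version strings and hashes.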
Pattern Recognition at Scale
The real value is not a single finding. It is recognizing which bug classes a given stack is likely to have, and going looking for them first.
Reporting That Triggers Action
Findings written so a business leader understands the impact, an engineer understands the fix, and neither has to translate the other. Severity grounded in realistic exploitation.
Engagement Types
Security Review
A time-boxed look at a specific surface: your mobile app, your main API, your cloud footprint, or a vendor you are about to integrate. You get a written report with the findings that matter, ranked by impact, with reproduction steps for engineering and a one-page summary for leadership.
Pre-Audit & Pre-Acquisition Review
Before a third-party penetration test, before a SOC 2 audit, or before you close on an acquisition. We find what the formal process will find, plus what it will miss, while there is still time to fix it without the timeline pressure of a delivered report.
Ongoing Research Partner
For organizations that ship software and do not have a dedicated application security function. A retainer that gets you a set number of research hours per month against your environment, with findings delivered as they land.
A conversation costs nothing. The findings usually pay for themselves.
Start a Conversation