We build it.
We break it.
Penetration testing, compliance readiness, and secure development for small and mid-size businesses in Connecticut and Dallas–Fort Worth. Senior-only engagements. Reports that exploit, not just scan.
Penetration testing and compliance readiness
Fixed-price engagements from $500 website checks to full-scope compliance readiness. No junior handoffs. The person who tests is the person who writes the report.
PCI DSS Pentest
Annual internal + external testing for Requirement 11.4.
SOC 2 Readiness
Pre-audit work Vanta and Drata cannot do.
HIPAA Assessment
Risk analysis, pentest, and Security Rule readiness.
CMMC Readiness
110 NIST 800-171 practices for DoD contractors.
AI Security Audit
OWASP LLM Top 10. Prompt injection, agentic tool-chain, RAG + vector store.
CT Penetration Testing
Local CT firm for Hartford, New Haven, Stamford, Greenwich.
DFW Penetration Testing
DFW coverage + Texas SB 2610 safe harbor readiness.
Vertical-specific expertise
Different industries have different regulators, different attackers, and different failure modes. Our engagements are shaped around your vertical.
What we are finding right now
Original vulnerability research published regularly. Platform-specific attack patterns, compliance breakdowns, and threat intelligence from active engagements.
A login bug where the password "null" works. The Note Mark OIDC bypass and what it teaches every auth team.
GHSA-pxf8-6wqm-r6hh: Note Mark's local-password endpoint accepted the literal string 'null' as a valid password for users who'd been migrated to OIDC. The hash field was NULL in the database; bcrypt.compare coerced both sides to the string 'null' and returned true. One null check would have prevented it. Walk through the bug, the broader pattern (any app that added SSO to a previously local-auth codebase), and the static + runtime detection rules every team should adopt.
Traefik shipped three authentication bypasses in 24 hours. The same root cause is in every reverse proxy.
Three high-severity Traefik advisories on April 25, 2026: StripPrefixRegex Path/RawPath desync, forwarded-alias spoofing for pre-auth decisions, and ForwardAuth trustForwardHeader=false still leaking X-Forwarded-Prefix. All three are pre-authentication, all three let unauthenticated requests reach protected backends, and all three share the same root cause: edge and origin disagreed about what the request was. The same bug class lives in nginx, Envoy, HAProxy, and every CDN-fronted authenticated backend. Patch + audit guide.
GitPython's command injection (GHSA-rpm5-65cw-6hj4): the multi-options bypass and what it means for your CI runners.
Two GitPython advisories on April 26, 2026 — both command-injection bugs that fire when validation runs before the shlex.split transformation that introduces the injection vector. GitPython is the silent dependency in CI runners, repo-scanning security tools, AI agent frameworks that read repos, and webhook handlers. If user input reaches multi_options, it's RCE. The validate-the-final-form-not-the-input-form pattern, plus a fix-flow audit checklist for every callsite.
Start with a free security check
We scan your public surface and send a plain-English findings report in 48 hours. No obligation. No sales pitch. If the findings matter, we scope a real engagement. If they do not, we tell you.
