Security tools
The custom Python auditors we wrote and run on client engagements. Nine tools. Each one addresses a specific 2026 attack pattern or compliance gap that generic scanners miss.
oauth21_tester.py: OAuth 2.1 compliance and attack auditor
Probes RFC 8414 authorization-server metadata, tests the advertised grant types against the OAuth 2.1 removals (implicit and resource-owner password grants), validates PKCE enforcement (S256 required on the authorization code flow), checks DPoP (RFC 9449) support, validates the JWKS, probes dynamic client registration, and tests token introspection. Tested live against accounts.google.com and Microsoft Entra. Finds misconfigurations that generic scanners miss.
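A pared-down version of the metadata check, as an added example rather than the tool's own code: it takes an RFC 8414 document (here a constructed one for a deliberately weak server, not fetched from any real issuer) and reports the OAuth 2.1 gaps the paragraph lists. The issuer URL and endpoint values are assumptions.

```python
"""Evaluate an RFC 8414 authorization-server metadata document against
OAuth 2.1 expectations. Added example; the metadata below is constructed,
not fetched from any real server."""
import json

# OAuth 2.1 drops the implicit and resource-owner-password grants.
DEPRECATED_GRANTS = {"implicit", "password"}
# Response types that return tokens straight from /authorize (implicit flow).
IMPLICIT_RESPONSE_TYPES = {"token", "id_token token"}


def audit_metadata(meta: dict, expected_issuer: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if meta.get("issuer") != expected_issuer:
        findings.append(f"issuer mismatch: {meta.get('issuer')!r} != {expected_issuer!r}")
    for grant in sorted(set(meta.get("grant_types_supported", [])) & DEPRECATED_GRANTS):
        findings.append(f"deprecated grant type advertised: {grant}")
    for rt in sorted(set(meta.get("response_types_supported", [])) & IMPLICIT_RESPONSE_TYPES):
        findings.append(f"implicit-flow response_type advertised: {rt}")
    # OAuth 2.1 requires PKCE on the authorization code grant; S256 is the
    # method that must be supported, 'plain' gives no protection against
    # an attacker who can observe the authorization request.
    methods = set(meta.get("code_challenge_methods_supported", []))
    if "S256" not in methods:
        findings.append("PKCE S256 not advertised (code_challenge_methods_supported)")
    if "plain" in methods:
        findings.append("PKCE 'plain' method still accepted")
    # DPoP (RFC 9449) is optional, but its absence means bearer tokens only.
    if not meta.get("dpop_signing_alg_values_supported"):
        findings.append("no DPoP support advertised (bearer tokens only)")
    # Every advertised endpoint must be served over HTTPS.
    for key, value in meta.items():
        if key.endswith("_endpoint") and isinstance(value, str) and not value.startswith("https://"):
            findings.append(f"{key} is not HTTPS: {value}")
    return findings


# Constructed sample metadata for a deliberately weak server (assumed hostname).
WEAK_METADATA = json.loads("""{
  "issuer": "https://as.example.test",
  "authorization_endpoint": "https://as.example.test/authorize",
  "token_endpoint": "http://as.example.test/token",
  "grant_types_supported": ["authorization_code", "implicit", "password", "refresh_token"],
  "response_types_supported": ["code", "token"],
  "code_challenge_methods_supported": ["plain"]
}""")

if __name__ == "__main__":
    for finding in audit_metadata(WEAK_METADATA, "https://as.example.test"):
        print("FINDING:", finding)
```

Against a live server the document comes from `GET /.well-known/oauth-authorization-server` (or `/.well-known/openid-configuration` for OpenID providers); the metadata only says what the server advertises, so a full audit still has to send an actual `response_type=token` or PKCE-less request to confirm enforcement.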
pci_payment_script_audit.py: PCI DSS 4.0 6.4.3 + 11.6.1 payment-page script integrity auditor
Catalogs every script on a payment page. Validates Subresource Integrity hashes. Validates Content Security Policy for script-src strictness. Detects inline script without nonces. Detects external scripts without SRI. Reports the gap against PCI DSS 4.0 6.4.3 (script inventory and authorization) and 11.6.1 (payment-page change and tamper detection).
pci_script_monitor.py: Continuous payment-page script monitoring daemon
Productized version of the above. Runs continuously against specified payment pages. Alerts on any unauthorized script change, SRI hash mismatch, or new script addition. Shipping as a $99/month SaaS for PCI 11.6.1 compliance automation.
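The core of both the one-shot auditor and the monitor, as an added example (not the page's own code): an HTML script inventory with SRI and CSP checks for 6.4.3, and a baseline comparison that turns any script change into an 11.6.1 alert. The payment page, CSP header and baseline are constructed inputs; a real run would fetch the page and its response headers.

```python
"""Payment-page script inventory with SRI and CSP checks (PCI DSS 4.0 6.4.3)
and a baseline comparison for change detection (11.6.1).
Added example: the HTML, the CSP header and the baseline are constructed."""
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script>: its attributes and any inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"attrs": dict(attrs), "inline": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def collect_scripts(html: str) -> list:
    collector = ScriptCollector()
    collector.feed(html)
    return collector.scripts


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Build the integrity attribute value for a script body."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, content).digest()).decode()}"


def parse_csp(header: str) -> dict:
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_page(html: str, csp_header: str) -> list:
    """Return 6.4.3 findings for a fetched payment page and its CSP header."""
    findings = []
    for script in collect_scripts(html):
        attrs = script["attrs"]
        if "src" in attrs:
            if not attrs.get("integrity"):
                findings.append(f"external script without SRI: {attrs['src']}")
        elif script["inline"].strip() and not attrs.get("nonce"):
            findings.append("inline script without nonce")
    csp = parse_csp(csp_header)
    sources = csp.get("script-src", csp.get("default-src"))
    if sources is None:
        findings.append("CSP sets neither script-src nor default-src")
    else:
        # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
        # so it is only a finding when it stands alone.
        if "'unsafe-inline'" in sources and not any(t.startswith(("'nonce-", "'sha")) for t in sources):
            findings.append("script-src allows 'unsafe-inline' without nonce or hash")
        for token in sources:
            if token in ("*", "https:", "http:", "data:"):
                findings.append(f"script-src allows overly broad source {token}")
    return findings


def inventory(html: str) -> dict:
    """src -> integrity value (None when absent): the shape of an 11.6.1 baseline."""
    return {s["attrs"]["src"]: s["attrs"].get("integrity")
            for s in collect_scripts(html) if "src" in s["attrs"]}


def diff_inventory(baseline: dict, current: dict) -> list:
    """Every difference from the authorized baseline is an 11.6.1 alert."""
    alerts = []
    for src, integrity in current.items():
        if src not in baseline:
            alerts.append(f"new script: {src}")
        elif baseline[src] != integrity:
            alerts.append(f"SRI changed: {src}")
    alerts.extend(f"script removed: {src}" for src in sorted(baseline.keys() - current.keys()))
    return alerts


# Constructed sample page and header (not a real merchant page).
PAYMENT_PAGE = """<html><body>
<script src="https://cdn.example.test/checkout.js" integrity="sha384-AAAA"></script>
<script src="https://tags.example.test/analytics.js"></script>
<script>window.cfg = {};</script>
<script nonce="r4nd0m">init();</script>
</body></html>"""
CSP_HEADER = "default-src 'self'; script-src 'self' https://cdn.example.test 'unsafe-inline'"

if __name__ == "__main__":
    for finding in audit_page(PAYMENT_PAGE, CSP_HEADER):
        print("FINDING:", finding)
    print(sri_hash(b"console.log('hello');"))
```

Scripts that other scripts inject at runtime never appear in the fetched HTML, so a static inventory like this undercounts; a monitor that has to satisfy 11.6.1 also needs to watch the rendered DOM or the HTTP responses themselves.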
email_auth_audit.py: Comprehensive email authentication auditor
Validates SPF, DKIM (with key rotation analysis; DKIM keys are published per selector, so the selectors in use have to be supplied or guessed), DMARC (with policy strength evaluation), MTA-STS, TLS-RPT, BIMI, and DNSSEC on the target domain. Cross-references against Gmail and Microsoft 365 enforcement expectations. Specific remediation output per finding.
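The SPF and DMARC policy-strength evaluation, as an added example that is not the auditor's own code. It works on record strings so it runs offline; the records shown are constructed, and a live run would resolve the TXT records at the domain and at `_dmarc.<domain>` first.

```python
"""SPF and DMARC policy-strength evaluation. Added example; the records are
constructed strings rather than live DNS answers, so it runs offline."""
import re

TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)")
# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        match = TERM.match(term.lower())
        if not match:
            continue
        qualifier, name = match.group(1) or "+", match.group(2)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated by RFC 7208 and unreliable")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: every host on the internet passes SPF")
    elif all_qualifier == "?":
        findings.append("?all: neutral, equivalent to no policy")
    elif all_qualifier == "~":
        findings.append("~all: softfail only; enforcement then depends on DMARC p=reject/quarantine")
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings


def audit_dmarc(record: str) -> list:
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam; p=reject is the target")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: enforcement applies to only {pct}% of failing mail")
    # sp defaults to p; an explicit sp=none leaves every subdomain spoofable.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are unprotected while the org domain is enforced")
    if not tags.get("rua"):
        findings.append("no rua: aggregate reports are not being collected")
    return findings


# Constructed records for a domain that has started, but not finished, deploying DMARC.
SAMPLE_SPF = "v=spf1 include:_spf.example.test ptr ~all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=50; sp=none; rua=mailto:dmarc@example.test"

if __name__ == "__main__":
    for finding in audit_spf(SAMPLE_SPF) + audit_dmarc(SAMPLE_DMARC):
        print("FINDING:", finding)
```

The lookup count here is the flat count of lookup terms in one record; the RFC 7208 limit applies across the whole `include:` and `redirect=` chain, so the live auditor has to recurse into each included record before it can report a permerror with confidence.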
webhook_forge_test.py: Payment webhook forgery tester
Tests webhook endpoints for proper signature verification. Supports the Stripe, Shopify, Twilio, SendGrid, and GitHub signature schemes. Sends forged payloads with invalid signatures and with no signature at all, and probes for non-constant-time signature comparison (remote timing measurements are noisy, so that result is indicative rather than proof). Reports specific provider-compatible exploit payloads.
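What the tester is looking for, shown from the receiving side as an added example (not the tool's own code): a deliberately weak Stripe-style verifier next to a hardened one, a GitHub-style verifier, and the forged headers the tester sends. The secret, event body and timestamps are constructed. The header formats are the published ones: Stripe signs `"<t>.<body>"` with HMAC-SHA256 and sends `t=...,v1=...`; GitHub sends `sha256=<hex HMAC-SHA256 of the body>`.

```python
"""Webhook signature verification, Stripe- and GitHub-style, with a weak
verifier beside a hardened one and the forged requests a tester sends.
Added example: the secret, payload and timestamps are constructed."""
import hashlib
import hmac
import time

SECRET = b"whsec_constructed_example_secret"  # constructed, not a real signing secret
TOLERANCE_SECONDS = 300  # Stripe's documented default replay window


def stripe_sign(body: bytes, ts: int, secret: bytes = SECRET) -> str:
    """Stripe-Signature header value: t=<ts>,v1=<hex HMAC-SHA256 of "<ts>.<body>">."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def github_sign(body: bytes, secret: bytes = SECRET) -> str:
    """X-Hub-Signature-256 header value: sha256=<hex HMAC-SHA256 of body>."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def parse_stripe_header(header: str):
    ts, sigs = None, []
    for item in header.split(","):
        key, _, value = item.partition("=")
        if key == "t" and value.isdigit():
            ts = int(value)
        elif key == "v1":
            sigs.append(value)
    return ts, sigs


def verify_stripe_weak(body: bytes, header: str, secret: bytes = SECRET, now=None) -> bool:
    """Vulnerable on purpose: unsigned requests pass, the timestamp is never
    checked (replay), and the comparison is an ordinary string == (timing)."""
    if not header:
        return True
    ts, sigs = parse_stripe_header(header)
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return expected in sigs


def verify_stripe(body: bytes, header: str, secret: bytes = SECRET, now=None) -> bool:
    """Hardened: reject missing or garbled headers, enforce the replay window,
    compare in constant time, accept any one valid v1 (present during key rotation)."""
    if not header:
        return False
    ts, sigs = parse_stripe_header(header)
    if ts is None or not sigs:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, sig) for sig in sigs)


def verify_github(body: bytes, header: str, secret: bytes = SECRET) -> bool:
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(github_sign(body, secret), header)


def forgery_cases(body: bytes, now: int) -> dict:
    """Headers the tester sends with the untampered body; all must be rejected."""
    return {
        "missing_signature": "",
        "wrong_secret": stripe_sign(body, now, b"attacker-guess"),
        "tampered_body": stripe_sign(body + b" ", now),
        "replayed_old_timestamp": stripe_sign(body, now - 3600),
        "garbled_header": "t=abc,v1=zz",
    }


def run_forgery_tests(verifier, body: bytes, now: int) -> dict:
    """case -> True when the verifier wrongly ACCEPTED the forgery."""
    return {case: verifier(body, header, now=now)
            for case, header in forgery_cases(body, now).items()}


# Constructed event body (Stripe-shaped, not a real event).
EVENT_BODY = b'{"id":"evt_constructed","type":"payment_intent.succeeded"}'

if __name__ == "__main__":
    now = int(time.time())
    print("weak verifier accepted:", run_forgery_tests(verify_stripe_weak, EVENT_BODY, now))
    print("hardened verifier accepted:", run_forgery_tests(verify_stripe, EVENT_BODY, now))
```

Against a live endpoint the tester has no secret, so the only cases it can send are the missing, garbled, replayed and wrong-secret ones; the weak verifier above accepts the first and the replayed case, which is exactly the acceptance pattern the tool reports as a forgery finding.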
supply_chain_risk.py: NPM and PyPI typosquat and supply chain risk detector
Analyzes a project's package dependencies. Typosquat detection by Levenshtein distance, adjacent-character swap, and homoglyph substitution. Cross-references against published threat intelligence. Validates maintainer history, release cadence, and abrupt ownership changes. Examples it catches: axios -> axois (adjacent swap), react -> reacl (single-character substitution at edit distance 1), lodash -> lodash-next (suffix squat on a trusted name). Prefix and suffix matches alone will also flag legitimate ecosystem packages, so they have to be read together with the maintainer-history results.
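The name-distance part of the detector, as an added example that is not the tool's own code. It classifies a dependency name against a trusted list; the trusted list and the homoglyph table are constructed and abbreviated (a production detector seeds them from registry download rankings and a fuller confusable-character table).

```python
"""Classify a dependency name against a list of trusted package names.
Added example; the trusted list and homoglyph table are constructed and
abbreviated."""

TRUSTED = {"axios", "react", "lodash", "requests", "express"}

# Characters or pairs that read as another character in common fonts.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with the usual single-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_adjacent_swap(a: str, b: str) -> bool:
    """True when a and b differ only by two neighbouring characters exchanged."""
    if len(a) != len(b):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def normalize_homoglyphs(name: str) -> str:
    out = name.lower()
    for look, real in HOMOGLYPHS.items():
        out = out.replace(look, real)
    return out


def classify(name: str, trusted=TRUSTED) -> tuple:
    """Return (category, trusted_name_it_imitates) or ('ok', None).
    Categories are checked from most to least specific."""
    if name in trusted:
        return ("ok", None)
    for t in trusted:
        if is_adjacent_swap(name, t):
            return ("adjacent-swap", t)
    for t in trusted:
        if normalize_homoglyphs(name) == normalize_homoglyphs(t):
            return ("homoglyph", t)
    for t in trusted:
        # Trades on a trusted name (lodash-next). Legitimate plugins share this
        # shape too, so this category needs the maintainer checks behind it.
        if name.startswith((t + "-", t + "_", t + ".")) or name.endswith(("-" + t, "_" + t)):
            return ("suffix-squat", t)
    for t in trusted:
        if levenshtein(name, t) == 1:
            return ("one-edit", t)  # substitution, insertion or deletion
    return ("ok", None)


# Constructed dependency list mixing clean and suspicious names.
DEPENDENCIES = ["axios", "axois", "reacl", "lodash-next", "1odash", "expres", "flask"]

if __name__ == "__main__":
    for dep in DEPENDENCIES:
        category, target = classify(dep)
        print(f"{dep:12} {category:14} {target or ''}")
```

The categories are ordered so that the cheaper, more specific signal wins: an adjacent swap is also edit distance 2, and a homoglyph swap is also edit distance 1, but reporting them by mechanism tells the reader how the squat was meant to be read.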
k8s_admission_probe.py: Kubernetes admission controller policy tester
Runs 14 admission tests against the target cluster via kubectl apply --dry-run=server. Tests privileged containers, hostPath: / mounts, docker.sock mounts, hostNetwork, hostPID, hostIPC, the SYS_ADMIN capability, :latest tag enforcement, resource limits, and automounted ServiceAccount tokens. Safe to run on production clusters: --dry-run=server sends each manifest through authentication, authorization and admission (webhooks and Pod Security Admission included) but persists nothing. It does need RBAC permission to create Pods in the target namespace, and the API server refuses dry-run requests outright when a webhook declares sideEffects other than None or NoneOnDryRun, so a request error has to be distinguished from a policy denial.
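A reduced form of the probe, as an added example rather than the tool itself: a compliant baseline Pod with one violation applied per test, submitted with `kubectl apply --dry-run=server`, and a result classifier that separates a policy denial from an RBAC or connectivity error. The image name and namespace are assumptions, only part of the page's 14 tests is shown, and the kubectl runner is a parameter so the suite can be exercised offline against a fake.

```python
"""Kubernetes admission-policy probe using server-side dry run. Added example:
the manifests are constructed, only some of the page's tests are shown, and the
kubectl runner is injectable so the suite can run offline against a fake."""
import json
import subprocess

IMAGE = "registry.example.test/app:1.2.3"  # placeholder image (assumption)


def pod(name, container_extra=None, volumes=None, **spec):
    """A compliant baseline Pod with one deliberate violation layered on top."""
    container = {"name": "app", "image": IMAGE,
                 "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}}
    container.update(container_extra or {})
    manifest = {"apiVersion": "v1", "kind": "Pod",
                "metadata": {"name": f"admission-probe-{name}"},
                "spec": {"containers": [container], "automountServiceAccountToken": False}}
    if volumes:
        manifest["spec"]["volumes"] = volumes
    manifest["spec"].update(spec)
    return manifest


# Each manifest should be rejected by a cluster whose admission policy is doing its job.
TESTS = {
    "privileged": pod("privileged", {"securityContext": {"privileged": True}}),
    "hostpath-root": pod("hostpath-root",
                         {"volumeMounts": [{"name": "root", "mountPath": "/host"}]},
                         volumes=[{"name": "root", "hostPath": {"path": "/"}}]),
    "docker-sock": pod("docker-sock",
                       {"volumeMounts": [{"name": "sock", "mountPath": "/var/run/docker.sock"}]},
                       volumes=[{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}]),
    "host-namespaces": pod("host-ns", hostNetwork=True, hostPID=True, hostIPC=True),
    "sys-admin": pod("sys-admin", {"securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}),
    "latest-tag": pod("latest", {"image": "registry.example.test/app:latest"}),
    "no-limits": pod("no-limits", {"resources": {}}),
    "sa-token": pod("sa-token", automountServiceAccountToken=True),
}

# Substrings the API server uses when admission (webhook, Pod Security Admission,
# ValidatingAdmissionPolicy) rejects a request, as opposed to RBAC or transport errors.
DENIAL_MARKERS = ("denied the request", "violates PodSecurity", "denied request")


def kubectl_dry_run(manifest: dict, namespace: str):
    """Submit through authn, RBAC and admission; nothing is persisted."""
    proc = subprocess.run(["kubectl", "apply", "--dry-run=server", "-n", namespace, "-f", "-"],
                          input=json.dumps(manifest).encode(), capture_output=True)
    return proc.returncode, proc.stderr.decode(errors="replace")


def run_probe(namespace: str = "default", runner=kubectl_dry_run) -> dict:
    """test name -> BLOCKED (policy enforced), ALLOWED (gap) or ERROR: <stderr>."""
    results = {}
    for name, manifest in TESTS.items():
        code, stderr = runner(manifest, namespace)
        if code == 0:
            results[name] = "ALLOWED"
        elif any(marker in stderr for marker in DENIAL_MARKERS):
            results[name] = "BLOCKED"
        else:
            # RBAC failure, unreachable API server, or a webhook that declares
            # sideEffects other than None/NoneOnDryRun: not a policy verdict.
            results[name] = f"ERROR: {stderr.strip()}"
    return results


if __name__ == "__main__":
    for name, verdict in run_probe().items():
        print(f"{name:16} {verdict}")
```

Every ALLOWED row is a gap report; every ERROR row means the probe could not reach a verdict and has to be rerun with the right RBAC or webhook configuration, which is why the two are kept apart rather than folded into "not blocked".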
sfec_audit.py: Salesforce Experience Cloud guest user auditor
Probes the 2022 Varonis-disclosed class of Salesforce Experience Cloud misconfigurations where guest users can access more data than intended. Tests public APIs, object permissions, and profile configuration. Outputs specific remediation guidance tied to the Salesforce security controls.
valtik_full_audit.py: Full-audit orchestrator
Runs oauth21, email, pci-audit, and sfec (when applicable) in sequence against a target domain. Produces unified Markdown and JSON reports with findings grouped by severity. Used as the opening artifact on compliance readiness engagements.
We run these on every engagement
Not as a replacement for human-led testing. As the automation layer that finds the known issues fast, so human time goes into business logic, chained exploitation, and the findings that scanners cannot produce.
